Building on our cloud security leadership to help keep businesses protected
Moving to the cloud requires careful planning and hard work, but it also requires something more fundamental: trust. You need to trust that your cloud provider will keep your data safe and prevent threats, and also do it in a way that is transparent and keeps you in control. As threats increase in complexity, trust requires a cloud provider that is always working to create new ways to protect you by being on the forefront of security innovation.
In March we announced more than 20 security enhancements to help keep your organization protected. It's been four short months since then, but in that time we’ve increased the quantity and scope of our security offerings. Here’s an update on our ongoing work, and what it can mean for you.
What we’re announcing today:
Context-aware access capabilities, available now for select customers in beta for VPC Service Controls, and coming soon to beta for Cloud IAM, Cloud IAP and Cloud Identity
Titan Security Key, available now to Cloud customers, and coming soon to the Google Store
Shielded VMs, available now in beta
Binary Authorization, coming soon to beta
Container Registry Vulnerability Scanning, coming soon to beta
Cloud Armor geo-based access control, available now in beta
Cloud HSM, coming soon to beta
Access Transparency, soon to be generally available
G Suite security center investigation tool, available now via Early Adopter Program
G Suite data regions, now generally available
Making access to apps and services more secure and convenient
People increasingly want access to their business critical apps on the devices that make the most sense for how they work. However, traditional access management solutions often put security at odds with flexibility by imposing one-size-fits-all, coarse-grained controls that limit users.
To address this, we’re announcing context-aware access, an innovative approach to access management that implements many elements of Google’s BeyondCorp vision for apps and services on Google Cloud and beyond, to help organizations increase security as well as flexibility. Context-aware access allows organizations to define and enforce granular access to GCP APIs, resources, G Suite, and third-party SaaS apps based on a user’s identity, location, and the context of their request. This increases your security posture while decreasing complexity for your users, giving them the ability to seamlessly log on to apps from anywhere and any device. Context-aware access capabilities are available for select customers using VPC Service Controls, and are coming soon for customers using Cloud Identity and Access Management (IAM), Cloud Identity-Aware Proxy (IAP), and Cloud Identity.
We’re also announcing Titan Security Key, a FIDO security key that includes firmware developed by Google to verify its integrity. We’ve long advocated the use of security keys as the strongest, most phishing-resistant authentication factor for high-value users, especially cloud admins, to protect against the potentially damaging consequences of credential theft. Titan Security Key gives you even more peace of mind that your accounts are protected, with assurance from Google of the integrity of the physical key. Titan Security Keys are available now to Google Cloud customers and will be available for anyone to purchase on the Google Store soon.
Strengthening a secure foundation
As your organization moves workloads to the cloud, trust in the underlying infrastructure is critically important. Our goal is to deliver a highly reliable, highly secure foundation for you to build on, and to allow you to take advantage of the protections we’ve built in.
Available now in beta, Shielded VMs leverage advanced platform security capabilities to help ensure your VMs have not been tampered with. With Shielded VMs, you can monitor and react to any changes in the VM baseline as well as its current runtime state. You can learn more about how to easily deploy Shielded VMs on our website.
In addition to verifying the integrity of VMs, organizations running containerized workloads need to ensure only trusted containers are deployed on Google Kubernetes Engine, as part of a secure software supply chain. With Binary Authorization, coming soon to beta, you can enforce signature validation when deploying container images. Binary Authorization can be integrated with existing CI/CD pipelines to ensure images are properly built and tested prior to deployment. It can also be combined with Container Registry Vulnerability Scanning to prevent deploying images that contain any vulnerable packages. Container Registry Vulnerability Scanning automatically performs vulnerability scanning for Ubuntu, Debian and Alpine images to ensure your images are safe to deploy. Learn more about Container Registry Vulnerability Scanning and Binary Authorization on our website.
Google Cloud’s extensive global network offers organizations meaningful performance and security advantages. Cloud Armor is our DDoS and application defense service, based on the same global infrastructure that we use to protect Search, Gmail and YouTube. Today we’re announcing geo-based access control for Cloud Armor, available now in beta, which allows you to control access to your services based on the geographic location of the client trying to connect to your application. Other Cloud Armor capabilities include whitelisting or blocking traffic based on IP addresses, deploying pre-built rules for SQL injection and cross-site scripting, and controlling traffic based on Layer 3-Layer 7 parameters of your choice. Cloud Armor works in conjunction with our global load balancing service and provides a policy framework with a rich, open rules language for specifying defense rules. In effect, you can deploy application-level DDoS defense at scale based on your unique requirements.
Securing the bits
Data protection is the number one consideration when running enterprise workloads in the cloud, and we’re proud to be the only cloud provider that encrypts data at rest, by default, with no customer intervention required. But we know that many customers may still want additional options that help them protect their most sensitive information assets.
Today we’re introducing Cloud HSM, a managed cloud-hosted hardware security module (HSM) service. Cloud HSM, coming soon in beta, allows you to host encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 certified HSMs. With this fully managed service, you can protect your most sensitive workloads without needing to worry about the operational overhead of managing an HSM cluster. The Cloud HSM service is tightly integrated with Cloud Key Management Service (KMS), which makes it extremely simple to create and use keys that are generated and protected in hardware and use it with customer-managed encryption keys (CMEK) integrated services such as BigQuery, Google Compute Engine, Google Cloud Storage and DataProc. Learn more on the Cloud HSM webpage.
For even stronger levels of protection, we recently introduced Asylo, our open source framework built to help protect the confidentiality and integrity of applications and data in a confidential computing environment. We’re pleased that it continues to gain developer interest and momentum. Learn more on the Asylo website.
Giving you more transparency, insight and control
We believe that trust is created through transparency, and want to empower you with the visibility, insight and control you need to meet your organization’s security objectives as you move to the cloud or increase your cloud adoption.
We provide a comprehensive level of documentation on how we do things in our cloud, such as data encryption. We also offer customers near real-time visibility into the limited situations when we’re required to interact with your data on our platform. Access Transparency for GCP—a first-of-its-kind capability—is soon to be generally available. Learn more about Access Transparency on our website.
For G Suite customers, we’re adding new functionality (sign up for early adopter) for security center—the investigation tool. With this new tool, admins can identify security issues within their domain and take rapid action to remediate. As an example, admins can conduct organization-wide searches across multiple data sources to see which files are being shared externally. They can pivot across these searches to correlate results, and perform bulk actions on limiting files access. We’re also making it easier to move G Suite reporting and audit data from the Admin console to Google BigQuery. And for GCP customers, Cloud Security Command Center recently added integrations with five new container security partner tools to help you gain more insight into risks for containers you’re running on Google Kubernetes Engine.
Finally, many customers take advantage of our globally distributed data centers to minimize latency and increase geo-redundancy. Some organizations, however, have requirements around where their data is stored, and we’re committed to meeting their needs. As a first step towards that commitment, data regions for G Suite makes it possible for G Suite Business and Enterprise customers to designate the region in which primary data for select G Suite apps is stored when at rest—globally, in the U.S., or in Europe.
In addition to these updates, last week we announced a new policy for Chrome Browser, called Password Alert, which lets IT admins prevent their employees from reusing their corporate password on sites outside of the company’s control, helping guard against account compromise.
More to come
Recognizing our ongoing security efforts, Google Cloud was recently named a Leader in The Forrester Wave™: Public Cloud Platform Native Security, Q2 2018 report. We’re thrilled to receive this recognition, but at the same time, we aren’t standing still. We believe a more secure business landscape is better for everyone, and we’ll continue to deliver innovative ways to help enterprises be more secure. To learn more, visit our security page.
Editor’s note: As of November 2018, Cloud Armor whitelists and blacklists are now referred to as allow lists and deny lists.