Google Boosts Security of Google Cloud
Google this week announced a series of tools meant to increase the overall security of Google Cloud and improve customer trust in the service.
The new functionality will allow users to gain better visibility into their environments, detect threats and accelerate response and remediation, mitigate data exfiltration risks, ensure a secure software supply chain, and strengthen policy compliance.
Access Transparency, introduced last year and now generally available for G Suite Enterprise, logs the actions Google staff take when they access customer data, together with the stated reason for each access, in the G Suite Admin Console. Access Approval for Google Cloud Platform (GCP), announced in December, goes a step further: Google staff must obtain the customer's explicit approval before they can access that customer's data or configurations. It is now in beta for Compute Engine, App Engine, Cloud Storage, and other services.
A new Data Loss Prevention (DLP) user interface, now in beta, lets users configure and run sensitive-data scans with a few clicks rather than writing code against the DLP API.
Google also made VPC Service Controls generally available. The service lets customers define a security perimeter around specific resources, including Cloud Storage buckets, Bigtable instances, and BigQuery datasets, so that data held in those services cannot be copied to projects or services outside the perimeter, which mitigates data exfiltration risks.
The Cloud Security Command Center (Cloud SCC) introduced last year is now generally available to help prevent, detect, and respond to threats across a broad set of GCP services (App Engine, BigQuery, Cloud Storage, Compute Engine, Google Kubernetes Engine, and more).
Google also added new services to Cloud SCC, including Event Threat Detection, which flags malware, cryptomining, and outgoing DDoS attacks, and Security Health Analytics, which automatically finds publicly accessible storage buckets, open firewall ports, stale encryption keys, disabled security logging, and more.
Cloud Security Scanner, generally available for App Engine and in beta for Google Kubernetes Engine (GKE) and Compute Engine, detects vulnerabilities in GCP web applications such as cross-site scripting (XSS), passwords submitted in clear text, and outdated libraries.
Additionally, Google announced security-focused partner integrations with Capsule8, Cavirin, Chef, McAfee, RedLock, StackRox, Tenable, and Twistlock.
New security reporting in Apigee, Google Cloud’s API management platform, helps customers gain a holistic view of the health and security status of API programs.
Google also announced several GKE services “to help build confidence in your containerized software supply chain.”
Container Registry vulnerability scanning, which will soon be generally available, identifies known vulnerabilities in Ubuntu, Debian, and Alpine Linux packages so that they can be caught before containers are deployed. Binary Authorization, which integrates with Cloud Key Management Service and Cloud SCC, enforces deploy-time policy: only images that carry the attestations the organization requires are admitted to a cluster.
Google is also making GKE Sandbox available in beta. Based on the open-source gVisor project, it adds a second layer of isolation between containers and the host kernel for multi-tenant workloads, making container escapes considerably harder.
Furthermore, GKE now offers Managed SSL certificates (currently in beta), with full lifecycle management (provisioning, deployment, renewal and deletion) of GKE Ingress certificates. Google Cloud also offers Shielded VM, which uses Secure Boot, a virtual TPM and integrity monitoring to provide verifiable integrity of Compute Engine VM instances.
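As an added illustration of the deploy-time policy Binary Authorization enforces (this is an example written for this page, not code from the article or from Google), the policy below refuses to admit any image that lacks an attestation from an attestor named build-verified in a project named my-project; both names, and the dev-cluster exception, are placeholders.

```yaml
# Added example (not from the article or Google's documentation).
# Binary Authorization policy: require a signed attestation before GKE admits an image.
# "my-project", "build-verified" and "dev-cluster" are hypothetical names.
admissionWhitelistPatterns:
  # Images admitted regardless of attestation; keep this list as short as possible.
  - namePattern: gcr.io/google-containers/*
  - namePattern: gke.gcr.io/*
globalPolicyEvaluationMode: ENABLE   # also apply Google's exemptions for GKE system images
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  # Roll out with DRYRUN_AUDIT_LOG_ONLY first to see what would be blocked,
  # then switch to ENFORCED_BLOCK_AND_AUDIT_LOG once the pipeline signs every image.
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
    - projects/my-project/attestors/build-verified
clusterAdmissionRules:
  # Per-cluster rule keyed as LOCATION.CLUSTER_NAME; a development cluster can stay open.
  us-central1-a.dev-cluster:
    evaluationMode: ALWAYS_ALLOW
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
```

The policy is applied with `gcloud container binauthz policy import policy.yaml` and the current one inspected with `gcloud container binauthz policy export`. The attestor's verification key can be a Cloud KMS key version rather than an uploaded PGP key, which is the Cloud KMS integration the article refers to; blocked deployments show up as audit log entries, and the dry-run mode is the check to run before enforcement so that a missing attestation does not take down a production rollout.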
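To show how a managed certificate is attached to an Ingress (an added example for this page, not from the article or Google), the manifest below declares a ManagedCertificate and references it from a GKE Ingress; the domain, static IP name, Service name and certificate name are placeholders.

```yaml
# Added example (not from the article). "www.example.com", "www-ip", "www-cert"
# and "www-service" are hypothetical names.
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: www-cert
spec:
  domains:
    - www.example.com   # must already resolve to the Ingress IP, or issuance will not complete
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: www-ingress
  annotations:
    # A reserved global static IP keeps the address stable across Ingress changes,
    # which the DNS record for the certificate's domain depends on.
    kubernetes.io/ingress.global-static-ip-name: www-ip
    # Comma-separated list of ManagedCertificate names to serve on this Ingress.
    networking.gke.io/managed-certificates: www-cert
spec:
  backend:
    serviceName: www-service
    servicePort: 80
```

After `kubectl apply`, `kubectl describe managedcertificate www-cert` reports a certificate status that moves from Provisioning to Active once Google has validated the domain; renewal happens without further action. This only works with the GKE (GCE) Ingress controller, not with a third-party controller such as NGINX, and the certificate is deleted when the ManagedCertificate object is.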
Google also introduced new ways to help customers protect, control, and remediate threats to the business data created and stored in G Suite.
Since some organizations want their data to be stored in specific locations, G Suite Business and Enterprise customers can select where their covered data is stored (globally, in the US, or in Europe), and backups are now covered as well.
New controls for advanced phishing and malware protection (in beta) help protect against anomalous attachments and inbound emails that spoof the organization's domain, including in Google Groups. A security sandbox (in beta for G Suite Enterprise customers) improves protection against ransomware, sophisticated malware and zero-day threats by detonating attachments in a sandbox environment before delivery.
G Suite also includes security and alert centers, with best practice recommendations, unified notifications, and integrated remediation against threats. With new beta functionality, admins can save and share investigations, indicate alert status and severity, assign alerts to other admins, automate actions, and send notifications to the alert center.
Also this week, Google introduced Policy Intelligence, with three new tools to help understand and manage policies and reduce risk, namely IAM Recommender (to remove unwanted access to GCP resources), Access Troubleshooter (to understand why requests were denied and modify policies), and Validator (to set up governance and security guardrails to prevent overly-permissive access).
Following the introduction of the Web Risk API last month (in beta), Google now announced Phishing Protection, a service for reporting unsafe URLs to Google Safe Browsing and viewing the status in Cloud SCC, and reCAPTCHA Enterprise, a new service with capabilities designed specifically to address enterprise security needs.