Google Cloud security adds data regions and Titan security keys

Google Cloud security has new improvements across access management, data security, transparency and more, including support for Google-made Titan 2FA keys.

Multiple improvements for Google Cloud security aim to help users protect data through better access management, more data security options and greater transparency.

More than half of the security features announced are either in beta or part of the G Suite Early Adopter Program, but in total the additions should offer better control and transparency for users.

The biggest improvement in Google Cloud security comes in identity and access management. Google has developed its own Titan multi-factor physical security key -- similar to a YubiKey -- to protect users against phishing attacks. Google previously reported that there have been no confirmed account takeovers in more than one year since requiring all employees to use physical security keys, and according to a Google spokesperson, Titan keys have already been one such key available to employees.

The Titan security keys are FIDO keys that include "firmware developed by Google to verify its integrity." Google announced it is offering two models of Titan keys for Cloud users: one based on USB and NFC and one that uses Bluetooth in order to support iOS devices as well. The keys are available now to Cloud customers and will come to the Google Store soon. Pricing details have not been released.

"The Titan security key provides a phishing-resistant second factor of authentication. Typically, our customers will place it in front of high value users or content administrators and root users, the compromise of those would be much more damaging to an enterprise customer … or specific applications which contain sensitive data, or sort of the crown jewels of corporate environments," Jess Leroy, director of product management for Google Cloud, told reporters in a briefing. "It's built with a secure element, which includes firmware that we built ourselves, and it provides a ton of security with very little interaction and effort on the part of user."

However, Stina Ehrensvard, CEO and founder of Yubico, the manufacturer of YubiKey two-factor authentication keys, headquartered in Palo Alto, Calif., noted in a blog post that her company does not see Bluetooth as a good option for a physical security key.

"Google's offering includes a Bluetooth (BLE) capable key. While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability," Ehrensvard wrote. "BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience."

In addition to the Titan keys, Google Cloud security will have improved access management with the implementation of the context-aware access approach Google used in its BeyondCorp network setups.

"Context-aware access allows organizations to define and enforce granular access to [Google Cloud Platform] APIs, resources, G Suite, and third-party SaaS apps based on a user's identity, location, and the context of their request. This increases your security posture while decreasing complexity for your users, giving them the ability to seamlessly log on to apps from anywhere and any device," Jennifer Lin, director of product management for Google Cloud, wrote in the Google Cloud security announcement post. "Context-aware access capabilities are available for select customers using VPC Service Controls, and are coming soon for customers using Cloud Identity and Access Management (IAM), Cloud Identity-Aware Proxy (IAP), and Cloud Identity."

Data transparency and control

New features also aim to improve Google Cloud security visibility and control over data. Access Transparency will offer users a "near real-time log" of the actions taken by administrators, including Google engineers.

"Inability to audit cloud provider accesses is often a barrier to moving to cloud. Without visibility into the actions of cloud provider administrators, traditional security processes cannot be replicated," Google wrote in documentation. "Access Transparency enables that verification, bringing your audit controls closer to what you can expect on premise."

In terms of Google Cloud security and control over data, Google will also now allow customers to decide in what region data will be stored. Google described this feature as allowing multinational organizations to protect their data with geo redundancy while still following any requirements regarding where in the world data is stored.

A Google spokesperson noted via email that the onus for ensuring that regional data storage complies with local laws would be on the individual organizations.

Other Google Cloud security improvements

Google announced several features that are still in beta, including Shielded Virtual Machines (VM), which will allow users to monitor and react to changes in the VM to protect against tampering; Binary Authorization, which will force signature validation when deploying container images; Container Registry Vulnerability Scanning, which will automatically scan Ubuntu, Debian and Alpine images to prevent deploying images that contain any vulnerable packages; geo-based access control for Cloud Armor, which helps defend users against DDoS attacks; and Cloud HSM, a managed cloud-hosted hardware security module (HSM) service.
