Multiple improvements for Google Cloud security aim to help users protect data through better access management, more data security options and greater transparency.
More than half of the security features announced are either in beta or part of the G Suite Early Adopter Program, but in total the additions should offer better control and transparency for users.
The biggest improvement in Google Cloud security comes in identity and access management. Google has developed its own Titan multi-factor physical security key -- similar to a YubiKey -- to protect users against phishing attacks. Google previously reported that there have been no confirmed account takeovers in the more than one year since it required all employees to use physical security keys, and, according to a Google spokesperson, Titan keys are among the keys that have been available to employees during that period.
The Titan security keys are FIDO keys that include "firmware developed by Google to verify its integrity." Google announced it is offering two models of Titan keys for Cloud users: one based on USB and NFC and one that uses Bluetooth in order to support iOS devices as well. The keys are available now to Cloud customers and will come to the Google Store soon. Pricing details have not been released.
"The Titan security key provides a phishing-resistant second factor of authentication. Typically, our customers will place it in front of
However, Stina Ehrensvard, CEO
"Google's offering includes a Bluetooth (BLE) capable key. While Yubico previously initiated development of a BLE security
In addition to the Titan keys, Google Cloud security will gain improved access management through the context-aware access model Google built for its own BeyondCorp zero-trust network, where access decisions depend on the user, the device and the request rather than on the network the request comes from.
"Context-aware access allows organizations to define and enforce granular access to [Google Cloud Platform] APIs, resources, G Suite, and third-party SaaS apps based on a user's identity, location, and the context of their request. This increases your security posture while decreasing complexity for your users, giving them the ability to seamlessly log on to apps from anywhere and any device," Jennifer Lin, director of product management for Google Cloud, wrote in the Google Cloud security announcement post. "Context-aware access capabilities are available for select customers using VPC Service Controls, and are coming soon for customers using Cloud Identity and Access Management (IAM), Cloud Identity-Aware Proxy (IAP), and Cloud Identity."
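The evaluation Lin describes can be pictured as access levels made of conditions on identity, source network and device state, combined with AND or OR and checked on every request. The Go program below is an added illustration of that evaluation written for this page; it is not Google's code and not the Access Context Manager API. The type and field names, the sample level and the sample requests are this example's own constructions.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Request is what a policy gateway sees on one call: identity (groups), origin
// and device state. Names are this example's own, not Google's.
type Request struct {
	Principal, SourceIP string
	Groups              []string
	Managed, ScreenLock bool // device enrolled in endpoint management; lock set
}

// Condition is one clause of an access level; every populated field must hold.
type Condition struct {
	IPSubnets, MemberOfAny            []string
	RequireManaged, RequireScreenLock bool
}

// AccessLevel combines conditions: AllOf=false means any one suffices (OR),
// AllOf=true means every one must hold (AND).
type AccessLevel struct {
	Conditions []Condition
	AllOf      bool
}

// anyIn reports whether any member of set also appears in wanted.
func anyIn(set, wanted []string) bool {
	for _, s := range set {
		for _, w := range wanted {
			if s == w {
				return true
			}
		}
	}
	return false
}

// Holds reports whether r satisfies c and, if not, which clause failed; the
// reason is what an access-denied audit record would carry.
func (c Condition) Holds(r Request) (bool, string) {
	if len(c.IPSubnets) > 0 {
		ip, err := netip.ParseAddr(r.SourceIP)
		if err != nil {
			return false, "unparseable source IP"
		}
		inRange := false
		for _, cidr := range c.IPSubnets {
			if pfx, err := netip.ParsePrefix(cidr); err == nil && pfx.Contains(ip) {
				inRange = true
			}
		}
		if !inRange {
			return false, "source IP outside allowed subnets"
		}
	}
	if len(c.MemberOfAny) > 0 && !anyIn(r.Groups, c.MemberOfAny) {
		return false, "principal not in a required group"
	}
	if c.RequireManaged && !r.Managed {
		return false, "device not managed"
	}
	if c.RequireScreenLock && !r.ScreenLock {
		return false, "device has no screen lock"
	}
	return true, ""
}

// Satisfied applies the combiner and returns the reasons for each failed condition.
func (a AccessLevel) Satisfied(r Request) (bool, []string) {
	var reasons []string
	for _, c := range a.Conditions {
		ok, why := c.Holds(r)
		if ok && !a.AllOf {
			return true, nil // OR: first satisfied condition wins
		}
		if !ok {
			reasons = append(reasons, why)
			if a.AllOf {
				return false, reasons // AND: first failure decides
			}
		}
	}
	return a.AllOf, reasons // AND with no failure allows; OR with no match denies
}

// CorpOrManagedDevice is a constructed sample level: allow from the corporate
// egress range, or from a managed device that has a screen lock.
var CorpOrManagedDevice = AccessLevel{Conditions: []Condition{
	{IPSubnets: []string{"203.0.113.0/24"}},
	{RequireManaged: true, RequireScreenLock: true},
}}

func main() {
	for _, r := range []Request{ // constructed sample requests
		{Principal: "alice@example.com", SourceIP: "203.0.113.7"},
		{Principal: "bob@example.com", SourceIP: "198.51.100.9", Managed: true},
	} {
		ok, why := CorpOrManagedDevice.Satisfied(r)
		fmt.Printf("%s from %s allowed=%v reasons=%v\n", r.Principal, r.SourceIP, ok, why)
	}
}
```

The point worth noticing is that the decision is made per request from live attributes, so the same user is allowed from the office range but denied from an unlocked laptop elsewhere, and every denial carries the clause that failed so it can be logged and explained rather than surfacing as an opaque 403.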
Data transparency and control
New features also aim to improve Google Cloud security visibility and control over data. Access Transparency will give customers a "near real-time log" of accesses to their data by Google administrators and engineers, so that provider-side activity can be audited alongside the customer's own.
"Inability to audit cloud provider accesses is often a barrier to moving to
In terms of Google Cloud security and control over data, Google will also now allow customers to decide in what region data will be stored. Google described this feature as allowing multinational organizations to protect their data with
A Google spokesperson noted via email that the onus for ensuring that regional data storage complies with local laws would be on the individual organizations.
Other Google Cloud security improvements
Google announced several features that are still in beta, including Shielded Virtual Machines (VMs), which verify the integrity of the boot chain and allow users to monitor and react to changes in the VM to protect against tampering; Binary Authorization, which enforces signature validation when deploying container images, so that only images signed by trusted parties can run; Container Registry Vulnerability Scanning, which automatically scans Ubuntu, Debian and Alpine images so that images containing vulnerable packages are not deployed; geo-based access control for Cloud Armor, which helps defend users against DDoS attacks; and Cloud HSM, a managed cloud-hosted hardware security module (HSM) service.
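The "signature validation when deploying container images" that Binary Authorization enforces amounts to an admission check: a deploy proceeds only if every trusted attestor has signed the exact image digest being deployed, and a mutable tag is never accepted in place of a digest. The Go program below is an added illustration of that check written for this page; it is not Google's implementation and not the real Binary Authorization attestation format (which carries the digest in a JSON payload and is configured through attestor and policy resources in GCP). The Ed25519 keys, the signed payload layout, the type names and the constructed digests are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Attestor is a trusted signer (e.g. the QA pipeline) whose public key the
// deploy policy pins. Names and types are this example's own.
type Attestor struct {
	Name   string
	Public ed25519.PublicKey
}

// Attestation is one attestor's signature over one immutable image digest.
type Attestation struct {
	Attestor string
	Digest   string // "sha256:<64 hex digits>"
	Sig      []byte
}

// Policy requires a valid attestation from every listed attestor.
type Policy struct {
	RequiredAttestors []Attestor
}

// Only digest references are accepted: a tag such as ":latest" can be
// re-pointed at a different image after the attested one was signed.
var digestRef = regexp.MustCompile(`^[^@]+@(sha256:[0-9a-f]{64})$`)

// payload is the byte string an attestor signs. Binary Authorization signs a
// JSON payload naming the digest; this fixed prefix is an assumed simplification.
func payload(digest string) []byte {
	return []byte("binauthz-example/v1\n" + digest)
}

// NewAttestor generates a fresh Ed25519 key pair for a named attestor.
func NewAttestor(name string) (Attestor, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy; nothing sensible to do in an example
	}
	return Attestor{Name: name, Public: pub}, priv
}

// Attest is the CI step that runs after tests and scans pass: sign the digest.
func Attest(name string, priv ed25519.PrivateKey, digest string) Attestation {
	return Attestation{Attestor: name, Digest: digest, Sig: ed25519.Sign(priv, payload(digest))}
}

// Admit returns nil if imageRef may be deployed under p, else the denial reason.
func Admit(p Policy, imageRef string, atts []Attestation) error {
	m := digestRef.FindStringSubmatch(imageRef)
	if m == nil {
		return errors.New("deny: image must be referenced by sha256 digest, not a mutable tag")
	}
	digest := m[1]
	for _, req := range p.RequiredAttestors {
		verified := false
		for _, att := range atts {
			// The attestation must name this attestor and this exact digest, and
			// its signature must verify under the key pinned in the policy.
			if att.Attestor == req.Name && att.Digest == digest &&
				ed25519.Verify(req.Public, payload(digest), att.Sig) {
				verified = true
				break
			}
		}
		if !verified {
			return fmt.Errorf("deny: no valid attestation from %q for %s", req.Name, digest)
		}
	}
	return nil
}

// DemoDigest is a constructed digest standing in for a real image manifest hash.
var DemoDigest = "sha256:" + strings.Repeat("ab", 32)

func main() {
	qa, qaKey := NewAttestor("qa-pipeline")
	policy := Policy{RequiredAttestors: []Attestor{qa}}
	att := Attest(qa.Name, qaKey, DemoDigest)

	for _, ref := range []string{ // constructed image references
		"gcr.io/demo/app@" + DemoDigest,                      // attested digest: allowed
		"gcr.io/demo/app:latest",                             // mutable tag: denied
		"gcr.io/demo/app@sha256:" + strings.Repeat("cd", 32), // unattested digest: denied
	} {
		fmt.Printf("%s -> %v\n", ref, Admit(policy, ref, []Attestation{att}))
	}
}
```

Two design points carry over to any real deployment gate: the policy pins public keys, not attestor names, so an attacker who can label a signature "qa-pipeline" gains nothing without the key; and the check is keyed on the digest rather than the tag, since a tag is a pointer that can be moved after the signature was produced.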