Google Cloud security adds data regions and Titan security keys

Multiple improvements for Google Cloud security aim to help users protect data through better access management, more data security options and greater transparency.

More than half of the security features announced are either in beta or part of the G Suite Early Adopter Program, but in total the additions should offer better control and transparency for users.

The biggest improvement in Google Cloud security comes in identity and access management. Google has developed its own Titan multi-factor physical security key -- similar to a YubiKey -- to protect users against phishing attacks. Google previously reported that there have been no confirmed account takeovers in more than one year since requiring all employees to use physical security keys, and according to a Google spokesperson, Titan keys have already been one such key available to employees.

The Titan security keys are FIDO keys that include "firmware developed by Google to verify its integrity." Google announced it is offering two models of Titan keys for Cloud users: one based on USB and NFC and one that uses Bluetooth in order to support iOS devices as well. The keys are available now to Cloud customers and will come to the Google Store soon. Pricing details have not been released.

"The Titan security key provides a phishing-resistant second factor of authentication. Typically, our customers will place it in front of high value users or content administrators and root users, the compromise of those would be much more damaging to an enterprise customer … or specific applications which contain sensitive data, or sort of the crown jewels of corporate environments," Jess Leroy, director of product management for Google Cloud, told reporters in a briefing. "It's built with a secure element, which includes firmware that we built ourselves, and it provides a ton of security with very little interaction and effort on the part of user ."

However, Stina Ehrensvard, CEO and founder of Yubico, the manufacturer of Yubikey two factor authentication keys, headquartered in Palo Alto, Calif., noted in a blog post that her company does not see Bluetooth as a good option for a physical security key.

"Google's offering includes a Bluetooth (BLE) capable key. While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability," Ehrensvard wrote. "BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience."

In addition to the Titan keys, Google Cloud security will have improved access management with the implementation of the context-aware access approach Google used in its BeyondCorp network setups.

"Context-aware access allows organizations to define and enforce granular access to [Google Cloud Platform] APIs, resources, G Suite, and third-party SaaS apps based on a user's identity, location, and the context of their request. This increases your security posture while decreasing complexity for your users, giving them the ability to seamlessly log on to apps from anywhere and any device," Jennifer Lin, director of product management for Google Cloud, wrote in the Google Cloud security announcement post. "Context-aware access capabilities are available for select customers using VPC Service Controls, and are coming soon for customers using Cloud Identity and Access Management (IAM), Cloud Identity-Aware Proxy (IAP), and Cloud Identity."