Google Straps On Cloud Armor

Google says it introduced 20 security enhancements to both Google Cloud Platform and G Suite, with many focused on improved transparency and control.

Mitch Wagner, Executive Editor, Light Reading

March 22, 2018


Google introduced a passel of security improvements to both Google Cloud Platform and G Suite, including Cloud Armor to protect against Distributed Denial of Service (DDoS) attacks, as well as better controls for enterprise security admins.

In teeing up the announcements earlier this week, Urs Hölzle, Google (Nasdaq: GOOG) senior vice president of technical infrastructure, made the case that the cloud is more secure than legacy infrastructure.

"Cloud providers offer a vast army of experts to protect against threats -- one far larger than almost any internal team a company could invest in," Hölzle said. "In fact, if businesses were to go it alone, there wouldn't be enough security professionals in the world to adequately protect every single company and their users."

Google followed Hölzle's comments, posted Monday, with 20 security enhancements Wednesday (or so Google said -- we didn't count) to both its Google Cloud Platform infrastructure and platform, as well as G Suite collaboration tools. We'll just hit the highlights for you.

Cloud Armor provides defense against DDoS attacks based on the technologies and infrastructure the company uses to protect Search, Gmail and YouTube. Cloud Armor delivers DDoS defense through global HTTP and HTTPS load balancing, along with a rules language and a global enforcement engine for building custom defenses against multivector attacks, that is, combinations of two or more attack types. Custom defenses can use any combination of Layer 3 to Layer 7 parameters.
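To make the "rules language over Layer 3 to Layer 7 parameters" idea concrete, here is an added illustration (not Google's code and not Cloud Armor's actual syntax): a small priority-ordered rule engine whose predicates mix source IP and destination port with method, path and headers, plus a sliding-window counter per source address for the volumetric side. Every address block, rule and sample request is constructed.

```python
"""Added illustration, not Google's code: a toy rule engine in the spirit of a
rules language that combines Layer 3/4 attributes (source IP, destination port)
with Layer 7 attributes (method, path, headers), plus a per-source rate window.
All policy values and sample requests are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Deque, Dict, List


@dataclass
class Request:
    src_ip: str
    dst_port: int
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    priority: int                      # lower value is evaluated first
    description: str
    match: Callable[[Request], bool]   # predicate over any L3-L7 attribute
    action: str                        # "allow" or "deny"


def in_ranges(ip: str, cidrs: List[str]) -> bool:
    """True if ip falls inside any of the given CIDR blocks."""
    addr = ip_address(ip)
    return any(addr in ip_network(c) for c in cidrs)


def evaluate(rules: List[Rule], req: Request, default: str = "allow") -> str:
    """First matching rule in priority order wins; otherwise the default applies."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.match(req):
            return rule.action
    return default


class RateWindow:
    """Sliding-window request counter per source IP for volumetric floods."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)

    def over_limit(self, src_ip: str, now: float) -> bool:
        """Record one hit at time `now` and report whether the window is exceeded."""
        q = self.hits[src_ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop hits older than the window
            q.popleft()
        return len(q) > self.limit


# Constructed address blocks (RFC 5737 documentation ranges, not real actors).
BLOCKED_RANGES = ["203.0.113.0/24"]
CORP_RANGES = ["198.51.100.0/24"]

# Constructed policy: one pure L3 rule, one L3+L7 rule, one L4+L7 multivector rule.
POLICY = [
    Rule(1000, "L3: drop traffic from a blocked source range",
         lambda r: in_ranges(r.src_ip, BLOCKED_RANGES), "deny"),
    Rule(2000, "L3+L7: admin paths are reachable only from the corporate range",
         lambda r: r.path.startswith("/admin")
         and not in_ranges(r.src_ip, CORP_RANGES), "deny"),
    Rule(3000, "L4+L7 multivector: POST to /login on 443 with an empty User-Agent",
         lambda r: r.dst_port == 443 and r.method == "POST"
         and r.path == "/login"
         and not r.headers.get("User-Agent", "").strip(), "deny"),
]
```

The engine evaluates the lowest priority number first, so a broad L3 block takes precedence over narrower L7 rules; the rate window is kept separate because volumetric decisions depend on history rather than on a single request.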

Figure 1: Random Googlers at Google. Photo by Google.

A second post describes a new command center for cloud security, audit logging to increase transparency when Google accesses customer content and controls for virtual private clouds (VPCs).

Cloud Security Command Center & Cloud Audit Logging
Google introduced Cloud Security Command Center, a control panel that gives users visibility into cloud assets across the Google Cloud Platform, and how vulnerable those assets might be to attack -- such as whether assets are open to the Internet or contain personally identifiable information. The Command Center integrates information from a half-dozen partners, including Cloudflare, CrowdStrike, Dome9, RedLock, Palo Alto Networks and Qualys.

Google's Cloud Audit Logging provides transparency -- "an immutable audit trail" -- when Google engineers access customer content on Google Cloud Platform, Google says. Even before the new logging tool debuted, Google administrators were permitted to access customer content "only with valid business justifications, such as responding to a specific ticket our customers have initiated or recovering from an outage," Google says.

VPC Service Controls
Google introduced VPC Service Controls in alpha, to give users better control of the perimeters of their Virtual Private Cloud (VPC) service from Google.

Virtual Private Clouds are one of those fine distinctions between types of cloud service that has cropped up as the cloud matures and different organizations have different needs. VPCs run on public cloud infrastructure from Google and other cloud providers, but they behave like private clouds in that resources are kept separate rather than pooled together with the whole public cloud infrastructure. VPCs are for organizations requiring greater security and control than public cloud, but not as much as you get from true private cloud, where the hardware infrastructure is separate.

The new VPC Service Controls allow cloud users to set up a perimeter around the VPC to control data entering and leaving the VPC. Well-defined VPC service controls can help admins stop attackers from taking data -- or "exfiltration" -- from a VPC, Google says. Admins can "set up, reconfigure and tear down these virtual perimeters at will," Google says.

With the new controls enterprises "can create policies to grant access based on contextual attributes like user location, IP address and endpoint security status," Google says, allowing enterprises to "feel confident running sensitive data workloads in the cloud."
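The perimeter-plus-contextual-attributes model described in the last three paragraphs, as an added illustration (not Google's code and not the VPC Service Controls API): a perimeter lists the projects and services it protects; calls between two protected projects pass, a call that would move data from a protected project to an outside one is refused, and a caller from outside is admitted only when an access level built from location, IP range and endpoint posture matches. Project names, ranges and posture values are constructed.

```python
"""Added illustration, not Google's code: a toy service perimeter with
context-aware access levels. All projects, ranges and attributes are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Set, Tuple


@dataclass
class Context:
    """Contextual attributes of the caller at request time."""
    country: str
    ip: str
    device_managed: bool
    disk_encrypted: bool


@dataclass
class AccessLevel:
    name: str
    condition: Callable[[Context], bool]


@dataclass
class Perimeter:
    projects: Set[str]                 # projects inside the perimeter
    services: Set[str]                 # services the perimeter restricts
    access_levels: List[AccessLevel] = field(default_factory=list)

    def check(self, caller_project: str, target_project: str,
              service: str, ctx: Context) -> Tuple[bool, str]:
        """Decide whether caller_project may call `service` on target_project."""
        if service not in self.services:
            return True, "service not restricted by this perimeter"
        caller_in = caller_project in self.projects
        target_in = target_project in self.projects
        if caller_in and target_in:
            return True, "caller and target both inside the perimeter"
        if caller_in and not target_in:
            # Data would leave the perimeter: the exfiltration case the text describes.
            return False, "egress to a project outside the perimeter is blocked"
        if not target_in:
            return True, "neither side is inside the perimeter"
        for level in self.access_levels:          # ingress from outside
            if level.condition(ctx):
                return True, f"ingress permitted by access level {level.name}"
        return False, "caller outside the perimeter and no access level matched"


def in_ranges(ip: str, cidrs: List[str]) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(c) for c in cidrs)


# Constructed access levels: a corporate network range and a device-posture rule.
CORP_RANGES = ["198.51.100.0/24"]          # RFC 5737 documentation range
LEVELS = [
    AccessLevel("corp_network", lambda c: in_ranges(c.ip, CORP_RANGES)),
    AccessLevel("managed_device_in_region",
                lambda c: c.country in {"US", "CA"}
                and c.device_managed and c.disk_encrypted),
]

# Constructed perimeter around two projects, restricting two services.
PERIMETER = Perimeter(projects={"prod-data", "prod-app"},
                      services={"storage", "bigquery"},
                      access_levels=LEVELS)
```

The useful property to notice is that the decision depends on both endpoints of the call, not only on the caller's identity: a fully authorised identity inside the perimeter still cannot copy protected data to an outside project.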

G Suite security
Next up, Google introduced enhanced G Suite security, including anti-phishing, mobile device management and more.

Google is using machine learning to identify phishing attacks: flagging email with encrypted attachments or embedded scripts from untrusted senders; warning against email that tries to spoof employee names or comes from a domain that looks similar to the recipient's domain; flagging unauthenticated email; and scanning images and shortened URLs for phishing indicators.
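The signals listed above, turned into a rule-based checker as an added illustration (Google's detector is machine-learned and its internals are not described on the page): sender authentication results, a lookalike-domain test that normalises common character substitutions before measuring edit distance, employee display-name spoofing, and encrypted or scripted attachments from senders outside a trusted list. The message, domains, names and authentication results are constructed.

```python
"""Added illustration, not Google's detector: rule-based phishing signals of the
kinds the article lists, applied to a constructed message. Returns the flags
raised so a gateway could warn the recipient or quarantine the message."""
from dataclasses import dataclass, field
from typing import List, Set

RISKY_EXTENSIONS = (".js", ".vbs", ".hta", ".wsf", ".jar")
# Common visual substitutions used in lookalike domains; applied before comparing.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


@dataclass
class Message:
    from_name: str
    from_addr: str
    to_addr: str
    spf: str                     # "pass", "fail" or "none" (constructed auth results)
    dkim: str
    attachments: List[str] = field(default_factory=list)
    attachments_encrypted: bool = False
    has_script: bool = False     # e.g. an embedded script in an attachment


def normalise(domain: str) -> str:
    d = domain.lower()
    for glyph, plain in HOMOGLYPHS.items():
        d = d.replace(glyph, plain)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(sender_domain: str, own_domain: str) -> bool:
    """Different domain that is within one edit of ours after homoglyph folding."""
    if sender_domain == own_domain:
        return False
    return edit_distance(normalise(sender_domain), normalise(own_domain)) <= 1


def score(msg: Message, employees: Set[str], trusted_domains: Set[str]) -> List[str]:
    flags: List[str] = []
    sender_domain = msg.from_addr.rsplit("@", 1)[-1].lower()
    own_domain = msg.to_addr.rsplit("@", 1)[-1].lower()
    trusted = sender_domain in trusted_domains or sender_domain == own_domain
    if msg.spf != "pass" and msg.dkim != "pass":
        flags.append("unauthenticated sender")
    if lookalike(sender_domain, own_domain):
        flags.append(f"lookalike domain {sender_domain}")
    if msg.from_name.lower() in employees and sender_domain != own_domain:
        flags.append("employee name spoofed from external domain")
    if not trusted and msg.attachments_encrypted:
        flags.append("encrypted attachment from untrusted sender")
    if not trusted and (msg.has_script or
                        any(a.lower().endswith(RISKY_EXTENSIONS) for a in msg.attachments)):
        flags.append("script content from untrusted sender")
    return flags


# Constructed sample: display name of a real employee, near-miss domain, no auth.
SUSPECT = Message("Jane Doe", "jane.doe@exarnple.com", "bob@example.com",
                  spf="none", dkim="none",
                  attachments=["invoice.zip"], attachments_encrypted=True)
BENIGN = Message("Alice", "alice@partner.example", "bob@example.com",
                 spf="pass", dkim="pass", attachments=["report.pdf"])
```

Each flag is independent so the output explains itself; a production gateway would weight them, and the lookalike check deliberately folds "rn" to "m" and "vv" to "w" before measuring distance because a plain edit distance treats those as two substitutions.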

For mobile device management, admins get security management controls to help them see which devices access corporate data, enforce passcodes and erase confidential data on both Android and iOS, and automatically protect Android and iOS devices with no user intervention or device profile required. Google also updated Cloud Identity to manage users, apps and devices centrally.

Google is beefing up its security center for G Suite -- a security monitoring dashboard -- to display information on the new phishing detection and mobile management capabilities, as well as provide layout tools to make the dashboard more useful and analysis tools for overall security health and custom advice. (See Google Launches Security Dashboard for G Suite.)

For Team Drives shared document storage, Google is adding Information Rights Management to limit access to Team Drives members or users within the domain, and preventing printing, downloading and copying.

Security gains importance
As enterprises entrust more of their critical processes to the cloud, security is becoming of greater importance and vendors are scrambling to meet that need. This year, Cisco Systems Inc. (Nasdaq: CSCO) acquired Skyport Systems to enhance its cloud security. (See Cisco to Buy Skyport Systems for Cloud Security.)

Amazon.com Inc. (Nasdaq: AMZN) bought Sqrrl, founded by six former NSA employees, which develops big data analytics tools to help detect, investigate and visualize security threats within the network. (See Amazon Scoops Up Sqrrl for Cloud Security.)

And security startup ShiftLeft came out of stealth in October, with designs to shift cloud security from reactive to preventative -- getting on top of threats and vulnerabilities before they emerge. (See Cloud Security Startup ShiftLeft De-Stealths.)


About the Author

Mitch Wagner

Executive Editor, Light Reading

San Diego-based Mitch Wagner is many things. As well as being "our guy" on the West Coast (of the US, not Scotland, or anywhere else with indifferent meteorological conditions), he's a husband (to his wife), dissatisfied Democrat, American (so he could be President some day), nonobservant Jew, and science fiction fan. Not necessarily in that order.

He's also one half of a special duo, along with Minnie, who is the co-habitor of the West Coast Bureau and Light Reading's primary chewer of sticks, though she is not the only one on the team who regularly munches on bark.

Wagner, whose previous positions include Editor-in-Chief at Internet Evolution and Executive Editor at InformationWeek, will be responsible for tracking and reporting on developments in Silicon Valley and other US West Coast hotspots of communications technology innovation.

Beats: Software-defined networking (SDN), network functions virtualization (NFV), IP networking, and colored foods (such as 'green rice').
