Google introduced a passel of security improvements to both Google Cloud Platform and G Suite, including Cloud Armor to protect against Distributed Denial of Service (DDoS) attacks, as well as better controls for enterprise security admins.
In teeing up the announcements earlier this week, Urs Hölzle, Google (Nasdaq: GOOG) senior vice president of technical infrastructure, made the case that the cloud is more secure than legacy infrastructure.
"Cloud providers offer a vast army of experts to protect against threats -- one far larger than almost any internal team a company could invest in," Hölzle said. "In fact, if businesses were to go it alone, there wouldn't be enough security professionals in the world to adequately protect every single company and their users."
Google followed Hölzle's comments, posted Monday, with 20 security enhancements Wednesday (or so Google said -- we didn't count) to both its Google Cloud Platform infrastructure and platform, as well as G Suite collaboration tools. We'll just hit the highlights for you.
Cloud Armor provides defense against DDoS attacks based on the technologies and infrastructure the company uses to protect Search, Gmail and YouTube. It delivers that defense through global HTTP and HTTPS load balancing, along with a rules language and a global enforcement engine for building custom defenses against multivector attacks -- combinations of two or more attack types. Custom defenses can use any combination of Layer 3 to Layer 7 parameters.
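To make the "rules language" concrete, here is an added illustration (not from the article, and not Google's own sample) of what a layered Cloud Armor policy looks like when written as a Terraform `google_compute_security_policy` resource. The policy name, region code and IP range are constructed placeholders, and the `expr`-based custom rules and the preconfigured expression name reflect the Terraform Google provider as it later stabilized, not the alpha announced here.

```hcl
# Added example (not from the article or Google's documentation).
# Names, the region code and the IP range are constructed placeholders.
resource "google_compute_security_policy" "edge_policy" {
  name        = "example-edge-policy"
  description = "Layered L3-L7 rules enforced at the global HTTP(S) load balancer"

  # Layer 3: drop traffic from a blocklisted source range before it reaches
  # any backend. Lower priority numbers are evaluated first.
  rule {
    action      = "deny(403)"
    priority    = 1000
    description = "L3 source-range blocklist (constructed range)"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["203.0.113.0/24"] # TEST-NET-3 documentation range, placeholder
      }
    }
  }

  # Layer 7: apply a preconfigured WAF signature set to request contents.
  rule {
    action      = "deny(403)"
    priority    = 2000
    description = "L7 preconfigured SQL injection signatures"
    match {
      expr {
        expression = "evaluatePreconfiguredExpr('sqli-stable')"
      }
    }
  }

  # Multivector: one custom rule that combines an L3 attribute (origin
  # region) with an L7 attribute (request path). 'XX' is a placeholder
  # for a region the service does not serve.
  rule {
    action      = "deny(403)"
    priority    = 3000
    description = "Deny login-path requests from an unserved region (constructed)"
    match {
      expr {
        expression = "origin.region_code == 'XX' && request.path.matches('^/login')"
      }
    }
  }

  # Default rule: anything not matched above is allowed through.
  rule {
    action      = "allow"
    priority    = 2147483647
    description = "Default allow"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}
```

The policy only takes effect once it is attached to a global backend service (the `security_policy` attribute on `google_compute_backend_service`), which is what places enforcement at the load balancer rather than on each instance. Rule ordering matters: put cheap network-layer denies at low priority numbers so they are evaluated before the request-inspection rules, and keep an explicit default rule at the lowest precedence so the policy's fallback behaviour is visible in review.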
Figure 1: Random Googlers at Google. Photo by Google.
A second post describes a new command center for cloud security, audit logging to increase transparency when Google accesses customer content, and controls for virtual private clouds (VPCs).
Cloud Security Command Center & Cloud Audit Logging
Google introduced Cloud Security Command Center, a control panel that gives users visibility into cloud assets across the Google Cloud Platform and into how vulnerable those assets might be to attack -- for example, whether assets are open to the Internet or contain personally identifiable information. The Command Center integrates information from a half-dozen partners, including Cloudflare, CrowdStrike, Dome9, RedLock, Palo Alto Networks and Qualys.
Google's Cloud Audit Logging provides transparency -- "an immutable audit trail" -- when Google engineers access customer content on Google Cloud Platform, Google says. Even before the new logging tool debuted, Google administrators were permitted to access customer content "only with valid business justifications, such as responding to a specific ticket our customers have initiated or recovering from an outage," Google says.
VPC Service Controls
Google introduced VPC Service Controls in alpha, to give users better control of the perimeters of their Virtual Private Cloud (VPC) service from Google.
Virtual Private Clouds are one of the finer distinctions between types of cloud service that have cropped up as the cloud matures and different organizations develop different needs. VPCs run on public cloud infrastructure from Google and other cloud providers, but they behave like private clouds in that resources are kept separate rather than pooled with the whole public cloud infrastructure. VPCs are for organizations requiring greater security and control than public cloud offers, but not as much as a true private cloud, where the hardware infrastructure itself is separate.
The new VPC Service Controls allow cloud users to set up a perimeter around the VPC to control data entering and leaving the VPC. Well-defined VPC service controls can help admins stop attackers from taking data -- or "exfiltration" -- from a VPC, Google says. Admins can "set up, reconfigure and tear down these virtual perimeters at will," Google says.
With the new controls enterprises "can create policies to grant access based on contextual attributes like user location, IP address and endpoint security status," Google says, allowing enterprises to "feel confident running sensitive data workloads in the cloud."
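The perimeter and the contextual access policies described above map onto two objects: an access level (the context conditions) and a service perimeter (the boundary that references it). The following is an added illustration, not from the article and not Google's own sample, written with the Terraform Google provider's Access Context Manager resources; the organization id, project number and IP range are constructed placeholders, and the resource schema reflects the provider as it later stabilized, not the alpha announced here.

```hcl
# Added example (not from the article or Google's documentation).
# Organization id, project number and the IP range are placeholders.
resource "google_access_context_manager_access_policy" "org_policy" {
  parent = "organizations/000000000000" # placeholder organization id
  title  = "example-access-policy"
}

# Access level: the contextual attributes the article describes. A request
# qualifies only if it comes from the corporate egress range, from an
# allowed country, and from a device that reports a screen lock
# (endpoint security status).
resource "google_access_context_manager_access_level" "corp_trusted" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}/accessLevels/corp_trusted"
  title  = "corp_trusted"
  basic {
    conditions {
      ip_subnetworks = ["198.51.100.0/24"] # TEST-NET-2 documentation range, placeholder
      regions        = ["US"]
      device_policy {
        require_screen_lock = true
      }
    }
  }
}

# Service perimeter: the virtual boundary around a project's services.
# API calls to the restricted services from outside the perimeter are
# denied unless the caller satisfies an attached access level, which is
# what limits data from leaving the perimeter.
resource "google_access_context_manager_service_perimeter" "data_perimeter" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}/servicePerimeters/data_perimeter"
  title  = "data_perimeter"
  status {
    resources           = ["projects/000000000001"] # placeholder project number
    restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
    access_levels       = [google_access_context_manager_access_level.corp_trusted.name]
  }
}
```

Two points worth checking in any real deployment: a perimeter only constrains the services listed in `restricted_services`, so an API left off that list is still reachable from outside, and the access level is an allow condition for crossing the boundary, so every attribute you add to it (range, region, device posture) narrows who can reach the restricted data.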
G Suite security
Next up, Google introduced enhanced G Suite security, including anti-phishing, mobile device management and more.
Google is using machine learning to identify phishing attacks: flagging email with encrypted attachments or embedded scripts from untrusted senders; warning against email that tries to spoof employee names or comes from a domain that looks similar to the recipient domain; flagging unauthenticated email; and scanning images and shortened URLs for phishing indicators.
For mobile device management, admins get security management controls to help them see which devices access corporate data, enforce passcodes and erase confidential data on both Android and iOS, and automatically protect Android and iOS devices with no user intervention or device profile required. Google updated Cloud Identity to manage users, apps and devices centrally.
Google is beefing up its security center for G Suite -- a security monitoring dashboard -- to display information on the new phishing detection and mobile management capabilities, as well as provide layout tools to make the dashboard more useful and analysis tools for overall security health and custom advice. (See Google Launches Security Dashboard for G Suite.)
For Team Drives shared document storage, Google is adding Information Rights Management to limit access to Team Drives members or users within the domain, and to prevent printing, downloading and copying.
Security gains importance
As enterprises entrust more of their critical processes to the cloud, security is becoming more important and vendors are scrambling to meet that need. This year, Cisco Systems Inc. (Nasdaq: CSCO) acquired Skyport Systems to enhance its cloud security. (See Cisco to Buy Skyport Systems for Cloud Security.)
Amazon.com Inc. (Nasdaq: AMZN) bought Sqrrl, founded by six former NSA employees, which develops big data analytics tools to help detect, investigate and visualize security threats within the network. (See Amazon Scoops Up Sqrrl for Cloud Security.)
And security startup ShiftLeft came out of stealth in October, with designs to shift cloud security from reactive to preventative -- getting on top of threats and vulnerabilities before they emerge. (See Cloud Security Startup ShiftLeft De-Stealths.)
— Mitch Wagner, Editor, Enterprise Cloud, Light Reading