Google Cloud Unveils New Capabilities For Data Encryption, Network Security, And Security Analytics

By Amit Chowdhry • Nov 21, 2019
  • Google Cloud Security VP Sunil Potti has announced new capabilities for data encryption, network security, security analytics, and user protection.

At Next UK event in London, Google Cloud Security VP of Engineering Sunil Potti announced new capabilities for data encryption, network security, security analytics, and user protection.

External Key Manager

With the external key manager, users can store and manage encryption keys outside of Google Cloud. With this tool, Google Cloud gives enterprises a broad range of encryption options so they can balance risk, control, security, and operational complexity when protecting cloud workloads. Google Cloud encrypts customer data at rest by default and offers customers multiple options to control and manage their encryption keys.

Google Cloud announced the next level of control with the new External Key Manager. Coming soon to beta, External Key Manager works with Cloud KMS and enables users to encrypt data in BigQuery and Compute Engine with encryption keys stored and managed in a third-party key management system deployed outside Google’s infrastructure. External Key Manager thereby lets you maintain separation between your data at rest and your encryption keys while still using the cloud for compute and analytics.

In order to make this service easier to implement, Google Cloud is working with Equinix, Fortanix, Ionic, Thales, and Unbound.

Key Access Justifications

Key Access Justifications is a new feature that will work with External Key Manager. This feature provides a detailed justification each time one of your keys is requested to decrypt data along with a mechanism for you to explicitly approve or deny providing the key using an automated policy that you set.

With External Key Manager and Key Access Justifications, you can deny Google the ability to decrypt your data for any reason. As a result, you are the ultimate arbiter of access to your data — a level of control not available from any other cloud provider.

The Key Access Justifications feature is coming soon to alpha for BigQuery and Compute Engine/Persistent Disk, and it covers the transition from data at rest to data in use.
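The approve-or-deny policy described above can be modelled as a small piece of decision logic on the key manager's side. The following is an added illustration, not Google's or any partner's code: an external key manager that receives a key request together with a justification, checks it against a customer-set allow-list per key, denies anything not explicitly allowed, records every decision, and can revoke all keys at once. The justification codes, key names, resource names and field names are constructed for this example and are not the product's real identifiers.

```python
"""Key-release policy for an external key manager (illustrative).

Added example, not Google's or any partner's code. It models the decision an
external key manager makes when the cloud provider requests a key, using a
customer-set policy over the justification attached to each request.
Justification codes, key names, resource names and field names are
constructed for this example and are not the product's real identifiers.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Constructed justification codes (assumption: the real product defines its own).
CUSTOMER_INITIATED = "CUSTOMER_INITIATED"        # the customer's own workload needs the key
SUPPORT_TICKET = "SUPPORT_TICKET"                # provider support acting on a customer ticket
PROVIDER_MAINTENANCE = "PROVIDER_MAINTENANCE"    # provider-initiated system operation
THIRD_PARTY_REQUEST = "THIRD_PARTY_REQUEST"      # request made on behalf of a third party
UNSPECIFIED = "UNSPECIFIED"                      # no justification supplied


@dataclass(frozen=True)
class KeyAccessRequest:
    key_id: str          # which externally held key is being asked for
    resource: str        # cloud resource whose data the key protects
    justification: str   # reason code sent with the request


@dataclass
class KeyReleasePolicy:
    # key_id -> justification codes the customer approves automatically.
    # Anything not listed (including unknown keys) is denied by default.
    allowed: Dict[str, FrozenSet[str]]
    audit_log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def decide(self, req: KeyAccessRequest) -> bool:
        """Return True to release the key, False to refuse; always record the decision."""
        permitted = self.allowed.get(req.key_id, frozenset())
        approved = req.justification in permitted
        self.audit_log.append(
            (req.key_id, req.resource, req.justification, "APPROVE" if approved else "DENY")
        )
        return approved

    def revoke_all(self) -> None:
        """Emergency switch: refuse every future request, whatever the justification."""
        self.allowed = {key: frozenset() for key in self.allowed}


def build_policy() -> KeyReleasePolicy:
    """Constructed policy: approve only customer-driven use of each key."""
    return KeyReleasePolicy(allowed={
        "bq-dataset-key": frozenset({CUSTOMER_INITIATED}),
        "vm-disk-key": frozenset({CUSTOMER_INITIATED, SUPPORT_TICKET}),
    })


def run_demo() -> List[str]:
    """Evaluate a constructed batch of requests; returns the decisions in order."""
    policy = build_policy()
    requests = [
        KeyAccessRequest("bq-dataset-key", "bigquery/dataset/sales", CUSTOMER_INITIATED),
        KeyAccessRequest("bq-dataset-key", "bigquery/dataset/sales", PROVIDER_MAINTENANCE),
        KeyAccessRequest("vm-disk-key", "compute/disks/web-1", SUPPORT_TICKET),
        KeyAccessRequest("vm-disk-key", "compute/disks/web-1", UNSPECIFIED),
        KeyAccessRequest("unknown-key", "compute/disks/web-2", CUSTOMER_INITIATED),
    ]
    decisions = [policy.decide(r) for r in requests]
    policy.revoke_all()
    # After revocation even a previously approved justification is refused.
    decisions.append(policy.decide(requests[0]))
    return ["APPROVE" if d else "DENY" for d in decisions]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The deny-by-default lookup is the important design choice: a request for a key the policy does not know, or with a justification the customer never listed, is refused without any further logic, and the audit log keeps a record of refused requests as well as approved ones so the customer can see what was asked for.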

These encryption innovations also complement other recently released encryption options, including customer-managed encryption keys for Cloud SQL (now generally available), customer-managed encryption keys for GKE persistent disks (a beta feature for Google Kubernetes Engine), application-layer secrets encryption in GKE (a GA feature that enables envelope encryption for your Kubernetes secrets), key import for Cloud HSM (a GA feature that lets users generate and use their own keys with Google Cloud’s managed HSM service), and Cloud HSM availability in all Google Cloud regions and multi-regions.

Defense From Internet Threats

By standing up applications on Google Cloud, you benefit from DDoS and web attack protection at Google scale. Google Cloud Armor works with the company’s global Cloud Load Balancing infrastructure and provides always-on attack detection and mitigation so you can run your business without interruption.

Google also announced the beta of Cloud Armor’s new web application firewall (WAF) capabilities to help protect applications against targeted and distributed internet threats. And now you can configure Cloud Armor policies with geo-based access controls, pre-configured WAF application protection rules to mitigate OWASP Top 10 risks, and a custom rules language to create custom Layer-7 filtering policies. Plus Cloud Armor also now integrates with Cloud Security Command Center (Cloud SCC), notifying customers of suspicious application traffic patterns directly in the Cloud SCC dashboard.

Collecting And Inspecting Network Traffic At Scale

While networks grow in complexity, monitoring traffic helps users manage performance and security. And in public cloud environments, capturing network traffic reliably at scale for monitoring has been a challenge.

Google Cloud’s new Packet Mirroring service (now in beta) allows users to collect and inspect network traffic for Compute Engine and GKE, and it is available for all machine types in all Google Cloud regions. Using this service, you can feed third-party tools to detect threats more proactively, respond to intrusions better with signature-based attack detection, and identify zero-day attacks better with anomaly detection.

Google Cloud also built an ecosystem of partners so you can use Packet Mirroring with third-party tools of your choice, including products from Awake Security, Check Point, Cisco, Corelight, cPacket Networks, ExtraHop Networks, Flowmon, Ixia by Keysight, Netscout, and Palo Alto Networks.
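To make the two detection styles named above concrete, here is an added example that is not Google's or any of the listed partners' code. It runs a handful of signature rules and one anomaly rule over a small set of constructed flow records of the kind a packet-mirroring collector would hand to an analysis tool. The record fields, rules, thresholds and sample records are all assumptions made for this example.

```python
"""Signature and anomaly detection over mirrored flow records (illustrative).

Added example, not Google's or any listed partner's code. It shows the two
detection styles the text describes, signature matching and anomaly
detection, applied to a small set of constructed flow records of the kind a
packet-mirroring collector would hand to an analysis tool. Record fields,
rules, thresholds and the sample records are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str             # source address inside the VPC
    dst: str             # destination address
    dst_port: int        # destination port
    bytes_out: int       # bytes sent by src in this flow
    payload_head: bytes  # first bytes of the mirrored payload


# Constructed sample records (not captured traffic).
FLOWS: List[Flow] = [
    Flow("10.0.0.11", "10.0.1.5", 443, 1000, b"\x16\x03\x01"),               # TLS, normal
    Flow("10.0.0.12", "10.0.1.5", 443, 1200, b"\x16\x03\x01"),               # TLS, normal
    Flow("10.0.0.13", "10.0.1.9", 23, 900, b"admin\r\n"),                    # cleartext telnet
    Flow("10.0.0.14", "10.0.1.5", 80, 1100, b"GET /../../secret HTTP/1.1"),  # traversal pattern
    Flow("10.0.0.15", "203.0.113.7", 443, 50000, b"\x16\x03\x01"),           # unusual volume
]

# Signature rules: a name and a predicate over one flow. These encode known-bad
# patterns; they catch what has been seen before and miss what has not.
SIGNATURES: List[Tuple[str, Callable[[Flow], bool]]] = [
    ("cleartext-telnet", lambda f: f.dst_port == 23),
    ("http-path-traversal", lambda f: f.dst_port == 80 and b"/../" in f.payload_head),
]


def signature_alerts(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (rule name, source address) for each flow matching a signature."""
    return [(name, f.src) for f in flows for name, match in SIGNATURES if match(f)]


def anomaly_alerts(flows: List[Flow], factor: int = 10) -> List[Tuple[str, str]]:
    """Flag sources whose outbound volume exceeds `factor` times the median source.

    The median is used as the baseline because, unlike the mean, one large
    outlier does not drag it upward and thereby hide itself.
    """
    per_source: Dict[str, int] = defaultdict(int)
    for f in flows:
        per_source[f.src] += f.bytes_out
    baseline = median(per_source.values())
    return [("outbound-volume", src) for src, total in sorted(per_source.items())
            if total > factor * baseline]


def analyze(flows: List[Flow]) -> Dict[str, List[Tuple[str, str]]]:
    """Run both detectors; the combined view is what a SIEM would ingest."""
    return {"signature": signature_alerts(flows), "anomaly": anomaly_alerts(flows)}


if __name__ == "__main__":
    for kind, alerts in analyze(FLOWS).items():
        for rule, src in alerts:
            print(f"{kind}: {rule} from {src}")
```

The signature rules catch the telnet session and the traversal-shaped request because those patterns are known in advance; the volume rule catches the fifth source purely because it behaves unlike its peers, which is the kind of finding signature matching alone cannot produce. In practice the baseline would be learned over a window of historical traffic rather than from the same batch being inspected.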

Protecting G Suite And Cloud Identity Users

Google’s Advanced Protection Program is the company’s strongest protection for users at risk of targeted attacks. In the enterprise, this includes IT administrators and executives.

Now the Advanced Protection Program is starting to roll out to G Suite and Cloud Identity customers. With the Advanced Protection Program for the enterprise, Google Cloud will enforce a specific set of policies for enrolled users, including security key enforcement, blocking access to untrusted apps, and enhanced scanning for email threats.

“We’re also introducing app access control, helping you reduce the risk of data loss by limiting access to G Suite APIs to third-party apps you trust. You can also more easily manage and restrict which Google APIs are available for use by third-party and customer-owned apps, and see which apps are verified by Google,” said Potti.

Google Threat Intelligence In Cloud Security Command Center

Google Cloud is continuing to build products that let its customers benefit from the techniques the company has developed, and it is packaging threat detection and prevention capabilities into Cloud Security Command Center.

For example, Event Threat Detection (now in beta) helps users detect threats targeting their cloud resources by analyzing logs, and lets them send incidents to their SIEM (Security Information and Event Management system) for further investigation. Event Threat Detection relies on Google threat intelligence to help users spot and stop threats before they result in business damage or loss.

Security Health Analytics helps users prevent incidents by identifying potential misconfigurations and compliance violations in their GCP resources and suggesting appropriate corrective action.

As Google Cloud continues to innovate and simplify security management on GCP, Event Threat Detection and Security Health Analytics will be bundled in a Premium Edition of Cloud Security Command Center with other new capabilities that help users meet industry compliance requirements, catch web application vulnerabilities, detect compromised VMs, and discover other threats. The Premium Edition will give you a comprehensive and easy-to-deploy set of tools to protect your cloud resources.

Chronicle Security Analytics

The Chronicle Backstory product was designed by former Google security professionals so that anyone can apply the same kinds of techniques for detecting threats and investigating security incidents. The Backstory tool offers you this level of intelligence: with just a few clicks, you can aggregate and analyze your security telemetry wherever your apps run today and wherever they might run in the future.