Though corporate concerns about cloud security have waned considerably in recent years, it still remains a big reason why enterprises balk at moving IT workloads more quickly to cloud environments.
Google this week introduced as many as 20 new security enhancements to its cloud portfolio in one of the company’s most comprehensive efforts yet to address some of those security concerns.
The updates are designed to give organizations more visibility and control over their security environment in the cloud and include new tools and services for protecting data, for mitigating threats such as denial of service attacks, and for managing user and administrator actions.
In a blog post on March 21, Google’s vice president of security and privacy Gerald Eschelbeck described the updates as the latest examples of the company’s efforts to make it easier for organizations to build and grow workloads in the cloud.
“We continue to develop new ways to give our customers the capabilities they need to keep up with today’s ever-evolving security challenges,” he said.
One of the more significant announcements today is a new service—currently in the alpha stage—that Google is calling VPC Service Controls.
VPC Service Controls gives enterprise security administrators a way to extend perimeter security defenses to the cloud, according to Eschelbeck. Just as firewalls and anti-malware tools work to protect on-premise systems and data, VPC Service Controls can be used to define a perimeter around enterprise assets on Google Cloud services including Cloud Storage, Bigtable and BigQuery, he said. VPC Service Controls gives organizations a way to enable secure communications between resources spanning cloud and on-premise deployments.
A so-called Access Context Manager feature in VPC Service Controls gives administrators more granular control over user access to cloud resources. For example, with it, administrators can control access based on a user’s location, endpoint security status or IP address, Eschelbeck said.
Another update this week is Cloud Security Command Center, also in alpha status, which is designed to give enterprise administrators more visibility over all of their resources across Google’s various cloud infrastructure components such as Compute Engine, Cloud Storage and Cloud Datastore.
The goal, according to Eschelbeck, is to give enterprises a way to get a quick handle on the projects they have running on Google’s cloud, the resources they are using, where sensitive data might be located and how security settings are configured.
The command center lets administrators quickly gauge if their cloud deployment configuration has changed in any way. It helps them identify potential issues such as cloud storage settings that are open to the Internet, sensitive data that may be openly accessible and whether cloud applications are vulnerable to specific threats including cross-site scripting errors, Eschelbeck said.
Google has also bolstered its Cloud Audit Logging feature with a new Access Transparency feature that gives organizations better visibility into all actions taken by Google’s own engineers and support staff when they interact with enterprise workloads in the cloud.
Such access has traditionally been a huge consideration for organizations planning cloud migrations. According to Eschelbeck, Access Transparency augments the controls that are already available in Cloud Audit Logging for keeping an eye on administrator activity in cloud settings. The new feature restricts the actions that Google’s staff can take with enterprise workloads and provides an immutable audit trail of all their activity, Eschelbeck claimed.
To help organizations mitigate the impact of denial of service attacks, Google has introduced Cloud Armor, a new service based on technologies the company currently uses to protect its own Gmail and YouTube cloud services. Organizations need to do little to activate the new capability, which also protects against attacks such as SQL injection and cross-site scripting, said Jennifer Lin, director of product management with Google’s cloud security and privacy team, in a separate blog.
With this week’s updates, enterprises using Google’s G Suite cloud productivity and communications suite will get new default protections against phishing threats. The new controls include automatic flagging of emails from untrusted senders that contain embedded scripts and encrypted attachments. They also include a control that warns against email attempting to spoof other employees.
Google claims these protections help ensure that more than 99 percent of the email threats that result in Business Email Compromise are automatically flagged or sent to the spam folder, said Suzanne Frey, director of security, trust and privacy at Google Cloud, in a third blog post describing the new updates.