A Google product that allows enterprises to know when and for what reason a Google administrator might have accessed their cloud data is now generally available.
Customers of six Google Cloud Platform (GCP) services, including Compute Engine, App Engine and Cloud Storage, can now use the company’s recently announced Access Transparency Logs to monitor any access to their workloads by Google engineers.
“Google’s terms of service state we only ever access your data for reasons necessary to provide your service to you,” noted Joseph Valente, a Google product manager, in a blog post on Sept. 11. Access Transparency Logs allow organizations to verify whether Google is indeed adhering to this claim, he said.
“These logs provide visibility into access at every layer of the stack—not just when access happens through public [Application Programming Interfaces] or high-level endpoints.”
Analysts consider such visibility important for companies that want to migrate workloads to the cloud, but are wary of doing it because of concerns over improper and unauthorized access to their data by the cloud services provider.
A survey by HyTrust last year showed that many organizations consider uncontrolled and unmonitored access to their data by cloud administrators to be the top risk of migrating workloads to the cloud.
Google announced in March that Access Transparency Logs had entered a beta evaluation phase. At the time the company described the feature as a way of providing organizations with an audit trail of actions taken by Google’s support and engineering staff when interacting with their data and system configurations. Such interactions typically occur when a customer calls Google for support and the company opens a ticket to investigate the issue.
When such interactions do occur, Google customers can get access logs that are generated in near real time and delivered to their Google Stackdriver Logging console. Administrators can review and act on the logs as they do with any other cloud audit logs, according to the company. The logs provide information on which resources were accessed and the operations performed on those resources, along with the justification for those actions, Google has noted.
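The paragraph above describes what each log entry carries (resource, operation, justification) and notes that the entries should line up with support tickets the customer opened. The script below is an added example of how a defender might triage such entries; it is not Google's code, and the field names (`resource`, `operation`, `justification`, `ticket`) and the sample log lines are constructed for illustration rather than taken from the documented Access Transparency schema. The check it performs is the one the article implies: an access with no justification, or one that cites no ticket or a ticket the customer never opened, is the kind of event worth a closer look.

```python
import json
from collections import Counter

# Constructed sample log (newline-delimited JSON). The field layout is an
# assumption made for this example, not Google's documented schema.
SAMPLE_LOG = """\
{"timestamp": "2018-09-11T14:02:10Z", "resource": "projects/demo-proj/buckets/invoices", "operation": "storage.objects.get", "justification": "Customer-initiated support", "ticket": "CASE-1001"}
{"timestamp": "2018-09-11T14:05:42Z", "resource": "projects/demo-proj/instances/web-1", "operation": "compute.instances.get", "justification": "Customer-initiated support", "ticket": "CASE-1001"}
{"timestamp": "2018-09-12T03:17:09Z", "resource": "projects/demo-proj/buckets/invoices", "operation": "storage.objects.list", "justification": "Google-initiated service", "ticket": null}
{"timestamp": "2018-09-12T09:30:00Z", "resource": "projects/demo-proj/datasets/hr", "operation": "bigquery.tables.getData", "justification": "", "ticket": "CASE-9999"}
"""

# Constructed: the support cases this customer actually opened.
OPEN_TICKETS = {"CASE-1001"}


def parse_log(raw: str) -> list:
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def classify(entry: dict, open_tickets: set) -> str:
    """Return 'expected' when the access is tied to a ticket the customer opened;
    otherwise return a short reason describing why the entry deserves review."""
    justification = (entry.get("justification") or "").strip()
    ticket = entry.get("ticket")
    if not justification:
        return "missing justification"
    if ticket is None:
        return "no ticket reference"
    if ticket not in open_tickets:
        return "unknown ticket"
    return "expected"


def triage(raw: str, open_tickets: set) -> dict:
    """Group entries that need review by reason and count accesses per resource."""
    entries = parse_log(raw)
    review = {}
    per_resource = Counter()
    for entry in entries:
        per_resource[entry["resource"]] += 1
        verdict = classify(entry, open_tickets)
        if verdict != "expected":
            review.setdefault(verdict, []).append(entry)
    return {"total": len(entries), "review": review, "per_resource": dict(per_resource)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, OPEN_TICKETS)
    flagged = sum(len(items) for items in report["review"].values())
    print(f"{report['total']} access events; {flagged} need review")
    for reason, items in report["review"].items():
        for entry in items:
            print(f"  [{reason}] {entry['timestamp']} {entry['operation']} on {entry['resource']}")
    print("accesses per resource:", report["per_resource"])
```

In practice the ticket list would come from the customer's own support records, and the per-resource counts are the starting point for a simple baseline: a resource that is suddenly touched far more often than usual merits the same review as an entry with a missing justification.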
According to Valente, Google had to expend considerable effort to deliver the access transparency capability. For example, he noted that Google had to build a binary authorization technology to ensure that any code used to access customer data is properly authenticated. Similarly, the company had to build enhanced data protection controls to automatically check the business justifications for accessing customer data.
Access Transparency Logs are currently available only to organizations that have signed up for Google’s Platinum or Gold enterprise support packages. Such customers can enable the feature with a single click in the Google Cloud console, Valente said.