Google Boosts Cloud Security, Transparency and Identity

At Google Next, new and enhanced services debut to provide organizations with improved visibility and control over cloud resources, to help limit potential security risks.

Google Next Security

The way Google sees it, one of the primary ways to grow cloud adoption is by increasing trust and security in the cloud.

At its Google Next event on April 10, Google announced new and enhanced services that look to improve security in the cloud as well as provide better security and transparency of the Google Cloud platform itself. Among the enhanced services announced at Google Next is the Cloud Security Command Center dashboard, Access Transparency, Security Health Analytics and Policy Intelligence for cloud workloads.

"Overall, our mission here is to build the most trusted cloud," Michael Aiello, director of product management for Cloud Security at Google Cloud, said during a briefing with press.

The security announcements come on the second day of the Google Next conference. The first day of the event was marked by the launch of new managed open-source service offerings and the general availability of the Anthos, Google Cloud Services’ multi-cloud offering.

Among the most tenuous and controversial aspects of public cloud services in general is the ability of the cloud operator to peek into client workloads. It's an issue that Google is now addressing with new access transparency efforts that will alert organizations when a Google Cloud employee needs to access a client's resources. Aiello said that Google is launching an Access Approval feature in beta for Google Compute Engine, Google App Engine and Google Cloud Storage that will give organizations the choice to approve and enable Google employee access.

Cloud Security Command Center

While transparency helps address concerns about the security of the underlying cloud platform, organizations still need to deal with security in their own cloud instances and resources. That's where the enhanced Cloud Security Command Center fits in, providing a single dashboard that provides visibility and control over an organization's Google Cloud resources.

Beyond just visibility, the command center also integrates with threat intelligence feeds and third-party security tools that an organization might be using to further secure their cloud resources.

Security Health Analytics

Intelligence and visibility are complemented by the new Security Health Analytics service that can help cloud administrators identify and then fix the most frequent causes of security incidents in the cloud.

"To protect our customers from misconfigurations, the Google security team has gone through and evaluated all of the different types of configurations that typically lead to breaches," Jess Leroy, director of product management, Cloud Security at Google Cloud, said. "And we've created scanners that will go through and help customers find and mitigate those types of configuration issues."

Among the configuration issues that Security Health Analytics can help detect are misconfigured firewall policies and publicly exposed cloud storage buckets. 

Policy Intelligence

Another type of issue that can be challenge in the cloud are resources that have more permissions and access privileges than what are needed. By having too much access, the attack surface and potential for misuse are larger, which is why Google is trying to limit that risk with its new Policy Intelligence services.

Leroy explained that that the policy recommender feature uses machine learning to understand all of the different access attempts over time to learn what permissions are actually required. Google will then recommend exactly the right permissions required for a given service to run with the least amount of privilege and associated risk. In addition to the policy recommender, there is a new policy troubleshooter service.

"Oftentimes, a user will come to an administrator looking for help gaining access to something that won't work," Leroy explained. "The administrator has to wade through all of the different access policies that apply in order to understand how best to provide access."

Leroy said the new policy troubleshooter uses Google artificial intelligence (AI) to automate the troubleshooting process and provide the permissions that will grant access, while not opening up additional attack surface. 

Cloud Identity

Many organizations already bring their own user identities with them as they move to cloud, often tied to Microsoft's Active Directory. To help support that and provide a new way for organizations to run Active Directory, Google announced a new managed service for Active Directory running in Google Cloud.

Going the other way, Google also wants to enable organizations to use Google-powered identity management within other apps and services, which is where the general availability launch of the Google Identity Platform fits in. The Identity Platform was formerly known as Cloud Identity for Customer and Partners (CICP) while it was in beta deployment.

"It provides great Google-powered identity and identity management capabilities embedded directly into the app or the service at Google scale," Leroy said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.