Enterprises using Google’s cloud load balancing to distribute their application workloads now have more control over how the service secures connections to client systems.
Google this week announced Secure Sockets Layer Policies for HTTPS and SSL Proxy Load Balancers, a new capability that gives administrators a way to specify the TLS version and profile of features Google’s load balancer must use when connecting with clients.
The goal is to give organizations more flexibility for addressing diverse security needs in the cloud, said Google software engineer David Gingold in a blog Feb.28. “When you use a load balancer as an HTTPS or Transport Layer Security (TLS) front end, you need to be able to control how it secures connections to clients,” he noted.
The new policy control feature allows administrators to consider what TLS capabilities they want the load balancer to negotiate and how the settings need to be managed. It is designed to address situations where compliance and internal security requirements might restrict the TLS protocol versions and the ciphers that a load balancer can use, Gingold said. In some cases, an organization with legacy clients might need the load balancer to support older SSL features.
SSL and TLS are widely deployed protocols for encrypting data and communications between client systems and servers on the Web. In the more than 20 years that SSL has been in use the protocol has morphed into multiple versions of TLS, with each version packing new cryptographic and performance enhancing features.
When servers and clients establish a connection with each other using TLS, they first negotiate exactly which version of TLS and which cipher suite they must use to communicate, Gingold noted. Google’s SSL proxy load balancing and HTTPS load balancing service typically perform this negotiation by default to ensure the most robust security.
However, there are situations where an organization might want more control over which SSL or TLS versions and ciphers an application should use when establishing a secure connection. Google’s new SSL Policies feature gives organizations a way to achieve this, he said.
According to Google, to set an SSL policy for HTTPS and Proxy Load balancers, administrators simply specify the minimum TLS version and associated profile—or set of features—they want to enable.
Administrators can choose from three Google-managed profiles, or they can set a customized profile to specify the features they want enabled in the load balancer. Organizations that want a custom profile for their load balancer will be able to individually choose the SSL/TLS features that they want enabled, Google said.
Organizations that go the managed profile route have a choice between what Google calls ‘Compatible’, ‘Modern’ and ‘Restricted’ profiles. The Compatible profile supports the broadest range of clients including those using outdated SSL features; the Modern profile supports a somewhat narrow set of modern clients; while the Restricted profile supports a reduced and selected set of SSL features.