Google has introduced a new context-aware access control capability and hardware key based authentication support for enterprises using its cloud-computing platform (GCP).
The new features are part of a broader set of security updates to its cloud services that Google announced at the company’s Next ’18 partner conference in San Francisco this week. Other major updates include a cloud-hosted hardware security module (HSM) service for hosting encryption keys and a so-called Shielded VMs feature for monitoring the security of virtual machines.
The new features this week add to the more than 20 security updates that Google announced last March as it competes with Amazon and Microsoft for a larger percentage of the enterprise cloud market.
The goal is to provide organizations with a scalable and highly secure foundation for running their cloud workloads, wrote Jennifer Lin, director of product management at Google Cloud, in a blog July 25. “As your organization moves workloads to the cloud, trust in the underlying infrastructure is critically important,” she noted.
Helps Implement Beyond Corp Zero-Trust Approach
The new context-aware access support for cloud customers that Google announced this week implements many elements of BeyondCorp, a zero-trust approach to security that Google uses internally to control employee access to its data and services. The idea behind BeyondCorp is that access to enterprise assets should not be based solely on where a user is logging in from but also on a thorough vetting of the user’s identity and of their device.
With context-aware access, organizations will be able to define and to enforce more granular access policies to Google cloud-hosted resources based on a user’s identity, location and an understanding of the context in which access is being sought, Lin said. The feature is currently available in limited fashion for organizations using Google Virtual Private Cloud (VPC) Service Controls but will become available more broadly soon, she noted.
Google is offering its new key-based authentication service via the Titan Security Key, a hardware key featuring firmware developed by Google. Organizations can use the Titan Security Key to implement two-factor authentication to their cloud workloads on G Suite and GCP. The Security Key gives organizations an authentication mechanism that is stronger and more phishing resistant than two-step authentication via text messaging, Lin said.
Options for Storing Encryption Keys
The new Cloud HSM meanwhile will give organizations an option for storing their encryption keys and carrying out cryptographic operations in FIPS 140-2 Level 3 certified hardware security modules. The Federal Information Processing Standard 140-2 (FIPS 140-2) is a standard developed for use by federal agencies. Systems certified under the standard are generally considered to have a high-degree of security protections.
The new Cloud HSM service is integrated with Google’s existing Cloud Key Management Service (KMS) and makes it easier for organization to generate, managed and protect encryption keys for protecting their most sensitive workloads, Lin said. The service will help businesses better demonstrate their compliance with data protection and privacy mandates without the operational overhead of running and maintaining their own HSMs, she noted.