New tools and services will help make it easier for enterprises to manage security with Google products as well as in rival Amazon Web Services and in their own private clouds and applications.
"The mission here is to build the most trusted cloud," Michael Aiello, product management director for Google Cloud, told Data Center Knowledge.
In 2018, he said, Google launched more than 70 new security products or enhancements. "Today, we're announcing 30 new things. There's a huge volume of stuff coming through, and we're continuing to invest heavily here."
For example, Google Cloud will now have context-aware access at no additional charge. In addition, some G Suite customers will have access to a beta version of this feature.
The feature was previously only available in beta on the Google Cloud Platform, he said.
Google is also working on making its products easier to set up and configure in a secure way.
"We agree with analysts that the biggest issues in the future are that it's tough to configure and set this up in a safe way," said Aiello. "Our goal is to make this simpler and simpler and simpler."
For example, Google's virtual private cloud security controls, previously in beta, are now generally available. These let Google's cloud customers define security perimeters around specific resources such as cloud storage buckets, BigTable instances and BigQuery datasets.
They're part of the Google Cloud Security Command Center, first introduced last year, which now enters general availability.
That helps companies defend against attacks specifically designed to go after cloud infrastructure, said Aiello.
For example, just last week a security firm discovered more than half a billion Facebook records stored in AWS were accidentally exposed.
"The Amazon services were configured insecurely and this enabled attackers to steal Facebook data," said John Pescatore, director of emerging trends at SANS Institute.
The new Google features are a big deal, he said. "There is a constant stream of these news items about AWS S3 buckets, several breaches a month.”
In addition to more native security features, Google is partnering with outside vendors for additional capabilities.
For example, StackRox offers detailed insights and security configuration support for Kubenetes containers. Previously, Google cloud customers who wanted to use StackRox tools would have two separate management panels – one for Google's own tools, and one for StackRox.
Today, the StackRox data will be available via Google's Cloud Security Command Center.
And it's not just for containers deployed on Google own platform, said Michelle McLean, VP of product marketing at StackRox. The security data can come from any private or public cloud service provider offering Kubernetes containers, as well as more limited data from providers offering non-Kubernetes containers.
"We can paint a much richer picture if we can talk to Kubernetes," said McLean.
According to McLean, there are several areas of potential vulnerability with containers.
The first one is that Kubernetes by default allows any asset to talk to any other asset. That makes it easier for developers to build their applications and makes the platform backward-compatible with older systems. The downside is a larger-than-necessary potential attack surface.
StackRox can analyze an application’s traffic patterns, identity which communication lines are being used and which can be shut down, handling the necessary configurations automatically. "We took a super complicated problem and we've made it automated and instant," said McLean.
Another potential security issue is access to the Kubernetes native management dashboard.
Last year, she said, hackers used Tesla’s Kubernetes platform to generate new containers to run cryptomining software. "They didn't steal Tesla data, but Tesla was paying the bill for cryptominers because of these exposed Kubernetes dashboards," said McLean.
According to Gartner, by 2020, 95 percent of cloud breaches will be caused by configuration issues.
In addition to working with third-party vendors like StackRox, Google is building out its own configuration management tools, said Jess Leroy, Google's director of product management for cloud security.
"The Google security team has gone through all the different types of configurations that typically lead to breaches and created scanners that allow customers to go through and look for things like public buckets that shouldn't be public," he said.
Altogether, 32 such detections have already been built, as well an intelligent security policy recommendation tool and troubleshooter.
"It's common for customers to over-grant privileges," he said. "It means that there's a much broader attack surface."
Google's own tools will also ingest data from non-Google platforms, such as private cloud deployments and Amazon Web Services.
But Google isn't out to compete with enterprise SIEM vendors, said Leroy. "We don't consider this to be a SIEM product," he said. "And most of our customers continue to use their own SIEM products."
Customers can export data to one of Google's SIEM partners or get custom exports to other platforms.
"We did a custom exporter for Splunk because many of our customers really wanted to push data to Splunk," said Leroy.
Authentication and Phishing Protection
The biggest security threat vectors today are compromised credentials and phishing emails.
Google has been working to protect its own services and users on both these fronts. For example, Gmail automatically filters or blocks suspected phishing emails, the Chrome browser protects users from visiting suspected phishing websites, and two-factor authentication is available for most of Google's products.
Enterprises now have access to these tools in a variety of different ways.
For example, it can take weeks, or months, for a company to shut down a malicious website that spoofs their official one to trick visitors into giving up credentials or downloading malware. Google now allows companies to submit spoofed sites so it can immediately block them for its billions of users.
Google is also expanding its authentication services to companies to use with their own apps. And its Android-based strong authentication, a separate, secure alternative to text messages, is now also available.
Key fobs and similar physical security keys can be easily lost or left at home, said Rob Sadowski, trust and security marketing lead at Google, and SMS-based verifications can be hacked.
"Our security keys are actually immune to those attacks," he said. "And we pretty much always have our phones. That makes it easy to use and always available."
This could be a good security feature for data centers to use for their administrators and other privileged users, said SANS Institute's Pescatore. But rolling it out to all enterprise users in general could be more difficult, he added, since not everyone has Android phones.