In March, Google announced more than 20 security enhancements. Apparently deciding that number wasn't enough, today they are announcing:
- Context-aware access capabilities, available now for select customers in beta for VPC Service Controls, and coming soon to beta for Cloud IAM, Cloud IAP and Cloud Identity
- Titan Security Key, available now to Cloud customers, and coming soon to the Google Store
- Shielded VMs, available now in beta
- Binary Authorization, coming soon to beta
- Container Registry Vulnerability Scanning, coming soon to beta
- Cloud Armor geo-based access control, available now in beta
- Cloud HSM, coming soon to beta
- Access Transparency, soon to be generally available
- G Suite security center investigation tool, available now via Early Adopter Program
- G Suite data regions, now generally available
With Binary Authorization, coming soon to beta, you can enforce signature validation when deploying container images. You sign each individual stage of your CI/CD pipeline to ensure images are properly built and tested prior to deployment, but more than that, because each stage is signed, you can invalidate everything that depends on a stage in your pipeline. In practice, this means you can build your containers the way Google compiles its code: when something that everything depends on changes, you rebuild everything below it and force the old versions out of your clusters. By adding Container Registry Vulnerability Scanning to your CI/CD layers, you can secure and test each stage and ensure that you aren't introducing known vulnerabilities. Container Registry Vulnerability Scanning automatically scans Ubuntu, Debian and Alpine images to ensure your images are safe to deploy.
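To make the per-stage signing and "invalidate everything below it" behaviour concrete, here is an added Python model of that admission check; it is not Google's code, and it assumes HMAC secrets as a stand-in for the asymmetric attestor keys Binary Authorization actually uses:

```python
import hashlib
import hmac

# One attestor per pipeline stage, each holding its currently active signing key.
# Real Binary Authorization attestors use PGP/PKIX keys; HMAC secrets stand in
# here (an assumption) so the model runs offline.
ATTESTOR_KEYS = {
    "build": {"build-key-v1": b"constructed-build-secret"},
    "test": {"test-key-v1": b"constructed-test-secret"},
}

# Deploy policy: every listed attestor must have signed the exact image digest.
POLICY = {"require_attestations_by": ["build", "test"]}


def image_digest(content: bytes) -> str:
    """Content-addressed image identity, as a registry would compute it."""
    return "sha256:" + hashlib.sha256(content).hexdigest()


def attest(stage: str, key_id: str, digest: str) -> dict:
    """A pipeline stage signs the digest of the image it built or tested."""
    secret = ATTESTOR_KEYS[stage][key_id]
    sig = hmac.new(secret, digest.encode(), hashlib.sha256).hexdigest()
    return {"attestor": stage, "key_id": key_id, "signature": sig}


def verify(att: dict, digest: str) -> bool:
    """An attestation counts only if its key is still active and matches this digest."""
    secret = ATTESTOR_KEYS.get(att["attestor"], {}).get(att["key_id"])
    if secret is None:  # unknown or rotated-out key: the stage must re-sign
        return False
    expected = hmac.new(secret, digest.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att["signature"])


def admit(digest: str, attestations: list, policy: dict = POLICY) -> tuple:
    """Admission decision: (allowed, attestors whose signature is missing or invalid)."""
    satisfied = {a["attestor"] for a in attestations if verify(a, digest)}
    missing = [s for s in policy["require_attestations_by"] if s not in satisfied]
    return (not missing, missing)


def rotate_key(stage: str, new_key_id: str, new_secret: bytes) -> None:
    """Retire a stage's old key: everything it attested now fails admission
    until that stage re-runs and re-signs, which forces old images out."""
    ATTESTOR_KEYS[stage] = {new_key_id: new_secret}
```

Rotating the build attestor's key is the "something everything depends on changed" case: every image signed with the old key is refused until the build stage re-attests it.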
In what seems like a response to growing data sovereignty laws and restrictions, Google is releasing context-aware access, which can, for example, block a given user from accessing a service in a given region (GDPR is a good example of this). Context-aware access allows organizations to define and enforce granular access to GCP APIs, resources, G Suite, and third-party SaaS apps based on a user's identity, location, and the context of their request. Context-aware access capabilities are available for select customers using VPC Service Controls, and are coming soon for customers using Cloud Identity and Access Management (IAM), Cloud Identity-Aware Proxy (IAP), and Cloud Identity.
After internally not seeing a single successful phishing attack since 2017, Google is now releasing Titan Security Key so that everyone else can avoid them too. Titan Security Keys, FIDO security keys, are available now to Google Cloud customers and will be available for anyone to purchase on the Google Store soon.
Shielded VMs (now in beta) leverage advanced platform security capabilities to help ensure your VMs have not been tampered with. With Shielded VMs, you can monitor and react to any changes in the VM baseline as well as its current runtime state.
On the anti-DDoS front (among other really good reasons), geo-based access control for Cloud Armor is available now in beta, allowing you to control access to your services based on the geographic location of the client trying to connect to your application. In effect, you can deploy application-level DDoS defense at scale based on your unique requirements.
Turns out, it's a lot easier to get several certifications (HIPAA) if you have a FIPS 140-2 Level 3 certified HSM. In the spirit of helping those poor souls building PCI/HIPAA systems, Google is releasing Cloud HSM, a managed cloud-hosted hardware security module (HSM) service.
A fully managed service, Cloud HSM is tightly integrated with Cloud Key Management Service (KMS), making it easy to create and use keys that are generated and protected in hardware, and to use them with customer-managed encryption key (CMEK) integrated services such as BigQuery, Google Compute Engine, Google Cloud Storage and Dataproc.
Access Transparency is being released into GA soon; it actually tells you when someone at Google is looking at your data on their platform.
For G Suite customers, Google is launching the investigation tool for security center, which lets you know, for example, when someone is trying to take your data and sell it to a competitor. With this new tool, admins can identify security issues within their domain and take rapid action to remediate. (Sign up for early access here)
For those operating in countries with strong data sovereignty laws, or who don't want to send their data across regions, Google is releasing data regions for G Suite, which makes it possible for G Suite Business and Enterprise customers to designate the region in which primary data for select G Suite apps is stored when at rest: globally, in the U.S., or in Europe.
Overall these represent a very nice leap in what Google is offering to the cyber teams of its customers. I'm sure at least one enterprise cyber team is going to love this set of news.