Google expands cloud security capabilities, including simpler configuration

New tools and services will help make it easier for enterprises to manage security with Google products as well as with Amazon and in their own private clouds and applications.

Maria Korolov Apr 11th 2019

Google has announced 30 new features or enhancements of its Google Cloud platform that are designed to improve the ability of organizations to manage security not only for the Google platform, but other cloud-based services and applications as well. "The mission here is to build the most trusted cloud," said Michael Aiello, product management director for Google Cloud, at a press conference announcing the new features.

For example, Google Cloud will now have context-aware access at no additional charge. In addition, some G Suite customers will have access to a beta version of this feature. The feature was previously only available in beta for the Google Cloud Platform, he said. Google is also working on making its products easier to set up and configure in a secure way.

"We agree with analysts that the biggest issues in the future are that it's tough to configure and set this up in a safe way," said Aiello. "Our goal is to make this simpler and simpler and simpler." Google's virtual private cloud security controls, previously in beta, are now generally available. These let Google's cloud customers define security perimeters around specific resources such as cloud storage buckets, BigTable instances and BigQuery datasets. They're part of the Google Cloud Security Command Center, first introduced last year, which now enters general availability.

That helps companies defend against attacks that go after cloud infrastructure, said Aiello. For example, just last week a security firm discovered more than half a billion Facebook records were accidentally exposed through AWS. "The Amazon services were configured insecurely and this enabled attackers to steal Facebook data," John Pescatore, director of emerging trends at SANS Institute, tells CSO.

The new Google features are a big deal, Pescatore says. "There is a constant stream of these news items about AWS S3 buckets, several breaches a month."

Google partners with third parties for container security

In addition to more native security features, Google is also partnering with outside vendors for additional capabilities. For example, StackRox offers detailed insights and security configuration support for Kubernetes containers. Previously, Google Cloud customers who wanted to use StackRox tools would have two separate management panels — one for Google's own tools, and one for StackRox. Today, the StackRox data will be available via Google's Cloud Security Command Center.

It's not just for containers deployed on Google’s own platform, Michelle McLean, vice president of product marketing at StackRox, tells CSO. The security data can come from any private or public cloud service provider offering Kubernetes containers, as well as more limited data from providers offering non-Kubernetes containers. "We can paint a much richer picture if we can talk to Kubernetes," says McLean.

According to McLean, there are several areas of potential vulnerability with containers. First is that, by default, Kubernetes allows any asset to talk to any other asset. That makes it easier for developers to build their applications and makes the platform backward-compatible with older systems.

The downside is that the potential attack surface is larger than it should be. StackRox can analyze the traffic patterns of an application, identify which communication lines are used and which can be shut down, and can automatically handle the necessary configurations. "We took a super complicated problem and we've made it automated and instant," says McLean.
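To make the any-to-any default and its remedy concrete, here is an added example (not StackRox's or Google's code) that takes a constructed list of observed flows inside one namespace and derives a default-deny ingress NetworkPolicy plus one allow policy per destination service, so only the communication lines actually in use remain open. The namespace name, the `app` labels and the ports are assumptions for illustration.

```python
"""Derive least-privilege Kubernetes NetworkPolicy objects from observed traffic.

Added example, not StackRox's or Google's code. It assumes flows have already
been collected as (source app label, destination app label, destination TCP
port) tuples; the flows below are a constructed sample.
"""
from collections import defaultdict

# Constructed sample of observed traffic inside one namespace.
OBSERVED_FLOWS = [
    ("frontend", "api", 8080),
    ("frontend", "api", 8080),   # duplicate observation, collapses into one rule
    ("api", "db", 5432),
    ("api", "cache", 6379),
]


def default_deny_policy(namespace):
    """Select every pod in the namespace with no ingress rules: nothing is allowed in."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-ingress", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
    }


def allow_policies_from_flows(flows, namespace):
    """One ingress policy per destination app, allowing only observed sources and ports."""
    by_dest = defaultdict(lambda: defaultdict(set))   # dst -> src -> {ports}
    for src, dst, port in flows:
        by_dest[dst][src].add(port)

    policies = []
    for dst in sorted(by_dest):
        ingress = []
        for src in sorted(by_dest[dst]):
            ingress.append({
                "from": [{"podSelector": {"matchLabels": {"app": src}}}],
                "ports": [{"protocol": "TCP", "port": p} for p in sorted(by_dest[dst][src])],
            })
        policies.append({
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": f"allow-to-{dst}", "namespace": namespace},
            "spec": {
                "podSelector": {"matchLabels": {"app": dst}},
                "policyTypes": ["Ingress"],
                "ingress": ingress,
            },
        })
    return policies


def unreachable_pairs(flows, apps):
    """Ordered (src, dst) pairs that the generated policies would now block."""
    observed = {(s, d) for s, d, _ in flows}
    return sorted((s, d) for s in apps for d in apps if s != d and (s, d) not in observed)


if __name__ == "__main__":
    import json
    ns = "shop"
    bundle = [default_deny_policy(ns)] + allow_policies_from_flows(OBSERVED_FLOWS, ns)
    print(json.dumps(bundle, indent=2))
    print("newly blocked:", unreachable_pairs(OBSERVED_FLOWS, {"frontend", "api", "db", "cache"}))
```

The design relies on two NetworkPolicy semantics: a policy whose `podSelector` is empty selects every pod in the namespace and, with no `ingress` rules, isolates them all; additional policies are additive, so each `allow-to-*` policy re-opens exactly the observed source and port for its destination. The `unreachable_pairs` helper is the review step a team would want before applying the bundle, since any flow that was not observed during the collection window (a periodic batch job, for example) is about to be cut.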

Another potential security issue is access to the Kubernetes native management dashboard. Last year, McLean says, Tesla was hit by an attack where hackers were able to use their Kubernetes platform to generate brand new containers to run cryptomining software. "They didn't steal Tesla data, but Tesla was paying the bill for cryptominers because of these exposed Kubernetes dashboards."

New configuration management tools

According to Gartner, by 2020, 95% of cloud breaches will be caused by configuration issues. In addition to working with third-party vendors like StackRox, Google is also building out its own configuration management tools, said Jess Leroy, Google's director of product management for cloud security, at the press conference. "The Google security team has gone through all the different types of configurations that typically lead to breaches and created scanners that allow customers to go through and look for things like public buckets that shouldn't be public," he said.

Altogether, 32 such detections have already been built, as well as an intelligent security policy recommendation tool and troubleshooter. "It's common for customers to over-grant privileges," Leroy said. "It means that there's a much broader attack surface."
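As an added illustration of the two detection classes Leroy describes, public buckets and over-granted privileges, the following script (not Google's scanner) audits bucket IAM policies in the bindings (role to members) shape used by Cloud Storage. The bucket names, principals and policies are constructed samples, and the `public_allowlist` parameter is an assumption of this example that lets a team mark buckets that are meant to be public, so the scanner separates deliberate from accidental exposure.

```python
"""Toy bucket-IAM misconfiguration scanner.

Added example, not code from Google's Cloud Security Command Center. It reads
IAM policies as a list of bindings (role -> members) and flags the two
misconfiguration classes discussed in the article: buckets granted to public
principals and basic roles granted to broad principals. Every policy below is
a constructed sample with invented bucket and principal names.
"""

# Principals that open a bucket to anyone on the internet or to any Google account.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Basic roles bundle far more permissions than a storage consumer needs.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Principal kinds that cover many identities with one binding.
BROAD_PRINCIPAL_KINDS = {"domain", "group"}

SAMPLE_POLICIES = {
    "acme-public-assets": {
        "bindings": [
            {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
            {"role": "roles/storage.admin", "members": ["group:web-ops@example.com"]},
        ]
    },
    "acme-customer-exports": {
        "bindings": [
            {"role": "roles/storage.objectViewer", "members": ["allAuthenticatedUsers"]},
            {"role": "roles/editor", "members": ["domain:example.com"]},
        ]
    },
    "acme-build-logs": {
        "bindings": [
            {"role": "roles/storage.objectViewer",
             "members": ["serviceAccount:ci@example.iam.gserviceaccount.com"]},
        ]
    },
}


def scan_policy(bucket, policy, public_allowlist=frozenset()):
    """Return findings as (severity, bucket, role, member, reason) tuples.

    public_allowlist (an assumption of this example) names buckets that are
    intentionally public, e.g. static website assets, so they are not reported.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            kind = member.split(":", 1)[0]
            if member in PUBLIC_PRINCIPALS and bucket not in public_allowlist:
                findings.append(("HIGH", bucket, role, member,
                                 "bucket readable by principals outside the project"))
            elif role in BASIC_ROLES and kind in BROAD_PRINCIPAL_KINDS:
                findings.append(("MEDIUM", bucket, role, member,
                                 "basic role granted to a broad principal; prefer a storage.* role"))
    return findings


def scan_all(policies, public_allowlist=frozenset()):
    """Scan every bucket policy in bucket-name order and concatenate the findings."""
    findings = []
    for bucket, policy in sorted(policies.items()):
        findings.extend(scan_policy(bucket, policy, public_allowlist))
    return findings


if __name__ == "__main__":
    for sev, bucket, role, member, reason in scan_all(SAMPLE_POLICIES):
        print(f"{sev:6} {bucket:24} {role:30} {member:45} {reason}")
```

Run as-is, the sample produces three findings: the customer-exports bucket is readable by any Google account and its whole domain holds `roles/editor`, and the public-assets bucket is open to `allUsers`. Passing `public_allowlist={"acme-public-assets"}` drops the last one, which is how an operator records that a bucket is public on purpose rather than by accident.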

Google's own tools will also ingest data from non-Google platforms, such as private cloud deployments and Amazon Web Services. However, Google isn't out to compete with enterprise SIEM vendors, said Leroy. "We don't consider this to be a SIEM product," he said. "And most of our customers continue to use their own SIEM products."

Customers can export data to one of Google's SIEM partners or get custom exports to other platforms. "We did a custom exporter for Splunk because many of our customers really wanted to push data to Splunk," said Leroy.

Better authentication and phishing protection

The biggest security threat vectors today are compromised credentials and phishing emails. Google has been working to protect its own services and users on both these fronts. For example, Gmail automatically filters or blocks suspected phishing emails, the Chrome browser protects users from visiting suspected phishing websites, and two-factor authentication is available for most of Google's products.

Enterprises now have access to these tools in a variety of different ways. For example, it can take weeks, or months, for a company to shut down a malicious website that spoofs their official one to trick visitors into giving up credentials or downloading malware. Google now allows companies to submit spoofed sites to Google so that Google can immediately block them for its billions of users.

Google is also expanding its authentication services to companies to use with their own apps. Its Android-based strong authentication, a separate, secure alternative to text messages, is now also available.

Key fobs and similar physical security keys can be easily lost or left at home, said Rob Sadowski, who works in trust and security marketing at Google, and SMS-based verifications can be hacked. "Our security keys are actually immune to those attacks," he said at the press event. "And we pretty much always have our phones. That makes it easy to use and always available."

This could be a good security feature for data centers to use for their administrators and other privileged users, says SANS Institute's Pescatore. Rolling it out to all enterprise users in general could be more difficult, he added, since not everyone has Android phones.