This week is a busy one for a tech analyst, with major announcements from both Samsung and Google. I’ve been covering Google Cloud Next’s announcements throughout the past couple of months, and have written on the company’s new G Suite features as well as some new partnerships and security/trust capabilities. Tuesday, I tuned into the Security & Trust Session of Google’s Cloud Analyst Summit, the kickoff of the tech giant’s Google Cloud Next ’20: On Air Security Week. If you are counting, this is week four of the event. Only five more weeks to go!
At the summit, the company unveiled several cloud-related cybersecurity announcements. With more businesses and employees than ever depending on the cloud for much of their remote working needs, it’s vital that cloud providers shore up any gaps in their infrastructure that might be vulnerable to attacks. There are always cybercriminals who look to take advantage of the chaos, and the fallout of Covid-19 has vastly expanded this particular attack surface.
Without further ado, today, I’d like to provide an overview of what Google announced. Let’s dive in.
Protecting sensitive data
Google recently announced a new technology it calls Confidential Computing. Basically, this solution encrypts data while it is being processed and in use. Built on Asylo, an open source framework, Confidential Computing keeps sensitive data encrypted within memory and other locales outside devices’ CPUs. While an entire portfolio of Confidential Computing solutions is planned, the first and only one currently in beta is Confidential VMs, a method of isolating customer data in the cloud. Confidential VMs utilize AMD’s 2nd Gen EPYC CPUs, and Google believes this technology has the potential to do particularly well with customers involved in regulated industries.
Speaking of regulated industries, not many are more regulated than the government. OK, maybe banking. Google unveiled another solution at the summit called Assured Workloads for Government. There are many different security and compliance requirements for government agencies, and this solution purportedly enables customers to easily configure and deploy their most sensitive workloads in accordance with policy. The big differentiator for this solution is that it enables businesses to meet these requirements without compromising organizations’ ability to adopt the latest cloud capabilities from Google. IBM’s offering is the closest neighbor competitively.
Another new solution that debuted this week is Private Service Connect. To enable Google Cloud’s “service-centric” vision of networking, enterprises must be able to connect to an ever-increasing variety of services, across various networks and organizations, and must be able to do it all securely. Google says Private Service Connect will enable easy, secure access to Google’s own Cloud services, third-party services, and in-house enterprise applications. No proxies, middleboxes, or complicated configurations are needed: Private Service Connect allows customers to consume services directly within their virtual networks.
This prevents the exposure of network traffic to the wild west of the public internet, where bad actors are always looking for easy targets. In addition to simplifying the connection to services and protecting network traffic from cybercrime, Google says Private Service Connect will also aid in accelerating enterprises’ cloud migrations. Simply connect to new cloud services, via Private Service Connect, from your secure on-prem infrastructure. If you’re willing to lock into a networking service, and accept the downsides that come with that, to protect your data even more, you should check it out.
Improved visibility into network cybercrime
Google also highlighted a couple of tools designed to give enterprises better visibility into network security threats. First, Firewall Insights seeks to bolster network security by providing proactive management and intelligence. Google says this will give customers increased firewall visibility and the ability to optimize firewall rules. Additionally, the company says customers can leverage the Firewall Insights Module within Google Cloud’s Network Intelligence Center to optimize firewall rules and fortify security boundaries.
The second offering in this category is a tool called Packet Mirroring, which was actually announced back in June. Basically, this solution gives customers full packet capture capabilities that Google says will help organizations pinpoint any network anomalies, whether they occur inside and across VPCs, in internal VM-to-VM traffic, in traffic between internet and VM end locations, or in traffic between VMs and Google services that are in production.
These two don’t seem especially differentiated, but they are services any credible global CSP needs to have.
A new endpoint security partnership
Also announced was a new partnership between Google and a company called Tanium, which specializes in unified endpoint management and security. Together, the two companies are launching a new solution that combines Google’s own Chronicle offering (a security analytics platform) with Tanium’s Threat Response platform. According to Google, this joint solution was designed to aid in the detection, investigation and scoping of APTs (long-lived, advanced attacks), which can infect an enterprise’s systems and data for, on average, 200-250 days. Google claims that Chronicle’s zero data volume charges and Tanium’s single agent architecture will enable enterprises to save money associated with storage and point tool sprawl for endpoint security.
Tanium is a hot property these days, and you can check out a write-up on the company here.
Odds and ends
Additionally, Google unveiled a new service called Cloud Armor Managed Protection Plus, which the company says customers can leverage to secure their websites and apps, while insulating against DDoS (distributed denial-of-service) attacks, which can be incredibly costly and disastrous. The solution is now in beta, and early customers will gain access to WAF and DDoS services, curated rule sets, and more, for a monthly subscription fee.
Google also announced it is publishing what it calls “a comprehensive new Google Cloud security foundations blueprint,” designed to help automate and construct more secure starting points for Google Cloud. This blueprint is reportedly an integral part of Google’s Cloud Security Best Practices Resource Center, where customers can access Google and its partners’ security expertise.
A new cloud service, called Certificate Authority Service, was also announced. This scalable service essentially seeks to simplify and automate the deployment and subsequent management of private Certificate Authorities, or CAs, in a manner that is simpatico with the needs of modern developers and applications. Traditionally, these private CAs can take months to deploy. Certificate Authority Service should cut that time down to a matter of minutes. It’s probably needless to say, but that is a significant reduction.
G Suite security fortifications
The last category of announcements was those that pertained to improving Google’s G Suite of productivity solutions. Google announced a new standard, called BIMI (Brand Indicators for Message Identification), designed to be a best practice framework for organizations that use DMARC to validate ownership and securely transmit corporate logos to Google. If they pass muster for Google’s anti-abuse safeguards, the logo will then be displayed in the Gmail UI’s existing avatar slots. This is helpful because it gives people better confidence that emails are coming from whom they say they are. This feature only works, of course, on Gmail. Outlook need not apply.
Another new feature, likely meant to curtail anything resembling Zoom’s security and privacy woes earlier this year, is a new ability for Google Meet meeting hosts to have more control over “knocking” and who is allowed to join their meetings. If someone has not been included in the meeting’s calendar invitation, they must ask for admission into the meeting by knocking. Furthermore, if someone is booted out of the meeting, they will no longer be able to request access again unless the host extends an invitation to them again. Additionally, one can only “knock” so many times before they’re automatically barred from requesting access.
In addition to that, more advanced controls are being given to hosts, such as designating which methods of joining, whether by calendar invite or by phone, get instantaneous admittance and which must request it by knocking. Hosts will also be able to set a control that blocks any anonymous user (those who are not logged into a Google account) from joining the conference. Additional controls include the ability to designate which attendees are allowed to chat or present during a Google Meet meeting.
Google also announced it was extending Gmail’s protections against phishing to Chat. Google will cross-reference any link received in Chat with real-time Safe Browsing data, and if it appears to be nefarious, it will be flagged. Additionally, users will soon have the ability to both report and block certain Chat Rooms that appear to be malicious.
The last area I’ll mention is Google’s unveiling of new security controls for IT administrators. The company has made it easier to manage devices, through a redesign within the G Suite admin console that makes navigation easier and adds the ability to display how many devices are being managed by each service.
Another announcement in that vein is the integration of G Suite with Apple Business Manager, which will allow many G Suite admins to easily, safely distribute and manage their organization’s Apple iOS devices.
Lastly, Google shared an enhancement to its Data Loss Prevention feature that enables administrators to leverage automated information rights management, or IRM, controls in the interest of stopping data exfiltration. This solution will block end users who attempt to download, copy and/or print Google Drive files. Additionally, administrators will now be able to leverage a new solution called App access control, which Google says will block applications that attempt to access G Suite services through an API, without necessitating an allow list.
Not that Google has been slacking on security, but all of these solutions look to be welcome additions to Google Cloud’s overall security posture. From data protection, to network and firewall visibility, to regulatory compliance, to protecting the integrity of Google Meet meetings, the company continues to solidify its security strategy. It comes at a good time to better protect this year’s influx of remote workers and organizations. Kudos to Google.