Google Cloud Platform security updates buoy enterprise appeal

Google Cloud Platform security upgrades feed enterprise appetites

First, the company introduced VPC Service Controls, a managed service that lets enterprises configure private communication between cloud resources and hybrid virtual private cloud networks. IT teams can use Google's Cloud VPN or Cloud Dedicated Interconnect to secure the perimeter around data in API-based Google services -- such as Cloud Storage, BigQuery and Bigtable -- and create granular access-control policies based on attributes such as user location and IP address.

"The biggest value add with this approach is there is an added level of network isolation between the service and nonallowed clients," said Deepak Mohan, an analyst at IDC.

Google also released the Cloud Security Command Center (SCC) dashboard for services such as App Engine, Compute Engine, Cloud Storage and Cloud Datastore. This also helps address a common challenge among large cloud deployments: orphan resources, which inadvertently still run, Mohan said.

SCC integrates with the now generally available Cloud Data Loss Prevention (DLP) API, a managed service for users to redact sensitive and personally identifiable data, with additional detectors for service account credentials and the ability to build custom detectors. SCC also integrates with Google's Cloud Security Scanner and Forseti toolkit, as well as numerous third-party security tools.

Another security addition, Access Transparency, is an audit log that shows Google's authorized activity in customers' GCP environments and justifications for doing so, such as network updates, load balancing and server adjustments. These logs are generated in "near real time" in the Stackdriver log console and can be exported into BigQuery, Cloud Storage, audit pipelines or security information and event management tooling for further review, the company said.

VPC Service Controls is about to go into beta, while SCC is still in its earliest test phase. Access Transparency is in beta for a number of GCP services, including Compute Engine, App Engine, Cloud Identity and Access Management, Cloud Key Management Service, Cloud Storage and Persistent Disks.

Also part of the Google Cloud Platform security updates is Cloud Armor, a service to harden defenses against distributed denial-of-service and application-aware attacks, in conjunction with Google's existing load-balancing capabilities. And Cloud Identity, which was released in July 2017, is now generally available with enterprise security, application management and device management features.

Build security, and enterprises will come

This slate of features definitely brings them up to the same level [as AWS].

Collectively, these Google Cloud Platform security upgrades patch big gaps in Google's portfolio and pull it alongside with AWS capabilities, said Misha Govshteyn, co-founder and senior vice president of products at Alert Logic, based in Houston. Customers who work in Google Cloud Platform often want to know when Google will be able to match AWS in terms of security capabilities, he said.

"This slate of features definitely brings them up to the same level," Govshteyn said.

Many of these Google security features echo other public cloud platforms' capabilities. Amazon Virtual Private Cloud service endpoints allow access to a service within a VPC from client apps via the internet. AWS GuardDuty sniffs out misconfigurations. Both AWS CloudTrail and Azure Activity Logs similarly improve monitoring and auditing, though Azure arguably has more fine-grained control at the API level. Google's DLP API invokes comparison to Amazon Macie.

Aaron Raddon, CTO and co-founder of Lytics, a personalized marketing and customer data platform in Portland, Ore., said the VPC feature could help convince large enterprises to run his company's SaaS in a stand-alone VPC instance.

Raddon said he sees a sustained uptick in security focus among enterprise companies, so these additions have a lot of appeal. "Financial institutions are pushing us for this hybrid cloud/private model," he said.

Doug Cahill

Lytics now uses Google Cloud Identity for device management and single sign-on across various employee-facing SaaS apps, such as Salesforce and Atlassian Stride. And the firm plans to use the DLP API to detect sensitive data that its customers may inadvertently have.

Access Transparency also likely will resonate with some customers. Cloud providers typically are responsible for everything south of the hypervisor, so customers don't have insight into what's going on within the physical cloud infrastructure, said Doug Cahill, senior analyst at Enterprise Strategy Group in Milford, Mass.

Access Transparency fills in a complete audit trail that can be useful for General Data Protection Regulation requirements, sensitive information around personal healthcare or service controls, or simply an organization's internal compliance rules, he said.

Editor's note: Trevor Jones, senior news writer, contributed to this report.