Google has announced a slew of new security and identity features, aimed at bringing more transparency and visibility to Google Cloud security.
New security features include the following:
- Access Transparency and Access Approval: Access Transparency provides near-real-time logs when Google Cloud Platform admins access an account, which Google said is done only for contractually obligated reasons. Access Approval (beta) lets admins approve or deny access requests from Google employees.
- Data Loss Prevention and Virtual Private Cloud (VPC): Google added a beta user interface for creating, listing, deleting, viewing the details of and updating inspection templates, inspection jobs and job triggers. VPC Service Controls lets users set virtual perimeters around Google Cloud Platform resources to prevent data exfiltration.
- Cloud Security Command Center: This gives users the ability to centralize security management across platforms to identify and mitigate suspicious activity. Users can also integrate third-party security tools such as McAfee and Capsule8.
- Apigee (beta): This security reporting program gives users visibility into the security status of APIs by using built-in governance and cryptography to prevent digital transaction risks. It also allows users to require client authentication so that only valid users have access to APIs.
- Policy Intelligence: This provides tools that use machine learning to make suggestions and provide insights on security. The Recommender uses machine learning to automatically detect overly permissive access and adjust it based on similar users and their access patterns. Troubleshooter lets security admins see why a resource request may have been denied and suggests the best way to fix it. The Validator lets admins create preventative measures so that users are not granted overly permissive access.
- Phishing Protection: This program protects against cyberattacks, the majority of which begin with phishing emails and websites, by identifying signals of malicious content and preventing users from reaching phishing sites. Users can also use reCAPTCHA Enterprise to ensure that only legitimate customers gain access.
There are also a handful of new programs to help users secure the software supply chain, including Binary Authorization and GKE Sandbox.
- Binary Authorization ensures that only trusted container images are published on Google Kubernetes Engine (GKE) by requiring that images be signed by trusted authorities during development, and then enforcing signature validation at deploy time.
- GKE Sandbox provides additional defense between containerized workloads on GKE by reducing the need for a container to interact directly with the host. It also adds a layer of isolation between tenants in multi-tenant environments.
Identity features include the following:
- Context-aware access now uses the BeyondCorp security model. Google claims the upgrades will provide granular control for Google Cloud Platform workloads and web applications. Users will be able to access web applications and infrastructure resources from any device using a VPN. However, security admins will still be able to enforce application-level access controls by using Zero Trust to verify users' identities before allowing access.
- Cloud Identity is a platform for security teams to increase end-user efficiency, protect company data and transition to a digital workspace. Using the BeyondCorp security model, admins can control access to SaaS apps, enforce multi-factor authentication, manage devices and investigate threats. Additionally, admins can enable single sign-on, allowing access to thousands of apps.