Google Cloud

We've been busy! 20+ Google Cloud security announcements from March

As Urs said last week, security is one of the biggest issues of our time, and with the cloud, we are able to tackle it together. At Google Cloud, we’re always working to help organizations keep up with evolving threats, protect their sensitive data, and empower innovation—all while giving them control and visibility. That’s why over the past several days we’ve announced a broad range of security products and enhancements. With so much to share, we thought it would be helpful to put all the news in one handy location.

Here’s a recap of our security announcements in March.


Chrome Enterprise

1. New enterprise mobility management (EMM) partnerships

We announced four new partnerships with EMM providers to help IT admins manage and implement security policies across their full fleet of devices from a single place. Cisco Meraki, Citrix XenMobile, IBM MaaS360 with Watson, and ManageEngine Mobile Device Manager Plus now support Chrome Enterprise.


2. Chrome OS Active Directory enhancements

Building on our initial integration with Active Directory last August, we’ve added a number of enhancements to help admins manage Chrome OS alongside legacy infrastructure. These include the ability to authenticate to Kerberos and NTLMv2 endpoints on local networks directly from Chrome OS, support for common enterprise Active Directory setups like multiple domain scenarios, and improved existing certificate enrollment flows.


3. Expanded management capabilities in Chrome Browser and Chrome OS

Chrome Enterprise lets admins fine-tune more than 200 security policies and grant secure, authorized employee access to online resources. This month, we added even more controls, including per-permission extension blacklisting, disabled sign-ins, and device-wide certificates.



Cloud Identity

4. Cloud Identity

Cloud Identity is a new, standalone Identity as a Service (IDaaS) solution that offers premium features such as account security, application management and device management in one place. With Cloud Identity, employees get simple, secure access to their business-critical apps and devices, while administrators get the tools they need to manage it all in one integrated console.



Google Cloud Platform

5. Access Transparency

Trust is paramount when choosing a cloud provider, and we want to be as open and transparent as possible. Access Transparency gives you near real-time logs when Google Cloud Platform administrators access your content, offering an audit trail of actions taken by Google engineers and support whenever they interact with your content on GCP.


6. Cloud Armor

Cloud Armor, our new Distributed Denial of Service (DDoS) and application defense service, is based on the same technologies and global infrastructure that we use to protect services like Search, Gmail and YouTube. Global HTTP(S) load balancing provides built-in defense against infrastructure DDoS attacks. Cloud Armor works in conjunction with global HTTP(S) load balancing and enables you to customize defenses for your internet-facing applications. Its capabilities include IP blacklisting/whitelisting, geo-based access control, custom rules via a rules language and defense against application-aware attacks like SQL Injection.


7. Cloud Security Command Center (alpha)

The new Cloud Security Command Center (Cloud SCC) is a security and data risk platform that lets you view, analyze, and monitor an inventory of your cloud assets, scan storage systems for sensitive data, detect common web vulnerabilities and review access rights to your critical resources—all from a single, centralized dashboard. Detect threats and suspicious activity with Google anomaly detection as well as security partners such as Cloudflare, CrowdStrike, Dome9, Palo Alto Networks, Qualys and RedLock.


8. The Cloud Data Loss Prevention (DLP) API

Discover, classify and redact sensitive data at rest and in real time with the DLP API, now generally available. And because it’s an API, you can use it on virtually any data source or business application, whether it’s on GCP services like Cloud Storage or BigQuery, a third-party cloud, or in your on-premises data center.


9. FedRAMP Authorization

GCP, and Google’s underlying common infrastructure, have received the FedRAMP Rev. 4 Provisional Authorization to Operate (P-ATO) at the Moderate Impact level from the FedRAMP Joint Authorization Board (JAB). Now, both G Suite and GCP have FedRAMP Moderate authorizations. Agencies and federal contractors can request access to our FedRAMP package by submitting a FedRAMP Package Access Request Form.


10. VPC Service Controls (alpha)

Currently in alpha, VPC Service Controls help enterprises keep their sensitive data private while using GCP’s fully managed storage and data processing capabilities. VPC Service Controls create a security perimeter around data stored in API-based GCP services such as Cloud Storage, BigQuery and Bigtable. This helps mitigate data exfiltration risks stemming from stolen identities, IAM policy misconfigurations, malicious insiders and compromised virtual machines.



G Suite

11. New advanced anti-phishing capabilities

Updated phishing security controls can be configured to automatically switch on the latest Google-recommended defenses. New default-on protections can:

  • Automatically flag emails from untrusted senders that have encrypted attachments or embedded scripts.

  • Warn against email that tries to spoof employee names or that comes from a domain that looks similar to your own domain.

  • Offer enhanced protections against spear phishing attacks by flagging unauthenticated email.

  • Scan images for phishing indicators and expand shortened URLs to uncover malicious links.


12. Default-on mobile management

Basic device management is automatically enabled for your mobile devices that access G Suite. Employees won’t need to install profiles on iOS and Android devices, and admins get added security management controls, including the ability to enforce passcodes, erase confidential data, and see which devices access corporate data.


13. New additions to the security center for G Suite

We introduced the security center for G Suite earlier this year. Security center brings together security analytics, actionable insights and best practice recommendations from Google to help you protect your organization, data and users. Last week we introduced new additions, including:

  • New security charts to show OAuth activity and Business Email Compromise (BEC) scam threats specifically focused on phishing emails that may not have links.

  • New mobile management charts to help IT admins examine activity analytics and detect when devices have been hijacked, rooted or jailbroken.

  • Ways to reorganize the dashboard to focus on what is most important to your organization.

  • Ways to analyze your organization’s security health and get custom advice on security key deployment and protection against phishing scams.


14. Built-in protections and controls for Team Drives

New enhancements to Team Drives provide additional security controls, including the ability to limit file access privileges and add IRM controls to prevent users from printing, downloading and copying files. These new security features will roll out in the coming weeks.



Partnerships

15-25. New and expanded security partnerships

We announced several new security partnerships, including:

  • Dome9, which has developed a compliance test suite for the Payment Card Industry Data Security Standard (PCI DSS) in the Dome9 Compliance Engine.

  • Rackspace Managed Security, which provides businesses with fully managed security on top of GCP.

  • RedLock’s Cloud 360 Platform, a cloud threat defense security and compliance solution that provides additional visibility and control for Google Cloud environments.


As we said last week, we believe a more secure business landscape is better for everyone, and we’re committed to finding new ways to help businesses be more secure. For more information, check out our security webpage.

Editor’s note: As of November 2018, Cloud Armor whitelists and blacklists are now referred to as allow lists and deny lists.