Increasing trust in Google Cloud: visibility, control and automation

Gain insights into the security status of your APIs
APIs exposed to developers inside and outside your organization are another target for attackers. Apigee, Google Cloud’s API management platform, includes new security reporting to help you gain a holistic view of the health and security status of your API programs. You can identify APIs that do not adhere to security protocols and user groups that are publishing the most sensitive APIs. Findings are accessible in the Apigee console and via API for integration with SIEM tools. Apigee API security reporting is coming soon to beta. Learn more.

Security throughout the software supply chain
With containers, you need to trust the images you are running. Today, we’re announcing the availability of several GKE services to help build confidence in your containerized software supply chain.

Finding vulnerabilities early in the deployment cycle avoids patching fire drills later on. Container Registry, our secure, private Docker registry, includes vulnerability scanning, a native integration for GKE that identifies package vulnerabilities for Ubuntu, Debian, and Alpine Linux, so you can find vulnerabilities before your containers are deployed. Originally announced in September, Container Registry vulnerability scanning will soon be generally available.

Before a container is deployed to a GKE cluster, you want to make sure it meets your organization’s deployment requirements. Binary Authorization is a deploy-time security control that integrates with your CI/CD system, gating images that do not meet your requirements from being deployed. In the forthcoming GA release, Binary Authorization can be integrated with Cloud Key Management Service and Cloud SCC, delivering deploy-time control that you can view from the same console that you use to manage other security operations.

Even when you’re working off a known-good foundation, sometimes you want an extra level of security. Coming soon to beta is GKE Sandbox, based on the open-source gVisor project. GKE Sandbox provides additional isolation for multi-tenant workloads, helping to prevent container escapes, and increasing workload security.

GKE also now offers Managed SSL certificates, giving you full lifecycle management (provisioning, deployment, renewal and deletion) of your GKE ingress certificates. Now in beta, Managed SSL certificates make it easier to deploy, manage and operate secure GKE-based applications at scale.

Finally, to harden VM-based workloads, Google Cloud offers Shielded VM, which provides verifiable integrity of your Compute Engine VM instances so you can be confident they haven’t been compromised. Already, more than 21,000 Shielded VM instances are deployed on GCP, and starting today, Shielded VM is generally available, giving you a simple way to reduce the likelihood that anyone can tamper with your VMs.

Controlling and protecting G Suite data
We’re also announcing new ways to help you protect, control, and remediate threats to the business data you create and store in G Suite.

Some organizations require their data to be stored in specific locations, and we’re committed to meeting that need. G Suite Business and Enterprise customers can designate the region in which covered data at rest is stored–globally, in the US, or in Europe. We’re enhancing data regions with coverage for backups.

We’re introducing new (beta) controls for advanced phishing and malware protection. These controls can help admins protect against anomalous attachments and inbound emails spoofing your domain in Google Groups. The security sandbox (available in beta for G Suite enterprise customers) helps provide better protection against ransomware, sophisticated malware and zero-day threats by executing email attachments in a sandbox environment to find out if they are malicious.

Security center and alert center for G Suite provide organizations with best practice recommendations, unified notifications and integrated remediation that help admins take action against threats. We want to help admins work collaboratively to assess their organization’s exposure to security issues. New beta functionality allows admins to save and share their investigations in the security investigation tool. Within the alert center beta, admins can now indicate alert status and severity and assign alerts to other admins. Admins can also create rules within the security center that perform automated actions or send notifications to the alert center, where teams of admins and analysts can work together to take ownership and update status as they work through security investigations. Sign up for the security center beta here and alert center beta here.

Putting it all together with ML
Keeping configurations in-step with your security policies can be a challenge. There are a lot of levers to pull and settings to tweak to get security right, and you may wonder if you’ve done everything you can to reduce your exposure. To help, today we’re unveiling Policy Intelligence. Initially available for Cloud IAM, Policy Intelligence offers three new tools to help you understand and manage your policies and reduce risk:

• IAM Recommender helps admins remove unwanted access to GCP resources using machine learning to make smart access control recommendations.
• Access Troubleshooter enables security administrators to understand why requests were denied and helps modify policies to grant the appropriate access.
• Validator lets admins set up governance and security guardrails that prevent them from granting overly-permissive access.

To get started, sign up for the Policy Intelligence alpha program.

New services to keep your users safe on the web
To protect your business, you need to protect your users. Last month at RSA Conference, we announced the beta of our Web Risk API and now we’re excited to introduce two brand new Google Cloud user protection services:

• Phishing protection. Phishing websites that use things like your name and logo put your users at risk and damage your business. With the Phishing Protection service, you can quickly report unsafe URLs to Google Safe Browsing and view status in Cloud SCC. Once URLs are populated into Safe Browsing lists, users on more than three billion devices will be warned before they click on infected links. Sign up for the beta.
• reCAPTCHA Enterprise. Security teams need to keep bad actors out of their websites, and ensure that their customers can always get in. reCAPTCHA has been defending millions of sites for almost a decade, and our new reCAPTCHA Enterprise service builds on this technology with capabilities designed specifically to address enterprise security needs. You can defend your website against fraudulent activity like scraping, credential stuffing, and automated account creation and help prevent costly exploits from automated software. Sign up for the beta.

Creating environments that are secure–and keeping them that way–is job number one for organizations that run in the cloud. At Google Cloud, we’re committed to ensuring advanced security is an enabler for businesses who need greater agility with improved governance. Visit Google Cloud Security for a complete overview of Google Cloud infrastructure, products, and transparency and trust policies. And be sure to read our identity and access management blog post about new ways to help you improve IT, developer, and end-user efficiency.