21Mar 2017

Google tries to beat AWS at cloud security


Google knows that if enterprises are going to move their critical services to its cloud, then it has to offer something that AWS doesn’t. At Google Cloud Next, the company’s leadership made the case that Google Cloud was the most secure cloud.

At the conference this week, Google unveiled tools that would let IT teams provide granular access to applications, better manage encryption keys, and enforce stronger authentication mechanisms for applications running on Google Cloud. While Google is just playing catch-up to Amazon with the Key Management System for GCP, it is stepping into uncharted territory with Data Leak Prevention API by giving administrators tools that go beyond the infrastructure to protect individual applications. Google is tackling the identity access management challenge differently from Amazon, and it will be up to enterprises to decide which approach they prefer.

Google is clearly looking at security as the way to differentiate itself from other cloud infrastructure providers. It isn’t protecting only the underlying hardware and virtual machines; it will protect the applications running on them, too.


Protecting sensitive data everywhere

The DLP API, now in beta, will let IT teams identify and redact any piece of sensitive information that may be in applications running on GCP. The DLP technology performs deep content analysis to find matches against the list of more than 40 sensitive data types, such as credit card and account numbers or contact information, and it lets administrators decide how best to protect that information. The screenshot in the blog post announcing the new security features shows how DLP API redacts information in a document, such as a person’s name, email address, and mobile phone, Social Security, and credit card numbers.

The key differentiator for Google is the fact that DLP API for GCP is an extension of DLP for Gmail, originally launched in 2015, and DLP for Drive, announced back in January. The combination of the three tools gives IT administrators the ability to write policies that can consistently manage sensitive data across all the platforms: applications running on the cloud infrastructure, messages stored in Gmail, and documents stored in Drive.

Google is providing enterprises with security tools to protect the data on applications running within its cloud. Amazon, while it has invested in data protection, has focused on the server and block storage level.


Control who can access the applications

Right now, IT teams that want to control access to applications rely on VPNs, but that tends to be an all-or-nothing approach. Users who have valid VPN credentials get access to all the applications. Applying more granular access controls has always been a challenge, and when employees are always moving and working on untrusted networks, the VPN becomes an inefficient method to manage access.

That’s where Identity-Aware Proxy (IAP), also in beta, comes in, as it lets IT teams shift from the VPN model to one that assesses risk for each application. Administrators specify which groups of identities can have access to which application, so only authorized and authenticated users are granted access to IAP-protected applications running on Google Cloud.

IAP is an element of the BeyondCorp framework, the enterprise security model that Google developed internally to let its employees work from untrusted networks without worrying about VPN. Users point their web browser to an internet-accessible URL to access IAP-protected applications, and IAP handles the authentication process to verify identity.

Google is tackling the identity question from a different direction than Amazon and its AWS Identity and Access Management service. While AWS IAM lets administrators control access to AWS service APIs and specific resources and lets IT manage users and groups via AWS Active Directory, it doesn’t provide the same level of protection for individual applications the way Google plans to with IAP. There are some overlaps between what Google is offering with SKE and what Amazon already offers with AWS IAM’s account access elements and Cognito’s app integration capabilities.

“With this set of announcements, GCP is going after securing how individuals within an organization use cloud services. AWS has some overlap with individual line items in the announcement, but they are targeting a very different use case,” said Blaine Fleming, senior cloud architect at Armor.


Mandatory two-factor authentication in the cloud

SKE (Security Key Enforcement) for GCP and G Suite, now generally available, lets IT teams require all users to turn on security keys as a two-step verification factor whenever they sign into G Suite or access a Google Cloud Platform resource.

Until recently, users could decide on the individual level whether to go with hardware keys (such as the Yubikey) as part of two-step verification. With SKE for GCP, IT administrators can now make it mandatory, and thus add a secure authentication layer to cloud workloads.

IAP can be integrated with security keys to deter phishing, as well.


Refining its cloud investments

If the announcements at Cloud Next sound familiar, it’s due to Google adding these enterprise-grade tools to G Suite earlier this year. The fact that DLP and SKE were both added to G Suite in January reaffirms Google’s cloud security strategy. In many cases, Google is its own customer on Google Cloud: It rolls out security tools for G Suite and Gmail, then makes them available to enterprises on GCP.

Cloud security is a shared responsibility, with the provider focusing on the physical security of the datacenters and protecting the hardware, and the enterprise in charge of applications and data. Google shifts the conversation by also providing tools to secure access, encrypt content, and prevent the leak of sensitive data within its cloud. For enterprises wondering, “Why should I trust you to run my most critical applications?” those tools may be the answer.