Author Archives: Gerhard Eschelbeck

New ways to secure businesses in the cloud

From collaboration tools that accelerate productivity, to platforms that spur innovation, to AI-powered tools that drive better customer insights, the cloud is increasingly where we turn to transform businesses. It’s also where an increasing number of enterprises are turning to help protect their data and stay secure.

As Urs shared earlier this week, it’s been our belief from the beginning that if you put security first, everything else will follow. We continue to develop new ways to give our customers the capabilities they need to keep up with today’s ever-evolving security challenges. That’s why today we’re announcing more than 20 enhancements aimed to deepen and expand the control businesses have over their security environment. You can read all of our announcements in more detail on our posts covering Google Cloud Platform, G Suite and Chrome Enterprise updates. Here, we’d like to highlight three unique examples of our security functionality.

Unprecedented control to better protect your data

Google Cloud was designed, built, and is operated with security top of mind—from our custom hardware like our Titan chip, to data encryption both at rest and in transit by default. On top of this foundation, our customers have the freedom to deploy their own security controls based on their unique needs and the level of assurance they require. Today, we’re announcing VPC Service Controls to add to our broad set of protections.

Currently in alpha, VPC Service Controls help enterprises keep their sensitive data private while using GCP’s fully managed storage and data processing capabilities. Imagine constructing an invisible border around everything in an app that prevents its data from escaping, and having the power to set up, reconfigure and tear down these virtual perimeters at will. You can think of it like a firewall for API-based services on GCP. Well-defined VPC service controls can give admins a greater level of control to prevent data exfiltration from cloud services as a result of breaches or insider threats.

With this managed service, enterprises can configure private communication between cloud resources and hybrid VPC networks. By expanding perimeter security from on-premise networks to data stored in GCP services, enterprises can feel confident running sensitive data workloads in the cloud.

VPC Service Controls give admins even more precise control over which users can access GCP resources with Access Context Manager. Enterprises can create policies to grant access based on contextual attributes like user location, IP address and endpoint security status. These policies help ensure the appropriate level of protection is in place when allowing access to data in cloud resources from the internet.

Google Cloud is the first cloud provider to offer virtual security perimeters for API-based services with simplicity, speed and flexibility that far exceeds what organizations can achieve in a physical, on-premises environment.


Visibility into data risks, with actionable security insights


As use of cloud services continues to grow, clear visibility into an organization’s cloud footprint and the security status of its infrastructure is more important than ever. Businesses need the right data and actionable insights to stop threats before security incidents turn into damaging breaches. To that end, we’re announcing Cloud Security Command Center, currently in alpha.

Cloud Security Command Center is a security and data risk platform for GCP that helps enterprises gather data, identify threats and act on them before they result in business damage or loss. First, Cloud Security Command Center gives enterprises consolidated visibility into their cloud assets across App Engine, Compute Engine, Cloud Storage and Cloud Datastore. People can quickly understand the number of projects they have, what resources are deployed, where sensitive data is located, and how firewall rules are configured. With ongoing discovery scans, enterprises can view the history of their cloud assets to understand exactly what changed in their environment and act on unauthorized modifications.

Cloud Security Command Center also provides powerful security insights into cloud resources. For example, security teams can determine things like whether a cloud storage bucket is open to the internet or contains personally identifiable information, or whether cloud applications are vulnerable to cross-site scripting (XSS) vulnerabilities—to name just a few.

Finally, Cloud Security Command Center helps enterprises leverage and act on intelligence from Google and other leading security vendors. Administrators can identify threats like botnets, cryptocurrency mining and suspicious network traffic with built-in anomaly detection developed by the Google Security team, as well as integrate insights from vendors such as Cloudflare, CrowdStrike, Dome9, RedLock, Palo Alto Networks, and Qualys to help detect DDoS attacks, compromised endpoints, compliance policy violations, network intrusions and instance vulnerabilities and threats. With ongoing security analytics and threat intelligence, enterprises can better assess their overall security health in a central dashboard or through APIs, and immediately act on risks.

This is just one example of how we’re providing enterprises more visibility. Earlier this year, we announced the security center for G Suite, which provides security analytics and recommendations for our G Suite customers. Today we’re introducing additions to security center, including new charts which highlight phishing threats and suspicious device activity. You can read more about these improvements in our G Suite and GCP posts.

Transparency into how we interact with your data

Trust is paramount when choosing a cloud provider. We want to be as open and transparent as possible, allowing customers to see everything that happens to their data. Cloud Audit Logging helps answer the question of which administrators did what, where, when and why on your GCP projects.

And now, Access Transparency offers an immutable audit trail of actions taken by Google engineers and support whenever they interact with your content on GCP. Access Transparency builds on our already robust controls that restrict Google administrator activity to actions only with valid business justifications, such as responding to a specific ticket our customers have initiated or recovering from an outage.

Together, Cloud Audit Logs and Access Transparency Logs provide a more comprehensive view of admin activity in your cloud environment. We believe that trust is created through transparency, which is why we’re proud that GCP is the first to offer this level of visibility into cloud provider administrative activity.

What cloud security means for businesses

Today’s updates are just a few examples of how we’re making it easier and more secure for businesses to build and grow in the cloud—with many more still to come.

“Businesses’ path to cloud adoption relies heavily on trust; CEOs and CIOs need to feel comfortable that they are gaining significant benefit from the cloud without giving up control,” says Doug Cahill, Senior Analyst, ESG. “With these announcements, Google Cloud is continuing to provide more control and insight to customers—and commendable visibility into administrative activity within their cloud environments through Access Transparency—while offering them the peace of mind that many of the fundamental aspects of security are taken care of and constantly evolving along with the threat landscape.”

Customers like Credit Karma, Lahey Health, and Sanmina Manufacturing are working with Google Cloud to help secure their data.

“A strong security posture plays a critical role in helping us fulfill our mission of helping our members navigate the complex personal finance landscape through a predictive, data-driven recommendation system,” says Credit Karma Chief Technology Officer Ryan Graciano. “User trust is crucial to our business so security was hugely important when selecting a cloud provider. Google Cloud’s end-to-end approach met our high standards. This enables us to spend more time focusing on building the best products for our customers.”

We believe a more secure business landscape is better for everyone, and we’ll continue to develop ways to help businesses be more secure. For a closer look at all our security-related announcements today, read our in-depth posts on GCP, G Suite and Chrome Enterprise.

Source: Google Cloud


Building a safer web, for everyone

Today is Safer Internet Day, a moment for technology companies, nonprofit organizations, security firms, and people around the world to focus on online safety, together. To mark the occasion, we’re rolling out new tools, and some useful reminders, to help protect you from online dangers of all stripes—phishing, malware, and other threats to your personal information.

1. Keeping security settings simple

The Security Checkup is a quick way to control the security settings for your Google Account. You can add a recovery phone number so we can help if you’re ever locked out of your account, strengthen your password settings, see which devices are connected to your account, and more. If you complete the Security Checkup by February 11, you’ll also get 2GB of extra Google Drive storage, which can be used across Google Drive, Gmail, and Photos.

Safer Internet Day is a great time to do it, but you can—and should!—take a Security Checkup on a regular basis. Start your Security Checkup by visiting My Account.

Security check up gif

2. Informing Gmail users about potentially unsafe messages

If you and your Grandpa both use Gmail to exchange messages, your connections are If you receive a message that can’t be authenticated, you’ll see a question mark where you might otherwise see a profile photo or logo: encrypted and authenticated. That means no peering eyes can read those emails as they zoom across the web, and you can be confident that the message from your Grandpa in size 48 font (with no punctuation and a few misspellings) is really from him!

However, as our Safer Email Transparency Report explains, these things are not always true when Gmail interacts with other mail services. Today, we’re introducing changes in Gmail on the web to let people know when a received message was not encrypted, if you’re composing a message to a recipient whose email service doesn’t support TLS encryption, or when the sender’s domain couldn’t be authenticated.

Here’s the notice you’ll see in Gmail before you send a message to a service that doesn’t support TLS encryption. You’ll also see the broken lock icon if you receive a message that was sent without TLS encryption.

Gmail message screen gif

If you receive a message that can’t be authenticated, you’ll see a question mark where you might otherwise see a profile photo or logo:

Authenticated vs unauthenticated

3. Protecting you from bad apps

Dangerous apps that phish and steal your personal information, or hold your phone hostage and make you pay to unlock it, have no place on your smartphone—or any device, for that matter.

Google Play helps protect your Android device by rejecting bad apps that don’t comply with our Play policies. It also conducts more than 200 million daily security scans of devices, in tandem with our Safe Browsing system, for any signs of trouble. Last year, bad apps were installed on fewer than 0.13% of Android devices that install apps only from Google Play.

Learn more about these, and other Android security features — like app sandboxing, monthly security updates for Nexus and other devices, and our Security Rewards Program—in new research we’ve made public on our Android blog.

4. Busting bad advertising practices

Malicious advertising “botnets” try to send phony visitors to websites to make money from online ads. Botnets threaten the businesses of honest advertisers and publishers, and because they’re often made up of devices infected with malware, they put users in harm’s way too.

We've worked to keep botnets out of our ads systems, cutting them out of advertising revenue, and making it harder to make money from distributing malware and Unwanted Software. Now, as part of our effort to fight bad ads online, we’re reinforcing our existing botnet defenses by automatically filtering traffic from three of the top ad fraud botnets, comprising more than 500,000 infected user machines. Learn more about this update on the Doubleclick blog.

5. Moving the security conversation forward

Recent events—Edward Snowden’s disclosures, the Sony Hack, the current conversation around encryption, and more—have made online safety a truly mainstream issue. This is reflected both in news headlines, and popular culture: “Mr. Robot,” a TV series about hacking and cybersecurity, just won a Golden Globe for Best Drama, and @SwiftOnSecurity, a popular security commentator, is named after Taylor Swift.

But despite this shift, security remains a complex topic that lends itself to lively debates between experts...that are often unintelligible to just about everyone else. We need to simplify the way we talk about online security to enable everyone to understand its importance and participate in this conversation.

To that end, we’re teaming up with Medium to host a virtual roundtable about online security, present and future. Moderated by journalist and security researcher Kevin Poulsen, this project aims to present fresh perspectives about online security in a time when our attention is increasingly ruled by the devices we carry with us constantly. We hope you’ll tune in and check it out.

Online security and safety are being discussed more often, and with more urgency, than ever before. We hope you’ll take a few minutes today to learn how Google protects your data and how we can work toward a safer web, for everyone.