Google Cloud Trumpets New Security Capabilities At Next ’19 UK

Google Cloud took the wraps off new data encryption, network security, security analytics and user protection capabilities today in London for the kickoff of its Next ’19 UK conference expected to draw 7,000 attendees as its largest customer event in Europe.

The cloud provider’s announcements come on the heels of the adoption of the General Data Protection Regulation (GDPR), a law regulating data protection and privacy in the Europe Union that was implemented last year.

Google Cloud also announced the general availability of Migrate for Anthos, Apigee hybrid and Cloud Code.

Google Cloud, which launched in Europe in 2012, has cloud regions in Belgium, Finland, Frankfurt, London, the Netherlands and Zurich, where it went live in March. In September, it announced plans for a seventh region in Warsaw, Poland.

“Our cloud is designed to fully empower European organizations’ strict data security and privacy requirements and preferences,” Chris Ciauri, vice president for Google Cloud in Europe, the Middle East and Africa, said in a blog post today. “Where data resides, who has access to customers’ data, and protections for the privacy and security of customers’ data is central to our offering.”

Google Cloud customers can store data in a European region, ensure it’s not moved outside of Europe and prevent users and administrators outside of Europe from accessing their data, according to Ciauri. Customers can manage their own encryption keys and ensure they are stored in a European region.

“And with capabilities we’re introducing today, customers can store their encryption keys outside Google Cloud’s infrastructure, receive a detailed justification each time a key is requested to decrypt data and deny Google the ability to decrypt their data for any reason,” Ciauri said.

External Key Manager

External Key Manager, which will soon be in beta, will allow customers to store and manage encryption keys outside of Google Cloud.

It works with Cloud KMS and lets customers encrypt data in BigQuery and Google Compute Engine with encryption keys that are stored and managed in a third-party key management system outside of Google’s infrastructure.

“External Key Manager provides an audit trail of key access, use and location, so you can document crypto operations for auditors to support your governance and compliance processes,” said Sunil Potti, vice president of engineering for Google Cloud Security.

Key Access Justifications

Key Access Justifications, which let customers decide when and why their data can be decrypted, works with External Key Manager and is coming soon to alpha for BigQuery, Google Compute Engine and at-rest Google Persistent Disk.

“It provides a detailed justification each time one of your keys is requested to decrypt data, along with a mechanism for you to explicitly approve or deny providing the key using an automated policy that you set,” Potti said. “Using External Key Manager and Key Access Justifications together, you can deny Google the ability to decrypt your data for any reason.”

New Google Cloud Armor Web Application Firewall

Google Cloud unveiled new application firewall capabilities for Google Cloud Armor, its distributed-denial-of-service and application defense service.

“You can now configure Cloud Armor policies with geo-based access controls, pre-configured WAF application protection rules to mitigate OWASP Top 10 risks and a custom rules language to create custom Layer-7 filtering policies,” Potti said.

Protecting G Suite and Cloud Identity Users

Google also has opened its Advanced Protection Program – it’s strongest protection for users at risk of targeted attacks -- to G Suite and Cloud Identity customers.

“With the Advanced Protection Program for the enterprise, we’ll enforce a specific set of policies for enrolled users, including security key enforcement, blocking access to untrusted apps and enhanced scanning for email threats,” Potti said.

“We’re also introducing app access control, helping you reduce the risk of data loss by limiting access to G Suite APIs to third-party apps you trust,” he said. “You can also more easily manage and restrict which Google APIs are available for use by third-party and customer-owned apps, and see which apps are verified by Google.

General Availability Of Migrate For Anthos

Google Cloud announced the general availability of Migrate for Anthos, which helps customers to migrate to the cloud and modernize with containers simultaneously. It’s available at no additional cost and can be used with or without an Anthos subscription.

Migrate for Anthos provides a quick, low-friction pathway to move and convert physical servers or virtual machines from sources including on-premise, Amazon Web Services, Microsoft Azure or Google Compute Engine directly into containers in Google Kubernetes Engine, , according to Google Cloud product management vice president Jennifer Lin and Pali Bhat, vice president of product and design.

“Migrate for Anthos makes it easy to modernize your applications without a lot of manual effort or specialized training.,” Lin and Bhat said in a blog post today. “After upgrading your on-prem systems to containers with Migrate for Anthos, you’ll benefit from a reduction in OS-level management and maintenance, more efficient resource utilization and easy integration with Google Cloud services for data analytics, AI and ML and more.”

General Availability Of Apigee Hybrid

Apigee hybrid, which lets users manage application programming interfaces (APIs) on-premises, on Google Cloud Platform or a mix of both, is now generally available.

“To drive modernization and innovation, enterprises are increasingly adopting API-first approaches to connecting services across hybrid and multi-cloud environments,” Lin and Bhat said, noting Apigee hybrid provides for flexibility to deploy API runtimes in a hybrid environment, while using cloud-based Apigee capabilities including developer portals, API monitoring and analytics.

“Apigee hybrid can be deployed as a workload on Anthos, giving you the benefits of an integrated Google Cloud stack, with Anthos’ automation and security benefits,” they said in their blog post.

General Availability Of Cloud Code

Cloud Code, now generally available, allows for easier Kubernetes development, letting developers write, debug and deploy code to Google Cloud or any Kubernetes cluster through extensions to popular integrated developer environments (IDEs) such as Visual Studio Code and IntelliJ.

“Developers are most productive while working in their favorite IDE,” Lin and Bhat said. “By embracing developers’ existing workflow and tools, Cloud Code makes working with Kubernetes feel like you are working with a local application, while preserving the investment you’ve made to configure your tools to your own specific needs. Cloud Code dramatically simplifies the creation and maintenance of Kubernetes applications.”

Cloud Code also speeds up development against Kubernetes by extending the edit-debug-review “inner loop” to the cloud.

“You get rapid feedback on your changes, ensuring that they’re of high quality,” Lin and Bhat said. “And when it comes to moving code to the production environment, Cloud Code supports popular continuous integration and delivery tools like Cloud Build. “

And Cloud Code’s connected debuggers and cluster-wide logging help users diagnose and address issues using their favorite tool, without the need for a deep understanding of Kubernetes, they said.