Published on August 7th, 2019
Google Makes Cloud Apps, VMs Context Aware
Google added a new security feature that puts context-aware capabilities in Cloud Identity-Aware Proxy (Cloud IAP), which controls access to cloud applications and virtual machines (VMs) running on Google Cloud Platform (GCP).
Context-aware access allows companies to define and enforce granular access policies for apps and infrastructure based on a user’s identity and the “context” of their request, such as the user’s location, the time of day they are trying to access a particular app, or the security status of the device.
This is good for both the enterprise and its employees: it improves a company’s security posture and means employees have easier access to the cloud and workloads running in the cloud on any device, without using a virtual private network (VPN) client.
With today’s announcement, Google says customers can better protect Secure Shell (SSH) and Remote Desktop Protocol (RDP) access to VMs without giving VMs public IP addresses and without setting up bastion hosts.
Palo Alto Networks has been using this context-aware capability to protect access to its cloud workloads. “Context-aware access in combination with Palo Alto Networks’ endpoint protection enables us to control access to our infrastructure deployed in GCP following zero-trust principles, helping to secure our public cloud workloads while making our work easier and keeping our costs low,” said Karan Gupta, senior vice president for application framework at Palo Alto Networks, in a blog post.
A zero-trust model assigns rules and policies to workloads, VMs, or network connections. It only allows necessary actions and connections in a workload or application and blocks anything else. Google has been championing this security philosophy, which it calls BeyondCorp, for years.
More Google Cloud Security Updates
The new Cloud IAP features are the latest in a series of security updates Google rolled out over the past couple of weeks.
Yesterday it announced the general availability of Cloud Security Scanner for Google Kubernetes Engine (GKE) and Compute Engine. This service helps companies find vulnerabilities in web applications running on Google Cloud.
And last week it rolled out four new cloud security capabilities for enterprise users and workloads. It extended its Advanced Protection Program to enterprise customers using G Suite, GCP, and Cloud Identity. This program was already in place to protect personal Google accounts of anyone at risk of targeted online attacks, and now enterprise admins can enroll their users most at risk of targeted attacks. This would include IT administrators, business executives, and employees in security-sensitive verticals such as finance and government.
Google also made available Titan Security Keys in Japan, Canada, France, and the United Kingdom. It made these security keys, which support the FIDO key cryptography protocols, available in the United States last year.
Third, Google added machine learning capabilities to detect potential security risks in G Suite and a new service that lets G Suite Enterprise admins automatically receive anomalous activity alerts in the G Suite alert center.
Finally, it also enabled single sign-on for “thousands” of additional software-as-a-service (SaaS) apps.