UPDATED 04:00 EST / NOVEMBER 20 2019

SECURITY

Google adds more security features to its cloud services

Google LLC wants its cloud customers to have more control and visibility over their data, so today it announced a raft of new capabilities around data encryption, network security and security analytics.

The most significant of the updates, which were announced at Google’s Cloud Next UK event in London today, is a new External Key Manager. Designed to work with the company’s Cloud Key Management Service, it allows organizations to store and manage encryption keys outside Google Cloud, Sunil Potti, vice president of engineering at Google Cloud Security, wrote in a blog post.

“Coming soon to beta, External Key Manager works with Cloud KMS and lets you encrypt data in BigQuery and Compute Engine with encryption keys stored and managed in a third-party key management system deployed outside Google’s infrastructure,” Potti wrote.

The External Key Manager will allow companies to maintain separation between data-at-rest and the encryption keys needed to access it, while still making sure it’s available to be used by a variety of Google Cloud services.

Related to External Key Manager is a new feature Google calls Key Access Justifications, available to customers who use that new service. With Key Access Justifications, companies will receive a “detailed justification” each time one of their encryption keys is requested to decrypt their data. Companies will also be able to explicitly approve or deny access to those keys via automated, preset policies, Google said.

“Using External Key Manager and Key Access Justifications together, you can deny Google the ability to decrypt your data for any reason,” Potti said. “As a result, you are the ultimate arbiter of access to your data — a level of control not available from any other cloud provider.”

Google said Key Access Justifications will be available soon as an alpha test feature for early adopters in its Google BigQuery and Compute Engine/Persistent Disk services, covering both data-at-rest and data-in-use.
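To make the External Key Manager and Key Access Justifications model concrete, here is an added illustrative example (not Google’s API or code): the cloud side stores only wrapped data keys, and a customer-run key holder unwraps them only when the request’s justification passes a preset policy, recording every decision. The justification strings, the policy and the HMAC-SHA256 keystream used for wrapping are all constructed for the example; real reason codes and wrapping algorithms may differ.

```python
"""Illustrative model of an external key holder with justification-based
access policy. Added example; assumes nothing about Google's real API."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed policy: only customer-initiated justifications may unwrap a key.
ALLOWED_JUSTIFICATIONS = {"CUSTOMER_INITIATED_ACCESS", "CUSTOMER_INITIATED_SUPPORT"}


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream from HMAC-SHA256 (illustrative stand-in for AES key wrap)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


@dataclass
class ExternalKeyHolder:
    """Holds the key-encryption key (KEK) outside the cloud provider."""
    kek: bytes = field(default_factory=lambda: os.urandom(32))
    audit: List[Tuple[str, str]] = field(default_factory=list)

    def wrap(self, dek: bytes) -> bytes:
        # The provider stores only this blob; it cannot recover the DEK alone.
        nonce = os.urandom(16)
        return nonce + bytes(a ^ b for a, b in zip(dek, _keystream(self.kek, nonce, len(dek))))

    def unwrap(self, wrapped: bytes, justification: str) -> Optional[bytes]:
        # Every request is evaluated against the preset policy and logged.
        decision = "ALLOW" if justification in ALLOWED_JUSTIFICATIONS else "DENY"
        self.audit.append((justification, decision))
        if decision == "DENY":
            return None
        nonce, body = wrapped[:16], wrapped[16:]
        return bytes(a ^ b for a, b in zip(body, _keystream(self.kek, nonce, len(body))))


def demo() -> Tuple[bool, bool, List[Tuple[str, str]]]:
    """Customer-initiated access succeeds; provider-initiated access is refused."""
    holder = ExternalKeyHolder()
    dek = os.urandom(32)
    wrapped = holder.wrap(dek)
    by_customer = holder.unwrap(wrapped, "CUSTOMER_INITIATED_ACCESS")
    by_provider = holder.unwrap(wrapped, "GOOGLE_INITIATED_SYSTEM_OPERATION")
    return by_customer == dek, by_provider is None, holder.audit
```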

Google also announced improvements to its network defense service Cloud Armor, which offers protection against distributed denial-of-service attacks that overload networks with thousands of simultaneous requests. Cloud Armor is gaining new web application firewall capabilities that add another layer of protection against DDoS attacks on specific applications.

“You can now configure Cloud Armor policies with geo-based access controls, pre-configured WAF application protection rules to mitigate OWASP Top 10 risks, and a custom rules language to create custom Layer-7 filtering policies,” Potti said.

In addition, Cloud Armor has been integrated with Google’s Cloud Security Command Center, which means customers will receive notifications of any suspicious application traffic patterns directly in the Cloud SCC dashboard.


Cloud Security Command Center itself gets new features too, including new Event Threat Detection and Security Health Analytics capabilities. The former is meant to help customers detect threats targeting their cloud resources using logs, sending details of any incidents to their Security Information and Event Management or SIEM system for further investigation. The latter helps users to prevent incidents by identifying potential misconfigurations and compliance violations in their GCP resources, and by suggesting appropriate corrective actions.

Moving on, Google is debuting a new Packet Mirroring service in beta that allows customers to monitor and inspect network traffic to and from Google Compute Engine and Google Kubernetes Engine.

“With this service, you can use third-party tools to more proactively detect threats, better respond to intrusions with signature-based attack detection, and better identify zero-day attacks with anomaly detection,” Potti said.


The last of today’s updates pertains to Google’s Advanced Protection Program, which is an identity management service for Google Accounts that have a high risk of falling victim to targeted attacks, such as those belonging to system administrators and company executives.

Advanced Protection is now being rolled out to G Suite and Cloud Identity customers for the first time. It enables a specific set of policies to be applied to enrolled users, including security key enforcement, blocking access to untrusted apps and enhanced scanning for email threats.

“Security remains the key area that infrastructure-as-a-service providers need to keep pushing for two benefits,” said Holger Mueller, an analyst with Constellation Research Inc. “For one, it’s key to ease executives’ and cloud doubters’ concerns in regard to cloud safety. It’s also a quickly evolving area with both capabilities and threats in a constant duel for leadership. Today it’s Google Cloud’s turn to push its security capabilities further, fittingly at a European event, where general cloud skepticism tends to be higher than in North America or APAC.”

Photo: SiliconANGLE
