A day after Google LLC talked about making its cloud services more accessible to greater numbers of people, today it’s focusing on keeping people away — the bad guys, that is.

Security is one of the most important concerns for any company thinking of moving its applications and data to the cloud — the No. 1 concern, according to Google Cloud Chief Executive Diane Greene. That’s why Google today is announcing no fewer than 10 updates designed to boost the protection of these assets.

The most intriguing of these announcements is Google’s new Titan Security Key (pictured below), which is a physical key that’s used alongside two-step verification, allowing customers to restrict access to the most secure parts of its cloud. The Titan security keys are particularly effective against so-called “phishing” attacks, in which hackers set up fake websites that ask for two-step verification codes, in order to steal those credentials.

“We’ve long advocated the use of security keys as the strongest, most phishing-resistant authentication factor for high-value users, especially cloud admins, to protect against the potentially damaging consequences of credential theft,” Jennifer Lin, product management director at Google Cloud, said in a blog post.

Patrick Moorhead of Moor Insights & Strategy agreed that the Titan key was one of the most interesting of Google’s security innovations. “It adds physical security requiring users to have the dongle to get access to the most secure areas,” he said.

Along with physical security, Google is giving cloud administrators more tools to establish policies in order to control access to different parts of its cloud. Context-aware access, which borrows many aspects of Google’s BeyondCorp security philosophy, allows admins to define and enforce granular access to Google Cloud Platform application programming interfaces, its G Suite productivity tools, third-party software-as-a-service apps and more, based on the user’s identity, location, device and the context of their request.

Google said the context-aware capabilities are being made available to its VPC Service Controls users first, before being added to its Cloud Identity and Access Management, Cloud Identity-Aware Proxy and Cloud Identity services later.

Protecting virtual machines and containers

On the infrastructure side, Google is introducing Shielded VMs in beta, a new service that allows users to monitor their virtual machines inside GCP to ensure they’ve not been tampered with. Meanwhile, for those running software containers, which are an alternative to VMs that enable applications to be built once and run anywhere, Google is touting a new Binary Authorization feature that works to ensure container images have been built properly and tested before they’re deployed. That feature can also be combined with a new Container Registry Vulnerability Scanning tool that’s able to detect vulnerable packages inside those images, Google said.

The company’s networking defense service Cloud Armor, which is used to protect services including Gmail and youTube, has also been updated with new geo-based access controls. With this, admins can now control access to different services based on the geographic location of the client that’s trying to connect with them, Google said.

Google is also offering a new and enhanced encryption service for data stored in its cloud. The company said Cloud HSM, which stands for “hardware security module,” will allow customers to host their own encryption keys for securing highly sensitive workloads without worrying about managing the HSM cluster themselves.

Covering every base

In today’s keynote Google also gave a nod to the fact that cloud admins themselves are not always responsible for data loss and security leaks. In many cases, security breaches are the result of regular employees’ mistakes – falling victim to phishing attacks, malware and so on – which is why Google is continually baking more security into the services these people frequently use, such as its G Suite productivity suite.

Google touched on this Tuesday when it announced new investigation tools for G Suite’s security center that can help companies keep a better handle on their data. The new tools use AI to help admins quickly identify any users within an organization who might be infected by a virus or malware, see what documents have been shared, remove access to any specific files and perform other security-related administration tasks.

In today’s announcement, Google expanded on that by adding new data regions for G Suite that allow admins to specify which region primary data should be stored in when it’s not being used.

Google said it’s also making its newly redesigned Gmail service available to G Suite users, having previously given them early access. The new Gmail also beefs up security with redesigned warnings for spam and malicious emails, as well as other features including Snooze, Offline Access and more.

G Suite also gains further upgrades in the form of newer Cloud Search functionality that should help companies intelligently index and secure third-party data, as well as Google Voice capabilities for admins to manage users, provision and port phone numbers, access detailed reports and set up call routing functionality more easily.

Finally, Google Drive now has a standalone enterprise version. Garrick Toubasi, vice president of engineering for G Suite, said in a press briefing that enterprise use has helped Drive grow to more than a billion users, the eighth such business in Google’s portfolio.

IoT gets a boost

Google rarely delivers a keynote these days without touching on artificial intelligence and machine learning, and today was no different as the company made time to discuss its efforts in bringing intelligence to “internet of things” devices and sensors at the network edge.

The main announcement today in that vein was the launch of a new hardware accelerator chip for such devices called the Edge TPU (pictured, above, by Injong Rhee, vice president of IoT at Google Cloud), short for its Tensor Processing Unit, plus a new software stack called Cloud IoT Edge, which brings Google’s AI technology to gateways and connected devices. The idea is that companies can build and train ML models in its cloud, run those models on the Cloud IoT Edge stack, and boost them using the Edge TPU hardware accelerator.

Rhee said the combination of these new technologies is opening up “new possibilities” for IoT, but Antony Passemard, head of product management for Cloud IoT, was more pointed in the briefing, declaring, “We think this is a game changer for IoT.”

“With powerful data processing and ML capabilities at the edge, devices such as robotic arms, wind turbines and smart cars can now act on the data from their sensors in real time and predict outcomes locally,” Rhee wrote in a blog post.

Yet another announcement: Google is now enabling people to use standard SQL queries to pluck information directly from data in its BigQuery data warehouse, without moving that data — essentially making it easy for many more people to create machine learning models. Miguel Angel Campo-Rembado, senior vice president of data science and analytics at 20th Century Fox, demonstrated setting up a query for audience analysis in 30 seconds, providing information on who’s most likely to want to see its movie “Maze Runner.”

With reporting from Robert Hof

Featured and Titan photo: Google; Edge TPU: Robert Hof/SiliconANGLE