Google brings DDoS protection and other new security features to its cloud

For the longest time, enterprises worried about how secure their data would be in the cloud, and for some, that was a major roadblock for moving out of their own data centers. At this point, most major cloud providers have shown that security isn’t an issue and that they are quite capable of securing their customers’ data. Security is an ever-changing field, though, so there’s always more to be done. As if to hammer this point home, Google today is announcing a slew of new security features for both the Google Cloud Platform and G Suite.

Let’s start with the Cloud Platform updates. The highlight of the launch is the new VPC Service Controls tool for protecting API-based services. I know that name doesn’t scream excitement, but it basically provides businesses an additional security layer for their API-based services on GCP. The idea here is to prevent attackers from exfiltrating data from cloud services. Here is how Google’s VP for security and privacy Gerhard Eschelbeck describes it: “Imagine constructing an invisible border around everything in an app that prevents its data from escaping, and having the power to set up, reconfigure, and tear down these virtual perimeters at will.”

Google is also launching its Cloud Security Command Center today. This new tool will give enterprises deeper insights into their security posture across Google Cloud services like App Engine, Compute Engine and Cloud Storage. The service shows where sensitive data is stored and which apps may be vulnerable to cross-site scripting attacks. In addition, it scans firewall rules, regularly looks for changes in a company’s security settings and alerts operators to those changes so they can make sure they weren’t unauthorized.

One of the more interesting aspects of this service is that Google is also partnering with a number of security vendors like Cloudflare, CrowdStrike, RedLock, Palo Alto Networks and Qualys to detect DDoS attacks, policy violations, network intrusions and other threats. 

As far as DDoS attacks go, Google also today announced a new service called Cloud Armor (see, GCP can do naming right sometimes!). Cloud Armor is both a DDoS and application defense service that provides all the usual IP white- and blacklisting tools and integrates with Google’s Global Load Balancing service.

Other Cloud Platform security updates include new logging tools, updates to the Data Loss Prevention API and new tools for managing access to GCP resources. The Google Cloud Platform is now also FedRAMP certified at the Moderate Impact level, though unless you work for the U.S. federal government or a state or local agency, you probably don’t care much about that.

As for G Suite, Google is launching a couple of new charts in that product’s security center dashboard (for OAuth activity and Business Email Compromise scam threats) and users can now customize the dashboard, too. Exciting stuff. What’s probably more interesting is that Google now defaults to turning on features like flagging emails from untrusted senders with encrypted attachments or embedded scripts. The service will now also warn users about emails that try to spoof employee names from domains that look similar to your official one and, among other things, it’ll now default to expanding shortened URLs to scan for malicious links.

There are a couple more updates here, but the main point Google is clearly trying to make is that it takes security very seriously. I don’t think anybody doubted that before, given the company’s investment in various security efforts over the years, but there’s nothing like announcing a few dozen major and minor updates to remind people.