
Tips for Increasing Visibility and Control with Google Cloud



Google administrators often struggle with the monumental task of making sure that everything is flowing smoothly in the business. That means not only keeping track of how well technology is performing but also examining what kind of tools and software your team relies on most when it comes to accomplishing their goals on the cloud.

While there are many things that a good Google admin needs to thrive in their job, two of the most valuable of all are visibility and control. Fortunately, the Google team is constantly working to provide customers with higher levels of control and visibility when it comes to everything from data, to team performance.

Let’s take a look at just some of the tools and solutions that you can use within the Google Workspace (G Suite) environment to take your visibility efforts to the next level.

Storing Encryption Keys with External Key Manager

In November 2019, Google used Cloud Next as an opportunity to announce a range of updates to the way that administrators can control and manage keys on the cloud. With a wide selection of encryption options to choose from, admins have more choice when it comes to balancing risk, operational efficiency and security in the cloud.

As standard, Google Cloud automatically encrypts customer data at rest. You also get access to various solutions for managing and controlling encryption keys. For instance, the External Key Manager works with the Cloud KMS solution, allowing teams to encrypt their data in both Compute Engine and BigQuery. Your encryption keys are stored and managed in a third-party system deployed outside of the infrastructure that you already rely on with Google.

The benefit of this solution is that it allows you to maintain a separation between the data that you hold at rest, and your encryption keys, while still having access to all of the power of the Google cloud environment for computing and analytics. To make access even easier, Google even partnered with leading key management vendors like Equinix, Unbound, and Ionic.

More Control Over How Data is Accessed

Another update announced at the end of 2019 that has continued to gain traction in 2020 is the arrival of Google Cloud’s transparency solution for data management. Key Access Justifications are a feature designed to work with your External Key Manager. Basically, this technology offers an in-depth justification, perfect for auditing purposes, whenever a key is requested for the decryption of data.

This allows administrators to access a greater level of transparency when dealing with data on the cloud and storing information. There’s also a mechanism built in that allows you to approve or deny the request to use the key using an automated policy established by your team.

By using Key Access Justifications and External Key Manager together, you can also decide if you want to deny Google the option to decrypt your data too. This means that you have complete control over your information. That’s a level of control that you just can’t get from any other cloud provider. The changes to encryption that Google introduced in 2019 also complemented other updates like:

  • Cloud HSM availability in all Google Cloud regions.
  • Key importing solutions for Cloud HSM
  • Application layer secrets encryption support for GKE
  • Customer managed encryption keys for GKE disks
  • Customer managed encryption for Cloud SQL keys.
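The automated approve-or-deny policy described above for Key Access Justifications can be sketched as follows. This is an added example, not Google's or any key manager vendor's code: the policy table, key names, function names and the justification reason strings are assumptions about what an external key manager would receive and enforce.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical per-key policy: the justification reasons each key may be
# released for. A key with no entry is never released (default deny).
POLICY = {
    "payroll-key": {"CUSTOMER_INITIATED_ACCESS"},
    "analytics-key": {"CUSTOMER_INITIATED_ACCESS",
                      "GOOGLE_INITIATED_SYSTEM_OPERATION"},
}

@dataclass(frozen=True)
class KeyRequest:
    key_id: str
    operation: str          # e.g. "decrypt"
    reason: Optional[str]   # justification sent with the request, if any

def decide(req, policy=POLICY):
    """Return (allowed, detail) for one key request."""
    allowed_reasons = policy.get(req.key_id)
    if allowed_reasons is None:
        return False, "no policy for key"
    if not req.reason:
        return False, "no justification supplied"
    if req.reason not in allowed_reasons:
        return False, "reason not permitted for this key"
    return True, "reason permitted"

def audit(requests, policy=POLICY):
    """Decide every request and keep a record of each decision for auditors."""
    records = []
    for req in requests:
        ok, detail = decide(req, policy)
        records.append({"key": req.key_id, "op": req.operation,
                        "reason": req.reason,
                        "decision": "ALLOW" if ok else "DENY",
                        "detail": detail})
    return records

# Constructed sample requests, not captured traffic.
SAMPLE = [
    KeyRequest("payroll-key", "decrypt", "CUSTOMER_INITIATED_ACCESS"),
    KeyRequest("payroll-key", "decrypt", "GOOGLE_INITIATED_SYSTEM_OPERATION"),
    KeyRequest("analytics-key", "decrypt", "GOOGLE_INITIATED_SYSTEM_OPERATION"),
    KeyRequest("payroll-key", "decrypt", None),
    KeyRequest("unknown-key", "decrypt", "CUSTOMER_INITIATED_ACCESS"),
]

if __name__ == "__main__":
    for record in audit(SAMPLE):
        print(record)
```

In this sketch the payroll key is never released for a provider-initiated reason, which is the "deny Google the option to decrypt" case, while every decision still leaves an audit record.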

Handling Internet and Network Threats

It’s not just encryption that Google provides more control and visibility over for customers. When you create applications on the Google Cloud environment, you also get the benefit of web attack and DDoS protection at scale. Google Cloud Armor, the security solution available from Google, works with global load balancing to provide an always-on solution for attack detection and mitigation.

Google introduced a new web application firewall solution for Cloud Armor in 2019 that helps to protect applications against distributed and targeted internet threats. You can now create policies in Cloud Armor with location-based access controls, pre-configured WAF policies with location focused controls, WAF app protection, and a custom rules language to create custom filtering policies.

Cloud Armor also integrates with the Cloud Security Command Center provided by Google. This notifies customers of any unusual traffic patterns that appear within the Cloud SCC dashboard.

On top of that, Google has also introduced technology that allows companies to analyse and monitor their traffic more effectively when managing performance and security. In the public cloud, managing network traffic in a reliable environment has often been a challenge. Google’s packet monitoring service allows companies to collect and inspect network traffic for both GKE and Compute Engine. The solution is available on all machine types in all regions.

Additionally, Google has partnered with a host of experts to ensure that companies can use packet monitoring with third-party tools like those from Cisco, Netscout, Keysight, and many others.

Protecting G Suite and Cloud Identity Users

Advanced Protection from Google Workspace (G Suite) is one of the strongest solutions that the company offers for users at risk of targeted attacks. In the enterprise environment, this includes supporting both executives and IT administrators alike. The advanced protection program is already helping companies around the world to defend their G Suite and Cloud Identity users.

Since 2019, Google has been helping brands to enforce specific policies for enrolled users, spanning from security key enforcement, to blocking trusted app access. Google also offers increased app access control for enterprise admins that need to reduce data loss risks by ensuring limited access to Google Workspace (G Suite) APIs. This feature ensures that you can more easily restrict and manage which Google APIs should be available to customer-owned and third-party applications.

At the same time, Google is still building products that are committed to helping customers benefit from the techniques that the Google team uses itself. If you’re using the Cloud Security Command service to monitor your data, then you’ll be able to tap into the benefits of threat detection and prevention capabilities exclusively available from Google too.

The arrival of Event Threat Detection in the Google landscape means that administrators can detect some of the threats that are targeting their cloud resources with the use of logs. This means that you can send incident information to your Security Information and Event Management (SIEM) tools for further analysis. Event Threat Detection takes advantage of Google intelligence so that users can easily spot and eliminate problems before they cause business loss or damage.

All the while, Security Health Analytics in the Google landscape helps companies to prevent incidents by identifying compliance violations and misconfigurations in their Google Cloud Platform resources. If an issue is detected, then Google can even tell you what kind of action you need to take to improve the system and prevent further problems.

For businesses really taking G Suite and Cloud Identity protection to the next level, there’s also access available to the Chronicle Backstory product. This item, designed by the former professionals in the Google security landscape, enables anyone to use the kind of techniques that Google’s IT team uses to detect and investigate security threats too. This ensures that your team has a world-class data analytics solution to help secure your data.

Securing your Data with More Control Over Devices

There are numerous organizations in the current business landscape where administrators need to manage both on-premise and cloud-based solutions for data protection. This can make it difficult to collect and store information from various systems and tie individual events together for analytics. Fortunately, Backstory can assist with this, providing a deeper level of comprehensive intelligence.

On top of that, the Google landscape also comes with support that allows IT admins to unlock simpler strategies of managing access to devices and controlling those devices. At the end of October 2019, Google announced the arrival of new endpoint security solutions for even deeper control. Many of these features are turned on by default for both Cloud Identity and G Suite, to reduce the burden that IT admins face when it comes to ensuring that their teams have the right level of protection.

For instance, you can control devices in the Google landscape with fundamental management features. Google believes that securing your devices is one of the most important things you can do when it comes to keeping data safe. With fundamental desktop management, companies can get more management control over all of the devices that use the G Suite.

The feature comes automatically enabled on all desktop devices with access to G Suite, so that employees and agents don’t have to install new software on their tools. The secure fundamental management solution also means that administrators get a wider range of security controls to explore. You can check which devices have access to corporate data in a comprehensive dashboard, sign users out from desktop devices remotely, and allow multiple user accounts to operate on the same device.

Dynamic Access Control on the G Suite

Want even more control and visibility over your Google users? Why not take advantage of the latest solutions within G Suite too? Based on Google’s zero trust security model, and the implementation of Google BeyondCorp, the new context-aware access feature allows more secure access for users. With context-aware access, generally available to all Google Workspace (G Suite) Enterprise customers, administrators can seamlessly and dynamically control access to all G Suite applications based on user identity and the request that they make.

You can also choose to apply specific controls to various organizational units within the enterprise and apply policy-based controls to your Google Workspace (G Suite) applications too. There are various kinds of access controls that can be enforced through the context-aware access functionality. For instance, you can decide to only allow users from corporate-owned devices and corporate IP addresses to access the information stored on your Google Drive. You can also decide that you want to only allow users from high-trust organizational units to access Drive when they’re not using a corporate IP address.
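The two Drive rules described above can be expressed as one decision function. This is an added example and not Google's implementation or configuration syntax: the network range, organizational unit paths, field names and the way the two rules are combined are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: a documentation IP range standing in for the corporate
# network, and hypothetical high-trust organizational unit paths.
CORP_NETS = [ipaddress.ip_network("203.0.113.0/24")]
HIGH_TRUST_OUS = {"/Security", "/Executives"}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    org_unit: str
    source_ip: str
    corp_owned_device: bool

def on_corp_network(ip_text):
    """True if the address parses and falls inside a corporate range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # unparseable source address
    return any(addr in net for net in CORP_NETS)

def allow_drive(req):
    """Return (allowed, reason) for a Drive request under the two rules."""
    on_corp = on_corp_network(req.source_ip)
    if on_corp is None:
        return False, "invalid source address"
    if on_corp:
        # Rule 1: corporate IP addresses require a corporate-owned device.
        if req.corp_owned_device:
            return True, "corporate device on corporate network"
        return False, "non-corporate device on corporate network"
    # Rule 2: off the corporate network, only high-trust OUs get access.
    if req.org_unit in HIGH_TRUST_OUS:
        return True, "high-trust OU off corporate network"
    return False, "OU not trusted for off-network access"

# Constructed sample requests.
SAMPLE = [
    AccessRequest("ana", "/Sales", "203.0.113.10", True),
    AccessRequest("ben", "/Sales", "203.0.113.11", False),
    AccessRequest("cho", "/Security", "198.51.100.7", False),
    AccessRequest("dee", "/Sales", "198.51.100.8", True),
    AccessRequest("eli", "/Security", "not-an-ip", True),
]

if __name__ == "__main__":
    for req in SAMPLE:
        print(req.user, allow_drive(req))
```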

Although Context Aware Access only arrived within the Google landscape at the end of last year, many Cloud Identity and Google Workspace (G Suite) customers are already using the technology to protect their employees and users.

Google even gives administrators greater access to automation within their security environments too. The security center from Google Workspace (G Suite) already provides today’s administrators with the tools that they need to protect their organizations with high-level recommendations and analytics straight from Google. Within the Security Center, admins get a unified security dashboard, as well as an investigation tool that they can use to take action on security and privacy issues in a domain with ease.

However, for the start of the new decade, Google also introduced more features for automation into the mix. This means that admins can create automatic rules that remediate any issues found by the security center. You can also set up notifications to send automatically to the alert center when necessary too.

This ensures that teams of analysts and administrators can work together seamlessly on security investigations based on the alerts that occur. It also means that it’s easier to evaluate and manage any threats that emerge with actions that are automated already. You can even improve your tracking strategies by making sure that the right data is sent to the right environments. This makes a huge change to the security posture of the organization.

Control and Visibility in Google

As you can see from all the features above, the security and control capabilities of Google Workspace (G Suite) and Google Cloud just keep getting better. As we look forward to a new decade of Google Cloud solutions, and a digital Google Cloud Next experience this year, it’s likely that we’ll see even more opportunities for security and privacy management emerging from the tech giant.

In the meantime, if you want to learn more about how to get the most out of the admin features available from Google, contact Apps Admins today!