Google Cloud unveils its custom security chip, new security features

Its innovations in security should not only allay concerns but encourage cloud migration, Google says at the Google Next conference.
Written by Stephanie Condon, Senior Writer

Titan, Google's custom-built security chip. (Image: Google)

Business leaders are growing more comfortable with the idea of moving to the cloud, but security remains one of their top concerns.

Google, however, is arguing that its innovations in security should not just allay concerns about security but in fact encourage cloud migration. The company announced several new security developments on Thursday at the Google Next conference in San Francisco, Calif.

Google unveiled a new data loss prevention API for the Google Cloud Platform (GCP), as well as a more sophisticated alternative to VPNs. Google also announced general availability of its encryption key management system for GCP, of its security key enforcement for GCP, and of Vault for Google Drive. Additionally, stressing its commitment to transparency, Google described the security chip it has designed for use within its servers.

"We're innovating in security, and we want that to be a major reason for moving to the cloud," Jennifer Lin, director of product management for GCP, told ZDNet.

Google has built security right into its own Google servers, with a custom chip called Titan. It's a low-power microcontroller designed specifically for hardware security. The chip gives a cryptographic identity to a machine. During Thursday's keynote address, Urs Hölzle, SVP of technical infrastructure for Google Cloud, actually wore the chip on his earring to demonstrate how small it is.

"Low prices doesn't mean low security standards," Hölzle said.

Meanwhile, Google's data loss prevention API, now in beta, addresses one of the specific major concerns large customers have about the cloud: How is sensitive data handled? Leveraging machine learning algorithms, the API can identify personally identifiable information (PII), such as Social Security numbers or email addresses. The customer can choose to have the information classified or redacted. The API has clear applications in industries like finance or health care.

The Identity-Aware Proxy for GCP is also now in beta after several years of internal use at Google. Rather than connecting to a VPN, it allows customers to grant access to applications based on certain risk factors. It's easier to deploy than an end-user VPN, and it allows users to securely access applications from anywhere.

The GCP key management system, now generally available, gives customers control over how and when keys are rotated or deleted. Security key enforcement is also now generally available. It allows customers to require security key second-factor authentication for accessing GCP applications. Security key enforcement provides strong prevention against phishing, and "no other cloud provides you this protection against what is probably the number one problem for enterprises," Hölzle said.

Additionally, Vault -- which provides eDiscovery and archiving for G Suite -- is also generally available.

Across the cloud stack, security is "deeply rooted into the philosophy of Google of how developers work," Lin said.

For businesses accustomed to managing their own data centers, handing over responsibility for security to a third party can be hard, she said. Yet it gives an enterprise the freedom to focus on other aspects of its business.

"Our goal is to make sure it's there, but we don't burden our customers with the management of it," Lin continued. "Managing [security] at scale is not for the faint of heart."