Google Cloud Rolls out New Security Services with Focus on Open-source Software and Zero Trust Security

Highlights –

• Google also introduced BeyondCorp Enterprise Essentials, designed to help organizations start deploying Zero Trust implementation quickly and easily.
• One of the major services introduced at the summit was the Assured OSS service which will be made available as a preview in Q3 2022.

At its annual Google Cloud Security Summit event, Google Cloud revealed that it would be rolling out a few new security services. These services have been designed especially to address enterprise challenges, including securing open-source software and accelerating the adoption of zero-trust architectures.

The company said it’s following up on its Invisible Security effort that assures to bake security into tools and services mostly used by enterprises and other customers.

The announcements focus on software supply chain security, zero trust, and tools that make it easier for enterprises to adopt Google Cloud’s security capabilities.

To cite an example, at the summit, Google Cloud announced the launch of its Assured Open Source Software (AOSS) service, which gives enterprises and government organizations the advantage of accessing the same vetted open-source packages that Google uses in its projects.

Google reported that these packages are scanned, analyzed, and fuzz-tested for vulnerabilities regularly. It is built with Google Cloud’s Cloud Build service with evidence of SLSA-compliance (Supply-chain Levels for Software Artifacts, a framework for safeguarding artifact integrity across software supply chains).

Google usually signs these packages and distributes them through Google’s secured registry.

Google mentioned, “Assured OSS helps organizations reduce the need to develop, maintain and operate a complex process for securely managing their open source dependencies.”

“Today patching security vulnerabilities in open-source software often feels like a high-stakes game of whack-a-mole: fix one, and two more pop up,” wrote Sunil Potti, Vice President and General Manager of Google Cloud Security, in a blog about the new services.

“This helps explain research done by Sonatype software that shows that there’s a 650% year-over-year increase in cyberattacks aimed at open-source software (OSS) suppliers.”

Potti added, “The scale of Google’s ongoing effort to find OSS vulnerabilities would be challenging for any organization to construct and operate. We continuously fuzz 550 of the most commonly-used open-source projects, and as of January 2022, that process has found more than 36,000 vulnerabilities.”

The Assured OSS service will mostly be made available as a preview in Q3 2022.

When it comes to zero trust, Google introduced BeyondCorp Enterprise Essentials, which has been designed to help organizations quickly and easily start deploying Zero Trust implementation.

The solution brings context-aware access controls for SaaS applications and other apps connected through SAML-connected services (Security Assertions Markup language), an XML-based protocol that supports real-time authentication and authorization across federated Web services environments. It also comes with threat and data protection capabilities, including data loss prevention, malware, phishing protection, and URL filtering, integrated into the Chrome browser.

“It’s a simple and effective way to protect your workforce, particularly an extended workforce or users who leverage a ‘bring your device model,” Potti stated. “Admins can also use Chrome dashboards to get visibility into unsafe user activity across unmanaged devices.”

BeyondCorp Enterprise includes an app and client connector that can simplify connections to apps running on other clouds such as Azure or AWS without the need to open firewalls or set up site-to-site VPN connections, Potti stated. He added that the client connector enables zero-trust access to non-HTTP, thick-client apps hosted on-prem or in other clouds.

Some other new security tools and services delivered by the company include –

• Security Foundation is designed to help enterprises adopt Google Cloud’s security capabilities more easily. It will allow customers to access Google guidance on setting up data protection, security monitoring, network security, and other features.
• New custom detection capabilities for Google’s risk management platform, Security Command Center, enable customers to bring their own detection rules and perform configuration checks based on specific needs.