It's day two of Google's Cloud Next 2018 conference in San Francisco – and the Chocolate Factory has been unveiling its defenses to thwart hackers and malware.
Top of the list is the Titan two-factor authentication widgets Google is going to start shipping later in the year, consisting of a pair of USB and Bluetooth key fobs. They're familiar to those of us who are signed up to Google's Advanced Protection Program. The web ads giant wants to put them on general release so netizens can buy and use them to secure their Google accounts online.
The keys follow the FIDO standards used by other two-factor gadgets, such as YubiKeys. In addition, Google services will check the firmware of a key every time it's used to make sure it's legit. Google has eaten its own dog food with this tech, and insists its 85,000-plus staff use the gadgets to log into their work accounts. It apparently has not had a single successful intrusion via phishing in the last year as a result.
Google is hoping for wider adoption than it has had with phone-based two-factor authentication. So far only 10 per cent of Gmail users have multi-factor protections enabled, seven years after the security was added to the webmail service.
The founder of Yubico, which makes the YubiKey, Stina Ehrensvärd said in a blog post that her company welcomed the announcement, and that better security was good for all. But she questioned Google's decision to include a Bluetooth as well as a USB key.
"Google’s offering includes a Bluetooth (BLE) capable key," she said. "While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability. BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience."
The Chocolate Factory has also promised a host of new cloud security features to come soon.
Select users of Google's Cloud IAM, Cloud IAP and Cloud Identity services can now try out a beta of contextually aware security, which allows admins to lock down accounts if it looks like someone's a bad actor by cross-referencing their location. Google is also introducing a beta of geolocation blocking in its Cloud Armor suite, which will stop overseas scammers from successfully logging in.
G Suite users will also now get access to a G Suite security center investigation tool. Google is also going to spin up Cloud HSMs – hardware security modules – so customers can "host encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 certified HSMs."
On the container front, people using Kubernetes will be able to sign up for a beta of Google's Binary Authorization system, which will insist on valid digital signatures for containers before powering them up. In addition there will also be a Container Registry Vulnerability Scanning facility that checks Ubuntu, Debian, and Alpine images for exploitable flaws.
Folks can also beta test Shielded VMs on Google's cloud. These try to detect and prevent attempts to subvert or interfere with virtual machines.
All this stuff is going to come, Google has promised, but firm release dates haven't been forthcoming. ®