Security

Google Cloud's Intrusion Detection Service attempts to make security 'invisible' but cost will be the big giveaway

Fancy new system shown off at online summit


Google has introduced a new Intrusion Detection Service together with "Adaptive Protection" for its cloud firewall, but such services make security a costly feature.

The Chocolate Factory's inaugural digital security summit ran yesterday, where the company talked up its notion of "invisible security". CEO Thomas Kurian encouraged businesses to transfer their "digital assets" to the cloud in order to benefit from "cloud-native security." According to GM and VP of Cloud Security Sunil Potti, invisible security means "security technologies are designed in... security operations as a silo disappears."

It was soon apparent that achieving this goal is some distance away. The big announcement at the event was a new service called Google IDS (Intrusion Detection Service), which requires security operation skills to set up and maintain.

Network security on Google Cloud prior to the introduction of IDS

Google Cloud already has a Cloud Armor firewall (controls traffic between the internet and a customer's Virtual Private Cloud) and VPC Firewall (control traffic within a VPC). At the summit, the company introduced Cloud Armor Adaptive Protection, in preview, which detects and alerts DDoS and application-level attacks (Layer 7 or L7 in the OSI model) such as SQL injection.

Adaptive Protection can also generate a custom firewall rule to block the traffic. It uses machine learning to power its detection mechanism. Free while in preview, Adaptive Protection will require a premium Managed Protection Plus subscription when generally available. The solution also requires integration with logging and alerting to be useful. Having a SQL injection attack logged is only useful if the information is acted on, and this is where a SIEM (Security Information and Event Management) or SOAR (Security Orchestration, Automation and Response) service is needed, or at least an alert which an engineer can respond to.

Managed Protection Plus became generally available in May this year and costs $3,000 per month for up to 100 protected resources. A protected resource is the backend services behind a load balancer.

Diagram showing the role of Google IDS in securing network traffic

As for the Intrusion Detection Service, this is another threat detection analyser which works by packet mirroring of network traffic both into and within a VPC. Such a service is already available by enabling packet mirroring to a third-party service, such as one provided by ExtraHop, Cisco, Netscout or Check Point. However Google networking product manager Peter Blum said at the event that while "we always want to provide customer choice, and enabling our customers and partners to integrate with our cloud and packet mirroring is a great example... customers wanted us to provide an easier path to network threat protection built into our cloud."

It is a common big tech pattern, providing first-party services to replace third-party services, but the twist here is that IDS is also powered by a third party, in this case Palo Alto Networks. The way it works is that admins set up a cluster running the Palo Alto detection software by creating an IDS instance within their VPC. They are then able to attach sources of network traffic which will be mirrored to the IDS instance. IDS will fire alerts to a logging service, and as with Adaptive Protection, it is for the user to decide how to handle the alerts, such as to a SIEM or SOAR service. IDS will not block traffic on its own.

A Google spokesperson told us: "For example, Cloud IDS integrates with Palo Alto Networks Cortex XSOAR to enable blocking malicious traffic." It would also be possible to set up a Google Cloud Function to take action such as shutting down a service or taking other actions on receipt of a critical alert.

There is a snag with packet mirroring. How can IDS detect threats in encrypted traffic? According to the documentation, "Cloud IDS needs to see decrypted traffic. You can decrypt traffic at the L7 load balancer, or deploy a third-party appliance... Because external HTTP(S) load balancer require SSL certificates, SSL traffic between the load balancer and the client is encrypted. Traffic from the GFE to the backends is standard HTTP traffic, which Cloud IDS can inspect."

This is a security quandary: encrypted traffic is generally a good thing, except when it needs to be inspected to check for malicious intent. Google told us: "Cloud IDS can detect a range of malicious attacks without needing to decrypt the traffic, for encrypted traffic, it can still protect against command and control access and provide protection against malicious IP and URL filtering."

What will Cloud IDS cost? Google would not tell us, but said that "pricing is pay as you go and based on two metrics," these being the number of IDS endpoints and the volume of traffic inspected. Judging by the cost of Managed Protection Plus it will not be cheap. It is free during preview, though.

Many recent security incidents such as Hafnium, SolarWinds, and PrintNightmare involve Microsoft products and Windows servers or endpoints, making it easy for Google to pitch its cloud-first services, along with its Chrome OS clients, as a more secure approach – though issues like supply chain attacks and application vulnerabilities can affect software wherever it is running.

There is perhaps some tension over the extent to which security is becoming a premium feature, on Google's cloud and elsewhere, potentially putting it out of reach of smaller organisations. ®

Send us news
8 Comments

Cloud server host Vultr rips user data ownership clause from ToS after web outrage

We know the average customer doesn't have a law degree, CEO tells us

HPE bakes LLMs into Aruba as AI inches closer to network takeover

But don't worry, the models are here to help summarize technical docs and answer your questions ... for now

Pressuring allies not to fulfill chip kit service contracts with China now official US policy

Xi Jinping warns 'no force' can stop country's science and tech progress

JetBrains keeps mum on 26 'security problems' fixed after Rapid7 spat

Vendor takes hardline approach to patch disclosure to new levels

University of Washington's Workday woes leave research grants in limbo

$340M finance upgrade still working out the kinks

FTX crypto-crook Sam Bankman-Fried gets 25 years in prison

Could have been worse: Prosecutors wanted decades more

Nvidia's newborn ChatRTX bot patched for security bugs

Flaws enable privilege escalation and remote code execution

Intel's green dream is chips without any dips in Mother Nature's health

Sustainability Summit pushes industry partners to reduce their environmental impact, including harmful chemicals

US critical infrastructure cyberattack reporting rules inch closer to reality

After all, it's only about keeping the essentials on – no rush

How a single buck bought bragging rights in the battle to port Windows 95 to NT

It reached the desktop and then ...

Canonical cracks down on crypto cons following Snap Store scam spree

In happier news, Ubuntu Pro extended support now goes up to 12 years

Progress outbids private equity in offer for MariaDB plc

MySQL sibling saga continues as 40-year-old infrastructure software firm enters the fray