The theme of today’s Google Cloud update is all about security. We have two really neat security-focused updates this week!
Cloud HSM service now available in beta
For most of us, Google's default managed encryption of cloud resources is more than sufficient. However, some organizations need to supply their own encryption keys to meet compliance requirements, which they can currently do with Google's Cloud Key Management Service. Even then, some organizations have stricter encryption requirements that call for specialized physical hardware known as a hardware security module (HSM). For these stricter requirements, Google has announced a new managed service called simply Cloud HSM.
So why does hardware-based encryption matter? There is a strict compliance standard called FIPS 140-2 Level 3 which, in essence, requires that cryptographic operations be performed inside a specialized physical hardware environment, and that specialized hardware is the hardware security module we just described. The newly announced Cloud HSM service supplies these hardware security modules as a managed service that integrates with the existing Cloud Key Management Service. With the Cloud HSM service, you can create a wide variety of encryption and decryption keys in a restricted hardware environment. The service just launched in public beta, so go check it out if custom encryption is important to you.
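Because Cloud HSM keys are created through the existing Cloud KMS interface, the practical difference is a single protection-level setting on the key. The script below is an added example, not code from the original post or from Google's documentation: it creates an HSM-protected key with gcloud and then reads back the protection level KMS actually provisioned, rather than trusting the request. The project, location, key ring and key names are placeholder assumptions, and the apply step only runs when the script is invoked with the `apply` argument because it needs the gcloud SDK and a real project.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or Google's own documentation:
# create an HSM-protected key in Cloud KMS and confirm its protection level.
# PROJECT, LOCATION, KEYRING and KEY are assumed placeholder values; the
# apply step needs the gcloud SDK and a real project, so it only runs when
# the script is invoked as "./hsm-key.sh apply".
set -eu

PROJECT="example-project"      # assumption: placeholder project id
LOCATION="us-east1"            # assumption: HSM keys are regional, pick a region offering HSM
KEYRING="hsm-keyring"          # assumption: placeholder key ring name
KEY="customer-data-key"        # assumption: placeholder key name

# Full resource name of the key, which is the value other Google Cloud
# services expect when you point a customer-managed encryption key at it.
key_resource_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s' \
    "$PROJECT" "$LOCATION" "$KEYRING" "$KEY"
}

# A key only meets the hardware requirement if KMS reports protection level
# HSM for its versions; SOFTWARE means the key lives in the software KMS.
check_protection_level() {
  [ "$1" = "HSM" ]
}

apply() {
  gcloud kms keyrings create "$KEYRING" \
    --project="$PROJECT" --location="$LOCATION"

  # --protection-level=hsm is what confines the key material to the HSM.
  gcloud kms keys create "$KEY" \
    --project="$PROJECT" --location="$LOCATION" --keyring="$KEYRING" \
    --purpose=encryption --protection-level=hsm

  # Read back what KMS actually provisioned for the first key version.
  level="$(gcloud kms keys versions describe 1 \
    --project="$PROJECT" --location="$LOCATION" --keyring="$KEYRING" \
    --key="$KEY" --format='value(protectionLevel)')"
  check_protection_level "$level" || {
    echo "key $KEY has protection level $level, not HSM" >&2
    exit 1
  }

  # Encrypt a test file; the key material itself never leaves the HSM.
  printf 'hello' > plain.txt
  gcloud kms encrypt --project="$PROJECT" --location="$LOCATION" \
    --keyring="$KEYRING" --key="$KEY" \
    --plaintext-file=plain.txt --ciphertext-file=plain.txt.enc
  echo "$(key_resource_name) is HSM-backed and usable"
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

The read-back step matters more than it looks: a key ring can hold keys of different protection levels side by side, so an audit of "are we really using the HSM?" should check the `protectionLevel` field on the key versions rather than the key's name or the key ring it sits in.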
GKE Binary Authorization now available in public beta
Let’s move on to container security. One of the top concerns of enterprise security and DevOps professionals is whether they can trust what is running on their production infrastructure, especially when working with containers. For large-scale enterprises that have to manage and deploy hundreds of containerized microservices per day, it can be difficult to stop the introduction of malicious code that is slipped into production, whether accidentally or on purpose.
But fear not! With the newly announced Binary Authorization feature built into Kubernetes Engine, this just became easier. Binary Authorization seeks to automate the management of large-scale container deployments to keep out “the bad stuff”.
So how does this work? Binary Authorization keeps bad code out by:
1. Only allowing digitally signed and trusted code into production.
2. Whitelisting known first-party images while blocking unpatched third-party software.
Binary Authorization on Kubernetes Engine integrates with existing deployment tools, is built on open source software, and allows for so-called “break-glass” deployments for emergency fixes when you don’t have time to go through the authorization process.
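Both mechanisms described above, requiring signed images and whitelisting known first-party ones, are expressed in a single cluster-wide policy. The script below is an added example, not code from the original post or from Google's own tooling: it renders such a policy in the YAML form that `gcloud container binauthz policy import` consumes, and renders a pod manifest carrying the break-glass annotation for the emergency path. The project id, attestor name, registry path and image name are placeholder assumptions; the apply step needs gcloud, kubectl and a real GKE cluster, so it only runs when the script is invoked with the `apply` argument.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or Google's own tooling: a
# Binary Authorization policy that only admits images attested by a trusted
# attestor, whitelists a first-party registry path, and a break-glass pod
# annotation for emergency deployments. PROJECT, ATTESTOR, the registry
# path and the image name are assumed placeholder values; the apply step
# needs gcloud, kubectl and a real GKE cluster, so it only runs when the
# script is invoked as "./binauthz.sh apply".
set -eu

PROJECT="example-project"   # assumption: placeholder project id
ATTESTOR="ci-pipeline"      # assumption: attestor whose key signs CI-built images

# Cluster-wide policy in the YAML form that
# `gcloud container binauthz policy import` consumes.
render_policy() {
  cat <<EOF
# Known first-party base images that may run without an attestation.
admissionWhitelistPatterns:
- namePattern: gcr.io/${PROJECT}/base-images/*
defaultAdmissionRule:
  # Everything else must carry a signature from the attestor below ...
  evaluationMode: REQUIRE_ATTESTATION
  requireAttestationsBy:
  - projects/${PROJECT}/attestors/${ATTESTOR}
  # ... or the deployment is rejected and an audit log entry is written.
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
# Let the Google-maintained system images that GKE itself needs through.
globalPolicyEvaluationMode: ENABLE
EOF
}

# Break-glass: this annotation tells the admission controller to admit the
# pod regardless of policy. The bypass is recorded in the audit log, so it
# should be reserved for emergencies and reviewed afterwards.
render_breakglass_pod() {
  image="$1"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: hotfix
  annotations:
    alpha.image-policy.k8s.io/break-glass: "true"
spec:
  containers:
  - name: app
    image: ${image}
EOF
}

apply() {
  render_policy > policy.yaml
  gcloud container binauthz policy import policy.yaml --project="$PROJECT"
  # Emergency path only: deploy an unattested image with the bypass annotation.
  render_breakglass_pod "gcr.io/${PROJECT}/app:hotfix" | kubectl apply -f -
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

Two design points worth noting: the whitelist pattern is deliberately narrow (one registry path under the project rather than the whole registry), because every whitelisted path is a hole in the "signed code only" rule; and the enforcement mode is the blocking one rather than dry-run, so an unattested image is refused rather than merely logged. Break-glass deployments still leave an audit log trail, which is what makes the emergency path reviewable after the fact.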
Binary authorization for Kubernetes Engine is currently available in beta, so you can get started right away.
Thanks for reading, and we can’t wait to give you more awesome Google Cloud news next week! Watch this edition of Google Cloud Weekly here: