Google Cloud Next UK: Google Highlights European Data Protections

Google has expanded its cloud offerings for European customers in the past year, as well as delivering additional data encryption, network security, security analytics, and user protection tools.

Google announced the developments at the Google Cloud Next UK event currently being held at ExCel in London, as evidence of how it is seeking to protect European data, even from Google itself.

Google also included a commitment to its European customers to protect their data with an expansion of its compliance certifications, most recently adding HDS, TISAX, and obtaining an ISAE 3000 report (relating to FINMA compliance) to its compliance list.

European expansion

The Google Cloud has been available in Europe since 2012, but in the past year it has added to its existing cloud region footprint of Belgium, Finland, Germany, the Netherlands, and the UK by launching its new cloud region in Zurich.

There are also plans for another new region in Poland, although no timeframe has been mentioned at the time of writing.

Google says that its platform “is designed to fully empower European organisations’ strict data security and privacy requirements and preferences.”

This means that the European Google Cloud customer can decide where their cloud data resides, who has access to the data. Customers can for example store data in a European region, ensure data is not moved outside of Europe, for compliance reasons.

And access to that European data can be limited, so that users and administrators outside Europe cannot access the data. Customers can also manage their own encryption keys and ensure they are stored in a European region.

To this end Google Cloud has also announced today that customers can store their encryption keys outside Google Cloud’s infrastructure. Businesses can receive a detailed justification each time a key is requested to decrypt data, and deny Google the ability to decrypt their data for any reason.

This is designed to give firms increasing levels of control and visibility over their data.

The ability to store and manage encryption keys outside of Google Cloud is thanks to the ‘External Key Manager’ tool, designed to help protect cloud workloads.

Google Cloud said it was the first cloud provider to offer customers the ability to bring their own encryption keys for use in its cloud.

The new External Key Manager is coming soon as a beta offering, and it works with Cloud KMS and lets customers encrypt data in BigQuery and Compute Engine with encryption keys stored and managed in a third-party key management system deployed outside Google’s infrastructure.

External Key Manager also provides an audit trail of key access, use, and location, so customers can document crypto operations for auditors for governance and compliance requirements.

Another security feature is the ‘Key Access Justifications’ (coming soon), which allows administrators to decide when and why their data can be decrypted. It provides a detailed justification each time one of the keys is requested to decrypt data, along with a mechanism for the customer to explicitly approve or deny providing the key using an automated policy that they set.

The combination of the External Key Manager and Key Access Justifications, essentially gives customers the ability to deny Google the ability to decrypt their data for any reason.

External protections

And Google also took the opportunity to highlight that when businesses set up their applications on the Google Cloud, they benefit from DDoS and web attack protection.

“Google Cloud Armor works with our global Cloud Load Balancing infrastructure and provides always-on attack detection and mitigation so you can run your business without interruption,” said the search engine giant.

To this end it also announced Cloud Armor’s new web application firewall (WAF) capabilities, which are designed to help protect applications against targeted and distributed internet threats. Cloud Armor policies can be configured with geo-based access controls, and pre-configured WAF application protection rules to mitigate risks.

Cloud Armor also now integrates with Cloud Security Command Center (Cloud SCC), notifying customers of suspicious application traffic patterns directly in the Cloud SCC dashboard.

Google is also offering new Packet Mirroring service (in beta) that allows for the collection and inspection of network traffic at scale, available for all machine types in all of Google’s European regions.

This can be used with third party tools from the likes of Awake Security, Check Point, Cisco, Corelight, cPacket Networks, ExtraHop Networks, Flowmon, Ixia by Keysight, Netscout, and Palo Alto Networks.

Google also said that its Advanced Protection Program is generally available for G Suite and Cloud Identity customers; and it has also introduced app access control, helping businesses to reduce the risk of data loss by limiting access to G Suite APIs to third-party apps they trust.

There is also a beta tool called ‘Event Threat Detection’ to help customers detect threats targeting their cloud resources using logs; and there is ‘Security Health Analytics’ to prevent incidents by identifying potential misconfigurations and compliance violations in a customer’s GCP resources and suggesting appropriate corrective action.

Google is therefore working hard to convince European businesses that it has their best interests at heart. But there may be some work still to do.

Last month European officials urged the creation of a local alternative to the cloud computing services offered by Amazon AWS, Microsoft Azure and Google Cloud.

The finance ministries of France and Germany had issued a joint statement calling for an European alternative.

Quiz: What do you know about Google?