Cloud storage is a foundational technology for many modern businesses, helping to store vast amounts of data that users can easily access and use to power modern data projects. At Google Cloud, we continually invest in protecting our customers’ data across all our products, including Cloud Storage.
For every Google Cloud product, security is always a top priority. As enterprise storage needs grow, our security and compliance protections grow too. Cloud Storage secures data by default with rich security controls and the ability to audit as needed. Features like Bucket Lock, Cloud Key Management Service (KMS), and Access Transparency already help keep your data safe in Cloud Storage. We’re announcing further product updates, now generally available, to protect your data, even in complex, multi-cloud environments. Let’s take a look at some of the new security features available in Cloud Storage.
What’s new with Cloud Storage security
V4 signature support with Cloud Storage
We are happy to announce the GA launch of V4 signature support with Cloud Storage. This is a critical multi-cloud security capability for our customers and partners. V4 signature capability enables customers to generate signed URLs (also referred to as pre-signed URLs) with limited permissions and duration, which they can issue to their clients/users who don’t need to have a Google identity. Signature-based authentications, especially through signed URLs, is a very common security posture used for content storage and delivery, SaaS platforms and applications, and analytics (enterprise data warehouses and analytics pipelines). You can take a look at a signature-based multimedia content storage and distribution setup example here.
Hash-based message authentication (HMAC) for Cloud Storage service accounts
You can now manage and use hash-based message authentication (HMAC) credentials associated with Cloud Storage service accounts, rather than user accounts. This feature strengthens your authentication and security by not having to rely on credentials tied to the user accounts. This feature also lets you interoperate seamlessly among multiple cloud vendors with regards to security and authentication setups and practices.
Uniform bucket-level access for Cloud IAM
Cloud Storage’s support for Cloud Identity and Access Management (Cloud IAM) enables you to apply access policies by role to Cloud Storage users, along with other Google Cloud products. The new uniform bucket-level access feature lets you uniformly configure access through Cloud IAM Policies to your Cloud Storage resources, allowing for manageability at scale. When it’s enabled on a bucket, only bucket-level Cloud IAM permissions grant access to that bucket and the objects it contains.
Putting Cloud Storage security best practices into action
Securing your enterprise storage data requires thinking ahead to protect your data against new threats and challenges. We often hear best practices and tips from Cloud Storage users on how they use Google Cloud products to enhance their company’s security posture.
Here are five recommendations to use these new features and help prevent data leaks or hacks:
1. Turn on uniform bucket-level access and its org policy
Uniform bucket-level access for Cloud Storage buckets lets you configure and enforce uniform Cloud IAM policies for your buckets. Turning this feature also ensures that you are safeguarded against any object-level ACLs, which become a challenge to manage access, especially at scale. This feature also offers an organizational policy that lets you enforce the use of uniform IAM access policies on all new buckets, if desired. Enforcing IAM policies at the bucket level can help prevent inadvertent public exposures, which can happen in the absence of this feature if users make individual objects public.
This feature has been very useful for our customers in particular from financial services and big tech industries. It lets you manage uniform permissions at scale in situations where there are lots of developers/employees who need to access the data, but it can’t be exposed outside the company.
2. Enable domain-restricted sharing
Once you’ve turned on uniform bucket-level access, another useful tool in Cloud Storage is to enforce the domain-restricted sharing constraint in an organization policy to prevent accidental public data sharing, or sharing beyond your organization. With this feature, organizations and development teams can move quickly, while security and governance teams can enforce security at scale and trust that resources have the right controls in place. Domain-restricted sharing can be used in conjunction with uniform bucket-level access to configure rock-solid access control policies and safeguard against accidental public exposures.
3. Encrypt your Cloud Storage data with Cloud KMS
Regulations for data access and control are increasingly becoming more strict. For example, GDPR made many companies change the way they collect, store and process personal information. An important piece of this puzzle is encryption key management. Cloud KMS is a cloud-hosted key management service supported by Cloud Storage that lets you manage encryption keys for your cloud storage data. You can generate, use, rotate, and destroy AES256, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys. This feature offers state-of-the-art encryption management and can help you with various regulations.
4. Audit your Cloud Storage data with Cloud Audit Logging
Cloud Audit Logs bring visibility into user activity and data access across Google Cloud, including Cloud Storage. Cloud Audit Logs reside in highly protected Cloud Storage, resulting in a secure, immutable, and highly durable audit trail. You can also use Operations (formerly Stackdriver) APIs for programmatic access and ingesting Cloud Storage audit logs into your threat detection analytics systems.
5. Secure your data with VPC Service Controls
With VPC Service Controls, you can configure security perimeters around the resources of your Cloud Storage service and control exfiltration of data across the perimeter boundary. For example, a VM within a VPC network that is part of the service perimeter can read from/write to a Cloud Storage bucket. Any attempt to access data from outside the perimeter will be denied. With your Cloud Storage buckets behind a VPC Service Control security perimeter, you have a private cloud-like security posture for your Cloud Storage data.
To learn even more about Cloud Storage and ways to enhance data protection and security, check out the access control documentation and our presentation at Cloud Next ‘19.