Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

8/20/2018
03:05 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Google Updates: Cloud HSM Beta, Binary Authorization for Kubernetes

Google's latest cloud security rollouts include early releases of its cloud-hosted security module and a container security tool to verify signed images.

Google is kicking off its week with a few cloud security updates: the beta release of Cloud HSM, a managed cloud-hosted hardware security module (HSM) service, and the introduction of binary authorization for its Google Kubernetes Engine to secure production infrastructure.

The idea behind Cloud HSM is to give Google Cloud Platform (GCP) users another option to protect their sensitive data and meet compliance requirements, explains product manager Il-Sung Lee in a blog post. Users can host encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 certified HSMs to protect workloads without managing an HSM cluster.

HSM clusters require management, scaling, and upgrades, contributing to operational overhead. The Cloud HSM service is managed via regular Cloud KMS APIs, and it handles patching, scaling, and clustering without the added downtime, Lee writes.

Because the service is integrated with Google Cloud key management service (KMS), users can secure data in Google Compute Engine, BigQuery, Google Cloud Storage, DataProc, and other encryption key-enabled services with a hardware-protected key. On the compliance side, users will be able to verify cryptographic keys were created within the hardware boundary.

In addition to the beta release of Cloud HSM, Google is also announcing asymmetric key support for both Cloud HSM and Cloud KMS. Now, in addition to creating symmetric key encryption using AES-256 keys, users can create different types of asymmetric keys for signing processes or decryption. Lee reports RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 keys will be available for signing; RSA 2048, 3072, and 4096 keys can decrypt blocks of data.

Binary Authorization for Google Kubernetes Engine
Google is also rolling out a beta release of Binary Authorization for its Kubernetes Engine, reports product manager Jianing Sandra Guo, so users in enterprise security and DevOps can trust content running on their production infrastructure.

Binary Authorization is a container security feature baked into the Kubernetes Engine deployment API, Guo writes in a blog post on the news. Its purpose is to provide a "policy enforcement chokepoint" so only signed and authorized images are used in the environment.

It's especially handy in the age of containerized microservices, she explains. Many businesses run hundreds to thousands of jobs in production, often containing valuable data. While they could use identity-based control to restrict which people can deploy, this strategy relies on human operational knowledge that can't be scaled for businesses with automated build and release structures, running hundreds of deployments each day across dozens of teams.

Binary Authorization runs on three principles, Guo says: establishing preventative security by only running trusted code, simplifying governance with a single path for code to move from development to production, and using open source to keep CI/CD tools interoperable. She also adds the feature is based on internal Google tech the company uses to protect deployments.

How it works: Binary Authorization integrates with desired CI/CD stages to produce signatures as images pass through, and it blocks those that don't meet the organization's criteria. On top of signature-based verification, the tool also lets users whitelist images using name patterns.

Unpatched third-party software is a common source of production vulnerability, Guo explains. Whitelisting lets users specify a repository, path, or set of images that are allowed to deploy, limiting the opportunities for compromise via third-party images. This option provides a centralized list of third-party images so users can identify which are vulnerable.

If you want to review failed deployment attempts, Binary Authorization also integrates with Cloud Audit Logging to record failures for further analysis, Guo adds.

With today's beta release, users can create Kubernetes Engine clusters with Binary Authorization to access deploy-time policy controls. Users can set "attestors," or authorities to verify images. Deployment policies can be set at both project and cluster levels for different levels of control — for example, if you want separate policies for dev and compliance clusters.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Could you pass the hash, I really have to use the bathroom!
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9892
PUBLISHED: 2019-05-22
An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of arbit...
CVE-2019-10066
PUBLISHED: 2019-05-22
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6, Community Edition 6.0.x through 6.0.17, and OTRSAppointmentCalendar 5.0.x through 5.0.12. An attacker who is logged into OTRS as an agent with appropriate permissions may create a carefully crafted calendar appointment i...
CVE-2019-10067
PUBLISHED: 2019-05-22
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the context...
CVE-2019-6513
PUBLISHED: 2019-05-21
An issue was discovered in WSO2 API Manager 2.6.0. It is possible for a logged-in user to upload, as API documentation, any type of file by changing the extension to an allowed one.
CVE-2019-12270
PUBLISHED: 2019-05-21
OpenText Brava! Enterprise and Brava! Server 7.5 through 16.4 configure excessive permissions by default on Windows. During installation, a displaylistcache file share is created on the Windows server with full read and write permissions for the Everyone group at both the NTFS and Share levels. The ...