Over the past few years, most of the enterprise cloud story has been focused on AWS and Azure, while Google was often pushed to the background with comments like “it is a great platform/technology, but it is just not ready for the enterprise.”
In a recent interview with TechCrunch, Google Cloud CEO Diane Greene reflected on how things looked when she took the reins back in 2015: “We didn’t have all the audit logs. We didn’t have all the fine-grained security controls. We didn’t have the peer-to-peer networking. We didn’t have all the compliance and certification.” In the three years since, Google Cloud has matured its technology, hired a sales team to support its growth, partnered with key players and made strategic acquisitions to grow and improve its enterprise position.
This article explores the recent changes to Google Cloud Platform (GCP), including its strategic acquisitions, recent technology announcements, key differentiators and common areas of concern, to identify whether or not GCP is, in fact, enterprise-ready.
Recent Google Acquisitions
Over the past 18 months, Google has made a number of strategic acquisitions to extend its capabilities, specifically targeting the enterprise space.
In September 2017, Google acquired enterprise-grade identity management company, Bitium. This acquisition forms a key part of their Google Cloud Identity vision and represents a step toward providing enterprise clients with “…a comprehensive solution for identity and access management and single sign-on (SSO) that works across their modern cloud and mobile environments.” Specifically, the acquired technologies assist in the management of enterprise cloud implementations for applications working across the GCP and G Suite offerings.
In May 2018, Google acquired a leader in enterprise cloud migration technology, Velostrata, to help its clients migrate their on-premises workloads to GCP. This streaming-based migration technology promises to provide a more streamlined approach for lift-and-shift migrations.
Also in May 2018, Google acquired big data analytics company Cask Data, to help its clients more easily build and run big data solutions. The development of Cask’s core product, the Cask Data Application Platform (CDAP), will now form part of Google’s ever-increasing suite of open-source technologies, and will likely offer much deeper integration with GCP going forward.
Recent Technology Announcements and Key Differentiators
Like most cloud providers, Google supplies an almost continuous stream of new features and capabilities. Recently there has been a significant increase in features aimed squarely at the needs of enterprise customers.
Many clients have strict compliance policies requiring that virtual machines (VMs) not share a hypervisor or hardware with another organization. In June, Google announced a sole-tenant option for deploying instances. This allows clients to reserve the entire hypervisor for their sole use, thereby addressing these isolation requirements. While currently still in beta, GCP’s new Shielded VM capability provides a mechanism to verify that compute instances have not been tampered with. In addition, GCP provides the unique capability for clients to define their own custom VM configurations. All these features, coupled with GCP’s strong performance and consistency, make compute on GCP very competitive with the AWS and Azure offerings for enterprise workloads.
Advances in Networking
Google has always had an advantage when it comes to network performance due to their Andromeda SDN technology. The main gaps to adoption in the past were the lack of both an internal load balancer (LB) and an interproject network model. GCP’s new internal LB, released in early 2017, closes the first of these gaps well, especially considering it has the same strong performance/scaling characteristics as the existing regional external LB. Coupled with GCP’s global external LB capabilities, it provides an excellent load balancing toolkit that rivals the AWS and Azure offerings.
GCP’s interproject networking support comes in the form of its Shared VPC. This acts like the hub in a hub-and-spoke model, allowing multiple projects to be connected without the need to traverse the public Internet or use VPN-based solutions. Additionally, since the Shared VPC exists in its own project, the model enables clients to completely separate network administration from application management. While this represents a different paradigm from AWS and Azure, the clear separation of duties is a useful feature.
In addition to these two new features, GCP has also introduced Private Access, which gives clients the ability to connect directly to GCP services from inside the VPC without traversing the public Internet. Some extensions to this capability are currently in beta, such as private services access to hybrid scenarios (via VPN or private interconnect), and limiting access to GCP APIs to specific sources (based on the context, such as IP range, GCP project, etc.).
Google also recently announced a new service called Cloud Armor (currently in alpha) that provides a mechanism for clients to apply security policies to their load balancers via a whitelist/blacklist.
Generally, the networking capabilities of GCP fare extremely well when compared with either AWS or Azure, especially in relation to performance and scalability. There is, however, still room for improvement in GCP’s logging capabilities at the network layer.
The majority of enterprises are leveraging some form of SSO capability, or are in the process of implementing it. Consequently, SSO functionality is a major factor in choosing a cloud provider. Much like Azure, GCP supports SSO (SAML 2.0-based) for both the console and command line tools (gcloud, gsutil, etc.). Although clients previously needed a G Suite subscription to enable this capability (which was overkill for many organizations who were not using the rest of the G Suite tools, such as Gmail, Google Docs and Google Drive), this all changed when Google decoupled the identity portion of G Suite into a separate free offering called Cloud Identity. Google also partners with SSO providers to enable Cloud Identity to act as an identity provider (IdP) to services such as Ping and Okta, or to enable access to other third-party services such as ServiceNow, Trello, Slack and others. If Cloud Identity does not fit into their architecture, clients can leverage third-party IdPs to enable access to GCP services. Together, these identity federation features bring GCP in line with the capabilities of both Azure and AWS.
Cloud IAM and Permissions
In the past, GCP offered a rather light security model with simple owner/editor/viewer roles (referred to as primitive roles). This was far from ideal for the enterprise where more granular access controls are necessary. In early 2016 Google added predefined roles and, more recently, custom roles. Together, these change the game significantly, as they allow for granular access management via a series of predefined roles (and custom roles where necessary). These features represent a great move in the right direction, launching GCP into the same enterprise ballpark as AWS and Azure, which have had these capabilities for a while.
Alongside the addition of these granular controls, Google has also incorporated the concepts of “organizations” and “folders.” These logical constructs allow clients to define a tiered structure that aligns with their business and to propagate IAM policies down that structure. For example, clients could define a folder for each business unit (BU) in their organization, and place each of the BU applications in a project under that folder. By simply assigning permissions at the BU folder level, clients can manage a large portion of their cloud footprint. While there are some complexities to keep in mind, such as the operation of inheritance, this is a very powerful tool that is worth the time to master.
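The inheritance behaviour described above is easy to get wrong in practice, so here is a small model of it, added as an example rather than taken from Google's code: bindings granted on an organization or folder flow down to every project beneath, and nothing set on a child can remove them. The organization, folder, project and member names are constructed, and the model covers plain role bindings only.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Resource:
    """One node of the GCP resource hierarchy: organization, folder or project."""
    name: str
    kind: str                                   # "organization", "folder" or "project"
    parent: Optional["Resource"] = None
    bindings: Dict[str, Set[str]] = field(default_factory=dict)  # role -> members
    children: List["Resource"] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)

def grant(res: Resource, role: str, member: str) -> None:
    """Add an IAM binding on one resource (what add-iam-policy-binding does)."""
    res.bindings.setdefault(role, set()).add(member)

def effective_roles(res: Resource, member: str) -> Set[str]:
    """Roles the member holds on res: the union of the bindings on res and on
    every ancestor. Inheritance only adds; nothing set on a child can take away
    a role granted higher up the tree."""
    roles: Set[str] = set()
    node: Optional[Resource] = res
    while node is not None:
        roles.update(r for r, members in node.bindings.items() if member in members)
        node = node.parent
    return roles

def projects_reached(res: Resource, role: str, member: str) -> List[str]:
    """Blast radius of a binding: every project under res on which the member
    effectively holds the role."""
    hits = [res.name] if res.kind == "project" and role in effective_roles(res, member) else []
    for child in res.children:
        hits.extend(projects_reached(child, role, member))
    return sorted(hits)

# Constructed hierarchy: one organization, a folder per business unit,
# one project per application (all names are made up for this example).
org = Resource("example-org", "organization")
finance = Resource("finance", "folder", org)
hr = Resource("hr", "folder", org)
ledger = Resource("finance-ledger", "project", finance)
payroll = Resource("hr-payroll", "project", hr)

grant(org, "roles/viewer", "alice@example.com")       # read everything, org-wide
grant(finance, "roles/editor", "alice@example.com")   # write only within the finance BU
grant(payroll, "roles/editor", "bob@example.com")     # write on a single project
```

Running `projects_reached(org, "roles/editor", "alice@example.com")` is the question to ask before granting a role on a folder: it lists every project the binding will reach.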
Encryption and Key Management
Data encryption is always a key area of concern for enterprises looking to move to the cloud. By default, all data stored in GCP is encrypted using keys managed by Google, similar to the Azure model. While this is a great fit for a large portion of the data being stored, it does not offer the level of control that many enterprises require for their more sensitive data and workloads.
Google offers clients two options for obtaining more control of their keys and the data they protect. The first option, Customer Managed Encryption Keys (CMEK), provides a mechanism via the Cloud Key Management Service (Cloud KMS) to control the key lifecycle, including key creation, deletion and both automated and at-will key rotation. This is a relatively new offering and is in general availability for BigQuery, Google Compute Engine (GCE), Google Cloud Storage (GCS) and in beta for Cloud Dataproc. The second option, Customer Supplied Encryption Keys (CSEK), is similar to the AWS SSE-C capability, whereby the key is provided to the service in each API call. While this model enables full control of the keys and their lifecycle/storage, it comes with large implementation overheads. CSEK is currently available for GCE and GCS.
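To make the CSEK overhead concrete, the following added example (not Google's code) builds the headers a Cloud Storage request carries when the client supplies its own key, and the header pair a rewrite needs to rotate an object from one key to another. The header names follow the GCS documentation for customer-supplied keys; the keys themselves are constructed for the example and nothing is sent to GCS.

```python
import base64
import hashlib
from typing import Dict

def csek_headers(raw_key: bytes, prefix: str = "x-goog-") -> Dict[str, str]:
    """Headers a GCS request must carry to use a customer-supplied key.
    The key travels base64-encoded, together with a base64 SHA-256 of the raw
    key that GCS uses to confirm it received the key intact. With prefix
    'x-goog-copy-source-' the same three headers name the key of the source
    object in a rewrite."""
    if len(raw_key) != 32:
        raise ValueError("CSEK must be a raw 256-bit AES key")
    key_b64 = base64.b64encode(raw_key).decode("ascii")
    sha_b64 = base64.b64encode(hashlib.sha256(raw_key).digest()).decode("ascii")
    return {
        prefix + "encryption-algorithm": "AES256",
        prefix + "encryption-key": key_b64,
        prefix + "encryption-key-sha256": sha_b64,
    }

def rotation_headers(old_key: bytes, new_key: bytes) -> Dict[str, str]:
    """CSEK has no server-side rotation: the client re-encrypts each object with
    a rewrite that presents the old key as copy-source and the new key for the
    destination. This per-object work is the overhead that CMEK via Cloud KMS
    avoids."""
    return {**csek_headers(old_key, "x-goog-copy-source-"), **csek_headers(new_key)}

def key_matches_headers(headers: Dict[str, str], raw_key: bytes) -> bool:
    """Client-side check that a stored key is the one a request was built with;
    GCS rejects a request whose key and key hash disagree."""
    expected = base64.b64encode(hashlib.sha256(raw_key).digest()).decode("ascii")
    return headers.get("x-goog-encryption-key-sha256") == expected

# Constructed keys for the example. A real key comes from a CSPRNG
# (os.urandom(32)) and must be kept by the client: GCS retains only its hash,
# so a lost CSEK means lost data.
OLD_KEY = bytes(range(32))
NEW_KEY = bytes(range(32, 64))
```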
Also in the key management space, Google’s new, managed hardware security module (HSM) offering, Cloud HSM (currently in beta), provides a solution for those with regulatory commitments necessitating FIPS 140-2 compliance. Unlike other managed HSM solutions, Cloud HSM provides integration with existing key management capabilities in GCP.
Overall, depending on the specifics of the workloads being hosted, providing sufficient protection of sensitive data is now viable in GCP. While these offerings are not quite as mature as their equivalents in AWS and Azure, they are a big step in the right direction and will only improve as Google extends the capabilities of their encryption services.
Is GCP Ready for the Enterprise?
Google has made great strides in making GCP increasingly appealing to the enterprise market and it is no surprise that several enterprise clients have already jumped on board, including: “born in the cloud” companies, such as Twitter, Spotify and Snap; data centric companies, such as Schlumberger, HSBC and Disney; and brick-and-mortar businesses, such as Home Depot, that are acknowledging the need to undergo their own digital transformation to remain competitive. Google’s strategic decisions, acquisitions and updates over the past 18 months, in conjunction with its already strong performance and consistency characteristics, data analytics capabilities and machine learning services, have positioned GCP as a strong contender in the enterprise cloud market.