Google Steps Up Account Security
Google recently announced it will begin offering a higher level of security for high-risk users.
In many industries, products and services are becoming ever more customizable and specific to individual consumers. Shoes, cars, golf clubs, food: whatever the product, there are probably myriad providers willing to let you shape it to your own needs and tastes.
Security is one of the exceptions to this trend. In general, security systems are designed to protect large user populations with similar needs against a body of known threats. That’s the way it has to be in most cases. Even the largest organizations with the fattest security budgets can’t afford to tailor their defenses to small groups of users. One size usually has to fit all for security.
But usually isn’t always. Google has the scale and the talent and the money to bend a lot of rules to its will, and the company is now doing that to provide better protection for some of its users who are at higher risk of compromise, including journalists, activists, and others who often are targeted by various attackers. Google is offering a higher level of security for these users, called Advanced Protection, and it includes a number of separate elements designed to make it much more difficult for attackers to gain access to targeted Google accounts.
“We took this unusual step because there is an overlooked minority of our users that are at particularly high risk of targeted online attacks. For example, these might be campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety,” Dario Salice, advanced protection product manager at Google, wrote in a post outlining the new features.
“Sometimes even the most careful and security-minded users are successfully attacked through phishing scams, especially if those phishing scams were individually targeted at the user in question.”
The Advanced Protection system relies on the use of security keys, hardware tokens that users employ for two-step verification to access their Google accounts. On a laptop or desktop machine, a user would employ a USB security key, such as a YubiKey. On a mobile device, there’s a wireless key that communicates with the user’s device. In either case, anyone trying to access an account protected by Advanced Protection would need both the account password and the token.
The system also includes a feature that prevents any apps aside from whitelisted Google apps from gaining full access to a user’s account. This feature will help protect users who accidentally or unknowingly grant malicious apps access to their accounts. That often happens in phishing attacks, especially mobile attacks, and once that kind of compromise occurs it can be maddeningly difficult to unwind. Limiting full Gmail or Drive access to trusted Google apps can stop users from being tricked into handing over the keys to their accounts.
And if an attacker tries a different attack by impersonating the user and pretending to be locked out of the account, Advanced Protection also includes an extra set of reviews of the account. All in all, the system amounts to a significant security and safety upgrade for Gmail and other Google services. And the best feature is that Advanced Protection is available for any user who wants to sign up for it, not just for the high-risk users.
This level of security might be a little restrictive for many users, but for those who have a higher level of risk or are concerned about a specific threat, it may be a good option.