Jump to Content
Security & Identity

Introducing Cloud CISO perspectives

April 12, 2021
https://storage.googleapis.com/gweb-cloudblog-publish/images/Google_Cloud_security.max-2600x2600.jpg
Phil Venables

VP, TI Security & CISO, Google Cloud

Since I joined Google Cloud as Chief Information Security Officer three short months ago, I’ve seen firsthand the unique point of view we have to improve security for our customers and society at large through the cloud. I started in this new role as the security industry was rattled by a major breach impacting the software supply chain, and I was reminded of one of the reasons I joined Google - the opportunity to push the industry forward in addressing challenging security issues and helping lay the foundation for a more secure future

Today, I’m excited to begin a new blog series that we will use to share our perspectives on the biggest announcements and trends in cybersecurity from Google Cloud and from across the industry - whether it's conference highlights, new research or achievements from our Google-wide security teams. My hope is this series serves as your one-stop-shop to learn about our most important security updates and why they matter straight from a CISO’s perspective. 

Thoughts from around the industry

  • Global Supply Chains in the Era of COVID-19 - Last month, I participated in a Council on Foreign Relations panel about the supply chain risks brought on by the COVID-19 pandemic. One of the biggest takeaways is the need for organizations and governments to discuss the ongoing steady state of risk management of supply chains as they exist today, such as risk mapping across a global supply chain. Just as physical supply chains have to prepare for natural risks, every supply chain has a digital element that could be disrupted and requires thinking through cyber prevention measures. 

  • IDC Multicloud Paper - We supported IDC in their work to investigate how multicloud can help regulated organizations mitigate risks of using a single cloud vendor. The paper looks at different approaches to multi-vendor and hybrid clouds taken by European organizations and how these strategies can help organizations address concentration risk and vendor-lock in, improve their compliance posture and demonstrate an exit strategy.

  • Operational resilience is a key area of focus for financial services firms, and regulators around the world have been evolving their guidance on the use of outsourcers, including cloud service providers, in this context. We’ve worked closely with our FSI customers in this area and as a result produced a new paper on how migrating to cloud can help ensure the operational resilience required by customers, shareholders and regulators.

  • #ShareTheMicInCyber - We celebrated an important industry effort called  #ShareTheMicInCyber for Women’s History Month, co-founded by one of our very own Googlers Camille Stewart. The benefits of DEI apply in all domains, but especially cyber, where we’ve learned first hand that diverse security teams are more innovative, produce better products and enhance our ability to defend against cyber threats. 

Google security corner 

  • Spectre proof-of-concept - Google’s security team published results from recent research on the exploitability of Spectre against web users. The research presented proof-of-concept (PoC) written in JavaScript which could leak information from a browser's memory. There is immense value in sharing these types of findings with the security community. Additionally the team’s work highlighted protections available to web authors and best practices for enabling them in web applications, based on our experience across Google.

  • Open Source Security - We continue to see tremendous activity and support for the work of the Open Source Security Foundation that Google helped establish. Membership is open to all to help drive security on many critical projects. Learn how to get involved here. We also welcomed the announcement of sigstore, a new project in the Linux Foundation that aims to improve software supply chain integrity and verification.

Google Cloud security highlights 

Our Cloud security teams have been busy this quarter. We hit major milestones with product announcements like BeyondCorp Enterprise, Risk Protection Program and launched our new Google Cloud Security podcast. Here are some of my biggest takeaways:

  • BeyondCorp Enterprise - Earlier this year, we announced our comprehensive zero-trust offering, BeyondCorp Enterprise, that brings our modern, proven BeyondCorp technology to organizations so they can get started on their own zero trust journey. 

  • Trusted Cloud - We outlined our vision to deliver a truly trusted Cloud built on three pillars: transparency and sovereignty, zero trust, and shared fate.

  • Risk Protection Program - Google Cloud announced a partnership with two leading insurers to provide specialized cybersecurity insurance coverage for Google Cloud customers who adhere to specific security best practices and provide automated documentation of their security posture through our platform.

  • Active Assist account security recommendations - Active Assist provides recommendations for our users on how to optimize their cloud deployments. We launched a new “Account security” recommender that will automatically detect when a user with elevated permissions, such as a Project Owner is not using strong authentication. They will see a notification prompting them to enable their phone as a phishing-resistant second factor, helping to further protect their account. 

  • New Security Best Practices documentation - We released two new comprehensive papers: A CISO’s Guide to Cloud Security Transformation and updated our Google Cloud security foundations guide.

Over the next few months, we’ll be busy working on a number of new papers on cloud risk management for Risk and Compliance Officers and Heads of IT Audit as well some pieces on reimagining the Security Operations Center of the future. Thanks for checking out our first post in a series of many. I look forward to sharing more CISO perspectives with you soon.

Posted in