Cloud CISO Perspectives: April 2022
VP, Chief Information Security Officer, Google Cloud
This month marks one year of our Cloud CISO Perspectives Series! Over the past year, we’ve discussed many milestones and challenges across our industry. I’m most proud of the work our collective security teams at Google Cloud are doing everyday to help improve security for our customers and society at large through the cloud.
Below, catch up on the latest updates from our Google Cybersecurity Action Team, open source software security progress, and don’t forget to register for our Google Cloud Security Summit…
Google Cloud Security Summit
On Tuesday, May 17, we will host our second annual Google Cloud Security Summit to introduce the latest advances in our portfolio of security solutions and share our vision for the future of security. Major themes of the sessions include how we are helping customers move to zero trust architectures, new solutions that help strengthen software supply chain security, resiliency frameworks to help defend against ransomware and other emerging threats and new products and capabilities in cloud governance and digital sovereignty. You’ll also hear directly from our Google Cloud customers who are solving some of today’s biggest business challenges with our security solutions and services. Don’t miss these sessions:
Managing the risks of open source dependencies in your software supply chain
A comprehensive strategy for managing sensitive data in the cloud
Register for the event here.
Open Source Software Security
In February, Google announced support for the OpenSSF’s Alpha-Omega Project to help improve improve the security posture of open source software. The announcement came after our participation, alongside many other industry leaders, in the White House Summit on open source software security.
Earlier this month, OpenSSF announced that it has selected Node.js as the first open source project to receive support through the Alpha-Omega Project, committing $300,000 throughout 2022 to enhance Node.js security resources and vulnerability maintenance. It's exciting to see the progress being made since the log4j vulnerabilities to support better open source security standards and practices for all. We still have a lot of work to do in this area, and Google remains committed to advancing the future of open source software security.
Google Cybersecurity Action Team Highlights
Here are the latest updates, products, services and resources from our cloud security teams this month:
Secured data warehouse blueprint: At Google Cloud, we take an active stake to help customers achieve better security through our shared fate vision, which drives us to make it easier to build robust security into their cloud deployments. One way we do help customers is by providing best practices and opinionated guidance in the form of security blueprints. Earlier this month we announced the latest addition to our portfolio of blueprints - the Secured Data Warehouse Blueprint guide and deployable Terraform - to help accelerate our customers' cloud data warehouse deployments.
Automatic DLP for BigQuery: Continuing on our mission to deliver secure products, not just security products, the Google Cloud Security team released Automatic DLP for BigQuery in general availability. This is a fully-managed service that can continuously scan data across an entire cloud organization to provide general awareness of what data exists and specific visibility into where sensitive data is stored and processed, ultimately helping customers prevent unintended exposure.
Chronicle MSSP Program: We introduced the new Chronicle MSSP Program, which will offer MSSPs around the world the ability to help provide scalable, differentiated, and effective detection and response capabilities with our cloud-native SIEM product, Chronicle.
Chrome Browser Cloud Management for Mobile Devices: As hybrid work becomes the reality for many organizations today, employees more than ever before need easy access to business apps and data - anytime, anywhere, and on their devices. For IT admins, they need to be able to manage their tech stack across various devices and operating systems. In Chrome Browser Cloud Management, IT admins can manage and help secure their organization’s browser from the cloud across Windows, Linux, macOS and now, Android and iOS as well.
API Management Security: API connectivity between business applications intra- and inter- enterprise is more prevalent than ever, and we see security as the number one consideration for this connectivity. Apigee outlined other considerations in a recent trends piece.
Cloud Network Design: While we focus on workload security, identity, and access controls and application security, it’s important to remember the foundational controls in cloud networking. These controls include the use of shared VPCs to provide for separation of duties between the security and other teams over network policy configuration and the valuable use of VPC Service Controls to establish not just defense in depth from attacks, but also defense in depth from configuration errors. Learn more about our best practices for network design in this blog post.
Confidential VMs in healthcare: The Idea Evolver and AstraZeneca teams recently discussed how they are using Google Cloud products and services like Confidential VMs for their Technology-Assisted Cholesterol Trial in Consumers (TACTiC), a Software as a Medical Device (SaMD) application designed to ensure that only the candidates in the trial with an appropriate level of risk are eligible to access the appropriate medicine. Confidential VMs allow for encryption of data while in use, helping to protect the confidentiality of personal health data.
TIC compliant solutions on Google Cloud: Trusted Internet Connections (TIC) is a federal cybersecurity initiative established in 2007 to enhance network and boundary security across the federal government. The new TIC version 3.0 broadens the concepts of the program to accommodate cloud and mobile applications. As part of our commitment to supporting U.S. Federal Agencies, we shared several resources to help agencies design and deploy TIC 3.0 compliant solutions on Google Cloud. We prepared these artifacts to align with the controls, use cases, and assumptions provided in the Cybersecurity & Infrastructure Security Agency (CISA) TIC 3.0 core guidance documents.
Compliance & Controls
Managing Cloud Encryption Keys: One of Google Cloud’s biggest differentiators is the breadth of customer controls for managing data on Google Cloud. These key controls includes our Cloud External Key Manager (Cloud EKM) solution, which can allow customers to protect their data in Google Cloud with encryption keys that are stored and managed in a third-party key management system outside Google Cloud’s infrastructure. The Cloud EKM team has added several features to Cloud EKM, including:
Cloud EKM over VPC: Cloud EKM support for Virtual Private Cloud (VPC) networks is now available, allowing Cloud EKM to connect via a secured private network to help provide customers stricter control over network access to their external key manager.
Support for asymmetric keys: Cloud EKM now recognizes both RSA and Elliptic Curve asymmetric keys created in a supported external key manager in addition to symmetric encryption keys.
Protection level organization policy: A new organization policy available for Cloud KMS that allows for fine-grained control over what types of keys are used.
2021 CCAG customer pooled audit: We work closely with our customers, their regulators, and appointed independent auditors who want to verify the security and privacy of Google Cloud. One example of how the Google Cybersecurity Action Team supports customers’ risk management efforts is our recently completed annual audit with the Collaborative Cloud Audit Group (CCAG). The pooled audit executed by CCAG is an example of customers working together to efficiently deploy their resources and gain detailed information and assurances of Google Cloud’s trust posture. The annual engagement lasts approximately six months and is a comprehensive assessment of the design and the effectiveness of Google Cloud security and privacy controls.
Help meet Canadian compliance requirements with Protected B Landing Zone: As part of our commitment to serving the Canadian government with the security capabilities and controls they need, we’ve developed a set of open-source recommendations that map Google Cloud capabilities and security settings to Canadian Protected B regulatory requirements.
We’ll be back next month with more important updates on our efforts to secure open source software and to recap highlights from our Cloud Security Summit. We hope to see you there. To have our Cloud CISO Perspectives post delivered every month to your inbox, sign up for our newsletter. We’ll be back next month with more security-related updates.