Cloud CISO Perspectives: August 2021
Phil Venables, VP, Chief Information Security Officer, Google Cloud
We’re more than halfway through 2021 and cybersecurity continues to be one of the most pressing issues facing organizations around the globe. As a major cloud provider, we have the opportunity to help address these challenges by delivering high levels of security in the platforms and services we offer. This remains a top priority for Google Cloud today.
In this month's post, I’ll recap how we are working with governments and enterprise customers to scale security defenses, share new product updates across Google Cloud’s security portfolio, and provide industry highlights from our financial services and public sector organizations.
Thoughts from around the industry
- Joint Cyber Defense Collaborative: Earlier this month, Google Cloud joined as an initial partner for the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) Joint Cyber Defense Collaborative (JCDC). This initiative, which aims to prevent and reduce the impact of cyber threats on the public and private sectors, is an essential step to further our efforts to strengthen our collective defensive security posture. We’re excited to expand on these critical areas through the JCDC initiative in the coming months with state, local and federal government agencies and the security community.
- White House Summit on Cybersecurity: Yesterday, Google & Alphabet CEO Sundar Pichai joined CEOs from the technology, financial services, insurance and education sectors to convene on pressing security topics like software supply chain security, cybersecurity workforce development and training, and more. Google’s SVP of Global Affairs Kent Walker summarized our commitments in the key areas where we will work with the U.S. government to help improve the nation’s cybersecurity preparedness and response for current and emerging threats. Additionally, as part of this commitment, we announced that Google will invest more than $10 billion over the next five years to strengthen cybersecurity, including expanding zero-trust programs, helping secure the software supply chain, and enhancing open-source security. We are also pledging, through the Google Career Certificate program, to train 100,000 Americans in fields like IT Support and Data Analytics, learning in-demand skills including data privacy and security. We look forward to continuing this conversation with the President and his administration, both to acknowledge the pace of threats facing federal agencies and enterprises and to answer a clear call to action to work together to constructively address them.
- OpenSSF’s Allstar: I’ve spoken before about Google’s support of the OpenSSF’s critical efforts to improve open source security. This month, OpenSSF announced Allstar, a GitHub app that provides automated, continuous enforcement of security best practices for GitHub projects. With Allstar, owners can check for security policy adherence, set desired enforcement actions, and continuously apply those enforcement actions whenever a setting or file change in the organization or project repository triggers them. Allstar will help the open source community proactively reduce security risk while adding as little friction as possible.
- Google Cloud Financial Services Study: A recent survey Google Cloud commissioned with Harris Poll found that cloud adoption is increasing among financial institutions, but the complexity of industry compliance frameworks and regulatory fragmentation continue to present a hurdle to wider adoption. I’ve long held the viewpoint that cloud is not solely a risk to be managed but instead a means of managing and reducing risk within an organization. The report summarizes ways in which regulators can better support financial service institutions to help remove these barriers and accelerate cloud adoption, including providing additional clarity and guidance and aligning regulatory reviews across agencies to avoid fragmentation. A broader discussion of how cloud can positively impact the risk and security posture of financial services organizations can be found in our paper on strengthening operational resilience.
Must-read and must-listen security stories and podcasts
It's time for our second round of security media and podcast highlights from industry voices and leaders across Google. Don’t miss these insightful conversations from since our last update:
- SC Magazine on improving the software supply chain: Google Cloud’s VP of Infrastructure Eric Brewer and Google VP of Security Engineering Royal Hansen recently published an op-ed that discusses the importance of investing in the open source ecosystem in order to improve software supply chain security. Their recommendations encourage the industry and society at large to think more deeply about supply chain security risks. Our work with the Open Source Security Foundation (OpenSSF) to formalize criteria around software supply chain integrity with best practices like SLSA is a critical step in laying the foundation for a more secure software supply chain for all. Relatedly, Google Cloud held a virtual event, Container Security: Building trust in your software supply chain, dedicated to this topic earlier this month. If you didn’t attend, you can now view the sessions on-demand.
- Tech Matters Podcast - Making the Secure Path the Easier Path: I caught up with PayPal’s EVP/CTO Sri Shivananda for his latest Tech Matters podcast, where we had an engaging conversation on the current and future state of cloud security and practical advice for both companies and individuals on how to reduce security risks.
- Communications of the ACM on Fixing the Internet: My colleagues Royal Hansen and Bikash Koley, VP of Networking at Google Cloud, are featured in the August issue of Communications of the ACM, where they unpack how our networking and security teams at Google are helping to incorporate better security practices for the internet at large by ensuring BGP can continue to be a secure routing protocol. It's also a great reminder that everyone can help by asking their ISPs, telcos, cloud providers and others whether they have adopted MANRS.
- McKinsey spotlight on Security as Code: The team at McKinsey Technology and McKinsey’s Risk Practice published an article on the ways managing security as code enables companies to create value in the cloud securely. Alongside my CISO peers at other major cloud providers, we talked about the benefits of this approach from our own experiences. One of my key takeaways reflects on the trend that “The pace of security enhancement and extent of security-feature additions to our products (our theme of secure products, not just security products) are accelerating. Many other cloud providers have made similar progress. This massive, global-scale competition to keep increasing security in tandem with agility and productivity is a benefit to all.”
- Google Cloud Security Podcast: Our team continues to collaborate with voices from across the industry in our podcast. This month, episodes explored the application of ML and AI to security problems, detection engineering, and running a SOC in a large, complex organization.
Google Cloud Security Highlights
- A unified and proven Zero Trust system: Recent conversations about Zero Trust have put a limiting frame on the term. At the core of a Zero Trust approach is the idea that implicit trust in any single component of a complex, interconnected system can create significant security risks. Instead, trust needs to be established via multiple mechanisms and continuously verified. While end-user access is a domain to which this model can be applied to gain significant security improvements, it can just as readily be applied to domains such as the end-to-end process of running production systems and protecting workloads on cloud-native infrastructure. We published a deep-dive look at how Google has delivered Zero Trust principles across our organization and processes. With BeyondCorp we secured who has access to which resources. With BeyondProd we extended this to service-to-service access. With the SLSA framework we extend this to the software ecosystem. We believe a successful Zero Trust environment can benefit from drawing on the years of proven experience from Google, our partners, and third parties in software security.
- Unattended Project Recommender: Thousands of cloud projects can be unattended in large organizations, presenting security risks. To help address this, we recently announced the Unattended Project Recommender feature in Active Assist. It analyzes usage activity on projects in your organization and provides recommendations that help you discover, reclaim or remove unattended projects, which can improve your cloud security posture while reducing costs as well.
- New Cloud Secret Manager Capabilities: Google Cloud’s Secret Manager service provides a secure and convenient way to store API keys, passwords, certificates, and other sensitive data. We announced new updates for the service that include a free tier, an increased SLA, expanded availability of Secret Manager in all Google Cloud regions, new compliance use cases including ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, PCI DSS, and HIPAA, and support for Customer-Managed Encryption Keys (CMEK). Secret Manager also integrates with popular tools and technologies used throughout the application development lifecycle, like Cloud Code, and can run on GKE or Anthos using the Secret Manager CSI driver.
- OWASP Top 10 Guide: As customers replatform or build new apps using cloud infrastructure, we get frequent requests for guidance on how to use our tools to mitigate application risks. In response, we recently released OWASP Top 10 mitigation options on Google Cloud, a comprehensive cross-product guide aimed at helping customers mitigate the web application security risks defined in the OWASP Top 10. This guide covers how to block attacks before they arrive using Cloud Armor and Apigee, as well as preventative measures using other Google Cloud security products.
- Anthos Config Management Updates: I’ve been talking a lot about the theme of more secure products, not just security products. Our Anthos Config Management solution lets you prioritize modernizing your IT architecture, which is even more crucial when configuration as code and controls as code come together. We recently announced new features for Anthos Config Management like Config Controller, a hosted service to provision and orchestrate Google Cloud resources. In addition to using Anthos Config Management for hybrid and multicloud use cases, it is now available for Google Kubernetes Engine (GKE) as a standalone service. The end result of these new features is a powerful combination of security, agility, usability, developer productivity and efficiency.
- Cloud Privacy Resource Center: At Google, we have an integrated risk, security, compliance and privacy team. We prioritize the integration and alignment of all these disciplines as can be seen in our new Cloud Privacy Resource Center, which collects all of the resources we provide to cloud customers on meeting their global privacy obligations.
- Google Identity Services: Earlier this month the Google Account Security team launched a new family of Identity APIs called Google Identity Services, which consolidate multiple identity offerings under one software development kit. The new Google Identity Services combine Google's industry-leading security with the convenience of easy sign-in to deliver an experience that keeps users safe, while facilitating new user acquisition and seamless sign-in for returning users. Google Identity Services products like the new One Tap are also engineered to protect against vulnerabilities like clickjacking, pixel tracking, and other threats, which helps give users peace of mind when they navigate across websites or apps.
That wraps up another month of my cybersecurity thoughts and highlights. If you’d like to have this Cloud CISO Perspectives post delivered every month to your inbox, click here to sign up. And don’t forget to register for the Google Cloud Next ‘21 conference, happening virtually October 12-14. We’ll see you in September!