Cloud CISO Perspectives: December 2021
VP, Chief Information Security Officer, Google Cloud
This is our last Cloud CISO Perspectives of 2021. It's been an eventful year for the cybersecurity industry, both good and bad, and I welcome the opportunities and challenges we will continue to address together in 2022. In this final post, I’ll share the latest updates from the Google Cybersecurity Action Team, new reports from Google’s security research teams and more information on Google Cloud’s Log4j impact and assessment.
Update on Log4j vulnerability
Google Cloud continues to actively follow the evolving security vulnerabilities in the open-source Apache “Log4j” utility and we are providing regular updates to our security advisory page. Responding to these vulnerabilities can be especially stressful, even more so when reaching the end of the year. We encourage everyone using vulnerable versions of Log4j, in any environment, to upgrade as soon as possible and according to guidance published by Apache, found here. As the entire industry works through its response to Log4j, the Google Cybersecurity Action Team also continues to publish and update recommended actions for mitigating exposure to the Log4j vulnerabilities.
The state of open source software security
What recent events have taught us and will continue to teach us into 2022 is that we owe our thanks to the volunteers and maintainers of open source software. More than ever, we need continued industry investment and commitment to support them.
For years, Google has been focused on addressing this challenge. Our open source security team helped found the Open Source Security Foundation (OpenSSF). Over the past year, we have doubled down on our investments in open source software security; from tools to frameworks to funding maintainers of open source software projects to focus on security. This past August, we committed $10 billion to advancing cybersecurity for organizations and governments globally where a major part of that commitment is focused on securing the open source software ecosystem, including $100 million in investments to third-party organizations like Linux Foundation and OpenSSF. One of the primary challenges facing defenders at this very moment is simply getting a handle on where Log4j dependencies exist within their organization’s codebases. Our Supply-chain Levels for Software Assurance (SLSA) project, which we open sourced in partnership with the OpenSSF, is an end-to-end framework to manage supply chain integrity and security, and its implementation would greatly aid organizations in this kind of situation.
Last week, Google’s Open Source Insights team published an analysis on the impact of the Apache Log4j vulnerability where they pulled together a list of 500 affected packages with some of the highest transitive usage and encouraged maintainers or users helping with the patching effort to maximize impact and unblock more of the community. Improvements such as these could qualify for financial rewards from the Secure Open Source Rewards program. You can explore your package dependencies and their vulnerabilities by using Open Source Insights.
We all can do our part to support this critical function of our software ecosystem, and I look forward to seeing how organizations, governments and individuals work together to make improvements in the coming year.
Google Cybersecurity Action Team Highlights
Below I’ll recap the latest updates, new services and resources across our Google Cybersecurity Action Team, Google Cloud Security product teams and Google security research efforts since our last post.
Q4 Cloud Security Talks Recap: We hosted our final Google Cloud Security Talks event of 2021 where our security teams focused on zero trust and covered everything from Google’s history with BeyondCorp to our strategic thinking when it comes to applying zero trust principles to production environments. We also shared product updates across the portfolio and talked about how zero trust fits into our invisible security vision. Check out the recap in this blog post and watch the sessions virtually on-demand.
Autonomic Security Operations: Our Autonomic Security Operations solution continues to resonate with organizations and security professionals widely as teams look for more ways to modernize their security operations. Dr. Anton Chuvakin and Iman Ghanizada from the Google Cybersecurity Action Team recently published a whitepaper on how organizations can work towards a 10x transformation of their SOC. Their first blog post in a series of many looks at what security teams can learn from Site Reliability Engineering (SRE) principles and philosophies to begin their journey towards modernizing the SOC.
Software-Defined Community Cloud: Our Google Cloud compliance team outlined a new concept for how the industry can address challenges within legacy community cloud implementations. Our Assured Workloads product implements a novel approach to help customers meet compliance and sovereignty requirements through a software-defined community cloud. A software-defined community cloud is designed to deliver the benefits of a community cloud in a more modern architecture. Google Cloud’s approach provides security and compliance assurances without the strict physical infrastructure constraints of legacy approaches.
Continuous Compliance: Following the Google Cybersecurity Action Team’s launch of the Risk and Compliance as Code solution, our customer engineering teams shared some timely case studies on how Google Cloud customers are reaching continuous compliance, encompassing real-time attestation and notification. The key learning: the more familiar control owners become with our GCP capabilities, the more confident they feel to automate their controls.
Secured Data Warehouse blueprint: Google Cloud customers can jump start the migration and analysis of sensitive business data by using the new Google Cloud Secured Data Warehouse blueprint. This opinionated guidance consists of both documentation and deployable Terraform assets. It is built around BigQuery and incorporates Cloud DLP, Cloud Storage, PubSub, Dataflow, Data Catalog, and CMEK to implement security best practices across data ingestion, storage, processing, classification, encryption, logging, monitoring and governance.
Security Foundations Blueprint v2.5: And we're excited to announce the next version of our Security Foundations Blueprint. New content provides further control for data residency and also supports Assured Workloads for enhanced native platform guardrails. We review the guide and corresponding blueprints regularly as we continue to update best practices to include new product capabilities.
Controls and Products
Network-based Cloud threat detection with Cloud IDS: We announced the general availability of our Cloud IDS solution that helps enterprises detect network-based threats and helps organizations meet compliance standards that call for the use of an intrusion detection system. With the general availability, Cloud IDS now has the following enhancements: service availability in all regions, detection signatures automatically updated daily and new compliance support for customers’ HIPAA compliance requirements and ISO27001 certification.
New zero trust features in BeyondCorp Enterprise: The BCE team released the Policy Troubleshooter feature in general availability. The tool provides support for administrators to triage blocked access events and easily unblock users within an organization, which is an essential tool for admins as employees continue to work remotely or in hybrid and need ways to access corporate resources and information securely.
Keyless Authentication from GitHub Actions: Following GitHub's introduction of OIDC tokens into GitHub Actions Workflows, you can now authenticate from GitHub Actions to Google Cloud using Workload Identity Federation, removing the need to export a long-lived JSON service account key. New functionality like this is a part of Google Cloud's ongoing efforts to make security invisible and our platform secure-by-default. Learn more in the blog post.
Combating cyber crime at scale: In December, Google took action to disrupt Glupteba, a sophisticated botnet targeting Windows machines. This was also the first lawsuit against a blockchain enabled botnet, where the attackers protected itself using blockchain technology. Google’s Threat Analysis Group took steps to detect and track Glupteba’s malicious activity over time and we launched litigation which we believe will set a precedent and help deter future activity. The details in TAG’s analysis and our litigation demonstrate that crime on the internet is sophisticated, and at Google, we feel a responsibility as part of this ecosystem to play a part in disrupting this activity to help everyone on the Internet be safer.
iMessage zero-click exploit: In a recent blog post, Google’s Project Zero researchers show for the first time how an in-the-wild zero-click iMessage exploit works and how it is used by NSO.
Earlier this month, the Google Cloud Security podcast hit a major milestone: 46 episodes in its first year! Check out this post to see the top themes from our podcast throughout 2021, including episodes on zero trust security, cloud threat detection, how to make cloud migrations more secure and data security in the cloud.
This wraps up the year for Cloud CISO Perspectives in 2021! We’ll be back in 2022 with continued updates from our Google Cybersecurity Action Team and more. If you’d like to have this Cloud CISO Perspectives post delivered every month to your inbox, click here to sign-up.