Cloud CISO Perspectives: December 2022
VP, Chief Information Security Officer, Google Cloud
Welcome to December’s Cloud CISO Perspectives. This month, we’re going to look back at the most important security lessons of 2022 with my colleagues in our Office of the CISO and on the Google Cybersecurity Action Team.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
How lessons from 2022 can guide us in the new year
Like a puzzle whose pieces kept changing shape, 2022 was the year that cloud security sharply reflected the increasing sophistication of the cloud ecosystem. While I talked at the beginning of the year about eight security megatrends that are creating a flywheel of innovation and development, we also spent the year working through some of the opportunities that come with those vital megatrends – such as the integration of multicloud and hybrid cloud, the nuanced and layered challenges of supply chain security, and the heterogeneous landscape of organizations taking on cloud transformations.
I'd like to share takeaways from seven of our Office of the CISO experts at Google Cloud on their 2022 lessons learned that will inform their decisions in the months ahead.
DEI is a must-have, not a nice-to-have
Nick Godfrey, senior director
Godfrey focused on several important issues, including that diversity, equality, and inclusion are vital to solving the talent shortage and improving the overall efficacy of cybersecurity technology. “Multicloud security is not a sideshow, but actually the main event. All large businesses are having to deal with this and it is proving challenging for many organizations,” he said. “Technology is not the problem, but rather organization and operations… [and] diversity is critical. [The focus should be on] organization, operation, and technology (OOT), not technology, operation, and organization (TOO), if you want to transform security.”
Raising awareness about risk
Alicja Cade, financial services director
Cade said that the financial services industry (FSI) also worries about how to fill empty cybersecurity roles, but that education and awareness of cloud need to happen across the business to enable digital transformation. “Financial services institutions need to better understand their risk landscape,” she said. “Not surprisingly, they are very concerned about developing a more nuanced model of the risks of cloud technology. They need to recognize the relevant scenarios they face and they need to be fluent in playbooks on cloud service provider-related operational incidents.”
Quality and security are the new power couple
Taylor Lehmann, healthcare and life sciences director
Lehmann said that security outcomes have an increasingly important and direct impact on the safety, quality, and reliability of systems. “Forward-thinking security leaders are beginning to see a clearer linkage between product quality and the impact security plays. Quality and security are increasingly viewed as synonymous, and ensuring that quality management processes integrate security is crucial, especially in healthcare and manufacturing, to ensure outcomes meet regulations and keep customers safe.”
Two areas that Lehmann said need additional attention are supply chains and Zero Trust. Supply chain security, he said, is “one of the most important business disciplines” to focus on. “We've seen issues in this space for a while, but 'solving' for supply chain security requires cooperation across engineering, procurement, compliance, and security to be successful. This isn’t just a security problem, and it isn’t something for the CISO alone to fix.”
Meanwhile, he believes that achieving a Zero Trust posture is getting easier, “but we're still working to help customers understand that this is a journey, not solved overnight and certainly not something you can simply just go buy and be done with. Start now, insist new initiatives start with a ‘Zero Trust first’ model for granting access, and get a plan in place to migrate over the next few years.”
Know your customer (and their needs)
Anton Chuvakin, senior staff security consultant
Chuvakin pointed to ongoing efforts to meet customers “where they are” to help them grow more. “We learned that many organizations are still learning the cloud, and think of cloud security in very on-premise ways.”
For Chuvakin, part of that transformational thinking means solving thorny, inscrutable problems such as data security modernization and Security Operations Center automation. “Organizations love our Autonomic Security Operations vision for SOCs, yet they are not confident they can get there on their own. We need to guide them more gently and with more detailed guidance.”
Successful security teams help successful transformations
David Stone, solutions consultant
Stone said that the most successful business transformations are at organizations that go all-in on security best practices. “Forward-thinking leaders who adopt a cloud-first strategy with their partners are often positioned to better manage the risks. These are the teams that are seeing the greatest benefits in 10x their security departments, as indicated by this year’s DORA report,” he said. “The top need in 2023 is to continue fostering a great security team and look after your security talent to ensure a successful transformation.”
Leaning into open source
Bill Reid, solutions consultant
Reid agreed that securing the software supply chain is “a concern,” rooted in the basics of writing secure software, from threat modeling to hardened build processes. Security professionals need to work more with developers to help transform the way that software is built, and Google Cloud has an important role to play in that regard. “The work we are doing with the open-source software community and Assured Open Source Software, Software Bill of Materials and the Supply-chain Levels for Software Artifacts (SLSA) framework, and Software Delivery Shield is unlike what I have seen elsewhere,” Reid said.
There is a better way
Bob Mechler, telecommunications, media, and entertainment director
Mechler highlighted that many organizations are still struggling with risk management. “Some customers still see cloud as yet ‘another risk to be managed’ as opposed to ‘a better way to manage risk’,” he said. This underscores the need for better communication from cloud service providers about how organizations should pursue their digital transformations.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams this month:
Why diversity is a cybersecurity imperative for GCAT: Diverse threats call for diverse teams, says MK Palmore, director at Google Cloud’s Office of the CISO, and a more diverse, equitable, and inclusive cybersecurity workforce will be better able to solve security’s toughest problems. Read more.
How SolarWinds still affects supply chain threats, two years later: Mandiant experts detail the lessons that the SolarWinds supply chain security incident continues to teach security teams and leaders. Read more.
Report: 5 steps to help make your software supply chain more secure: We need a more holistic approach to strengthen defenses against software supply chain attacks, and frameworks such as SLSA are helpful in securing the software supply chain, concludes a new Google Cloud report. These findings come with 5 recommended actions for security teams to take. Read more.
Security Talks on today’s toughest SOC challenges — and more: If you missed December’s Google Cloud Security Talks, you can still catch up with the conversation. How to modernize your SOC, how to deploy secure code without trust, and fighting mobile fraud were all part of the discussions. Read more.
Overcoming objections and unblocking the road to Zero Trust: Tim Knudsen, director of Zero Trust for Google Cloud Security, talks with Jess Burn, senior analyst at Forrester, about common challenges CISOs face when planning their Zero Trust journeys. Read more.
Google’s virtual desktop of the future: Did you know that most Google employees rely on virtual desktops to get their work done? Learn the history of virtual desktops and the security benefits Google has seen from their implementation. Read more.
Build your API security strategy on these 4 pillars: A new Google Cloud report explores API security insights and trends, and offers recommendations on how to create an effective API security strategy. Read more.
IT predictions from Google Cloud experts: As part of an ongoing series, we present three Google Cloud expert takes on what’s coming for cloud security in the next few years. Take a look at what we see in the crystal ball for open-source software curation, why multicloud is an important phase for cloud providers, and why the majority of SecOps workloads will be automated by 2025.
How Google’s secure enterprise browsing can help your organization: Securing enterprise web browsing is vital to the security posture and requirements of many organizations. Google Chrome, which is used by billions of people, is at the forefront of that evolution. Here are four ways we can help you. Read more.
Google Chrome’s year in review: 2022 was a busy year for the Chrome team, and they added and expanded a robust list of security and usability capabilities to help organizations stay even more secure in the browser. Read more.
Google Cloud security tips, tricks, and updates
Google Cloud Trust Update: December 2022: As part of our commitment to be the most trusted cloud, we continue to pursue global industry standards, frameworks, and codes of conduct that tackle our customers’ foundational need for a documented baseline of addressable requirements. Here’s a summary of our efforts over the past several months: Read more.
How we validated the security controls of Confidential Space: Confidential Space, our new solution that allows you to control access to your sensitive data and securely collaborate in ways not previously possible, is now available in Preview. Here are some of its security properties. Read more.
Everything you wanted to know about building reliable infrastructure (and now you don’t have to ask): Reliable infrastructure is a critical requirement for workloads in the cloud, and this guide on building reliable infrastructure with Google Cloud has the answers you need, from the nitty-gritty on zones and regions to helping you conduct broad reliability assessments. Read more.
Low-latency fraud detection with Cloud Bigtable: Learn how to build a low-latency, real-time fraud detection system that scales seamlessly by using Bigtable for user attributes, transaction history and machine learning features. Read more.
Audit GKE Clusters across your organization: Keeping an eye on cluster configuration is an important task. Here’s how to run GKE Policy Automation in a serverless way. Read more.
Implementing IAM access control as code with HashiCorp Terraform: Digital transformation requires security transformation, and Identity and Access Management (IAM) can be used as the first line of defense in your Google Cloud security strategy. Here’s how to use it with HashiCorp Terraform. Read more.
4 new Active Assist features can help automate idle resource management: Several new capabilities that can help you make idle project remediation part of your company’s day-to-day operations and culture have landed in Unattended Project Recommender. Here’s what you need to know. Read more.
Protect your educational institution with Security Command Center: Academic institutions are becoming more susceptible to security breaches in the ever-expanding ecosystem of IT services. Here’s how our Security Command Center can help. Read more.
How to reduce microservices complexity: Learn how you can use Apigee and Anthos Service Mesh to help standardize and secure your microservices. Read more.
Compliance & Controls
Announcing support for Impact Level 5 (IL5) workloads: Google Cloud is proud to announce our Department of Defense Impact Level 5 (IL5) provisional authorization (PA) for several Google Cloud services — an important milestone that enables us to support additional workloads for U.S. public sector customers. Read more.
ANZ Bank turns to Apigee to execute a secure and compliant API strategy: One of Australia’s top four banks and the largest bank in New Zealand by market capitalization, ANZ Bank chooses Google Cloud Apigee to deliver mission-critical compliance requirements, as well as strong ease of use, feature-completeness, and support for multiple coding languages. Read more.
Reporting Google Cloud logs to CISA’s National Cybersecurity Protection System: Here’s our guidance for how agencies can collect, enrich, and report logs to CISA in alignment with the telemetry cycles described in the NCPS Cloud Interface Reference Architecture program documentation. Read more.
Google Cloud Security Podcasts
We launched a weekly podcast focusing on Cloud Security in February 2021. Hosts Anton Chuvakin and Timothy Peacock chat with cybersecurity experts about the most important and challenging topics facing the industry today. This month, they discussed:
Sunil Potti on building cloud security at Google: Sunil Potti, general manager and vice president of security at Google Cloud, goes deep on the mindset shift from building security because we think security is good to building security as a business. We talk about invisible security, and the debate between secure products and security products. Listen here.
Cloud threat detection lessons from a CISO: Jim Higgins, CISO at Snap and formerly the CISO at Square, discusses how he prioritizes between on-premise resources and cloud resources, how he scales teams, processes, and technology for Snap’s cloud footprint, and his views on detecting threats in the cloud. Listen here.
Accelerate State of DevOps Report and software supply chain security: How security, developers, and DevOps should come together to respond quickly to new vulnerabilities, and what we learned from this year’s DORA report, with John Speed Meyers, security data scientist at Chainguard, and Google’s Todd Kulesza, user experience researcher. Listen here.
To have our Cloud CISO Perspectives post delivered every month to your inbox, sign up for our newsletter. We’ll be back next month with more security-related updates.