Cloud CISO Perspectives: Early August 2023
Phil Venables
VP/CISO, Google Cloud
Welcome to the first Cloud CISO Perspectives for August 2023. Today I’ll be discussing why I consider myself a short-term pessimist, long-term optimist when it comes to cybersecurity — which may come as a surprise to many.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
IT modernization means we should be optimistic about cybersecurity’s future
When you live in a world of incessant and increasing threats, it’s easy to become pessimistic. In the immediate future, there are good reasons to be concerned about the cyberthreat landscape because adversaries are becoming progressively sophisticated.
To highlight just a few examples, threat indicators are trending up — whether you’re looking at new malware families, financially-motivated attacks, ransomware, attacks against the supply chain, or against critical infrastructure by nation-state-backed actors.
Although I expect enterprise approaches to addressing cyberthreats to continue to be robust, stopping malicious actors is a substantial challenge. This influx of malicious activity, coupled with the ongoing cybersecurity talent shortage, makes a job in cybersecurity no easy feat.
That all said, I’m optimistic about where cybersecurity is headed long-term. Collectively, the industry is making it harder for attackers to achieve the same level of success they were once accustomed to. While the number of recorded security incidents has been increasing, we’re also identifying more threats across a larger attack surface than ever before.
I see more organizations intentionally working towards building and using modern technology platforms. More organizations are adopting systems that have been purpose-built with stronger security at the foundational level, the same approach that we at Google have been prioritizing for decades. We believe that our investment in IT modernization will further encourage adoption of security as a “built-in” element of infrastructures, instead of a “bolt-on” after-effect.
We’re seeing adoption continue to grow across the industry for technologies we pioneered, such as Safe Browsing and BeyondCorp. Much of our more recent work builds on that secure foundation, including our support for Confidential Computing, Titan and FIDO 2 U2F tokens and keys, and supply chain security.
I also see recent announcements from the White House, CISA, and other government organizations supporting foundational approaches to security, including Zero Trust, security by design, and defense in depth, that validate this approach. As public and private sector collaboration grows, we’ll see deeper coordination between agencies and big tech organizations in how they implement cybersecurity protections, which is encouraging. Increased knowledge-sharing between public and private organizations will heighten transparency and protection around today’s biggest threats.
Many organizations have already begun to reap the benefits of the cloud, utilizing software-defined infrastructure to deliver the promise of controls-as-code. For businesses, tapping into the constant security updates the cloud provides will be like tapping into a global digital immune system that is constantly growing in strength.
C-suites and boards of directors across industries are starting to ask the right questions and acknowledge cybersecurity as a critical component of their business. While these leaders have not traditionally been hyper-focused on cybersecurity, they are beginning to view cyber-risk through the lens of overall business risk, integrating cybersecurity and resiliency into their overall business strategy, risk management practices, budgeting, and resource allocation.
Even with short-term challenges, infrastructure modernization, security innovation, and industry collaboration make me encouraged that we’re heading in the right direction. While I’m guarded in my optimism and know that we have a long road ahead, I see the scales beginning to tip in our favor.
It’s not a stretch to think that our roles are quite simply about defending people's lives and livelihoods, defending the free flow of capital and ideas that are essential for human progress. If you buy into this mission, then all else is worthwhile.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
Get ready for Google Cloud Next: In just two weeks, we’ll see you at this year’s Next in San Francisco. Next ’23 comes at an exciting time, with the emergence of generative AI, breakthroughs in cybersecurity, and more. Check out our scheduled security sessions, and register now.
Security at Next ’23: Get a preview of our security keynotes, presentations, announcements, and more at Next ’23. Read more.
Network security at Next ’23: Want to do a deeper dive on network security at Next? This guide has you covered. Read more.
Top 5 IT pro challenges, ranked — and how Next ’23 can help you slay them: Here are five scenarios that might be on your plate right now, and how content at Next can help you address them. Read more.
Add threat intel to your risk assessments for added insight: A new Mandiant report details the added value that threat intelligence can provide to risk assessments. Here's how it can help your organization. Read more.
Protecting Chrome Traffic with Hybrid Kyber KEM: Teams at Google are working hard to prepare the web for the migration to quantum-resistant cryptography, which is why Chrome will begin supporting X25519Kyber768 for establishing symmetric secrets in TLS, starting in Chrome 116. Read more.
Protect your business with Zero Trust security on Android: With more than 100 unique signals across 30 APIs on Android devices, Android Enterprise's Zero Trust capabilities can help protect data and devices. Read more.
Introducing Personalized Service Health to up-level incident response comms: Our new Personalized Service Health service can provide fast, transparent, relevant, and actionable communication about Google Cloud service disruptions. Read more.
New security certifications for Google Maps: We now have ISO 27001, SOC 2 and SOC 3 security certifications for 25 Google Maps Platform products. Read more.
How to sustainably transform while minimizing risk: How can organizations sustainably transform so that they continually adapt to maximize their resilience while reducing risk? Google Cloud Ready - Sustainability seeks to help organizations adapt to a net-zero future with solutions that reduce risk, support growth, provide competitive advantages, and positively impact the bottom line. Read more.
Additional IL5 services available for DoD with Assured Workloads: Department of Defense (DoD) customers can now deploy DoD SRG Impact Level 5 (IL5) workloads on Google Cloud through Assured Workloads in any of Google Cloud’s U.S. regions — including one of the world's largest publicly available machine learning hubs. Read more.
Introducing new IAM capabilities to Workforce Identity Federation: New security features, management options, and product integrations for Workforce Identity Federation, our Identity and Access Management offering, that allow you to rapidly onboard user identities from external identity providers (IdPs) for direct, secure access to Google Cloud services and resources. Read more.
Announcing general availability of Cloud NAT support for network services: We are excited to announce general availability of Cloud NAT support for Standard Tier Egress, which can help customers benefit from Cloud NAT with additional cost savings. Read more.
Announcing Chronicle CyberShield for government agencies: Chronicle CyberShield can provide governments with a security solution that integrates threat intelligence, detection, and response. CyberShield was developed in partnership with the Israel National Cyber Directorate. Read more.
Expanding our data processing commitments for Google Cloud and Google Workspace: At Google Cloud, we are committed to meeting our customers’ data processing and security needs. We are pleased to announce the next version of the Cloud Data Processing Addendum. Read more.
News from Mandiant
Google named a leader in the External Threat Intelligence Service Forrester Wave™: Google was named a Leader in The Forrester Wave™: External Threat Intelligence Service Providers, Q3 2023. Forrester identified 12 top companies in the threat intelligence space and Google received the highest possible score in 15 out of the 29 criteria. Read more.
Threat Horizons for August 2023: Cloud-focused cybersecurity recommendations: Our researchers present their latest metrics, analyses, and guidance on the threat landscape, including findings that, in the first quarter of 2023, more than 60% of compromises reported involved credential issues, while 19% involved misconfigurations, and less than 3% involved vulnerable software. Read more.
Indicators of Compromise scanner for Citrix ADC zero-day: We are releasing a tool to help organizations scan their Citrix appliances for evidence of post-exploitation activity related to the zero-day vulnerability CVE-2023-3519, which affects Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Appliances. Read more.
Now hear this: Google Cloud Security and Mandiant podcasts
How to prioritize the user experience for security: The relationship between UX and security is best described as “complicated.” To help us make better sense of their important but often-misunderstood interactions, hosts Anton Chuvakin and Tim Peacock hear the low-down from Steph Hay, director of user experience, Google Cloud Security. Listen here.
Engineering chaos, improving software resilience: Learn more about “chaos engineering,” how it relates to software resilience, and why it intersects with cloud security. Is this combo like peanut butter and chocolate? Or peanut butter and pickles? Jump in as Anton and Tim talk with Kelly Shortridge, senior principal engineer in the Office of the CTO, Fastly, to find out. Listen here.
Alert! Even more SRE lessons for security: SRE and security have a shared problem when it comes to alerts. Notably, there’s been a reluctance to reduce that noise. Anton and Tim talk about this shared problem between SRE and security, and how each side’s resolution to the problem is different, with Google Cloud’s Steve McGhee, reliability advocate, and Aron Eidelman, developer relations engineer. Listen here.
Threat Trends: Implications of the MOVEit compromise: Charles Carmakal, CTO, Mandiant Consulting, joins host Luke McNamara to discuss the long-tail impact of FIN11's compromise of the MOVEit file transfer solution. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.