Cloud CISO Perspectives: January 2023
Phil Venables
VP/CISO, Google Cloud
Welcome to January’s Cloud CISO Perspectives. This month, we’re going to catch up with a few of the cloud security megatrends that I described a year ago, and see how they and the cloud security landscape have evolved.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
Checking in on two megatrends
In January 2022, I described eight security “megatrends” that drive technological innovation and improve the overall security posture of cloud providers and customers. I posited that while it’s true – with significant effort and resources – an on-premise computing environment can achieve the same level of security as a cloud environment, the base security of the cloud coupled with a suitably-protected customer configuration is stronger than most on-premise environments.
These megatrends are unique because they’re going to guide security and technology development for far longer into the future than a traditional trend cycle – hence, the “mega.” While in the original blog, I explored economies of scale, shared fate, the value of healthy competition, increasing deployment velocity, simplicity, and sustainable sovereignty, I’d like to focus today on two of the most vital megatrends: the cloud as a digital immune system and software-defined infrastructure.
All of these megatrends are interconnected in one way or another, but the idea of the cloud as a digital immune system drives home the point that improving security in the cloud can improve it for all, even those organizations who don’t operate in the cloud. In order for defenders to succeed in tamping down on threat actor innovations, the defender’s Observe-Orient-Decide-Act (OODA) loop must outpace the attacker’s OODA loop. The fast feedback loop of global attack observability and rapid cloud response helps tilt the advantage in favor of defenders.
Taking advantage of the cloud as an immune system can happen almost passively. When cloud providers such as Google Cloud update products with new security features or even stronger default configurations, there’s often not much action that a customer organization must take in order to take advantage of the new features.
In 2022, Google Cloud took many steps to advance the cloud-as-immune-system idea. We expanded our vulnerability rewards program, which so far has rewarded more than 13,000 submissions with more than $38 million, to include Google’s open-source software. We partnered with AMD to leverage their chip technology to reinforce cryptographically-secure isolation. And our friends at the Google Threat Analysis Group disrupted more than 50,000 instances of the spammy influence network Dragonbridge.
Along with those innovations, consider that we ship hundreds of security enhancements to customers every month. These can include enhancements to default settings or vulnerability patches, but are ultimately informed by real threats, potential threats, or concerns that our customers have told us about. But just because your IT team hasn’t experienced a security problem first-hand doesn’t mean you have to wait to take advantage of a security update that eliminates or protects against that problem.
When we understand that the cloud can function as a digital immune system, it can help reduce and even eliminate security threats as more organizations move to the cloud and undergo their digital transformations. It will continue to help protect organizations in 2023 and beyond.
The software-defined infrastructure megatrend, which is part of the overall shift towards infrastructure-as-code, also drives the advantage of cloud over on-prem. This means that cloud configurations are inherently declarative and programmatically configured. Configuration code can be overlaid with embedded policy intent, creating policy-as-code and controls-as-code.
This is vital to cloud security because it can help you verify that the configuration an IT team is using exactly corresponds to its specific security requirements. Policy-as-code and controls-as-code can help prevent breaches that occur due to a control not being deployed when it should have been.
Google Cloud’s security blueprints and Anthos Configuration Management are examples of how we can use software-defined infrastructure to build resilient security products and Google Cloud instances. Our security foundations blueprints codify Google Cloud's opinionated best practices for deploying cloud infrastructure with Infrastructure-as-Code automation. These blueprints can help organizations quickly deploy a secure baseline foundation on their first day using Google Cloud. Last year, we demonstrated how to build a secure data warehouse with our security blueprints, and how to implement Identity and Access Management-as-Code with HashiCorp Terraform.
Meanwhile, Anthos Configuration Management ensures that cloud resources are deployed in – and do not drift from – a defined policy baseline. While infrastructure-as-code is common among operations teams, we’re expecting it also to play a bigger role in security operations in the future.
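To make the policy-as-code and drift ideas from the two paragraphs above concrete, here is an added example that is not part of the original post and not code from any Google Cloud product: a small Python check that evaluates a declarative resource manifest against coded controls, and reports where a running environment has drifted from the declared baseline. The resource schema, the rules and the sample values are all constructed for illustration.

```python
# Policy-as-code check and drift detection over a declarative resource manifest.
# The resource schema, the rules and the sample values are all constructed here.
from typing import Callable


def check_bucket(r: dict) -> list[str]:
    """Controls a storage bucket must satisfy before it may be deployed."""
    issues = []
    if not r.get("uniform_bucket_level_access"):
        issues.append("uniform bucket-level access is disabled")
    public = {"allUsers", "allAuthenticatedUsers"} & set(r.get("members", []))
    if public:
        issues.append(f"public principals bound: {sorted(public)}")
    if not r.get("kms_key"):
        issues.append("no customer-managed encryption key configured")
    return issues


def check_firewall(r: dict) -> list[str]:
    """A firewall rule may not expose admin ports to the whole internet."""
    wide_open = "0.0.0.0/0" in r.get("source_ranges", [])
    admin_ports = {"22", "3389"} & set(r.get("ports", []))
    if wide_open and admin_ports:
        return [f"admin ports {sorted(admin_ports)} open to 0.0.0.0/0"]
    return []


# Each resource type is bound to the control that must pass before deployment.
CHECKS: dict[str, Callable[[dict], list[str]]] = {
    "storage_bucket": check_bucket, "firewall": check_firewall}


def evaluate(manifest: dict) -> dict[str, list[str]]:
    """Map each resource name to its policy violations (empty list = compliant)."""
    return {name: CHECKS[r["type"]](r) for name, r in manifest.items()}


def detect_drift(desired: dict, observed: dict) -> dict[str, dict]:
    """Per resource, the fields whose live value differs from the declared baseline."""
    drift = {}
    for name, want in desired.items():
        have = observed.get(name, {})
        diff = {k: (v, have.get(k)) for k, v in want.items() if have.get(k) != v}
        if diff:
            drift[name] = diff
    return drift


# Constructed sample: what the IaC declares (DESIRED) vs. what is running (OBSERVED).
DESIRED = {
    "logs": {"type": "storage_bucket", "uniform_bucket_level_access": True,
             "members": ["group:sec@example.com"],
             "kms_key": "projects/example/locations/global/keyRings/kr/cryptoKeys/k"},
    "ssh-admin": {"type": "firewall", "source_ranges": ["0.0.0.0/0"], "ports": ["22"]},
}
OBSERVED = {"logs": {**DESIRED["logs"], "members": ["allUsers"]},
            "ssh-admin": DESIRED["ssh-admin"]}
```

Running `evaluate(DESIRED)` blocks the firewall rule before it is ever applied, while `detect_drift(DESIRED, OBSERVED)` catches the bucket whose bindings were changed out of band after deployment.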
These megatrends will continue to create a flywheel of innovation for security that will drive costs down and accelerate security initiatives. Staying aware of how they are guiding our industry can only help ensure that we are creating a more secure cloud environment for all.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams this month:
Introducing Threat Ready with Mandiant for safer cloud transformations: Threat Ready is a new, three-part strategy for mitigating threats and reducing risks in on-prem and multi-cloud environments. Here’s how we break it down.
CISO Survival Guide: Vital questions to help guide transformation success: Part of being a security leader whose organization is taking on a digital transformation is preparing for hard questions – and complex answers – on how to implement a transformation strategy. Here we offer tips on how to ask the right questions that can help create the conversations that lead to better transformation outcomes for your organization. Read more.
Best Kept Security Secrets: How VPC Service Controls can help build defense in depth: While cloud security skeptics might believe that data in the cloud is just one access configuration mistake away from a breach, the reality is that a well-designed set of defense in depth controls can help minimize the risk of configuration mistakes and other security issues. Our Virtual Private Cloud Service Controls can play a vital role in creating an additional layer of security while also making it easier to manage your data in a way that most cloud services can't do today. Read more.
How Confidential Space and multi-party computation can help manage digital assets more securely and efficiently: Managing digital asset transactions and their often-competing requirements to be secure and timely can be daunting. You can use Google Cloud’s new Confidential Space to deploy multi-party computation (MPC) solutions that can help reduce those risks. Read more.
How Iron Mountain uses Assured Workloads to serve its customers’ compliance needs: Data storage experts Iron Mountain turned to Google Cloud when they wanted to scale their digital business. David Williams, cloud manager at Iron Mountain, explains how Assured Workloads helped Iron Mountain’s InSight product achieve and maintain compliance with government standards and better protect customer data. Read more.
How Palo Alto Networks and Google Cloud help secure the future of omnichannel retail: The dramatic transformation of the retail industry has created a host of new security challenges. Amit Chetal, global retail industry director at Palo Alto Networks, explains how store modernization can provide tremendous opportunities, but ultimately requires an entirely new approach to security. Read more.
Secure your life sciences data from the ground up: With the rapid growth in the quantity of healthcare data available, organizations are able to unlock deeper insights, advance innovation, and increase experimentation. Google Cloud works with industry partners, such as USDM Life Sciences, to help customers sustainably satisfy, scale, and accelerate their compliance and due diligence requirements. Read more.
Google Cloud security tips, tricks, and updates
Introducing Security Command Center’s project-level, pay-as-you-go options: To help our customers apply protection quickly, we’re introducing two new capabilities and a new pricing model for Security Command Center. SCC is our built-in security and risk management solution that helps security and governance teams stay secure by identifying misconfigurations, vulnerabilities, and threats in their Google Cloud environment. Read more.
Get BigQuery encryption on-prem and in the cloud with Tink: Tink, a Google-developed open-source cryptography library, can help Google Cloud customers with hybrid-cloud environments achieve BigQuery-compatible encryption on-premises. Here’s how.
Improved gVisor file system performance for GKE, Cloud Run, App Engine and Cloud Functions: Adding layers of defense can sometimes introduce new performance challenges. We discovered one such challenge when gVisor’s user space kernel required several operations to walk file system paths. To address this and significantly increase gVisor performance, we wrote an entirely new file system layer with performance in mind while retaining the same level of security. Read more.
[Infographic] 4 phases of secure digital transformation in financial services: Adopting cloud computing technologies and services can present financial services institutions with opportunities to address many forms of security risks in new, innovative, and more effective ways. We’ve defined four stages to the process. Read more.
Two networking patterns for secure intra-cloud access: Intra-cloud communication deals with various workloads that reside in a customer's Virtual Private Cloud. Here are two simple networking methods for secure intra-cloud access. Read more.
Compliance and Controls
Announcing support for Impact Level 5 (IL5) workloads: Google Cloud is proud to announce our Department of Defense Impact Level 5 (IL5) provisional authorization (PA) for several Google Cloud services — an important milestone that enables us to support additional workloads for U.S. public sector customers. Read more.
How Google Cloud is preparing for DORA: At Google Cloud, we firmly believe that the new DORA law will be vital to accelerating digital innovation in the European financial services sector. Here’s what we’re doing to help implement it, and how that will help our existing and future customers. Read more.
Google Cloud Security Podcasts
We launched a weekly podcast focusing on Cloud Security in February 2021. Hosts Anton Chuvakin and Timothy Peacock chat with cybersecurity experts about the most important and challenging topics facing the industry today. This month, they discussed:
The view from the security architect’s perch: Michele Chubirka, senior cloud security advocate at Google Cloud, chats about her favorite cloud migration success stories — and those that didn’t go quite so well. She discusses the important lessons that can be learned from cloud failures, and how even those missteps can make cloud security better. Listen here.
Softbank’s migration and CISO evolutions: Gary Hayslip, CISO at Softbank, talks about his organization's cloud migration, the challenges he faced, how his team designed its security controls, and how the role of the CISO is changing. Listen here.
The Mandiant perspective on security incident response: Nader Zaveri, senior manager of IR and Remediation at Mandiant, now part of Google Cloud, sheds light on cloud security incident response do’s, don’ts, and do-more-of’s. Listen here.
How do you Zero Trust your workloads? Anoosh Saboori, former Product Manager at Google Cloud, goes in-depth on BeyondProd, how it differs from BeyondCorp, and what we’re talking about when we talk about Zero Trust. Listen here.
To have our Cloud CISO Perspectives post delivered every month to your inbox, sign up for our newsletter. We’ll be back next month with more security-related updates.