Cloud CISO Perspectives: July 2021
VP, Chief Information Security Officer, Google Cloud
We’ve been busy at Google Cloud this past month working to help businesses and governments around the world address mounting cybersecurity challenges. With so much going on in the security industry, it's essential that we continue to deliver security solutions that help address critical efforts like the Biden Administration’s Executive Order on Improving the Nation’s Cybersecurity and also simplify security operations for IT teams so they can focus on securing their most critical data and services.
This is why we have a lot to recap this month. Keep reading below for the highlights and learnings from our Security and Government Security Summits, Google-wide efforts to protect users from online threats and our continued progress securing the software supply chain and open source software security.
Google Cloud Security and Government Summits
This week, we hosted our first digital Security Summit where Google Cloud security experts and industry leaders delivered interactive sessions (now available on-demand) that can help businesses and governments around the globe solve today’s critical security challenges.
During the event, we announced several new product and solution offerings:
Cloud IDS, our cloud-native, managed intrusion detection system that helps detect malware, spyware, command-and-control attacks, and other network-based threats. Built with Palo Alto Networks’ advanced threat detection technologies, customers get rapid deployment and simpler operations with Google managing scaling, availability, and threat detection updates.
Integration of Google Cloud’s industry-leading analytics platforms Looker and BigQuery with Chronicle, our cloud-native security analytics platform. These integrations further advance Chronicle’s capabilities for reporting, compliance, visual security workflows, data exploration, and security-driven data science. In last month’s post, I wrote about how security teams shouldn't be confined in their roles to only using security products. Some of the best tools are large-scale data tools, and our use of those at Google, connected with security products, is amazingly powerful.
Autonomic Security Operations, a prescriptive solution to guide organizations through the process of modernizing their security operations program. Autonomic Security Operations combines products, integrations, blueprints, technical content, and an accelerator program to enable customers to take advantage of our best-in-class technology stack built on Chronicle and Google’s deep security operations expertise. We also released a new paper, "Autonomic Security Operations: 10X Transformation of the Security Operations Center."
As part of the event, public sector cybersecurity leaders gathered virtually at the Google Cloud Government Security Summit, where we announced a set of services to help U.S. federal government organizations implement Zero Trust architecture in accordance with the Biden Administration’s Executive Order on Improving the Nation’s Cybersecurity and in alignment with National Institute of Standards and Technology (NIST) standards.
I also got a chance to engage in three executive roundtable discussions as part of our ancillary programming at the event. We brought together top security leaders in the public sector to discuss matters around the current threat landscape, Zero Trust, security analytics, and software supply chain security. You can register to watch all the keynotes and sessions on demand here.
In other Google Cloud Security news this month:
On June 21, the European Data Protection Board (EDPB) published its final Recommendations on supplementary measures in light of the invalidation of the EU-US Privacy Shield Framework. The EDPB’s guidance is important in helping organizations address international data transfers, and many of the Board's recommendations align with our long-standing practices. In response, the European Commission (EC) published new Standard Contractual Clauses (SCCs) designed to help safeguard European personal data. Google Cloud plans to implement the new SCCs to help protect our customers’ data and meet the requirements of European privacy legislation.
Email functions as part of a large, complex, interconnected ecosystem that we continually invest in and work to protect. After first announcing Gmail’s Brand Indicators for Message Identification (BIMI) pilot last year, we announced the rollout of Gmail’s general support of BIMI, an industry standard that aims to drive adoption of strong sender authentication for the entire email ecosystem.
We announced the general availability of our Certificate Authority Service. Google Cloud CAS provides a highly scalable and available private CA to address the unprecedented growth in digital certificates driven by the rise of cloud computing, the move to containers, and the proliferation of Internet-of-things (IoT) and smart devices (see our whitepaper on this topic). Since our public preview announcement in October, we have seen tremendous reception from the market and innovative use cases for the service from our customers.
We are also releasing a new paper, “Assuring Compliance in the Cloud,” by Google Cloud’s Office of the CISO, focused on modernizing your compliance approach. Organizations can use the paper to chart a better course to the safe use of cloud technology and to reducing risk through the use of public cloud services. This complements our previous whitepaper, “Risk Governance of Digital Transformation in the Cloud,” which helps Chief Risk Officers, Heads of Internal Audit, and Compliance Chiefs understand risk, compliance, and audit functions, and how to best position those programs for success in the cloud world.
Safer with Google Spotlight
One of Google’s key differentiators is our secure-by-default approach to cybersecurity. We protect all users with advanced, industry-leading security that automatically detects and blocks threats. And we strive to make it easier for developers, enterprises, and consumers to do the right thing when it comes to security.
A great example of this effort is our Threat Analysis Group (TAG), which actively works to detect hacking attempts and influence operations in order to protect users from digital attacks; this includes hunting for the kinds of vulnerabilities that could be exploited in such attacks.
This month, TAG published details about four in-the-wild 0-day campaigns they discovered, targeting four separate vulnerabilities. After discovering these 0-days, TAG quickly reported them to the affected vendors, and patches were released to protect users from these attacks. The team has also published root cause analyses (RCAs) for each of the 0-days.
We’re only halfway through 2021 and there have been 33 0-day exploits used in attacks that have been publicly disclosed this year — 11 more than the total number from 2020. This is why groups like TAG and Project Zero are essential for helping organizations and individuals protect against digital threats.
Must-read and must-listen security stories and podcasts
Cybersecurity dominates the headlines of seemingly every publication and is a regular topic on industry podcasts, so we’re adding a new ‘must reads’ section to this series to help you catch up on the latest topics of interest, including where Google Cloud’s experts and voices are joining the conversation.
Cloud Security Podcast: Early this year, Google Cloud’s Anton Chuvakin and Timothy Peacock launched the Cloud Security Podcast where they share stories and insights on security in the cloud, perspectives from people and companies delivering security from the cloud, and, of course, on what we’re doing at Google Cloud to help keep customer data safe and workloads secure. Some recent highlight episodes include:
The Cybersecurity Podcast from PwC UK: I recently joined Kevin Storli, Global CTO and UK Chief Information Security Officer at PwC, for a podcast discussion on the changing role of the CISO. We covered some career milestones, ways for CISOs to mitigate security risks while enabling their organization to achieve its goals, current areas of concern for CISOs such as supply chain risk and securing the cloud, and the skills CISOs need to recruit for over the next few years. Listen to the full episode here.
Wall Street Journal Cybersecurity Pro: I’ve written extensively about both the importance and the challenges of corporate board oversight of cybersecurity. During a recent interview with the Wall Street Journal’s Cybersecurity Pro, other security leaders and I discussed how board oversight of technology investment can help minimize cyber risk within an organization.
Security Conversations: Google’s Senior Director of Information Security, Heather Adkins, recently appeared on the Security Conversations podcast with Ryan Naraine to talk about securing the software supply chain, zero-trust architecture, and the future of modern desktop computing. They also discussed how building security principles into an organization’s underlying foundation is critical. This is covered at length in our latest SRE book, Building Secure and Reliable Systems; don’t forget to get a free download here.
CSO on the future of cloud security: Earlier this year Google Cloud launched a first-of-its-kind program called the Risk Protection Program with Allianz and MunichRe to help our cloud customers reduce security risk and get access to specialized cyber insurance coverage exclusively for Google Cloud customers, called Cloud Protection +. I talked more about the importance of this program and its Risk Manager tool in a recent Q&A with CSO, where we also covered topics like compliance reporting and how the economy of scale of the cloud is fundamentally changing the game of security.
In recent research, IDC found that confidence in the security of cloud infrastructure is extremely high, with 85% of respondents stating they feel as secure or more secure with cloud infrastructure than with on-premises infrastructure, compared to just 15% who believe on-premises is still safer. This is encouraging, as we’ve spoken extensively about the benefits of cloud in security transformation, and we will continue to push for security and IT modernization with the cloud.
Our continued progress securing the software supply chain and open source software initiatives
Today's software supply chains are still far away from a state where users can meaningfully assess the supply-chain risks associated with software they deploy. Google continues to make significant investments and impact in this area.
Last month, we proposed a solution to supply chain integrity attacks, Supply Chain Levels for Software Artifacts (SLSA, pronounced “salsa”), an end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain. It is inspired by Google’s internal “Binary Authorization for Borg,” which has been in use for the past 8+ years and is mandatory for all of Google's production workloads. The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats. With SLSA, users can make informed choices about the security posture of the software they consume.
We’re also continuing our collaboration with the Open Source Security Foundation community with the launch of Security Scorecards V2, where we added new security checks, scaled up the number of projects being scored, and made this data more accessible for analysis.
Next week, we’re hosting a Google Cloud half-day event dedicated to software supply chain and container security, where voices in the software supply chain security community at Google and beyond will discuss how we can build trust in today’s processes. Register for the keynotes and sessions here.
That wraps up another month of thoughts and highlights. If you’d like to have this Cloud CISO Perspectives post delivered every month to your inbox, click here to sign up.