Cloud CISO Perspectives: Late May 2023
Phil Venables
VP/CISO, Google Cloud
Welcome to the second Cloud CISO Perspectives for May 2023. I hope you all enjoyed our previous newsletter from my Office of the CISO colleague MK Palmore, on Google’s new cybersecurity certification and how it can help prepare aspiring cybersecurity experts for their next career steps.
Before I jump into my column today, I’d like to encourage everyone to sign up for our annual Security Summit, coming in just a few weeks on June 13-14. This year, we’ll explore the latest technologies and strategies from Google Cloud, Mandiant, and our partners to help protect your business, your customers, and your cloud transformation. You can register for the broadcast in your choice of two time zones here. We hope to see you there.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
Integrating digital sovereignty with cloud security
Today, I’d like to talk about one of the more complex and important topics in our current cloud discourse: digital sovereignty. Simply put, digital sovereignty is an organization’s intention to retain control over their data and how that data is stored, processed and managed when using third-party services — including cloud providers.
Organizations should feel that they have control over their data. When those controls have been designed well, they should encourage even more organizations to use the cloud and benefit from all that the cloud offers.
Digital sovereignty is a subject that we feel strongly about, and over the past few years, Google Cloud has worked extensively with customers, partners, policy makers, and governments to understand their evolving sovereignty requirements.
We take an expansive view of sovereignty requirements encompassing data, operations, and software. We also see the control of encryption as vital to addressing these requirements and have engineered leading encryption solutions. Along with having these solutions in our cloud, we also have led the industry on establishing partnerships with trusted local partners to address concerns of working with foreign providers.
Google Cloud has been leading dialogue and developing digital sovereignty solutions since 2019. Our ongoing discussions in the market have taught us that designing a digital sovereignty strategy that balances control and innovation is challenging because of four main reasons:
Foundational concepts are not always well-understood, including regulatory requirements, legal safeguards, and risk management.
Many organizations struggle to articulate their specific requirements, particularly when it comes to how sovereign strategies enable digital transformation.
Choosing the best technologies and solutions to meet those requirements can be difficult.
A shortage of advisory capacity and expertise in the market can make these challenges even harder to overcome.
While digital sovereignty challenges cross boundaries and oceans, we’ve focused many of our initial efforts in Europe. This has resulted in our “Cloud. On Europe’s Terms” initiative and a broad portfolio of Sovereign Solutions we have already brought to market to help support customers’ current and emerging needs as they bring more workloads to the cloud.
We’ve also developed the Digital Sovereignty Explorer, a tool designed to help you make progress on your understanding of key concepts and potential solutions, which we introduced in March. Initially focused on the needs of European organizations, the Explorer is an online, interactive tool that takes individuals through a guided series of questions about their organizations’ digital sovereignty requirements.
One benefit of our early digital sovereignty investments has been that it has helped strengthen other areas we’re focused on. Confidential Computing has also proven to be a helpful additional control for organizations implementing digital sovereignty strategies, providing an encryption capability, and protection for data-in-use where encryption keys are not accessible by the cloud provider.
Innovating to address digital sovereignty requirements is important to advance digital transformation and technological creativity, and to join in the benefits of the cloud. We’re going to continue to engage with customers, our partners, governments, and regulators to deliver novel solutions that meet local requirements.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
Get ready for Google Cloud Next: Discounted early-bird registration for Google Cloud Next ‘23 is open now. This year’s Next comes at an exciting time, with the emergence of generative AI, breakthroughs in cybersecurity, and more. It’s clear that there has never been a better time to work in the cloud industry. Register now.
Partnering with Health-ISAC to strengthen the European healthcare system: We’re growing our relationship with Health-ISAC to include CISOs and security leaders in Europe, the Middle East, and Africa (EMEA), starting with a joint 17-city tour across the region, as part of its European Healthcare Threat Landscape Tour. Read more.
4 ways to improve cybersecurity from the boardroom: Here are four ways that boards and cybersecurity teams can keep their organizations more secure and reduce risk. Read more.
How does Google protect the physical-to-logical space in a data center? Each Google data center is a large and diverse environment of machines, networking devices, and control systems. In these complex environments, the security of your data is our top priority. Learn how we keep it secure. Read more.
Introducing reCAPTCHA Enterprise Fraud Prevention: We are pleased to announce the general availability of reCAPTCHA Enterprise Fraud Prevention, a new product that uses Google's own fraud models, machine learning, and intelligence from protecting more than 6 million websites to help stop payment fraud. Read more.
How Apigee can help government agencies adopt Zero Trust: Securely sharing data is critical to building an effective government application ecosystem. Rather than building new applications, APIs can enable government leaders to gather data-driven insights within their existing technical environments, which Google Cloud’s Apigee can help achieve. Here's how.
News from Mandiant
New OT malware possibly related to Russian emergency response exercises: Mandiant identified COSMICENERGY, a novel operational technology (OT) and industrial control system (ICS)-oriented malware possibly related to Russian emergency response exercises, which has demonstrated a cyber impact to physical systems. Read more.
Don't @ me: URL obfuscation through schema abuse: Mandiant has found attackers distributing multiple malware families by obfuscating the end destination of a URL by abusing the URL schema. This technique can increase the likelihood of a successful phishing attack. Read more.
A requirements-driven approach to cyber threat intelligence: Mandiant’s latest report on applying threat intelligence outlines what it means to be requirements-driven in practice, offering actionable advice on how intelligence functions can implement and optimize such an approach within their organizations. Read more.
Cloudy with a chance of bad logs: As organizations increasingly move to cloud and security teams struggle to keep up, Mandiant provides a hypothetical scenario of a cloud platform compromise with multiple components that would require investigation. Read more.
Google Cloud Security Podcasts
We launched a weekly podcast focusing on Cloud Security in February 2021. Hosts Anton Chuvakin and Timothy Peacock chat with cybersecurity experts about the most important and challenging topics facing the industry today. Earlier this month, they discussed:
The good, the bad, and the epic possibilities of threat detection at scale: Good detection is hard to build, whether defined for a rule or a piece of detection content, or for a program at a company. Reliably producing good detection content at scale is even trickier, so we chatted with Jack Naglieri, founder and CEO, Panther Labs. Listen here.
Firewalls in the cloud: Nevermind the difference between firewalls and firewalling (although we discuss that, too) — does the cloud even need firewalls? Our own senior cloud security advocate, Michele Chubirka, gets us grounded on all things cloud firewall. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back at the end of the month with more security-related updates.