Security & Identity

Cloud CISO Perspectives: March 2023

March 31, 2023
Phil Venables

VP/CISO, Google Cloud

Welcome to Cloud CISO Perspectives for March 2023. The Biden-Harris Administration released its National Cybersecurity Strategy on March 2, so this month I’d like to discuss how the strategy aligns with our approach to security at Google Cloud. While the strategy is intended to guide American cybersecurity efforts, it could have global implications for how the security industry interacts with governments around the world — and encourage more collaboration between policy makers and private enterprise on cybersecurity matters.

Before we dive in: Starting in April, we’ll be switching to a new publishing cadence and delivering this newsletter to your inbox twice a month. I’ll author the first newsletter each month, and then at the end of the month you’ll receive the second newsletter featuring a guest column from one of our incredibly talented security experts at Google. 

As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.

U.S. government supports secure by design

The U.S. National Cybersecurity Strategy envisions broad “fundamental shifts” for the United States government’s approach to cyberspace. These changes include how the government “allocates roles, responsibilities, and resources,” based on five pillars: defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future, and forge international partnerships to pursue shared goals.

The strides that the Biden-Harris Administration has taken to acknowledge and embrace the importance of modern cloud technology are encouraging. The National Cybersecurity Strategy’s recognition of the valuable role these technologies play in digital modernization and resilience, as well as its emphasis on security by design, is validating and evidence of a shared goal to improve the security of the broader technology ecosystem.

The National Cybersecurity Strategy acknowledges the benefits that cloud services provide to security and resilience and encourages federal entities to “replace legacy systems with more secure technology, including accelerating migration to cloud-based services.” Having a consistent framework for the services that organizations rely on from cloud providers and software-as-a-service providers will be useful. As you move to the cloud, generally you get better security and resilience — this is especially true with Google Cloud.

We take our responsibility as one of the world’s largest tech providers seriously. We agree with the Biden-Harris Administration that increased collaboration between companies like Google and the public sector is vital to improving cybersecurity, including through efforts to mitigate the ability of malicious actors to leverage such technologies for nefarious purposes. We welcome the Administration’s efforts to collaborate with industry on these issues such as through the National Security Telecommunications Advisory Committee study on abuse of domestic infrastructure.

The strategy also highlights the administration’s intent to pursue legislation to establish software liability, including a safe harbor provision to protect entities that prioritize security in the design and maintenance of their products. That security should be built in, not bolted on, is a core Google value that defines us as a technology provider and is a crucial part of our security mission: Secure the Cloud (not only Google Cloud), Secure the Customer (shared fate), and Secure the Planet (and beyond). 

Google’s secure-by-default and secure-by-design approach is part of our efforts to address core security challenges for existing products, and build strategic capabilities to prevent these issues arising in new products and solutions.

It's about defense-in-depth in the platform itself, where security is built in — not bolted on. It’s about deep architectural defenses to thwart whole classes of attacks. Beyond that, it’s about designing and building systems so that they keep users safe from mishaps — even if they make mistakes.

It is also about defense-in-depth against configuration errors: enforced security patterns for solving problems (invariants), built into development and production workflows, help prevent mistakes before they reach production.

This is where the cloud can help. Secure-by-default in the cloud can help scale strong baseline security across more of an organization’s infrastructure footprint. The cloud service provider can develop its platform and applications taking into consideration customer use cases to further align controls and guardrails to real world use and risks.

An industry that broadly embraces the secure-by-design approach is one whose core infrastructure has been designed, built, and operated with security in mind.

In case you missed it

Here are the latest updates, products, services, and resources from our security teams this month: 

  • Join us at the RSA Conference in San Francisco: Join Google Cloud and Mandiant together for the first time at April’s RSA Conference 2023. We’re excited to bring our joint capabilities, products, and expertise together, so you can better defend your organization against today’s threats. See our full schedule.

  • And get ready for Google Cloud Next: Discounted early-bird registration for Google Cloud Next ‘23 is open now. This year’s Next comes at an exciting time, with the emergence of generative AI, breakthroughs in cybersecurity, and more. It’s clear that there has never been a better time to work in the cloud industry. Register now.

  • How AI can improve digital security: Breakthroughs in generative AI are fundamentally changing how people interact with technology. AI can have a major impact for good on the security ecosystem, but only if we’re being bold and responsible about how we deploy it. Read more.

  • How Project Shield helped protect U.S. midterm elections from DDoS attacks: Modern elections rely on public access to a vast array of online information, including political candidate stances, elections monitoring, and directions to polling sites. During the recent U.S. midterm election, attacks per week against all Project Shield customers quadrupled. Read more.

  • Facing shifting tech, risks, and culture, security pros share what matters most: GCAT’s new State of Cloud Detection and Response Report found that organizations contemplating or working on their digital transformation face a busy intersection of technological upgrades, evolving risks, and cultural shifts. Read more.

  • Why shared fate shows us a better cloud roadmap: Google Cloud takes a matured, mutually-beneficial shared fate approach to risk management, which can better serve cloud service providers, their customers, and the broader community of cloud users, because a trust issue in one cloud can impact the trust in all clouds. Read more.

  • Trapped in a frame: Why leaders should avoid security framework traps: Frameworks have become an endemic part of the security landscape. They seem to be everywhere, and some security professionals consider them more theatrical than practical these days — an unfortunate situation since, when used correctly, frameworks can provide value. Read more.

  • Google is named a Leader in The Forrester Wave™ Data Security Platforms Q1 2023: Data security is an integral part of our value proposition across all our Google Cloud products and platforms, so we are happy to share that Forrester Research has ranked Google Cloud a Leader in The Forrester Wave™ Data Security Platforms Q1 2023. Read more.

  • OSV and the vulnerability lifecycle: Finding and fixing security vulnerabilities has never been more important, yet with increasing interest, the vulnerability management space has become fragmented. Here are some tools we offer to help database maintainers track vulnerabilities from discovery to remediation, and how to use OSV together with other SBOM and VEX standards. Read more.

  • A guide to Generative AI support in Vertex AI: In the last few months, consumer-grade generative AI has captured the attention of millions, with intelligent chatbots and lifelike digital avatars. Generative AI support in Vertex AI makes it easier for developers and data scientists to access, customize, and deploy foundation models from a simple user interface. Read more.

  • Randstad France adopts secure and agile computing with ChromeOS: Randstad is the world’s largest HR service provider, operating in 38 countries. In 14 months, the company activated 4,000 Chromebooks supporting almost 85% of Randstad’s workforce. Here’s why.

Google Cloud security tips, tricks, and updates

  • Confidential Space is the future of privacy-preserving collaboration: Confidential Space is now generally available. It provides a secure enclave, also known as a Trusted Execution Environment (TEE), that our customers can leverage for privacy-focused tasks. It also protects data from all parties involved — including hardened protection against cloud service provider access. Read more.

  • Why (and how) Security Command Center is adding attack path simulation: Google Cloud’s built-in security and risk management solution is getting an advanced simulation engine to perform attack-path analysis, which can help defenders know where and which controls to apply to better protect their cloud environment. Read more.

  • How to optimize SLA execution with Chronicle SOAR: Chronicle Security Operations can help organizations meet their service level agreements, and make meeting them more about quality than speed. Read more.

  • Understand and trust data with Dataplex data lineage: Now generally available, Dataplex data lineage is a fully-managed Dataplex capability that can help you understand how data is sourced and transformed within your organization. Read more.

  • Secure, privacy-centric sharing with data clean rooms in BigQuery: Coming in Q3, we’re introducing BigQuery data clean rooms to help organizations create and manage secure environments for privacy-centric data sharing, analysis, and collaboration — all without generally needing to move or copy data. Read more.

  • Expanding Cloud Armor DDoS protection: We are excited to announce the general availability of Cloud Armor advanced network DDoS protection, which expands protection capabilities to workloads using external network load balancers, protocol forwarding, and VMs with public IP addresses. Read more.

  • How to glean security insights with Log Analytics: Log Analytics, a recent feature addition to Cloud Logging, can help customers meet their compliance and security requirements by getting actionable insights from Cloud Audit logs. Read more.

  • How to improve your Kubernetes security posture: As more organizations adopt Kubernetes, they also embrace new paradigms for connecting and protecting their workloads. For customers running their microservices on GKE and Anthos, GKE Dataplane V2 provides consistent network policy enforcement, logging, and monitoring without having to install third-party add-ons. Read more.

  • Workload identity for GKE made easy with open-source: Using an open-source tool called Kaniko, Google Cloud customers can allow Google Kubernetes Engine (GKE) workloads to safely and securely authenticate to Google APIs with minimal credential exposure. Read more.

  • Introducing time-bound Session Length defaults to improve your security posture: Google Cloud session management provides flexible options for setting up session controls based on your organization’s security policy. To further improve security for our customers, we are rolling out a recommended default 16-hour session length to existing Google Cloud customers. Read more.

  • Why you should migrate to network firewall policies from VPC Firewall rules: Last year, we announced new policy constructs for Google Cloud Firewall, a scalable, cloud-first firewall that can help secure traffic flow to and from workloads. We recommend that customers migrate from VPC firewall rules to network firewall policies, and we’ve developed a migration tool to help with the process. Read more.

  • Introducing a new Org Policy for Dry-Run Resource Usage Restriction in Preview: We are excited to announce the Preview launch of a Dry-Run capability for Resource Usage Restriction (RUR) Organization Policy. A key part of safely rolling out policies, this highly-requested feature allows customers to set RUR policies in audit-only mode to monitor impact on resources and workflows before enforcing in production. Read more.

  • Distributing software everywhere, all at once: A look at Cloud Deploy multi-target: For the developer who’s long-dreamed of releasing to multiple targets simultaneously, it’s now possible in the latest Cloud Deploy public Preview. Read more.

Compliance and Controls

  • 5 tips on how leaders can manage risk with cyber-insurance: Cyber insurance can help organizations recover from cybersecurity-related disruptions to their business caused by data breaches, ransomware, and other types of cyberattacks. We suggest five steps for obtaining cyber insurance, developing a smooth, repeatable process that effectively demonstrates the cybersecurity investments your organization has made. Read more.

  • Hidden allies: CCOs are guardians for a secure and compliant cloud migration: There are easier ways to do digital transformation projects, and harder ways. One of the keys to unlocking an easier path is to involve chief compliance officers early and often — they're vital to avoiding unnecessary regulatory headaches and costs. Read more.

  • Google Cloud and FS-ISAC team up to advance financial services security: To strengthen our commitment to the financial sector, Google Cloud has joined the Financial Services Information Security and Analysis Center’s Critical Providers Program, the first and only major cloud provider to have done so. Read more.

  • Announcing Google Cloud’s new Digital Sovereignty Explorer: Digital sovereignty continues to be a top priority for organizations working to advance or begin their digital transformation efforts. To help our customers, Google Cloud’s Digital Sovereignty Explorer is a free interactive tool designed to assist in the creation of a digital sovereignty strategy that best meets their needs. Read more.

  • Helping FSI firms manage third-party due diligence requirements: Financial services institutions increasingly rely on external service providers for a variety of technology-related services, including cloud computing. In our FSI Migration paper, we detail the due diligence regulatory considerations that U.S.-based organizations should consider when migrating to Google Cloud. Read more.

Google Cloud Security Podcasts

We launched a weekly podcast focusing on Cloud Security in February 2021. Hosts Anton Chuvakin and Timothy Peacock chat with cybersecurity experts about the most important and challenging topics facing the industry today. This month, they discussed:

  • MVSP, yeah you know me: Chris John Riley, Google senior security engineer and a technical debt corrector, explains what the minimal viable secure product (MVSP) is, how it works, why it's different from other compliance standards, and what problems it solves for customers. Listen here.

  • Network security is coming to the cloud: Learn about the role of network security in the public cloud, and whether networks are still relevant as a layer of defense, with Martin Roesch, CEO at Netography, creator of Snort. Listen here.

  • Threat Horizons and how Google Cloud does threat intel: What’s unique about Google Cloud’s approach to threat intelligence, what’s most important when it comes to understanding OT and cloud, and what makes our Threat Horizons reports unique, with our own Charles DeBeck, cyber threat intel expert. Listen here.

  • A cloud whodunnit: How to solve the mystery of AppSec: Encouraging developers and operations to use the appropriate security controls and settings in the cloud is no small task. Brandon Evans, infosec consultant and certified instructor and course author at SANS, explains why. Listen here.

To have our Cloud CISO Perspectives post delivered every month to your inbox, sign up for our newsletter. We’ll be back next month with more security-related updates.
