Cloud CISO Perspectives: May 2022

May was another big month for us, even as we get ready for more industry work and engagement at the RSA Security Conference in San Francisco. At our Security Summit and throughout the past month, we continued to launch new security products and features, and increased service and support for all our Google Cloud and Google Workspace customers. 

Google Cloud’s Security Summit 2022

Our second annual Security Summit held on May 17 was a great success. In the days leading up to the Summit, we discussed how we are working to bring Zero Trust policies to government agencies, and we revealed our partnership with AMD to further advance Confidential Computing - including an in-depth review focused on the implementation of the AMD secure processor in the third generation AMD EPYC processor family. 

We also introduced the latest advancements in our portfolio of security solutions. These include our new Assured Open Source Software service (Assured OSS), which enables enterprise and public sector users of open source software to incorporate the same OSS packages that Google uses into our own developer workflows; extending Autonomic Security Operations (ASO) to the U.S. public sector, a solution framework to modernize cybersecurity analytics and threat management that’s aligned with the Zero Trust and supply-chain security objectives of 2021’s cybersecurity Executive Order and the Office of Management and Budget memorandum; expanding our compliance with government software standards; and SAML support for Workload Identity Federation, so that customers can use a SAML-based identity provider to reduce their use of long-lived service account keys. 

Advancing open source software security

We continued to partner with the Open Source Security Foundation (OpenSSF,) the Linux Foundation, and other organizations at another industry open source security summit to further develop the initiatives discussed during January’s White House Summit on Open Source Security. We’re working towards the goal of making sure that every open source developer has effortless access to end-to-end security by default. 

As covered in our Security Summit, an important part of this effort is Assured OSS, which leverages Google’s extensive security experience and can help organizations reduce their need to develop, maintain, and operate complex processes to secure their open source dependencies. Assured OSS is expected to enter Preview in Q3 2022.

Also, as part of our commitment to improving software supply-chain security, the Open Source Insights project helps developers better understand the structure and security of the software they use. We introduced Open Source Insights data in BigQuery in May so that anyone can use Google Cloud BigQuery to explore and analyze the dependencies, advisories, ownership, license and other metadata of open-source packages across supported ecosystems, and how this metadata has changed over time.  

Why Confidential Computing and our partnership with AMD matters

I’d like to take a moment to share a bit more on the importance of Confidential Computing and our partnership with AMD. I’ve been talking a lot this year about why we as an industry need to evolve our understanding of shared responsibility into shared fate. The former assigns responsibilities to either the cloud provider or the cloud provider’s customer, but shared fate is a more resilient cybersecurity mindset. 

It’s a closer partnership between cloud provider and customer that emphasizes secure-by-default configurations, secure blueprints and policy hierarchies, consistently available advanced security features, high assurance attestation of controls, and insurance partnerships.

In our collaboration with AMD, we focused on how secure isolation has always been critical to  our cloud infrastructure, and how Confidential Computing cryptographically reinforces that secure isolation. AMD’s firmware and product security teams, Google Project Zero, and the Google Cloud Security team collaborated for several months to analyze the technologies and firmware that AMD contributes to Google Cloud’s Confidential Computing services. 

Also in May, we expanded the availability of Confidential Computing to include N2D and C2D Virtual Machines, which run on third-generation AMD EPYC™ processors.

GCAT Highlights

Here are the latest updates, products, services and resources from our cloud security teams this month: 

Security

• PSP protocol now open source: In order to better scale the security we offer our customers, we created a new cryptographic offload protocol for internal use that we open sourced in May. Intentionally designed to meet the requirements of large-scale data-center traffic, the PSP Protocol is a TLS-like protocol that is transport-independent, enables per-connection security, and is offload-friendly. 

• Updating Siemplify SOAR: The future of security teams is heading towards “anywhere operations,” and the latest version of Siemplify SOAR can help get us there. It gives organizations the building blocks needed across cloud infrastructure, automation, collaboration, and analytics to accelerate processes for more timely responses and automated workflows. In turn, this can free up teams to focus on more strategic work.

• Guardrails and governance for Terraform: Popular open-source Infrastructure-as-Code tool Terraform can increase agility and reduce errors by automating the deployment of infrastructure and services that are used together to deliver applications. Our new tool verifies Terraform and can help reduce misconfigurations of Google Cloud resources that violate any of your organization's policies. 

• Benchmarking Container-Optimized OS: As part of our security-first approach to safeguarding customer data while also making it more scalable, we want to make sure that our Container-Optimized OS is in line with industry-standard best practices. To this end, the Google Cloud Security team has released a new CIS benchmark that clarifies and codifies the security measures we have been using, and makes recommendations for hardening. 

• New reCAPTCHA Enterprise guidebook: Identifying when a fraudster is on the other end of the computer is a complex endeavor. Our new reCAPTCHA Enterprise guidebook helps organizations identify a broad range of online fraud and strengthen their website security.

• Take the State of DevOps 2022 survey: The State of DevOps report by Google Cloud and the DORA research team is the largest and longest running research of its kind, with inputs from more than 32,000 professionals worldwide. This year will focus on how security practices and capabilities predict overall software delivery and operations performance, so be sure to share your thoughts with us.

Industry updates

• Security improvements to Google Workspace: I wrote at the beginning of the year that data sovereignty is one of the major, driving megatrends shaping our industry today. At the beginning of May we announced Sovereign Controls for Google Workspace, which can provide digital sovereignty capabilities for organizations, both in the public and private sector, to control, limit, and monitor transfers of data to and from the EU starting at the end of 2022, with additional capabilities delivered throughout 2023. This commitment builds on our existing Client-side encryption, Data regions, and Access Controls capabilities. 

• We are also extending Chrome’s Security Insights to Google Cloud and Google Workspace products, as part of our efforts to consistently provide advanced features to our customers. 

• Can you hear the security now? Pindrop is joining forces with Google Cloud. If you’ve never heard of Pindrop, you’ve almost certainly encountered their technology, which is used to authenticate payments, place restaurant and shopping orders, and check financial accounts over the phone. Their technology provides the backbone for anti-fraud efforts in voice-based controls, as well. With Google Cloud, Pindrop can be better able to detect deep fakes and robocalls, help banks authenticate transactions, and provide retailers with secure AI-powered call center support.

Compliance & Controls 

• Expanding public sector and government compliance: Google Cloud is committed to providing government agencies with the security capabilities they need to achieve their missions. In addition to our aforementioned Autonomic Security Operations and new Assured Open Source Software (OSS) service, we’re expanding Assured Workloads. This can help enable regulated workloads to run securely at scale in Google Cloud's infrastructure. We are also pleased to announce that 14 new Google Cloud services support FedRAMP Moderate and three services are being added to support FedRAMP High, with more coming this summer. (You can read the full list of those services at the end of this blog.)  

Next month we’ll recap highlights from the RSA Conference and much more.  

To have our Cloud CISO Perspectives post delivered every month to your inbox, sign up for our newsletter. We’ll be back next month with more security-related updates.