Cloud CISO Perspectives: September 2021
VP, TI Security & CISO, Google Cloud
We’re busy getting ready for Google Cloud Next ‘21 where we’re excited to talk about the latest updates to our security portfolio and new ways we’re committing to help all of our customers build securely with our cloud. Here are a few sessions you don’t want to miss with our Google Cloud security experts and customers that cover top-of-mind areas in today’s cybersecurity landscape:
In this month's post, I’ll recap the latest from Google Cloud security and industry highlights for global compliance efforts and healthcare organizations.
Thoughts from around the industry
Supporting federal Zero Trust strategies in the U.S.: Google Cloud recently submitted our recommendations for the Office of Management and Budget (OMB) guidance document on Moving the U.S. Government Towards Zero Trust Cybersecurity Principles and on NIST’s Zero Trust Starting Guide. We strongly support the U.S. Government’s efforts to embrace zero trust principles and architecture as part of its mandate to improve the cybersecurity of federal agencies under the Biden Administration's Executive Order on Cybersecurity. We believe that successfully modernizing the government’s approach to security requires a migration to zero trust architecture and embracing the security benefits offered by modern, cloud-based infrastructure. This is especially true following the recent SolarWinds and Hafnium attacks, which demonstrated that, even with best efforts and intentions, credentials will periodically fall into the wrong hands. This demands a new model of security that recognizes that implicit trust in any component of a complex, interconnected system can create significant security risks. To learn more about our holistic zero trust implementation at Google and the products customers can adopt on their zero trust journey, visit:
Sovereignty in the cloud: The ability to achieve greater levels of digital sovereignty has been a growing requirement from cloud computing customers around the world. In our previously published materials, we’ve characterized digital sovereignty requirements into three distinct pillars: data sovereignty, operational sovereignty and software sovereignty. These requirements are not mutually exclusive; each requires different technical solutions, and each comes with its own set of tradeoffs that customers need to consider. What also comes through clearly is that customers want solutions that meet their sovereignty requirements without compromising on functionality or innovation. We’ve been working diligently to provide such solutions, both through capabilities built into our public cloud platform and through our recent announcement of sovereign cloud solutions powered by Google Cloud and offered through trusted partners.
Compliance update across Asia-Pacific: In the APAC region, there have been some key regulatory updates over the course of the last year, including IRAP (Information Security Registered Assessors Program), a framework for assessing the implementation and effectiveness of an organization’s security controls against the Australian government’s security requirements, and RBIA (Risk Based Internal Audit), an internal audit methodology that provides assurance to a Board of Directors on the effectiveness of how risks are managed. We’ve posted updates to guidance and resources that help support our customers’ regulatory and compliance requirements as part of our compliance offerings, which include compliance mappings geared toward assisting regulated entities with their regulatory notification and outsourcing requirements.
Open Source Technology Improvement Fund: We recently pledged to provide $100 million to support third-party foundations that manage open source security priorities and help fix vulnerabilities. As part of this commitment, we are excited to announce our support of the Open Source Technology Improvement Fund (OSTIF) to improve security of eight open-source projects, including Git, Laravel, Jackson-core & Jackson-databind and others.
President’s Council of Advisors on Science and Technology (PCAST): Some personal news I am excited to share this month. I’m honored to be appointed by President Biden to the President’s Council of Advisors on Science and Technology. It's a role I take on with great responsibility alongside my fellow members, and I look forward to sharing more about what we can help the nation achieve in important areas like cybersecurity. I’m also very proud to be joining the most diverse PCAST in history.
Must-read and must-listen security stories and podcasts
We’ve been recapping the media and podcast hits from Google security leaders and industry voices. Keep reading below to catch up on the latest security highlights in the news this month:
- Security for the Telecom Transformation: I sat down with fellow CISOs from major telecommunications providers to discuss the future of security for the industry’s transformation. We covered topics like IT modernization with the cloud, zero trust and best practices for detection and response.
- WSJ CIO Network Summit: Last week, Google’s Heather Adkins participated in a fireside chat with WSJ Deputy Editor Kim Nash. Their conversation covered a broad range of timely cybersecurity topics: opportunities and challenges for CIOs under the Biden Cybersecurity EO, such as IT modernization; the definition of zero trust as a security philosophy rather than a specific set of tools, based on our lessons learned at Google; and best practices for how CIOs and CISOs can work together to enhance security and achieve business objectives in tandem by adopting modern technologies like the cloud. Read more in this article for highlights from their insightful and incredibly timely interview for today’s cybersecurity environment.
- Washington Post Live - Securing Cyberspace: Google Cloud’s Jeanette Manfra appeared on Washington Post Live to discuss the growing need for heightened cybersecurity across industries to prevent future cyberattacks, the role of the Cybersecurity and Infrastructure Security Agency (CISA) in facilitating conversations between industries and how to deepen the partnerships between the public and private sectors to benefit our collective security.
- Not Your Bug, But Still Your Problem: Why You Must Secure Your Software Supply Chain: Google Cloud VP of Infrastructure and Google Fellow Eric Brewer and I sat down with Censys.io CTO Derek Abdine for a recent webinar to discuss how organizations can better understand their software supply chain risks, stay in control of their assets, and know what software is deployed both inside and outside the network.
- Debunking Zero Trust in WIRED: Alongside Google’s Sr. Director of Information Security Heather Adkins and Google Cloud’s Director of Risk and Compliance Jeanette Manfra, we help break down the true meaning of zero trust in today’s security landscape, explaining that the term is not a magic set of products but a philosophy that organizations need to adopt across their business when it comes to security architectures.
- Google Cloud Security Podcast: Our team continues to collaborate with voices from across the industry in our podcast. This month, episodes unpacked topics like malware hunting with VirusTotal, cloud attack surface management with Censys.io CTO Derek Abdine, and cloud certification best practices and tips with The Certs Guy!
Google Cloud Security Highlights
- Updated data processing terms to reflect new EU Standard Contractual Clauses: For years, Google Cloud customers who are subject to European data protection laws have relied on our Standard Contractual Clauses (SCCs) to legitimize overseas data transfers when using our services. In response to new EU SCCs approved by the European Commission in June, we just updated our data processing terms for Google Cloud Platform and Google Workspace. For customers, this approach offers clear and transparent support for their compliance with applicable European data protection laws. Along with this update, we published a new paper that outlines the European legal rules for data transfers and explains our approach to implementing the SCCs so that customers can better understand what our updated terms mean for them and their privacy compliance.
- Toronto Region Launch: We announced our latest cloud region in Toronto, Canada. Toronto joins 27 existing Google Cloud regions connected via our high-performance network, helping customers better serve their users and customers throughout the globe. In combination with our Montreal region, customers now benefit from improved business continuity planning with distributed, secure infrastructure needed to meet IT and business requirements for disaster recovery, while maintaining data sovereignty. As part of this expansion, we also announced the preview availability of Assured Workloads for Canada—a capability which allows customers to secure and configure sensitive workloads in accordance with specific regulatory or policy requirements.
- Protecting healthcare data with Cloud DLP: Our solutions team recently released a detailed guide for getting started with Cloud DLP to protect sensitive healthcare and patient data. Cloud DLP helps customers inspect and mask this sensitive data with techniques like redaction, bucketing, date-shifting, and tokenization, which help strike the balance between risk and utility. The guide outlines the steps customers can take to create a secure foundation for protecting patient data.
- Network Forensics and Telemetry blueprint: To detect threat actors in cloud infrastructure, network monitoring can provide agentless detection insight where endpoint logs cannot. In the cloud, with powerful technologies like Google Cloud’s Packet Mirroring service, capturing network traffic across your infrastructure is simpler and more streamlined. Our new Network Forensics and Telemetry blueprint allows customers to easily deploy capabilities for network monitoring and forensics via Terraform to aid visibility through Chronicle or any SIEM. We also published a helpful companion blog comparing the range of analytics options available on Google Cloud for network threat detection.
- Backup and Disaster Recovery in the Cloud: The ability to recover quickly from security incidents is a fundamental capability for every security program, and cloud technology offers a wide range of options to help make organizations more resilient. Recent posts from our teams provide up-to-date views of workload-specific and enterprise-wide Google Cloud backup and DR options.
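The four de-identification techniques named in the Cloud DLP healthcare item above (redaction, bucketing, date-shifting and tokenization), shown as a small stand-alone Python illustration added here; it is not Cloud DLP's own code or API. The patient record, the phone-number pattern and the HMAC key are constructed placeholders; in a real deployment the key would come from a KMS or secret store.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

# Constructed sample record (not real patient data).
RECORD = {"mrn": "MRN-0001", "dob": "1961-03-14", "visit": "2021-09-02",
          "age": 60, "notes": "Call 415-555-0101 to confirm."}
# Placeholder key: in a real deployment it would come from a KMS or secret store.
TOKEN_KEY = b"placeholder-key-rotate-me"
PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")

def redact_phone(text: str) -> str:
    """Redaction: drop the phone number entirely, leaving a fixed marker."""
    return PHONE_RE.sub("[PHONE]", text)

def bucket_age(age: int, width: int = 10) -> str:
    """Bucketing: replace an exact age with a range, e.g. 60 -> '60-69'."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"

def tokenize(value: str) -> str:
    """Tokenization: keyed HMAC, so one MRN always yields the same token and
    records still join, while the token reveals nothing without the key."""
    return hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def shift_date(iso: str, patient_id: str, max_days: int = 100) -> str:
    """Date-shifting: move a date by a per-patient offset derived from the key,
    so intervals between one patient's dates (e.g. DOB to visit) survive."""
    seed = int(tokenize("shift:" + patient_id), 16)
    offset = seed % (2 * max_days + 1) - max_days  # in [-max_days, max_days]
    return (date.fromisoformat(iso) + timedelta(days=offset)).isoformat()

def interval_days(iso_a: str, iso_b: str) -> int:
    """Days from iso_a to iso_b; used to check that shifting preserves intervals."""
    return (date.fromisoformat(iso_b) - date.fromisoformat(iso_a)).days

def deidentify(rec: dict) -> dict:
    """Apply the four techniques to one record; the raw MRN is not kept."""
    pid = rec["mrn"]
    return {
        "patient_token": tokenize(pid),
        "dob": shift_date(rec["dob"], pid),
        "visit": shift_date(rec["visit"], pid),
        "age_bucket": bucket_age(rec["age"]),
        "notes": redact_phone(rec["notes"]),
    }
```

Because the shift offset is derived per patient, `interval_days` gives the same result before and after shifting, which is the utility the guide's "balance between risk and utility" refers to.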
That wraps up another month of my cybersecurity thoughts and highlights. If you’d like to have this Cloud CISO Perspectives post delivered every month to your inbox, click here to sign up. And remember to register for the Google Cloud Next ‘21 conference, happening virtually October 12-14.