
Delivering the industry’s most trusted cloud

March 2, 2021
Phil Venables

VP, TI Security & CISO, Google Cloud

Sunil Potti

VP/GM, Google Cloud Security

Google Cloud is a leader in security, and with the recent revelations about the attacks on the software supply chain impacting governments and other organizations, customers need confidence in the providers to whom they entrust their mission-critical processes and information assets. 

At Google Cloud, we defend your data against threats and fraudulent activity using the same infrastructure and security services we use for our own operations, empowering you with advanced capabilities that would be unavailable to all but the most well-resourced global organizations. We’re driven by a vision of Invisible Security—where security technologies are engineered into our platforms and products, where, as a result, security operations as a silo can disappear and your vital security talent can be less stretched, and, ultimately, where risk is greatly reduced. Today, we want to further demonstrate why we are uniquely positioned to deliver on this vision, act as your security transformation partner, and be the most Trusted Cloud.

Introducing our Trusted Cloud requirements

We believe that the promise of a Trusted Cloud is built on three pillars:

A secure platform that delivers transparency and enables sovereignty: We provide a secure foundation that you can verify and independently control. It enables you to move from your own data centers to the cloud while maintaining control over data location and operations, and helps ensure compliance with local regulations.

A proven zero-trust architecture: We offer battle-tested technology that comprehensively protects data against the many types of threats that Google sees and defends against every day. As a result, you can operate with confidence that threats from ransomware, account takeovers, bots, phishing, and even more advanced attacks are minimized, detectable, and recoverable. 

Shared fate, not shared responsibility: We operate in a shared-fate model for risk management in conjunction with our customers. We believe that it's our responsibility to be active partners as our customers deploy securely on our platform, not delineators of where our responsibility ends. We stand with you from day one, helping you implement best practices for safely migrating to and operating in our Trusted Cloud.

[Figure: the value of shared fate — https://storage.googleapis.com/gweb-cloudblog-publish/images/value_of_shared_fate.max-1800x1800.jpg]

Let’s look at each of these pillars in more detail:  

Capabilities for transparency and sovereignty
Customers want to gain the benefits of the cloud without losing the control and agency over operations they have in their own data center. As described in an earlier post, Google Cloud offers extensive capabilities today to ensure sovereignty over data, software, and operations. We allow you to configure the locations where your data is stored, where your encryption keys are stored, and where your data can be accessed from. We give you the ability to manage your own encryption keys, even storing them outside Google’s infrastructure. Using our External Key Management service, you have the ability to deny any request by Google to access encryption keys necessary to decrypt customer data at rest for any reason. We offer the ability to monitor and approve access to your data or configurations by Google Cloud support and engineering based on specific justifications and context, so you have visibility and control over insider access. Our Confidential Computing services offer the ability to keep your data encrypted (and therefore isolated from cloud insiders or members of your own operations team) while it’s being processed.

Pioneering a trusted and scalable zero trust architecture 
As the pioneer in zero trust computing, we’ve learned a great deal about the transformative benefits but also the challenges of operating in this model. For Google, zero trust is not the latest marketing buzzword or trend to attach to—it’s how we have operated and helped to protect our internal operations over the last decade. 

BeyondCorp is our model for zero trust access that protects Google’s own applications. It establishes trust in users based on identity, context, and the state of their device, not just the ability to connect to the corporate network. BeyondProd is our model for operating production services securely at scale. It implements safeguards such as mutually authenticated service endpoints, transport security, edge termination with global load balancing and denial of service protection, end-to-end code provenance, and runtime sandboxing to ensure that only known, trusted, and specifically authorized callers can utilize a service. Services are constrained to use only authorized code and configurations, and run only in authorized, verified environments, preventing attackers from performing actions that allow them to expand their reach.

We in turn productize and make these zero trust capabilities available to our customers. Earlier this year, we announced the availability of BeyondCorp Enterprise, a commercial version of our zero trust access platform, and many of the capabilities of BeyondProd are embedded in Anthos, our managed application platform, in features like Binary Authorization and Anthos Service Mesh. Combined with Chronicle, our security analytics platform, we can deliver secure computing from user to network to app to data plus threat detection and investigation across these surfaces, even for organizations that do not run their systems in our cloud.
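As an added illustration (not code from the original post), this is what the "only authorized code" safeguard looks like when enforced on a GKE cluster with Binary Authorization: a project policy that admits only container images carrying an attestation from a named attestor. PROJECT_ID and build-attestor are placeholders, not values from the post.

```yaml
# Binary Authorization project policy (added example; PROJECT_ID and
# build-attestor are placeholders). Apply with:
#   gcloud container binauthz policy import policy.yaml
globalPolicyEvaluationMode: ENABLE   # keep admitting Google-maintained GKE system images
defaultAdmissionRule:
  # Every other image must carry a signed attestation from the attestor below,
  # e.g. one created by the CI pipeline after the image passed its checks.
  evaluationMode: REQUIRE_ATTESTATION
  # Block unattested deployments and record the denial in Cloud Audit Logs.
  # Use DRYRUN_AUDIT_LOG_ONLY first to see what would be blocked before enforcing.
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
  - projects/PROJECT_ID/attestors/build-attestor
```

Denied deployments appear in the cluster's audit log, which gives the detection side of the control as well as the enforcement side.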

[Figure: BeyondCorp Enterprise — https://storage.googleapis.com/gweb-cloudblog-publish/images/beyondcorp_enterprise.max-1300x1300.jpg]

Moving toward shared-fate for risk management in the cloud 
Getting security right in the cloud can be challenging, and customers have been responsible for building effective cloud security programs on their own. The shared responsibility model for security that has underpinned cloud computing since its earliest days dictates that the cloud provider is responsible for securing the underlying foundation, while the customer is responsible for secure configuration, data protection, access permissions and much more. The result is that enterprises have viewed the cloud as a risk to be managed instead of a platform for managing risk. With Google’s Trusted Cloud, we provide unique tools, detailed guidance, and best practices to reduce customer risk from day one. 

You receive detailed guidance and resources to optimize your security on our platform, have tools to manage ongoing security and compliance in our Trusted Cloud, and starting today have simplified access to cyber insurance, with pricing linked directly to security, through the Risk Protection Program. Google Cloud’s collaboration with two of the world’s leading insurance providers, Allianz Global Corporate and Specialty (AGCS) and Munich Re, delivers benefits like reduced risk and the potential to reduce cost with specialized cyber coverage designed exclusively for Google Cloud customers.

The most effective partner for your security transformation 
Our goal is to be the most effective partner as you transform your business for a digital world—whether your systems run in Google Cloud, in other clouds, or on premises. Our Trusted Cloud enables your digital transformation while also supporting your risk, security, compliance and privacy transformation.

We recognize that our products and services can only go so far in speeding up your cloud journey. You need support and guidance from leaders who know first-hand how complex cloud security challenges are for today’s modern enterprises and how best to navigate them. Google Cloud’s Office of the CISO is a dedicated team of experts who partner with you and our solutions engineering teams to support you through your entire life-cycle of safe and secure digital transformation. Our experts come from multiple industries, including financial services, healthcare, retail, telco, and government organizations, and can offer best practices and real-world guidance on security and risk topics large and small.

The Office of the CISO team maintains an increasingly effective feedback loop of customer challenges to influence product configurations and new features. They’re focused on making the secure path the easier path for you through tools and resources like secure landing zones, security blueprints, and documentation that provides detailed guidance for security transformation and standing up new services quickly and securely. Check out our first whitepaper released last month, CISO’s Guide to Security Transformation, and be on the lookout for much more over the coming months. 

This is just the beginning 
Having trusted partners is more important than ever in our interconnected world. As the requirements for trust increase, Google Cloud has taken major steps not only to redefine what these requirements are but also to deliver them to you through first-of-their-kind solutions. A partnership built on shared fate that can lead to shared rewards through the Risk Protection Program is just one example. Google is a leader when it comes to cloud security, and we will continue to deliver on our promise to be the Trusted Cloud.
