Google Cloud and CyberGRX collaborate to help scale and accelerate cloud assessments
Ruchi Khurana
Office of the CISO, Google Cloud
Rita Zurbrigg
Office of the CISO, Google Cloud
Risk managers know there is one assessment type that’s foundational for every risk management program: the vendor risk assessment. Understanding the risk posture of your vendors and third parties, including your cloud providers, is an important part of an effective risk management program. While collecting and analyzing information can often be time-consuming for risk managers, Google Cloud collaborates with third-party risk management (TPRM) providers to make the process easier.
These TPRM organizations provide independent due diligence services and platforms to help automate vendor risk management based on their inspection of security, privacy, business continuity, and operational resiliency controls, aligned with industry standards and regulation compliance. The ultimate goal is to help our customers scale and accelerate their assessments of Google Cloud.
We enable trusted TPRM providers, like CyberGRX, to examine Google Cloud’s controls (such as privacy, operational, and management) and operations. Based on their observations, CyberGRX provides a validated cyber risk assessment of Google Cloud’s security posture. Like assessments performed by individual customers, the CyberGRX assessment of Google Cloud details our adherence to industry standards and the security protocols built into our infrastructure.
Using a standardized approach like this, CyberGRX can quickly provide access to a security assessment of Google Cloud. CyberGRX’s validation process focuses on measuring the accuracy of a third party’s assessment answers, in this case Google Cloud’s. CyberGRX analysts and partners evaluate evidence provided by Google Cloud to confirm that we have implemented the critical controls indicated in our assessment responses. The assessment of Google Cloud is available to organizations via the CyberGRX website.
How Google Cloud stacks up
CyberGRX’s assessment covers more than 200 controls, and integrates Google Cloud’s responses with analytics, threat intelligence, and risk models. Additionally, CyberGRX’s Framework Mapper provides further functionality by mapping the cyber risk assessment of Google Cloud to more than 20 commonly used industry frameworks and standards. This enables our customers to view the cyber risk assessment of Google Cloud against customers’ specific, local compliance regime requirements including the MITRE ATT&CK framework.
CyberGRX’s Framework Mapper has broad standards and requirements coverage, including:
The CyberGRX mapping technology enables customers to see a mapping that is based on their specific needs, aggregated into a single assessment. This saves customers time and effort by eliminating the need for customers to create and repeatedly perform customized assessments of Google Cloud. Customers can now map the cyber risk assessment of Google Cloud to the frameworks they’re accustomed to using.
Integrating the MITRE ATT&CK™ framework
MITRE ATT&CK is a widely supported knowledge base for modeling adversary behavior, tactics, and techniques; it currently includes 13 tactics and 192 techniques.
In June 2022, Google Cloud announced our support and investment in a research partnership with MITRE Engenuity Center for Threat-Informed Defense, which included facilitating the mapping of the MITRE ATT&CK framework to Google Cloud security capabilities.
CyberGRX also recognizes the value of the MITRE ATT&CK framework and maps their foundational assessment to the MITRE ATT&CK framework. This allows organizations to review their security controls and gain visibility into gaps in their defenses. Security leaders can rapidly and easily identify critical problems for remediation.
There are multiple benefits to using the MITRE ATT&CK framework when accessing Google Cloud’s risk assessment through CyberGRX, including:
Uncovering previously unreported gaps by leveraging MITRE techniques to create kill chains or use cases.
Integrating results into internal risk and threat management programs that already align with MITRE ATT&CK.
Increasing the credibility and defensibility of CyberGRX risk findings, which supports third-party decisions and relationships because the findings connect to MITRE-based analytics.
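The two ideas above, aggregating one vendor assessment into the requirement IDs of several frameworks and then surfacing ATT&CK techniques that no implemented control covers, can be shown with a small gap-analysis routine. The code below is an added illustration, not code from Google Cloud or CyberGRX; the control IDs, the assessment statuses, and the control-to-requirement and control-to-technique mappings are constructed assumptions, and the framework requirement IDs are used only as labels.

```python
"""Aggregate one vendor assessment into per-framework views and ATT&CK coverage gaps.

Constructed example (not CyberGRX data): control IDs, statuses and both
mapping tables below are illustrative placeholders chosen for this demo.
"""

# Constructed assessment results: control id -> validated status.
ASSESSMENT = {
    "CTRL-MFA": "implemented",
    "CTRL-LOGGING": "implemented",
    "CTRL-BACKUP": "partial",
    "CTRL-EMAIL-FILTER": "not_implemented",
}

# Constructed mapping: control id -> {framework: [requirement ids]}.
# The requirement ids are labels for this demo, not an authoritative mapping.
CONTROL_TO_FRAMEWORKS = {
    "CTRL-MFA": {"NIST-CSF": ["PR.AC-7"], "ISO-27001": ["A.9.4.2"]},
    "CTRL-LOGGING": {"NIST-CSF": ["DE.CM-1"], "ISO-27001": ["A.12.4.1"]},
    "CTRL-BACKUP": {"NIST-CSF": ["PR.IP-4"], "ISO-27001": ["A.12.3.1"]},
    "CTRL-EMAIL-FILTER": {"NIST-CSF": ["PR.DS-5"]},
}

# Constructed mapping: control id -> ATT&CK technique ids it mitigates or detects.
CONTROL_TO_TECHNIQUES = {
    "CTRL-MFA": ["T1078", "T1110"],          # Valid Accounts, Brute Force
    "CTRL-LOGGING": ["T1078"],               # detection coverage for Valid Accounts
    "CTRL-BACKUP": ["T1486"],                # Data Encrypted for Impact
    "CTRL-EMAIL-FILTER": ["T1566"],          # Phishing
}

# Weaker statuses rank higher so that a shared requirement takes the weakest status.
STATUS_RANK = {"implemented": 0, "partial": 1, "not_implemented": 2}


def framework_view(assessment, control_to_frameworks, framework):
    """Project control statuses onto the requirement ids of one framework.

    A requirement backed by several controls inherits the weakest status,
    so the view never looks better than the underlying evidence.
    """
    view = {}
    for control, status in assessment.items():
        for req in control_to_frameworks.get(control, {}).get(framework, []):
            if req not in view or STATUS_RANK[status] > STATUS_RANK[view[req]]:
                view[req] = status
    return view


def attack_gaps(assessment, control_to_techniques):
    """Return ATT&CK techniques with no fully implemented control mapped to them."""
    mapped, covered = set(), set()
    for control, techniques in control_to_techniques.items():
        mapped.update(techniques)
        if assessment.get(control) == "implemented":
            covered.update(techniques)
    return sorted(mapped - covered)


def remediation_targets(assessment, control_to_techniques):
    """For each uncovered technique, list the non-implemented controls that would close it."""
    gaps = attack_gaps(assessment, control_to_techniques)
    targets = {}
    for technique in gaps:
        targets[technique] = sorted(
            control for control, techniques in control_to_techniques.items()
            if technique in techniques and assessment.get(control) != "implemented"
        )
    return targets


if __name__ == "__main__":
    for fw in ("NIST-CSF", "ISO-27001"):
        print(fw, framework_view(ASSESSMENT, CONTROL_TO_FRAMEWORKS, fw))
    print("ATT&CK gaps:", attack_gaps(ASSESSMENT, CONTROL_TO_TECHNIQUES))
    print("Remediation:", remediation_targets(ASSESSMENT, CONTROL_TO_TECHNIQUES))
```

The point of the weakest-status rule in `framework_view` is that a customer reading the ISO or NIST projection sees the same evidence the analyst validated, only relabeled; the ATT&CK projection then turns the same answers into a list of techniques to raise with the vendor or compensate for internally.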
Take advantage of the Google Cloud and CyberGRX collaboration
CyberGRX’s independent security assessment of Google Cloud is available to Google Cloud customers, and is an easy way for organizations to scale and accelerate their cloud assessments. CyberGRX provides a comprehensive and objective view of Google Cloud’s security posture based on a number of local compliance regime requirements and the MITRE ATT&CK framework. CyberGRX’s centralized assessment supports our customers’ annual vendor risk management processes and reduces the review time.