Charting a safer future starts at Google Cloud’s Security Summit
Sunil Potti
VP/GM, Google Cloud Security
Cybersecurity risks remain at the top of every organization’s agenda. As we progress on our Invisible Security journey, we remain focused on delivering solutions that can make governments and enterprises safer with Google, in our trusted cloud and through SaaS products that bring our security capabilities to on-premises environments and other clouds.
At our annual Google Cloud Security Summit today, we are sharing how we’re helping our customers and governments around the world address their most pressing security challenges: securing their software supply chain, accelerating the adoption of Zero Trust architectures, improving cloud governance, and transforming security analytics and operations.
Securing the Software Supply Chain
Patching security vulnerabilities in open source software often feels like a high-stakes game of whack-a-mole: fix one, and two more pop up. This helps explain research showing a 650% year-over-year increase in cyberattacks aimed at open source software (OSS) suppliers.
Governments around the world have taken notice, too, as critical infrastructure such as hospitals and power plants have faced a surge in cyberattacks exploiting widely-deployed code. In the US and around the world, governments have responded with new requirements and standards specifically focused on the software development lifecycle and the software supply chain. Google last week joined with industry leaders, the Open Source Security Foundation (OpenSSF), and the Linux Foundation in a meeting to help advance initiatives put forth during January’s White House Summit on Open Source Security.
The scale of Google’s ongoing effort to find OSS vulnerabilities would be challenging for any organization to construct and operate. We continuously fuzz 550 of the most commonly-used open source projects. As of January 2022, that process has found more than 36,000 vulnerabilities.
To further our commitment to strengthen the OSS software supply chain, we are announcing a new Google Cloud offering, our Assured Open Source Software service. Assured OSS enables enterprise and public sector users of open source software to easily incorporate the same OSS packages that Google uses into their own developer workflows. Packages curated by the Assured OSS service:
are regularly scanned, analyzed and fuzz-tested for vulnerabilities
have corresponding enriched metadata incorporating Container/Artifact Analysis data
are built with Cloud Build including evidence of verifiable SLSA-compliance
are verifiably signed by Google
are distributed from an Artifact Registry secured and protected by Google
Assured OSS helps organizations reduce the need to develop, maintain, and operate a complex process for securely managing their open source dependencies. Assured OSS is expected to enter Preview in Q3 2022.
Adopting Zero Trust Architectures
Urgency for adoption of Zero Trust architectures has only increased with efforts like the Federal Strategy to Move the U.S. Government Towards a Zero Trust Architecture and the United Kingdom’s National Cyber Security Center Zero Trust design principles, which outline many foundational elements of the BeyondCorp approach to Zero Trust that Google has promoted for more than a decade.
For Zero Trust access, we offer BeyondCorp Enterprise - and today we’re introducing BeyondCorp Enterprise Essentials, a new solution offering intended to help organizations quickly and easily take the first steps toward Zero Trust implementation. It combines context-aware access controls for SaaS applications or any other apps connected via SAML, as well as threat and data protection capabilities - data loss prevention, malware and phishing protection, and URL filtering, integrated in the Chrome browser. It’s a simple and effective way to protect your workforce, particularly an extended workforce or users who leverage a “bring your own device” model. Admins can also use Chrome dashboards to get visibility into unsafe user activity across unmanaged devices.
We’re also pleased to announce that both the BeyondCorp Enterprise app connector and client connector will be generally available in Q3 2022, giving customers even more options for protecting their unique environments. App connector can simplify connections to apps on other clouds such as Azure or AWS without the need to open firewalls or set up site-to-site VPN connections. Client connector enables Zero Trust access to non-HTTP, thick-client apps hosted on-prem or in other clouds.
Cloud Governance
In Google Cloud, we operate in a shared fate model, where we take an active stake in our customers’ security posture. Key to this is engineering security into our core platform, coupled with security controls you can configure according to your risk profile. But you shouldn’t have to wonder which controls to deploy or how to achieve a strong baseline. So we’re excited to deliver our new Security Foundation solution as a way to help enterprises more easily adopt Google Cloud’s security capabilities.
This solution is aligned to the prescriptive guidance from our Google Cloud Cybersecurity Action Team, and codified in our Security Foundations Blueprint, so that you get the controls you need for data protection, network security, security monitoring, and more to help make your deployments secure from day one, and to do so more cost-effectively.
Also for Google Cloud customers:
We’re adding new custom detection capabilities to Security Command Center, our security and risk management platform. Security Health Analytics custom modules enable you to add your own detection rules and perform configuration checks based on your specific needs. For example, Security Health Analytics’ default detection triggers findings if a Cloud Key Management Service (Cloud KMS) encryption key is not rotated for 90 days. You can now add a custom module that creates findings when your encryption key has not been rotated for an interval (such as 30 days) that matches your internal policy. Event Threat Detection also provides configurable detection modules that enable you to define parameters for events that trigger findings. For example, by default Event Threat Detection delivers threat findings based on evidence of connections to a list of known malicious IP addresses that Google maintains. Now you can configure a module with a list of suspicious IP addresses that you maintain, and if events indicate a connection to any of your supplied IP addresses, a threat finding will be reported in SCC.
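As an added illustration (not Google’s code, and not the actual Security Command Center module format), here is a small Python model of the layering described above: a default 90-day KMS rotation detector, a stricter 30-day custom module with the same check, and an Event Threat Detection-style module that matches connection events against an IP watchlist the customer maintains. Key names, timestamps, events and addresses are constructed sample data.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: KMS keys and the time each was last rotated.
NOW = datetime(2022, 5, 17, tzinfo=timezone.utc)
KEYS = [
    {"name": "payments-key", "last_rotation": NOW - timedelta(days=120)},
    {"name": "analytics-key", "last_rotation": NOW - timedelta(days=45)},
    {"name": "logs-key", "last_rotation": NOW - timedelta(days=10)},
]

# Constructed connection events (TEST-NET addresses, no real hosts).
EVENTS = [
    {"src": "10.0.0.5", "dest_ip": "203.0.113.45"},
    {"src": "10.0.0.6", "dest_ip": "198.51.100.7"},
    {"src": "10.0.0.7", "dest_ip": "192.0.2.10"},
]

# Customer-maintained watchlist; entries may be single hosts or CIDR ranges.
CUSTOM_IP_WATCHLIST = ["203.0.113.0/24", "198.51.100.7"]


def key_rotation_findings(keys, max_age_days, module, now=NOW):
    """One finding per key rotated more than max_age_days ago (default 90; custom e.g. 30)."""
    findings = []
    for key in keys:
        age = (now - key["last_rotation"]).days
        if age > max_age_days:
            findings.append({"module": module, "resource": key["name"],
                             "age_days": age, "threshold_days": max_age_days})
    return findings


def connection_findings(events, watchlist, module):
    """Threat finding for each event whose destination falls in the watchlist."""
    nets = [ipaddress.ip_network(entry, strict=False) for entry in watchlist]
    findings = []
    for event in events:
        dst = ipaddress.ip_address(event["dest_ip"])
        if any(dst in net for net in nets):
            findings.append({"module": module, "src": event["src"], "dest_ip": event["dest_ip"]})
    return findings


def run_modules(keys=KEYS, events=EVENTS):
    """Default and custom modules run side by side; findings from both are kept."""
    return (key_rotation_findings(keys, 90, "default:kms-key-not-rotated")
            + key_rotation_findings(keys, 30, "custom:kms-key-not-rotated-30d")
            + connection_findings(events, CUSTOM_IP_WATCHLIST, "custom:connection-to-listed-ip"))
```

The 45-day-old key is flagged only by the custom module, which is the gap between the built-in baseline and an internal policy that the custom module is meant to close.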
We’re expanding Assured Workloads, our product that enables regulated workloads to run securely at scale in Google Cloud's infrastructure. For our U.S. public sector customers and private sector organizations who serve them, we are announcing a number of new services that support FedRAMP Moderate and FedRAMP High, with more expected later this year. These enable our regulated customers to take advantage of the same hyperscale cloud services that are available to our commercial Cloud customers.
We’re adding SAML support to Workload Identity Federation so that customers who use a SAML-based identity provider will be able to reduce their use of long-lived service account keys.
Transforming Security Operations
We’ve built our security operations suite to work as you do - across the cloud, your enterprise, with any type of source, at any scale, so that you can strengthen capabilities for threat detection, investigation, and response.
We recently announced Autonomic Security Operations (ASO) for the U.S. public sector, a solution aligned with the objectives and requirements of Executive Order 14028 and Office of Management and Budget’s Memorandum M-21-31 focused on threat management. Using Google Cloud’s Security Operations Suite, ASO helps public sector organizations manage cybersecurity telemetry at scale, meet the Event Logging Tier requirements of the White House guidance, accelerate detection and response, and increase productivity. To see how Google Cloud can help federal agencies meet many new White House security requirements, visit the Google Cloud for U.S. federal cybersecurity webpage.
With new context-aware detections in Google Chronicle, supporting information (including telemetry, context, relationships, and vulnerabilities) from authoritative sources (such as CMDB, IAM, and DLP) is available out of the box as a “single” detection event. Customers can use this contextualization to write better detections, prioritize existing alerts, and drive faster investigations.
The latest release of Siemplify SOAR can help security teams move beyond the traditional Security Operations Center and provide the building blocks for modern “anywhere” security operations. Our new features enable more transparent collaboration between service providers and end customers, ensuring every role is presented with relevant data to help ensure fast response, and make building playbooks that drive automation easier.
The public preview launch of Apigee Advanced API Security targets two critical pain points in API security - misconfigured APIs and the detection of bad bots. Organizations can use Advanced API Security to conform API proxies to their security standards to avoid misconfigurations that might lead to vulnerabilities. It can also alert users to API misconfigurations or API abuse, and provide recommendations for improving the organization’s API security posture. Finally, Advanced API Security notifies administrators of suspicious client activity, blocks or tags subsequent malicious API calls, and can make it easier for security teams to identify and implement needed policy changes.
Learn more at our Google Cloud Security Summit
Google Cloud continues to reimagine safety for our customers with industry-first innovations such as Assured Open Source Software and the numerous advances across our product portfolio. You can learn more about these announcements by attending the Google Cloud Security Summit, which runs today and on-demand afterwards. We look forward to helping make your organization, employees, and customers safer with Google, in the industry’s most trusted cloud or wherever your critical assets reside.