How Google Cloud can help the Public Sector embrace zero trust
Head of Security Strategy, Global Public Sector, Google Cloud
Senior Director, Global Risk and Compliance
The past several months have been marked by a series of major cyber attacks targeting the identity and email systems of tens of thousands of organizations. In light of these events, Google Cloud asked, “How can we help governments reduce their risk from cyber attacks?” The answer? Use a zero trust approach for security.
We recently participated in a webinar with the American Council for Technology and Industry Advisory Council (ACT-IAC) to walk through Google Cloud’s zero trust approach to security, now available on-demand here. During the webinar, we discussed how important it is for governments to feel that they have a realistic and achievable plan for implementing zero trust in order to counter a rise in cyber attacks, to dramatically reduce cyber risk overall, and to align with guidance from NIST and the NSA. For many organizations, this can be daunting, both because zero trust is a dramatic change from how they have handled security in the past and because the market is crowded with too many vendors applying the term “zero trust” to anything and everything in security.
One critical way for governments to make sense of their zero trust journey is to start by asking themselves, “zero trust for what?” IT leaders need to recognize that they cannot achieve zero trust for every aspect of their IT fabric or for every IT-supported activity overnight. So, it’s important to select areas of priority and take a staged approach. By deciding to focus on implementing a zero trust approach for well-defined areas of activity or certain groups of users in a prioritized way, the zero trust journey can become less daunting and more doable. For example, legacy email, communications, and collaboration tools have too often proven to be susceptible to cyber attacks. As a powerful alternative, Google Workspace can provide a turnkey zero trust platform for secure email, communications, and collaboration in accordance with NIST zero trust guidance. By picking discrete and finite areas of focus in which to implement zero trust, progress and milestones become clearer and easier to track.
Here are the top five take-aways from our webinar conversation:
1. There can be some confusion around what zero trust means. Simply put, it means trust nothing, and verify everything. In practice, that means three things:
- Zero trust does not assume that being on or off an enterprise’s network makes you more or less trustworthy. As such, connecting from a particular network must not determine which services you can access.
- Access to services and data is granted based on what we know about you and your device. Within Google and within Google’s products, each access decision is “context aware,” taking into consideration a range of variables, including the user’s IP address, their device, their behavior, the sensitivity of the resource, and a host of other factors.
- All access to services must be authenticated, authorized and encrypted.
NIST and NSA have come out with guidance to promote and support government adoption of zero trust. The DoD is expected to come out with zero trust guidance this year.
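To make the three properties above concrete, here is an added example (not Google’s own BeyondCorp code) of a constructed, illustrative access-decision function: it reads user, device, behavior and resource-sensitivity signals, requires authentication and encryption on every request, and deliberately never consults the network the request came from. The signal names and sensitivity tiers are assumptions made for the example.

```python
"""Constructed zero trust access decision (illustrative, not a Google API)."""
from dataclasses import dataclass, replace

# Assumed sensitivity tiers; higher number means the bar for access rises.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class AccessRequest:
    user_authenticated: bool   # identity verified for this session
    mfa_satisfied: bool        # second factor completed
    device_managed: bool       # device enrolled in fleet management
    device_patched: bool       # OS/browser meet the patch baseline
    anomalous_behavior: bool   # e.g. impossible-travel signal from telemetry
    transport_encrypted: bool  # TLS on the path to the service
    network: str               # "corp" or "public"; intentionally never read
    resource_sensitivity: str  # key into SENSITIVITY


def decide_access(req: AccessRequest) -> tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'."""
    # Every request must be encrypted and authenticated; being on the
    # corporate network buys no exemption, because req.network is unused.
    if not req.transport_encrypted:
        return "deny", "unencrypted transport"
    if not req.user_authenticated:
        return "deny", "unauthenticated"
    level = SENSITIVITY.get(req.resource_sensitivity)
    if level is None:
        return "deny", "unknown resource sensitivity"
    # Device posture gates anything above public data.
    if level >= SENSITIVITY["internal"] and not req.device_managed:
        return "deny", "unmanaged device"
    if level >= SENSITIVITY["confidential"] and not req.device_patched:
        return "deny", "device below patch baseline"
    # Sensitivity and behavior raise the bar to a step-up rather than a deny.
    if level >= SENSITIVITY["confidential"] and not req.mfa_satisfied:
        return "step_up", "MFA required for confidential data"
    if req.anomalous_behavior:
        return "step_up", "anomalous sign-in; re-authenticate"
    return "allow", "context satisfies policy"


def network_is_irrelevant(req: AccessRequest) -> bool:
    """Same request from corp and public networks must yield the same decision."""
    corp = replace(req, network="corp")
    public = replace(req, network="public")
    return decide_access(corp) == decide_access(public)
```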
2. Google Cloud, starting in 2011, was one of the earliest adopters of zero trust enterprise-wide. We started with the idea that Google employees should be able to work anywhere, anytime, from any device without having firewall or VPN dependencies. Google’s own successful investment in the global implementation of zero trust for its entire workforce resulted in greater security and improved collaboration, productivity and innovation. We took the lessons learned and many of the technical innovations that came from our own zero trust journey and embedded them into the solutions we made available to the market, such as Google Cloud Platform, Google Workspace (formerly G Suite), and BeyondCorp Enterprise.
3. How can you apply zero trust for your organization? First, think through which systems and activities carry the highest risk and which an adversary would be most interested in. Then come up with a plan for bringing zero trust capabilities to those discrete groups of systems, user groups, or activities. Instead of trying to integrate a series of standalone security capabilities from multiple vendors, organizations can turn to Google for integrated end-to-end zero trust security capabilities on “turnkey” platforms. For example, GCP can provide a zero trust environment for workloads that you want to move to the cloud. Workspace can provide a turnkey zero trust platform for secure email, communications, and collaboration. BeyondCorp Enterprise can provide zero trust security and the ability to largely eliminate VPNs for secure access to enterprise web and SaaS applications.
4. Security leaders within an organization must own the zero trust strategy and roadmap. Implementing zero trust throughout an entire organization is a long-term project. At the same time, organizations can take significant steps to drive down cyber risk, starting now, by implementing zero trust in discrete high-priority areas.
5. What does success look like in a zero trust approach? Always keep evolving. Building Google’s approach to zero trust security took years of internal investment. Today, those investments and years of lessons learned allow Google to offer its customers cost-effective, easier-to-use, turnkey zero trust solutions, especially suited for government organizations. Just as Google constantly evolves with our customers and the current risk environment, your zero trust approach can, too. Google is committed to bringing what we have learned from our experience and making it available to our customers as key ingredients and accelerators in their own zero trust strategy.
Have specific questions? Check out this great resource on zero trust security or email us directly at GCPsecurity@google.com.
About the Authors:
Dan Prieto is the former Director of the Defense Industrial Base Cybersecurity program at the Department of Defense. Jeanette Manfra is the former Assistant Director for the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security. Both Dan and Jeanette also served in the White House on the staff of the National Security Council's cybersecurity directorate.