Cloud CISO Perspectives: October 2021

October has been a busy month for Google Cloud. We just held our annual conference, Google Cloud Next ‘21, where we made significant security announcements for our customers of all sizes and geographies. It’s also National Cybersecurity Awareness Month where our security teams across Google delivered important research on new threat campaigns and product updates to provide the highest levels of account security for all users. 

In this month’s post, I’ll recap all of the security “Action” from Next ‘21, including product updates that deliver “secure products” not just “security products” and important industry momentum for tackling open source software security and ransomware. 

Google Cloud Next ‘21 Recap 

• Google Cybersecurity Action Team: While having access to the latest, most advanced security technology is important, the knowledge of what and how best to transform security to become resilient in today’s risk and threat environment is foundational. This is the reason we announced the formation of the Google Cybersecurity Action Team to support the security and digital transformation of governments, critical infrastructure, enterprises and small businesses around the world. We’re already doing a lot of this work every single day with our public and private sector customers. The Cybersecurity Action Team builds on these efforts with services and guidance across the full spectrum of what our customers need to strengthen security from strategy to execution. Under this team, we will guide customers through the cycle of security transformation - from their first cloud adoption roadmap and implementation, through increasing their cyber-resilience preparedness for potential events and incidents, and engineering new solutions as requirements change.  We describe the team vision in more depth in this podcast episode. If you are interested in learning more about the Google Cybersecurity Action Team, reach out to your  Google Cloud Account Team(s) to arrange a security briefing.

• A Safer Way to Work: The way we work has fundamentally changed. Users and organizations are creating more sensitive data and information than ever before, creating a culture of collaboration across organizations. This modern way of working has many benefits but also creates new security challenges that legacy collaboration tools aren’t equipped to handle. During Next, we announced a new program called Work Safer to provide businesses and public sector organizations of all sizes with a hybrid work package that is cloud-first, built on a proven Zero Trust security model and delivers up-to-date protection against phishing, malware, ransomware, and other cyberattacks. Work Safer includes best-in-class Google security products like Google Workspace, BeyondCorp Enterprise, Titan Security Keys and powerful services from our cybersecurity partners CrowdStrike and Palo Alto Networks. 

• A Secure and Sustainable Cloud: Seeing security and sustainability come together in one announcement is uncommon, and our Unattended Project Recommender is a great example of how at Google Cloud we’re helping customers combat two pressing issues: climate change and cybersecurity.  At Next we announced that Active Assist Recommender will now include a new sustainability impact category, extending its original core pillars of cost, performance, security, and manageability. Starting with the Unattended Project Recommender, you’ll soon be able to estimate the gross carbon emissions you’ll save by removing your idle resources. 

• Workspace Security Updates: To further strengthen security and privacy across the Google Workspace platform, we announced four new capabilities: 

1. In June, we announced that Client-side encryption (CSE) was available in beta for Drive, Docs, Sheets, and Slides. Now we’re bringing CSE to Google Meet, giving customers complete control over encryption keys while helping them meet data sovereignty and compliance requirements. 

2. Data Loss Prevention (DLP) for Chat is continuation of our ongoing commitment to help organizations protect their sensitive data and information from getting into the wrong hands, without impacting the end-user experience. 

3. Drive labels are now generally available to help organizations classify files stored in Drive based on their sensitivity level. 

4. Additional protections to safeguard against abusive content and behavior. If a user opens a file that we think is suspicious or dangerous, we’ll display a warning to the user to help protect them and their organization from malware, phishing, and ransomware. 

• Distributed Cloud: From conversations with customers, we understand there are various factors why an organization may resist putting certain workloads in the cloud. Data residency and some other compliance issues can be a driver. Google Distributed Cloud Hosted - one of the first products in the Distributed Cloud Portfolio - builds on the digital sovereignty vision we outlined last year, supporting public-sector customers and commercial entities that have strict data residency requirements. It provides a safe and secure way to modernize an on-premises deployment.

• New Invisible Security Capabilities: Over the past year, Google Cloud has been delivering on our vision of Invisible Security for our customers, where capabilities are continuously engineered into both our trusted cloud platform and market-leading products to bring the best of Google’s security to wherever your IT assets are. At Next we announced new capabilities, here are just a few, we’ll be talking more about these next month: 

• The new BeyondCorp Enterprise client connector enables identity and context-aware access to non-web applications running in Google Cloud and non-Google Cloud environments. We are also making it easier for admins to diagnose access failure, triage events, and unblock users with the new Policy Troubleshooter feature.

• Automatic DLP is a prime example of how we are making Invisible Security a reality. It’s a game-changing capability that discovers and classifies sensitive data for all the BigQuery projects across your entire organization without you needing to do a single thing.

• Ubiquitous Data Encryption is a new solution which combines our Confidential Computing, External Key Management, and Cloud Storage products to seamlessly encrypt data as it’s sent to the cloud. Using our External Key Management solution, data can now only be decrypted and run in a confidential VM environment, greatly limiting potential exposure. This is a groundbreaking example how Confidential Computing and cryptography can be used for building solutions that many industries and regions with sovereignty requirements demand as they move to the cloud. 

Thoughts from around the industry

• OpenSSF: It's great to see the Open Source Security Foundation announce additional funding to help the industry curb the rise in software supply chain attacks and address critical efforts like the Biden Administration's Executive Order. Google is proud to support this new funding with others in the industry. The OpenSSF helps drive important work to improve security for all with projects like the security scorecards and Allstar. I encourage every executive that wants to see meaningful improvements in their own software supply chain to get involved.  

• Trusted Cloud Principles: Last month, we joined the Trusted Cloud Principles initiative with many other cloud providers and technology companies. This is a great development to keep the cloud industry committed to basic human rights and rule of law as we expand infrastructure and services around the world -- all while ensuring the free flow of data, to promote public safety, and to protect privacy and data security in the cloud.

• White House Ransomware Summit: Ransomware continues to be top of mind for businesses and governments of all sizes. This month we saw the White House gather representatives from 30 countries to continue combatting this growing threat through technology, finance, law enforcement, and diplomacy.  In order to be helpful and provide insights into this form of malware, we recently released the VirusTotal Ransomware Report, analyzing 80 million ransomware samples.

Google Cloud Security Highlights 

Every day we’re building enhanced security, controls, resiliency and more into our cloud products and services. This is what we mean by our guiding principle that can best serve our customers and the industry with secure products, not just security products.  Here’s a snapshot of the latest updates and new capabilities across Google Cloud products and services since our last post. 

Security

• Cloud customers running high-intensity workloads (such as analytics on Hadoop) and managing their own encryption keys on top of those provided by Cloud will see better support. 

• Keeping track of cryptographic keys is essential to managing complex systems. New Cloud features make that arduous task much simpler with the Key Inventory Dashboard. Also great to see Cloud KMS PKCS #11 Library as well as capabilities for automating Variable Key Destruction and Fast Key Deletion.

• Firewalls remain an important part of security architecture, especially during migration, so we created a module within our Firewall Insights tool to help tame overly permissive firewall rules. This is a great benefit of a software defined infrastructure. 

Resilience

• The network security portfolio secures applications from fraudulent activity, malware, and attacks. Updates to Cloud Armor, our DDoS protection and WAF service, bring four new features to our partners: Integration with the Google Cloud reCAPTCHA Enterprise bot and fraud management; per-client rate limiting; Edge security policies; and Adaptive Protection, our ML-based, application-layer DDoS detection and WAF protection mechanism.

Sovereignty

• Our EU Data Residency allows European customers to specify one of five Google Cloud Regions in the EU where their data will be stored and where it will remain. Customers retain cryptographic control of their data and can even block Google administrator access thanks to the new Key Access Justifications feature.

Controls

• The Policy Controller within Anthos Config Management enables the enforcement of fully programmable policies for clusters. These policies can audit and prevent changes to the configuration of your clusters to enforce security, operational, or compliance controls. 

• The folks at USAA tell us how they use Google Cloud and security best practices to automatically onboard new hires. 

We covered a lot today and are excited to bring you more exciting updates for cybersecurity throughout the end of the year. If you’d like to have this Cloud CISO Perspectives post delivered every month to your inbox, click here to sign-up. If you missed our security sessions and spotlights at Google Cloud Next ‘21, sign up at the link to watch on-demand.