Google’s yearly “Cloud Next” event wrapped up last week with a slew of exciting announcements. In the security space, two general themes emerged: maintaining a secure software supply chain and evolving the cloud security perimeter alongside core cloud offerings. A number of product updates and initiatives are relevant to us as security practitioners.
Software supply chain security has been a hot topic for quite some time and has continued to rise in the zeitgeist following various high profile incidents in recent years. As the complexity of software and the environments that run it continues to grow, it is only natural for vendors to create offerings that assist in wrangling the responsibilities of inventory, dependency management, provenance, secure deployment and software verifiability. Google’s Software Delivery Shield aims to tackle software supply chain security in GCP. Software Delivery Shield is a combination of new and existing products wired together as a managed service based on Google’s previously announced SLSA supply chain security framework.
Starting with newly announced (in preview) Cloud Workstations, Dev/Ops/Admin teams can customize and deploy browser accessible development environments shifting the data attack surface from a remote workstation or mobile laptop to a tightly controlled and highly scalable GCP project. Code and data never leave the cloud perimeter while the developer maintains access to familiar tools and gains the full power and elasticity of GCP services. Further down the chain, Software Delivery Shield integrates with Artifact Registry, Cloud Build and Deploy for SLSA Level 3 builds, and the availability (in preview) of security posture management for GKE compliments the existing binary authorization feature to help maintain a verifiable Software Bill of Materials.
GCP is moving the network perimeter to protect users and data proactively where they are. Multiple updates were announced to the Cloud Firewalls offering that make it more accessible and easier to tune. Cloud Armor gets finer-grained tuning for preconfigured WAF rules, general availability of preconfigured rules for the OWASP Top 10 vulnerabilities, and automatic deployment of proposed rules via machine learning.
Private Service Connect now supports hybrid environments and private interconnect, enabling secure communications between services either on-premise or in the cloud behind a consistent IP address. Network Intelligence Center also gains the GA release of Analyzer for automatically detecting misconfigurations, Performance dashboard for enhanced visualization of your entire Google Cloud network environment, and integration with the Recommender API for ongoing right-sizing.
As the cloud, and the threats to it, continue to evolve, we are committed to staying on the leading edge of sound architecture, proactive detection and effective response. Software provenance and an evolving network perimeter should be top of mind for all security professionals, especially those operating in the cloud. These new tools should prove indispensable in the battle to secure GCP workloads.