Last week, Google held its annual Cloud Security Summit to discuss the current and future state of security in its cloud platforms (namely Google Cloud Platform (GCP) and Google Workspace). The keynote address started off with a bang, with the announcement of the Security Foundation Solution, a suite of tools and services designed to make it easier for organizations to adopt security best practices in Google Cloud Platform (GCP). Other new and improved offerings were alluded to, with a promise of deep dive sessions to come later.
In this post I discuss some of the highlights from each of the four main learning tracks at the summit: Zero Trust, Secure Software Supply Chain, Ransomware and Emerging Threats, and Cloud governance and Sovereignty.
Google has developed and promoted their own approach to a Zero Trust architecture, BeyondCorp, for more than a decade. BeyondCorp Enterprise was developed as an offering to help empower customers to adopt a zero trust platform for accessing resources and applications in the Google ecosystem. While zero trust adoption has wide support as a security best practice, it can sometimes be an involved multi-step process for organizations to adopt. Google announced a new service BeyondCorp Enterprise Essentials in order to give customers an easier on-ramp to zero trust. It offers building block network connectivity and security features through an integration with the Chrome browser. Primary use cases include:
- BYOD Protection - Mitigate data exfiltration risk and prevent malware/ransomware upload while maintaining privileged access to corporate data.
- Extended Workforce Access - Provide consistent security controls to third parties such as contractors, call center agents, or vendors even if they are not utilizing corporate-managed devices.
- SaaS Application Protection - Provide zero trust access to SaaS applications while mitigating exfiltration and malware upload/download risks without the use of SSL decrypting proxies. This provides in-browser Cloud Access Security Broker (CASB) - like functionality.
With zero trust mandates now coming from the highest possible source (ScaleSec wrote a great blog post about it), anything that makes adoption less intimidating for organizations is welcome. Check out the full presentation here.
Secure Software Supply Chain
The rise of supply chain attacks has brought this domain of discussion front and center. There are a rich number of events in recent months with Log4J, SolarWinds, Kaseya, Codecov, and most recently PyPI. Google utilized the Cloud Summit to focus on open source software (OSS) supply chain attacks in particular. While attacks can happen at any stage of the development pipeline, third party dependencies are a particularly popular vector. Large packages can have hundreds of dependencies which can be hard to assess accurately for security.
To address the issue, Google utilized the Security Summit to announce the Assured Open Source Software service, which strengthens the OSS supply chain by giving customers the ability to integrate OSS packages vetted for security by Google itself. Using these packages in a Google deployment is not a prerequisite. Security vetting assures that the packages:
- Are regularly scanned, analyzed, and fuzz-tested for vulnerabilities
- Have corresponding enriched metadata incorporating Container/Artifact Analysis data
- Are built with Cloud Build including evidence of verifiable SLSA-compliance
- Are verifiably signed by Google
- Are distributed from an Artifact Registry secured and protected by Google
Currently there is only support for certain Java and Python OSS packages, but increased coverage will be based on customer feedback. The full presentation can be viewed here.
Managing the risks of open source dependencies
Ransomware and Emerging Threats
Last year Google introduced Autonomic Security Operations in a push to evolve the state of Security Operations. They defined it as
“a combination of philosophies, practices, and tools that improve an organization’s ability to withstand security attacks through an adaptive, agile, and highly automated approach to threat management.”
At the Cloud Summit, Google provided an update on the evolving philosophy, technology stack, and tangible benefits that customers have experienced after adopting an autonomic approach to security.
From a philosophy standpoint, Google stated that the core tenants can be boiled down to the following principles:
- Eliminate Toil
- Automate Everything
- Use Service Level Objectives
- Continuous Improvement
- Eliminate Silos
- No Heroes
From a technology standpoint, Google continues to heavily utilize third party acquisitions to increase the maturity of its security technology stack. Joining the Chronicle and VirusTotal is the recent acquisition Siemplify, a security orchestration, automation and response (SOAR) platform. The Siemplify and Chronicle integration allows for direct custom automation playbook integration with the analytics platform, which Google believes will eliminate toil and enable continuous improvement.
Google further detailed their case for autonomic security operations by showing statistics that show it resulted in a decrease of cost per incident, enabling security teams to show that they are helping the business with their cost savings. Please look here for the presentation and here for a demo of the SecOps suite including Siemplify.
An automatic approach to security operations
Modern threat detection, investigation and response
Cloud Governance and Sovereignty
As public cloud services continue to transform how organizations scale, secure, and deploy their workloads, customers must continue to balance the benefits and risks of the shared responsibility model. Of particular interest to many cloud customers, particularly in the EU with the advent of GDPR, is the concept of how to maintain digital sovereignty for data assets that are hosted in a public cloud. The Cloud Summit session ‘Achieving Your Digital Sovereignty with Google Cloud’ spoke to these customer priorities and discussed Google’s current and future plans for offering support.
To delve deeper into the customer concerns that Google identified regarding digital sovereignty, they fall into three main categories:
- Security and Control - Concerns about a lack of control regarding data that is stored and processed in the cloud. This included situations involving the cloud service provider accessing data itself, or acquiescing to legally binding data export requests from government entities.
- Economical - Concerns about the dominance of a small number of global cloud service providers resulting in product lock-in and a lack of local economic development.
- Geopolitical - Concerns about data being controlled by a foreign government with different data standards, or data survivability in instances of geopolitical conflict.
For Google Cloud Platform (GCP), Assured Workloads is the Generally Available service that Google feels will satisfy a majority of digital sovereignty requirements. This service can create a GCP environment built to various compliance standards for US and EU based customers. Some of the features the service supports include the ability to specify data residency locations, the ability to encrypt data with keys hosted outside of GCP (the potential of External Key Manager alone is very promising), and increased control over Google access to customer data. More details can be found here.
For customers with more specific requirements that are not met by Assured Workloads, Google announced the following new offerings:
- Sovereign Controls - Google will partner with third parties in various countries to provide localized support and administration of data sovereignty as a managed offering.
- Supervised Cloud Services - Multiple layers of local partner-managed controls and administration will be added to the core GCP platform.
- Hosted Cloud Services - Google will offer environments built on air gapped hardware, where the control plane does not require connectivity to other Google managed environments to function. Due to the increased burden placed on customers to manage and configure infrastructure, partners will play a large role in delivery.
These offerings are in various stages of development. Announced partnerships include T-Systems in Germany, Thales in France, and Minsait in Spain. The complete presentation can be found here.
Achieving your digital sovereignty
Google continues to improve the maturity of its security services through a mixture of in house development and strategic acquisitions. This year’s summit had no shortage of news and announcements packed into just a single day of content. Check out the on demand session videos here, and follow our blog and social media (LinkedIn, Twitter) for further insight as we encounter some of these services in the wild.