Last week, Google held its annual Cloud Security Summit to discuss the current and future state of security in its cloud platforms (namely Google Cloud Platform (GCP) and Google Workspace). The keynote address started off with a bang, with the announcement of the Security Foundation Solution, a suite of tools and services designed to make it easier for organizations to adopt security best practices in Google Cloud Platform (GCP). Other new and improved offerings were alluded to, with a promise of deep dive sessions to come later.
In this post I discuss some of the highlights from each of the four main learning tracks at the summit: Zero Trust, Secure Software Supply Chain, Ransomware and Emerging Threats, and Cloud Governance and Sovereignty.
Google has developed and promoted its own approach to a Zero Trust architecture, BeyondCorp, for more than a decade. BeyondCorp Enterprise was developed as an offering to help customers adopt a zero trust platform for accessing resources and applications in the Google ecosystem. While zero trust has wide support as a security best practice, adopting it can be an involved, multi-step process for organizations. Google announced a new service, BeyondCorp Enterprise Essentials, to give customers an easier on-ramp to zero trust. It offers building-block network connectivity and security features through an integration with the Chrome browser. Primary use cases include:
With zero trust mandates now coming from the highest possible source (ScaleSec wrote a great blog post about it), anything that makes adoption less intimidating for organizations is welcome. Check out the full presentation here.
The rise of supply chain attacks has brought this domain of discussion front and center. Recent months have seen a large number of such events, with Log4J, SolarWinds, Kaseya, Codecov, and most recently PyPI. Google used the Cloud Summit to focus on open source software (OSS) supply chain attacks in particular. While attacks can happen at any stage of the development pipeline, third-party dependencies are a particularly popular vector. Large packages can have hundreds of dependencies, which can be hard to assess accurately for security.
To address the issue, Google used the Security Summit to announce the Assured Open Source Software service, which strengthens the OSS supply chain by giving customers the ability to integrate OSS packages vetted for security by Google itself. Using these packages in a Google deployment is not a prerequisite. Security vetting assures that the packages:
Currently there is only support for certain Java and Python OSS packages, but increased coverage will be based on customer feedback. The full presentation can be viewed here.
Last year Google introduced Autonomic Security Operations in a push to evolve the state of Security Operations. They defined it as
“a combination of philosophies, practices, and tools that improve an organization’s ability to withstand security attacks through an adaptive, agile, and highly automated approach to threat management.”
At the Cloud Summit, Google provided an update on the evolving philosophy, technology stack, and tangible benefits that customers have experienced after adopting an autonomic approach to security.
From a philosophy standpoint, Google stated that the core tenets can be boiled down to the following principles:
From a technology standpoint, Google continues to rely heavily on third-party acquisitions to increase the maturity of its security technology stack. Joining Chronicle and VirusTotal is the recent acquisition Siemplify, a security orchestration, automation and response (SOAR) platform. The Siemplify and Chronicle integration allows for direct custom automation playbook integration with the analytics platform, which Google believes will eliminate toil and enable continuous improvement.
Google further made its case for autonomic security operations with statistics showing that it resulted in a decrease in cost per incident, enabling security teams to show that they are helping the business with their cost savings. Please look here for the presentation and here for a demo of the SecOps suite including Siemplify.
As public cloud services continue to transform how organizations scale, secure, and deploy their workloads, customers must continue to balance the benefits and risks of the shared responsibility model. Of particular interest to many cloud customers, especially in the EU with the advent of GDPR, is how to maintain digital sovereignty for data assets that are hosted in a public cloud. The Cloud Summit session ‘Achieving Your Digital Sovereignty with Google Cloud’ spoke to these customer priorities and discussed Google’s current and future plans for offering support.
The customer concerns that Google identified regarding digital sovereignty fall into three main categories:
For Google Cloud Platform (GCP), Assured Workloads is the Generally Available service that Google feels will satisfy a majority of digital sovereignty requirements. This service can create a GCP environment built to various compliance standards for US- and EU-based customers. Some of the features the service supports include the ability to specify data residency locations, the ability to encrypt data with keys hosted outside of GCP (the potential of External Key Manager alone is very promising), and increased control over Google access to customer data. More details can be found here.
For customers with more specific requirements that are not met by Assured Workloads, Google announced the following new offerings:
These offerings are in various stages of development. Announced partnerships include T-Systems in Germany, Thales in France, and Minsait in Spain. The complete presentation can be found here.
Google continues to improve the maturity of its security services through a mixture of in-house development and strategic acquisitions. This year’s summit had no shortage of news and announcements packed into just a single day of content. Check out the on-demand session videos here, and follow our blog and social media (LinkedIn, Twitter) for further insight as we encounter some of these services in the wild.