HomeTechnologyCloud CISO Perspectives: May 2022

Cloud CISO Perspectives: May 2022

May was another huge month for us, even as we get ready for more industry work and engagement at the RSA Security Conference in San Francisco. At our Security Summit and throughout the past month, we continued to launch new security products and features, and increased service and support for all our Google Cloud and Google Workspace clients. 

Google Cloud’s Security Summit 2022

Our second annual Security Summit held on May 17 was a worthy success. In the days leading up to the Summit, we mentioned how we are working to bring Zero Trust policies to government businesses, and we revealed our partnership with AMD to further advance Confidential Computing – including an in-depth review focused on the implementation of the AMD secure processor in the third generation AMD EPYC processor family. 

We also introduced the latest advancements in our portfolio of security solutions. These include our new Assured Open Source Software service (Assured OSS), which enables enterprise and public sector users of open source software to incorporate the same OSS packages that Google uses into our own developer workflows; extending Autonomic Security Operations (ASO) to the U.S. public sector, a resolution framework to modernize cybersecurity analytics and threat management that’s aligned with the Zero Trust and supply-chain security objectives of 2021’s cybersecurity Executive Order and the Office of Management and Budget memorandum; increasing our compliance with government software standards; and SAML support for Workload Identity Federation, so that clients can use a SAML-based identity provider to reduce their use of lengthy-lived service account keys. 

Advancing open source software security

We continued to partner with the Open Source Security Foundation (OpenSSF,) the Linux Foundation, and other organizations at another industry open source security summit to further develop the initiatives mentioned during January’s White House Summit on Open Source Security. We’re working towards the goal of making sure that every open source developer has easy entry to end-to-end security by default. 

As covered in our Security Summit, an necessary part of this effort is Assured OSS, which leverages Google’s extensive security experience and can help organizations reduce their need to develop, maintain, and operate complex processes to secure their open source dependencies. Assured OSS is anticipated to enter Preview in Q3 2022.

Also, as part of our dedication to improving software supply-chain security, the Open Source Insights project helps developers better understand the structure and security of the software they use. We introduced Open Source Insights data in BigQuery in May so that anyone can use Google Cloud BigQuery to discover and analyze the dependencies, advisories, possession, license and other metadata of open-source packages across supported ecosystems, and how this metadata has changed over time.  

Why Confidential Computing and our partnership with AMD matters

I’d like to take a moment to share a bit more on the significance of Confidential Computing and our partnership with AMD. I’ve been talking a lot this year about why we as an industry need to evolve our understanding of shared responsibility into shared fate. The former assigns obligations to either the cloud provider or the cloud provider’s customer, but shared fate is a more resilient cybersecurity mindset. 

It’s a nearer partnership between cloud provider and customer that emphasizes secure-by-default configurations, secure blueprints and policy hierarchies, consistently available advanced security features, high assurance attestation of controls, and insurance partnerships.

In our collaboration with AMD, we focused on how secure isolation has always been critical to  our cloud infrastructure, and how Confidential Computing cryptographically reinforces that secure isolation. AMD’s firmware and product security teams, Google Project Zero, and the Google Cloud Security team collaborated for several months to analyze the technologies and firmware that AMD contributes to Google Cloud’s Confidential Computing services. 

Also in May, we expanded the availability of Confidential Computing to include N2D and C2D Virtual Machines, which run on third-generation AMD EPYC™ processors.

GCAT Highlights

Here are the latest updates, products, services and sources from our cloud security teams this month: 

Security

  • PSP protocol now open source: In order to better scale the security we offer our clients, we created a new cryptographic offload protocol for internal use that we open sourced in May. Intentionally designed to meet the requirements of large-scale data-center traffic, the PSP Protocol is a TLS-like protocol that is transport-unbiased, enables per-connection security, and is offload-friendly. 

  • Updating Siemplify SOAR: The prospective of security teams is heading towards “anyplace operations,” and the latest version of Siemplify SOAR can help get us there. It gives organizations the building blocks desired across cloud infrastructure, automation, collaboration, and analytics to accelerate processes for more timely responses and automated workflows. In turn, this can free up teams to focus on more strategic work.

  • Guardrails and governance for Terraform: Popular open-source Infrastructure-as-Code tool Terraform can increase agility and reduce errors by automating the deployment of infrastructure and services that are used together to deliver applications. Our new tool verifies Terraform and can help reduce misconfigurations of Google Cloud sources that violate any of your organization’s policies. 

  • Benchmarking Container-Optimized OS: As part of our security-first approach to safeguarding customer data while also making it more scalable, we want to make sure that our Container-Optimized OS is in line with industry-standard best practices. To this end, the Google Cloud Security team has launched a new CIS benchmark that clarifies and codifies the security measures we have been using, and makes recommendations for hardening. 

  • New reCAPTCHA Enterprise guidebook: Identifying when a fraudster is on the other end of the computer is a complex endeavor. Our new reCAPTCHA Enterprise guidebook helps organizations identify a broad range of online fraud and strengthen their website security.

  • Take the State of DevOps 2022 survey: The State of DevOps report by Google Cloud and the DORA research team is the largest and longest operating research of its kind, with inputs from more than 32,000 professionals worldwide. This year will focus on how security practices and capabilities predict general software delivery and operations performance, so be sure to share your thoughts with us.

Industry updates

  • Security improvements to Google Workspace: I wrote at the beginning of the year that data sovereignty is 1 of the major, driving megatrends shaping our industry today. At the beginning of May we announced Sovereign Controls for Google Workspace, which can provide digital sovereignty capabilities for organizations, both in the public and private sector, to control, limit, and monitor transfers of data to and from the EU starting at the end of 2022, with additional capabilities delivered throughout 2023. This dedication builds on our existing Client-side encryption, Data regions, and Access Controls capabilities. 

  • We are also extending Chrome’s Security Insights to Google Cloud and Google Workspace products, as part of our efforts to consistently provide advanced features to our clients. 

  • Can you hear the security now? Pindrop is joining forces with Google Cloud. If you’ve never heard of Pindrop, you’ve almost certainly encountered their technology, which is used to authenticate payments, place restaurant and shopping orders, and check financial accounts over the phone. Their technology provides the backbone for anti-fraud efforts in voice-based controls, as well. With Google Cloud, Pindrop can be better able to detect deep fakes and robocalls, help banks authenticate transactions, and provide retailers with secure AI-powered call center support.

Compliance & Controls 

Next month we’ll recap highlights from the RSA Conference and much more.  

To have our Cloud CISO Perspectives post delivered every month to your inbox, sign up for our publication. We’ll be back next month with more security-related updates.

Source

Most Popular