Cloud CISO Perspectives: November 2021

  • aster.cloud
  • December 2, 2021
  • 5 minute read

We’re coming up on the end of the year, yet many of the most pressing security themes from 2021 remain the same, from securing open source software, to enabling zero trust architectures and more. I’ll recap the latest updates from the Google Cybersecurity Action Team and industry progress on important security efforts in this month’s post.

Thoughts from around the industry

  • Securing open source software: Google’s Open Source Software team recently announced ClusterFuzzLite, a continuous fuzzing solution that can run as part of CI/CD workflows to find vulnerabilities. With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow and fuzz pull requests to catch bugs before they are committed. Implementing security checks as early as possible in developer workflows is paramount for improving supply chain security, and NIST’s guidelines for software verification specify fuzzing among the minimum standard requirements for code verification.
  • Runtime cloud-native security: Google Cloud’s Eric Brewer and I discussed the latest trends and the role of cloud providers and startups with InfoWorld in the ‘Race to Secure Kubernetes at Runtime’. Our work in this space goes back many years when we outlined our approach to cloud-native security through our BeyondProd framework, which details one of the core design principles of cloud-native security architectures: protections must extend to how code is changed and how user data in microservices is accessed.
  • The risks and opportunities of the transition to cloud computing: Office of the CISO Director Nick Godfrey and I sat down with Robert Sales of the Global Association of Risk Professionals to discuss the digital risk management landscape. Our discussion covers two timely themes: how ensuring the safe adoption of cloud computing is becoming an increasing priority, reflecting the benefits that an organization can accrue from a digital transformation in terms of agility, quality of products and services provided to customers, and relevance in the marketplace; and how cloud-driven transformation can actually mitigate existing security, control and resilience risks. Check out the full webinar here.
  • Open source DDR controller framework for mitigating Rowhammer: Google and Antmicro developed a new Rowhammer Tester platform to enable memory security researchers and manufacturers to have access to a flexible platform for experimenting with new types of attacks and finding better Rowhammer mitigation techniques. This important work demonstrates how open source, vendor-neutral IP, tools and hardware can produce better platforms for more effective research and product development.
  • Ethical AI best practices: Many of you are likely engaged in your organizations on controls around AI including the ethical framework for the use of AI. Take a look at SEED (Security, Ethics, Explainability and Data) in this great summary from Maribel Lopez, Founder, Analyst & Author, Lopez Research, on the importance of controls in AI.

Google Cybersecurity Action Team Highlights

Here’s a snapshot of the latest updates, new services and resources across our Google Cybersecurity Action Team and Google Cloud Security products since our last post.



Security

  • Reducing risk and increasing sustainability: Veolia, the global leader in optimized resource management, is using Google Cloud’s Security Command Center (SCC) Premium as the core product for protecting the company’s technology environments. In a recent blog post, Thomas Meriadec, Technical Lead and Product Manager for Veolia’s Google Cloud implementation, discusses how SCC Premium serves as the company’s risk management platform and enables Veolia to streamline the process of security management.

Compliance

  • Google Cybersecurity Action Team’s Risk and Compliance as Code (RCaC) solution helps organizations prevent security misconfigurations and automate cloud compliance. The solution enables compliance and security control automation through a combination of Google Cloud products, blueprints, partner integrations, workshops and services to simplify and accelerate time to value.
  • We announced new public sector authorizations including the Impact Level 4 designation for Google Cloud services and FedRAMP High for Google Workspace. These authorizations are a part of our ongoing commitment to help the US federal government modernize their security with cloud-native services at scale. For Google Workspace, this means that federal agencies now have an alternative and choice for productivity and collaboration tools that are completely cloud-native in the marketplace. With IL4 authorization for select GCP services, this is a demonstration of the efficacy of our security controls at scale across our public cloud infrastructure.

Controls

  • We released new security capabilities for Google Cloud’s enterprise-ready control plane product Traffic Director, which provides fully-managed workload credentials for Google Kubernetes Engine (GKE) via our managed CA Service, and policy enforcement to govern workload communications. The fully-managed credential provides the foundation for expressing workload identities and securing connections between workloads leveraging mutual TLS (mTLS), while following zero trust principles.
  • Review our timely guidance here on how to create and safeguard admin accounts in GCP including links to more in-depth guidance in our resource guides.

Threat Intelligence

  • Google’s Cybersecurity Action Team released the first issue of the new Threat Horizons report, which is based on cybersecurity threat intelligence observations from Google’s internal security teams. Part of offering a secure cloud computing platform is providing cloud users with cybersecurity threat intelligence so they can better configure their environments and defenses in manners most specific to their needs. This new report provides actionable intelligence that enables organizations to ensure their cloud environments are best protected against ever-evolving threats. Our future reports will continue to provide threat horizon scanning, trend tracking, and Early Warning announcements about emerging threats requiring immediate action. Learn more in our blog post or click here to download the executive summary.

Must-listen podcasts

  • Our Cloud Security Podcast has some must-listen episodes this month. Hear from MK Palmore, a new director in Google Cloud’s Office of the CISO and member of the Cybersecurity Action Team, on how Missing Diversity Hurts Your Security, and other topics like why email phishing still isn’t solved with Ryan Noon, CEO at Material Security, and the difference between cloud misconfigurations and on-premise infra misconfiguration with the GSK team. Finally, an interview with a Chronicle customer about their SIEM experience is covered in the latest episode.

Upcoming Q4 Security Talks – all things Zero Trust

  • Our Google Cloud Security Talks event for Q4 will focus on a topic that we’ve emphasized continuously in our Cloud CISO Perspectives – Zero Trust. Join us on December 15 to hear from leaders across Google as well as leading-edge customers on the many facets of an enterprise zero trust journey. Click here to reserve your spot and we’ll see you there (virtually).

If you’d like to have this Cloud CISO Perspectives post delivered every month to your inbox, click here to sign up. We’ll be back next month for our final Cloud CISO Perspectives blog of 2021.

 

By: Phil Venables (VP/CISO, Google Cloud)
Source: Google Cloud Blog

