What makes Google Cloud security special: Our reflections 1 year after joining OCISO

Editor’s note: Google Cloud’s Office of the Chief Information Security Officer (OCISO) is an expert team of cybersecurity leaders, including established industry CISOs, initially formed in 2019. Together they have more than 500 years of combined cybersecurity experience and leadership across industries including global healthcare, finance, telecommunications and media, government and public sector, and retail industries. Their goal is to meet the customer where they are and help them take the best next steps to secure their enterprise. In this column, Taylor Lehmann, Director in OCISO Director, and David Stone, Security Consultant in OCISO, reflect on their first year with Google Cloud and the OCISO team.

After spending most of our careers helping secure some of the world’s most critical infrastructure and services, we joined Google Cloud because we wanted to help enterprises be safer with Google.

One thing that became immediately apparent is that at Google Cloud, security is a primary ingredient baked into everything we do. We can provide organizations with an opportunity to deploy secure workloads on a secure platform, designed and maintained by thousands of security-obsessed Googlers with decades of experience defending against adversaries of all capability levels. Our engineering philosophies drive us to design products that are secure by design, secure by default, and constantly updated to incorporate lessons learned from our own research and by defeating attacks.  

Our existing customers know that our continuously-improving cloud platform has security turned on and up before they set up their cloud identity and build their first project. The value of cloud technology can’t be understated: It allows security teams to reduce their attack surface through removing entire categories of threats because security has been engineered into the hardware and software from the ground up.

Dogfooding: A critical component of our security culture

Google helped popularize the practice of dogfooding, when a software company uses its own products before making them available to the general public. We also use dogfooding to drive the creation of advanced security technologies. Because we use the security technologies we sell, we never settle for just good enough — for Googlers (who have exceptionally high expectations for the technology they use), for customers, and for their users. 

In some cases, these technologies (such as BeyondCorp and BeyondProd, implementations of Zero Trust security models pioneered at Google) are available to us years before the broader need for them outside of Google is fully understood. Similarly, our Threat Analysis Group (TAG) began developing approaches to track and stop threats to Google’s systems and networks following lessons we learned in 2010. What’s unique about these initiatives (and newer ones like Chronicle) is not only how they came together, but how they continue to improve by our own dogfooding.

Embracing the shared fate model to better protect users

It’s important to update your thinking to keep pace with the ever-evolving cybersecurity landscape. The shared responsibility model, which establishes whether the customer or the cloud service provider (CSP) is responsible for various aspects of security, has guided security relationships and interactions since the early days of CSPs. At Google Cloud, we believe that it now stops short of helping customers achieve better security outcomes. Instead of shared responsibility, we believe in shared fate. 

Shared fate includes us building and operating a trusted cloud platform for your workloads. We provide guidance for security best practices and secured, attested infrastructure-as-code patterns that you can use to deploy your workloads. We release solutions that combine Google Cloud services to solve complex security problems, and we offer innovative insurance options to help you measure and mitigate the risks that you must accept. Shared fate involves a closer interaction between us and you to secure your resources on Google Cloud. By sharing fate, we can create a system of mutual accountability and can set expectations that the CSP and their customers are actively involved in making each other secure and successful. 

Establishing trust in our software supply chain

Software supply chains need to be better secured, and we believe Google’s approach to be the most robust and well-rounded. We contribute to many public communities, such as the Linux Foundation, and use our Vulnerability Rewards Program to improve the security of software we open source for the world. We recently announced Assured Open Source Software, which seeks to maintain and secure select open source packages for customers the same way Google secures them for itself. Assured Open Source is yet another dogfood project, taking what we do at Google and externalizing it for everyone’s benefit.

A resilient ecosystem requires community participation

Being an active member of the community is a priority at Google, and can be a vital part of securing the critical infrastructure that we all rely on. We joined the Health-ISAC (Information Sharing and Analysis Center) as a partner this July. We’ve maintained relationships with Financial Services ISAC, Auto ISAC (for vehicle software security,) Retail ISAC, and others for years. Sharing knowledge and guidance between our organizations can only help improve everyone’s ability to defend against the latest cybersecurity threats. We’re not just partners, we’re helping build close relationships with these organizations, pairing teams together to protect communities globally.

Top challenges during transformation

We believe the future is better running workloads on a trusted cloud platform like Google Cloud, but the journey there can be challenging. In feedback we’ve received over the past year, including from nearly 100 executive workshops and interactions we’ve led, our customers have shared their top challenges with us. The seven most frequent ones are: 

Evolving a software-defined perimeter where identity, not firewall rules, keep bad out and allow good in;

Enabling secure, remote access capabilities that allow access to data and services anywhere and from any device;

Ensuring data stays in approved locations while allowing the enterprise to be agile and responsible to their stakeholder use cases;

Scaling effective security programs to match the growth in consumption infrastructure and cloud-native services by their business;

Managing their attack surface in light of two facts: That more than 42 billion devices are expected to be connected to the internet by 2025, and organizations are looking for ways to connect and leverage an ever-growing collection of data;

Analyzing and sharing data securely with third parties as businesses seek to leverage this information to get closer to customer needs while also generating more revenue; and finally,

Transforming teams by federating responsibilities for security outside of the security organization and establishing effective guardrails to safely constrain and protect use of cloud resources.  

The future is multi-cloud

An important point that we’ve learned, and that we’ve emphasized in our customer interactions over the past year, is that Google Cloud is not singularly-focused on how to be successful only on our own platform. We focus on building technologies that meet customers where they are at, create value for their organizations and customers, and reduce the operator toil needed to get there. It’s why we built Anthos, contribute to and support open source, and develop products like Chronicle which work well no matter where you decide to deploy a workload — on-prem, on Google Cloud, or on another cloud.

At its heart, the cybersecurity community is its people and its technology. That’s why we’re investing $10 billion in cybersecurity over the next five years, why we work hard to improve DEI initiatives at Google and beyond, and why we provide accessible, free training and certification programs in security and cloud to democratize knowledge and build the next generation of cloud leaders.

We close out our first year thankful for the opportunity to work with so many customers, communities, partners, and governments around the world. We have learned and have grown better at what we do from the experiences we had interacting across these groups. In the final months of this year and onwards into 2023, we will continue to find new ways to use Google’s resources to help customers, build products, and support the safety and security of societies around the world.