Cybersecurity is a tough game. With a bleak economic outlook for 2023, security teams are under increasing pressure to secure complex cloud environments against financially and politically motivated threat actors looking to capitalize on any small mistake.
However, despite economic pressures, Google Cloud CISO Phil Venables suggested in a recent Q&A that investing in new security capabilities is still key to maintaining business transformation in 2023.
Venables also shared his thoughts on how generative AI will impact security teams; what CISOs should be doing to secure the cloud; and why zero trust is “essential” for protecting workloads in the cloud.
- Identity and access management (IAM) and the power of zero trust
Of all the domains that look different in the cloud, IAM may be the most important to get right.
With IAM tools, you’re able to grant access to cloud resources at a granular level, creating more access control policies for attributes such as device security status, IP address, resource type and date and time, to better ensure appropriate access controls are in place.
Implementing a zero-trust framework, where there is zero implicit trust, means that it has to be established via multiple mechanisms and continuously verified. This is essential to protect an organization’s workforce and workloads in the cloud.
By shifting access controls from the network perimeter to individual processes, devices, and users, zero trust enables employees to work more securely from any location and any device without traditional remote-gateway VPNs.
Google has applied a zero-trust approach to most aspects of our operations. We believe it is certainly a framework that CISOs should consider when securing their cloud infrastructure.
- Threat intelligence
Successful CISOs keep a close [watch] on incidents that have occurred in other organizations that would signal changes in malicious activity or provide other lessons that could potentially alter an organization’s defensive cloud posture.
Detecting, investigating, and responding to threats is only part of better cyber-risk management — it’s also critical to understand what an organization looks like from an attacker’s perspective and if an organization’s cybersecurity controls are as effective as expected.
Likewise, when it comes to securing the cloud, paying attention to threat intelligence trends — and selecting cloud providers that view threat intelligence as a priority — is a must.
- Multicloud management
It’s not uncommon for organizations to have data in multiple clouds, not just one. One of the bigger challenges for CISOs is not just ensuring that each individual service is appropriately secured, but that the collection of those services that make up a business or mission process is secure.
It’s an even bigger challenge to assure the mitigation of other risks across resilience, compliance, privacy, data governance, and other domains. As a result, CISOs should think comprehensively about their cloud security strategy and look at their cloud architecture as a whole versus in silos.
VB: Any comments on Google’s role in helping to secure the software supply chain and open-source projects?
Venables: Collectively securing open source and the software supply chain remains a priority for the private and public sectors. The supply chain is made up of a variety of different types of vendors — connected services, software providers, outsourced IT, and other types of business process outsourcing.
Any reasonably sized organization could have hundreds to thousands of vendors — and some Fortune 100 companies even have tens of thousands.
Securing the software supply chain is really going to take a combination of three things:
- Driving the adoption of best practices
- Building a better software ecosystem
- Making long-term investments in digital security
At Google, we’re working with industry partners, governments, and the open-source community to address these exact goals. Over the past few years, we’ve announced a number of initiatives to address these threats:
- Last year, we announced the creation of the new Open Source Security Maintenance Crew, a team of Google engineers who will work closely with upstream maintainers on improving the security of critical open-source projects.
- We provided opinionated guidance for mitigating software supply chain risks in the first edition of our Perspectives on Security series.
- We launched Software Delivery Shield, the first fully managed software supply chain security solution that equips developers and security teams with the tools they need to build secure cloud applications.
- We released new products like OSV-Scanner and Open Source Insights data in BigQuery, which aim to directly support the open-source community as they secure their projects.
- In collaboration with the Open Source Security Foundation (OpenSSF), Google proposed [a] Supply-chain Levels for Software Artifacts (SLSA) framework, which formalizes criteria around software supply chain integrity to help the industry and open-source ecosystem secure the software development lifecycle.