Google Cloud’s biggest differentiator when it comes to security is its capitalisation on “security by design,” according to Phil Venables, chief information security officer of the number three cloud computing provider.
“The big thing is the fact that our infrastructure has been designed with security built in and was built from so-called zero trust principles from the very beginning,” Venables said.
In a recent interview with CRN, Venables addressed what he sees as Google Cloud’s edge when it comes to security compared to other providers, whether the cloud is more secure than on-premise environments, security challenges faced by Google Cloud customers and the cybersecurity threat landscape among other security topics.
Venables joined Google Cloud in December 2020 after 21 years at Goldman Sachs, the New York-based investment bank, where he last worked as a private equity operating partner supporting portfolio cybersecurity and other technology companies in building security capabilities and reducing risk. He previously served as chief information security officer for both Goldman Sachs and Deutsche Bank.
The last year-plus at Google Cloud has been an enjoyable one, he said.
“A different environment compared to my career in financial services — many things the same, but many things different, especially the scale of what we do and our ability to invest even more in security than even some of the largest banks are able to invest,” Venables said.
Google integrated its risk, security, compliance and privacy teams from across the company into the Google Cybersecurity Action Team announced last October. The consolidated team will provide strategic security advisory services, trust and compliance support, customer and solutions engineering, and incident response capabilities.
“Those were all teams that were doing really, really good stuff, but we thought it made sense for them to be part of one integrated organisation for cloud given the importance of all four of those topics, making sure that we provide even more focus on those things together,” Venables said. “That’s working out very well, and I think that’s reflected in a lot of large organisations that are aligning their risk, compliance, security and privacy teams because of a lot of the commonality between the types of controls that you have to implement to drive those things effectively.”
What are Google Cloud’s advantages when it comes to security?
The big thing is the fact that our infrastructure has been designed with security built in and was built from so-called zero trust principles from the very beginning. The fact that security is designed in — not bolted on after the fact — shows through in a lot of the products and services that we have and also enables us to do some quite foundational things around default levels of security. Everything’s encrypted by default — the data at rest, data in transit — and a lot of that comes from just the base design of the overall infrastructure. We operate a very large, private global network. We build a lot of our own servers and infrastructure. We can embed security in that infrastructure we build, so our own security chips are on every one of our own servers. All of that base level of designed-in security gets pushed up through all of the products we make available to customers.
The underlying infrastructure design and how we secure and manage all of that also underpins the services we run for cloud customers. Obviously, it’s all separate and isolated in terms of the services, but the same underlying security design and infrastructure and an encrypted global network are part of our overall infrastructure.
Is Google Cloud more secure than Amazon Web Services (AWS) and Microsoft Azure? What are the key differences?
We don’t do those kinds of comparisons in that respect. We believe we have a secure platform. We have a lot of features and approaches in our security by design that we think are different from other providers — a lot of our choices around secure defaults, like things being encrypted by default; some of the things we do with how we provide services for customers to manage their encryption keys; some of the things we do on so-called confidential computing, where we even provide capabilities to encrypt data not just at rest and in transit, but all the way to the point of computation itself inside the processors.
When we think about our overall approach, the big thing is really the fact that we’re capitalizing on security by design. That’s where security is built in rather than bolted on, and that, we think, is the big differentiator.
So AWS and Microsoft bolt it on?
They can comment themselves.
You’re being very diplomatic. If you had a customer in front of you, would you be as diplomatic if they were coming down to security?
Yes, we talk about what we believe our strengths are. We don’t really talk about the competition.
Do you see many customers moving over to Google Cloud from AWS or Microsoft Azure because of security concerns?
I don’t have data on that as being a specific reason. But we certainly see lots of large enterprises, as well as small and medium-sized enterprises, choosing Google Cloud for a whole array of reasons, whether it’s our global reach, our capabilities, our performance, our features, our security capabilities. All of those are factors in why they would choose us.
How did the Apache Log4j 2 exploit impact Google Cloud? What are the lessons learned there?
Like a lot of organisations, we responded to that very, very quickly. The extent to which our products were affected was on our website. The vast majority of our products didn’t actually use that software, so they weren’t affected. The ones that were, were typically ones where we had an external dependency on another product that we run in the cloud for customers.
As you probably saw from our participation and leadership in the White House open-source security summit (on Jan. 13), we were one of the companies that founded the Open Source Security Foundation, and we quite publicly committed $100 million to further improvements in open-source security. And we’re going to continue to partner with government and partner with other companies and partner with the open-source community to really drive improvements there for the benefit of everybody.
With all the cyberattacks in the past year – against SolarWinds and Microsoft Exchange, and the ransomware demands — can we expect them to continue increasing in the coming years? What do you see as the next threat vector?
I think we’re going to keep seeing cyber threats being an ever-present issue. As the world, as all businesses in pretty much every part of our lives are digitized, then we’re going to see continued digital threats. Many organisations, especially through use of cloud providers and other providers like us, are gradually improving their security to make these threats less impactful. But then…the attackers work to come up with new forms of attacks, as we saw…with SolarWinds. They’ll innovate to try and figure out new attacks. Collectively through our work, we try and stay ahead of that by investing in security and improving controls and trying to make the best security available for customers that we can, so that they’re protected as well in the environments they run on us.
It’s always hard to predict (new kinds of attacks). There’s always the potential for things that we’ve not seen before. We have very large visibility into the world of cyber threats through all of our global platform. We track all these things quite closely and aim to stay ahead of it through not just innovations in cloud, but all of the innovations in all of the other Google services and products, where we try and build in security by default and just make sure that security is in there by design, to stay ahead of whole classes of threats, not just particular types of attacks.
We certainly remain ever-vigilant to look at what’s going on, and we look at what’s affecting other organisations and look to see if that’s anything that we can learn from. But in ourselves, we have this just tremendous global visibility of threats and attacks, and that informs how we continue to improve and add new security capabilities to the platform.
If you’re an organisation that doesn’t have a large security team, in many respects if you’re using a cloud provider like us, you can essentially take every update and every new feature we give you knowing that’s been informed by some aspect of our threat research, our vulnerability research, our projections of what defenses need to occur, and then we’re baking that in the platform. You as a customer can get the benefit of that by just taking those feature updates. We’re constantly trying to stay ahead of these things. But I think…you’re always going to see some new type of exploit happen, as we saw with impacts to supply chains. You’ll also always see attacks being more prevalent or not compared to how difficult what used to be easy attacks have now become (and) therefore the attackers have to try different techniques.
This is a constant evolution of defense versus offense, and I think that’s just going to be the way it is. The good news is now there’s a lot more technology and capability built in by design by large providers like us that provide a higher level of defense than has typically been seen in on-premise technology environments over the past few decades.
You sit on the President’s Council of Advisors on Science and Technology. Does the federal government do enough to help technology companies protect the security of the country’s technology infrastructure and is there a big enough enforcement effort?
We partner really closely with the government — and actually not just the US government. We’re clearly a global presence. We partner in appropriate ways with law enforcement and governments around the world to protect their national critical infrastructure.
But very specifically in the US, the work that (the Biden) administration has been doing on cybersecurity I think is really good, what with the executive order on cyber that’s been driving a lot of work, the fact that we’ve got multiple really first-rate leaders in various positions in the federal government. And then increasingly, as well, we partner with the Department of Homeland Security (DHS) on the JCDC (Joint Cyber Defense Collective), the cyber collaboration initiative that DHS has set up with a lot of the big tech and security companies. That is a really good example of real operational coordination to mitigate risk and manage vulnerabilities in the national critical infrastructure.
What are the top security challenges that your customers face?
Many large organisations are dealing with a lot of built-up complexity. They have large established infrastructures in their traditional on-premise environments, in their own data centers. They’re all using multiple cloud providers and multiple software-as-a-service providers. So we spend a lot of time helping customers just figure out how to manage their secure digital transformations across all of that…modernizing their infrastructure in the cloud and figuring out how to get the best of security out of the cloud. That’s something that we partner with all of our customers very closely on.
This overall Google Cybersecurity Action Team, where we’ve brought together even more resources from across Google to…help our customers with those secure digital transformations, is something that we’re seeing a lot of demand for. As they migrate to the cloud or they create new businesses and new workloads in the cloud, they’re finding a lot of benefits from that kind of security-by-design approach that we’ve been taking. Especially as they modernize their way of building software and managing infrastructure, they’re certainly able to uplift the security and resiliency that they’ve had compared to their prior environments.
On-premise environments versus the cloud, which is more secure?
We get asked quite a bit: is cloud more secure than on-premise? The answer to that, we believe, is yes.
When I look…at a lot of what companies implement in their own data centers, what we’re doing in the cloud as a default level of security is just way ahead of what all companies are able to do in their on-premise environment. It’s not just that we invest more in security, and we have larger numbers of security engineers. It’s that, but it’s also something more fundamental, and it was encapsulated in how we think about these so-called ‘security mega trends.’
I won’t talk through them all, but just one of them, for example, is this economy of scale point. Our scale is so large. We design, build and embed…our Titan Security chips on each of our servers. That assures the trusted and secure boot process, so we can have a lot of trust in the integrity of the software on those machines that we run. When you amortize it across this massive fleet of infrastructure that we have, the unit cost for that goes down. Whereas if you think about an on-premise environment that’s shrinking because some of it’s moving to the cloud, the unit cost of their controls starts going up, because the scale is diminishing. Scale is a really big advantage that enables us to invest in security. And the unit cost of that security goes down over time just because of the scale, which means we can invest even more in security.
Another example (is) this whole concept of the ‘digital immune system.’ If we ship hundreds of feature updates and security updates continuously across the product — these are either new features, they could be features that some customers have asked for, it could be new security capabilities where we’ve seen the need for a new control to stay ahead of threats, it could be all sorts of different things — and if you’re a customer that doesn’t have a large security team, or even if you do have a large security team, some of your best security strategy might be just to take every update we give you, because that update has been informed by this overall ecosystem driving an uplift of security. And so that notion of the cloud as a digital immune system seems to work quite well.
Then there’s other elements…our notion of moving from the shared responsibility model to a ‘shared fate model,’ where we’re not just sitting behind that line of shared responsibility and really kind of delineating where the customer’s responsibility is and where our responsibility is. Increasingly, we’re reaching across that line of shared responsibility to provide as much help as we possibly can to customers to help them run securely in the environment and also provide them with blueprints and other advice and guidance and pre-configured secure configurations so they can run securely in the cloud. Couple that with all of the monitoring that helps them sustain that level of security. All of these things added together mean that you’ve got this dynamic feedback loop that keeps making cloud more secure, and more secure faster than any on-premise environment can keep up with. We describe it as a mega trend, because it’s just going to keep working that way over time, and cloud just becomes more and more secure compared to on-premise environments.
Are there areas of cloud security that are kind of ripe for partners to mine right now? Is there any unmet demand that partners could answer?
We partner with a lot of security companies that either run on the cloud or have cloud security offerings that are part of our cloud marketplace that customers get to use as part of their use of the cloud. We work very closely with the security industry on making sure that they’re able to run their products in the cloud and that they become value-adds to the cloud in respect to what customers need.
We’re going to continue to partner closely with security companies, as well (use) our own cloud security business. We have a number of different cloud security products like our Chronicle security monitoring solution and various other products like our zero trust product, BeyondCorp Enterprise.
We have a reasonably good coverage with all of these different companies across all of what we think customers need in terms of security. There’s lots of new startup companies with lots of new product development. It’s a very vibrant industry in terms of responding to coming up with new technologies to defeat new threats, as well as coming up with new approaches to help customers manage their security in cost-effective, secure, risk-managed agile ways. There’s a lot of innovation that goes on, which I think is healthy for everybody.
Can you talk about a Google Cloud security product that recently came out that you’re really excited about or give a sneak peek of something you’re working on?
There’s a lot of stuff. It’s really difficult to pull one thing out. BeyondCorp Enterprise, which is our zero trust solution (released in January 2021), is something based on technology built and operated in Google at huge scale over the past decade. It’s always great to get something that we’ve used to protect Google very effectively and be able to put that in the hands of customers. And then similarly, with our Chronicle product, which is a security analytics and monitoring product, we’re able to put some of that threat intelligence…from our global visibility into the world…into that product. Customers get to automatically flag in their monitoring threats that we’ve seen before those customers have seen them, so that they’re kind of forewarned for that automatically.
In terms of things coming, we acquired a security automation company called Siemplify, and that’s a great company. We’re thinking about plugging that together with all of our other security tooling apparatus to give that more seamless experience for customers’ security teams. That’s going to be pretty exciting as we deliver on that this year.