I attended my first Google Next conference last week in San Francisco and came away quite impressed. Clearly, Google is throwing more of its engineering prowess and financial resources at GCP to grab a share of enterprise cloud computing dough and plans to differentiate itself based upon comprehensive enterprise-class cybersecurity features/functionality.
CEO Diane Greene started her keynote saying that Google intends to lead the cloud computing market in two areas: AI and security. Greene declared that AI and security represent the “#1 worry for customers and the #1 opportunity for GCP.”
This surely got my attention as I was there for the sole purpose of learning about GCP security. After attending Google Next, here are a few of my takeaways:
- GCP is built on a foundation of strong security. It looks like Google took the CISSP common body of knowledge (CBK) taxonomy and made sure to address each of the eight from the get go. For example, GCP is built using secure hardware infrastructure, storage services, identity services, and network communications, offering a true defense-in-depth architecture. Google extends its coverage to the application layer as well. For example, it announced ISTIO for enhancing the security of containers and microservices built on top of Kubernetes. Many of these layers use proprietary Google technologies developed for the company’s own data centers. In other words, we are talking about battle-tested controls up and down the stack. Oh, and GCP security has been certified against, well, just about any certification standard you can think of.
- Everything is visible and controllable. Google talked a lot about delivering visibility and trust to its customers. GCP captures and monitors every workload, communication channel, data element, etc. One security practitioner I spoke with said that this monitoring capability alone helped his organizations greatly improve security by gaining a level of unprecedented central visibility compared to past practices. Google also understands the impact of the cybersecurity skills shortage, making sure that all of its security administration functions are simple to implement and monitor.
- Google gets the changing security perimeters. Cloud and mobile computing have all but erased the division between public and private networks, making identity and data security two critically important new security perimeters. Given its heritage, it’s no surprise that Google embraces this transition. Google IAM offers just about every feature you’d want: fine-grained access controls, multi-factor authentication (note: Google announced its own hardware tokens at the event), single sign-on, etc. Oh, and Google’s been an SDP visionary since releasing its BeyondCorp design a few years ago. As for data security: All data is encrypted by default with GCP or customer-based key management services available. Cloud-centric applications can be encrypted at the application layer for the strongest levels of data security, and Google exposes DLP APIs to help customers (and partners) discover, classify, and protect sensitive data. Google also talked about letting customers better organize their data by offering a set of tools for data governance.
- Google is focused on security innovation. Google made five security announcements (across Google technologies and GCP) in 2017 and has already made 20 this year in areas like VPC service controls, access transparency, Cloud Armor, DLP APIs, etc. To extend its security coverage, Google has also signed up a who’s who of partners.
- Google is addressing innuendo past criticism. Google built its business on a simple quid pro quo, users got free services like search and email and in exchange, Google collected, mined, and sold this data for massive profit. Based upon this business model, many enterprise security pros view Google with skepticism, believing it will mine and sell their sensitive data in a similar fashion but this is not the case. In fact, Google goes out of its way to reinforce this promise: All data is encrypted by default and users can monitor Google administrator activities. In fact, Google puts its money where its mouth is as GCP contracts also guarantee a tamperproof relationship.
Google gets security and, in my opinion, the company is quite sincere about making GCP the most secure cloud platform of all. Engineering alone won’t cut it, however. To achieve this goal and get the word out, Google must:
- Schmooze the cybersecurity diaspora. Security pros are starting to learn more about AWS and Azure security but ESG research indicates that cloud security training, knowledge, and skills remain a work in progress at best. To bridge this gap and elbow its way into the party, Google should establish certifications, and work with training groups like SANS and professional organizations like ISSA to get the word out. Google should also dedicate ample resources for specific CISO education programs. This will take dedication, a focused effort on the security community, and consistent rolling thunder marketing initiatives.
- Get security leaders to think differently about security. Too many security professionals still try to force-fit existing security controls into the cloud, but this strategy is sub-optimal at best. Alternatively, organizations could greatly improve their overall security efficacy and operational efficiency by embracing native cloud security controls as a primary strategy and then bridging hybrid cloud security with APIs, gateways, CASB, SaaS, etc. Google should take the lead on pushing this model while working with partners who can help customers implement it. In her keynote, Diane Greene mentioned that Google engineers are working closely with partners on vertical industry applications for GCP. The company would be wise to extend these vertical efforts to include security controls, processes, and strategies that align with industry initiatives.
- Get the competitive juices flowing. Whenever CEO Greene was asked about the competition, she defaulted to two statements: 1) “It’s early in the game,” and 2) “We believe our technology superiority will help us win over time.” While both statements are true, Amazon and Microsoft have a pretty big lead and Google never compared its security (or GCP in general) with the competition in any of the sessions I attended at Google Next. In my opinion, Google must take the gloves off. If GCP is the most secure cloud platform, Google must be willing to demonstrate this with verification testing, feature comparisons, and competitive knock-offs for sales and channel partners.
I have no doubt that GCP will be a huge hit among enterprise companies, but I do believe that Google has the opportunity to accelerate the adoption curve if the market better understands and appreciates its cybersecurity commitment and vision sooner rather than later.