Google puts more power behind cloud security, ‘shared fate’ model
Google Cloud’s recent acquisition of Mandiant, a leader in dynamic cyber defence, threat intelligence and incident response, will significantly strengthen Google’s already-robust cloud security.
This is according to Louis van Schalkwyk, Head of Technical Operations at Digicloud Africa, who says the Google Cloud security portfolio is simplifying and enhancing security for customers of all sizes.
Says Van Schalkwyk: “In South Africa, there are still misconceptions around security in cloud infrastructure and workloads. At the one extreme, some organisations believe that moving to the cloud will automatically secure workloads.”
“At the other extreme, some organisations think the cloud is not secure at all. The reality is that the cloud is not secure by default, but it’s not insecure either. It’s about how you configure your cloud security.”
“What many people may not know is that a lot of the tools and mechanisms Google uses to support its own security are available to customers. Google Cloud offers a strong and growing portfolio of tools to enhance and simplify cloud security management.”
“With the Mandiant acquisition, Google is increasing its global threat intelligence and attack surface management capabilities, and will use global knowledge to better protect customers in real time,” he says.
Shared fate in the cloud
Van Schalkwyk says Google is evolving a ‘shared responsibility’ model to a ‘shared fate’ model, in which it actively partners with customers to deploy secure solutions in the cloud.
“Responsibility and accountability for security vary, depending on whether you’re using infrastructure as a service, platform as a service, or software as a service,” says Van Schalkwyk. “For example, when you run applications on your own infrastructure, you are in complete control of, and responsible for, security at all layers from hardware to the application.
“Depending on how you architect your applications in the cloud, some or most of the responsibilities can shift to the cloud vendor. Security becomes a shared responsibility between the customer and the cloud provider.”
This diagram shows who’s responsible for different areas when comparing on-prem with infrastructure, platform and software as a service.
Van Schalkwyk notes: “It’s important to note that the diagram provides guidance at a high level. In reality, applications hosted in the cloud might make use of several different solutions, so the security requirements aren’t as clear cut.”
“There might be a misconception that moving to the cloud automatically makes your application secure (or not secure, depending on who you talk to). Moving to the cloud can offer improved security and risk mitigation but it can also introduce additional risks if not secured correctly.”
He believes that cloud providers should provide customers with a solid, secure foundation on which customers can execute the shared responsibility model.
“On Google Cloud, this is offered through deployment blueprints that provide customers with curated, opinionated guidance to optimise native controls and service for a secured landing zone in the cloud.”
According to recent research by the Cloud Security Alliance, the top 3 threats to cloud computing are insufficient identity, credential, access and key management; insecure interfaces and APIs; and misconfiguration and inadequate change control. Google has put measures in place to help customers mitigate these.
Says Van Schalkwyk: “Understanding who is responsible for what is therefore essential to ensuring application security. That said, drawing a line in the sand to separate responsibilities isn’t a great way to get going either.”
“Luckily, Google Cloud is offering customers their security blueprints, which offer implementation examples to ensure customers follow industry best practices.”
Google Cloud’s security foundations blueprint covers what customers need to land security in the cloud before expanding. These blueprints cover a wide range of initial configuration areas to consider, including organisational structure and policy, authentication and authorisation, resource hierarchy, networking, key and secret management, logging and detective controls, as well as general security guidance.
Combining products and blueprints with integrated security best practices provides customers with the architecture and guidance they need to configure, build, deploy and operationalise secure applications.
Furthermore, specific blueprints help customers protect specific workloads, applications or services, for example securing PII in AI notebooks.
Van Schalkwyk says that Google’s evolved ‘shared fate’ approach offers security capabilities and tools throughout the customer’s cloud journey: “Firstly, while you design and build (with security foundations / posture blueprints); secondly, when deploying, putting guard rails in place through organisation policies and constraints; and thirdly, at run time, by providing monitoring, alerting and corrective-action features through services like Security Command Center Premium.”
“Together these services / offerings help reduce risk and provide customers with a better security posture overall,” he says.
“With the recently completed acquisition of Mandiant, Google Cloud will expand their end-to-end security operations even further, providing customers the best possible protection against threats, whether applications are hosted on-prem, cloud or multi-cloud,” he says.
For more detailed information refer to Google Cloud’s security foundations whitepaper.