UPDATED 12:00 EDT / MAY 17 2022

SECURITY

Google Cloud sharpens its focus on open-source software security, zero trust, cloud governance and more

Google Cloud said today it’s doubling down on its concept of “Invisible Security” with the launch of an array of new security services.

They’re aimed at helping enterprise customers to secure their software supply chains, adopt zero-trust security architectures, improve cloud governance and transform their security operations. “We’re wanting to package the Google magic and bring it to where customers want it,” said Google Cloud Vice President and General Manager Sunil Potti.

Potti explained that many cloud customers still rely heavily on open-source software to power their most critical applications and infrastructure. Unfortunately, open-source software security is a weak point, with vulnerabilities popping up faster than they can be patched.

Worse still, hackers realize this and have been stepping up their attacks. A recent report from Sonatype Inc. found that cyberattacks aimed at open-source software suppliers rose more than 650% in the last year.

In a bid to reassure users of open-source software, Google Cloud announced the launch of a new offering called the Assured Open Source Software service at the Google Cloud Security Summit today.

Assured OSS, as it’s known for short, allows any customer that relies on open-source software to incorporate the same OSS packages that Google uses in its own developer workflows. The idea is that organizations can use open-source software without needing to develop, maintain and operate complex processes for securely managing dependencies. The OSS packages are regularly scanned, analyzed and fuzz-tested for vulnerabilities, verifiably signed by Google and distributed from an artifact registry that’s secured and protected by the company.

A second major focus for Google Cloud is on the idea of zero-trust security. Google actually invented the concept of zero trust, which is a security framework requiring all users to be authenticated, authorized and continuously validated for security configuration and posture before being granted or keeping access to applications and data. As more governments push agencies to adopt such a posture, with initiatives such as the federal strategy to move the U.S. government toward a zero-trust architecture and the United Kingdom’s National Cyber Security Center Zero Trust design principles, Google is making it easier to do so.

Today, the company announced it’s expanding its BeyondCorp Enterprise offering with BeyondCorp Enterprise Essentials (below), a new solution that’s meant to help organizations implement zero trust more easily. With it, organizations gain context-aware access controls for software-as-a-service applications, threat and data protection and URL filtering, directly integrated into the Google Chrome browser.

“It’s a simple and effective way to protect your workforce, particularly an extended workforce or users who leverage a ‘bring your own device’ model,” Potti said. “Admins can also use Chrome dashboards to get visibility into unsafe user activity across unmanaged devices.”

In addition, Potti said, customers will soon be able to take advantage of the new BeyondCorp Enterprise application and client connector when it becomes generally available in the third quarter. This is a new tool that simplifies zero-trust connectivity to applications hosted on other clouds such as Amazon Web Services.

Analyst Holger Mueller of Constellation Research Inc. told SiliconANGLE that security is key for cloud success, as enterprises need confidence that their data and processes are secure. “This is why cloud infrastructure providers tend to be at the forefront of adopting modern security best practices and processes,” he said. “Today it is Google’s turn, pushing its zero-trust architecture forward into Chrome and adding some interesting innovation to secure open-source software supply chains. It’s good to see the progress and execution in this critical area.”

On the cloud governance side, Google announced the launch of a new Security Foundation service (outlined below) that gives customers an easier way to adopt Google Cloud’s own security capabilities. “We believe we have a unique and industry-leading approach to sovereignty,” Potti said. “We’re going country by country across the globe, starting with the U.K.”

The Security Foundation is aligned to the prescriptive guidance of Google’s Cloud Cybersecurity Action Team, and codified in a Security Foundations Blueprint, giving customers access to the specific controls they need for data protection, network security and security monitoring.

“In Google Cloud, we operate in a shared fate model, where we take an active stake in our customers’ security posture,” Potti said. “Key to this is engineering security into our core platform, coupled with security controls you can configure according to your risk profile.”

Potti also announced updates to the Security Command Center security and risk management platform. The new Security Health Analytics custom modules allow customers to add their own detection rules and perform configuration checks based on their specific needs, for example.

In addition, Potti provided an update on the ways Google is helping transform enterprises’ security operations for the better. The recent launch of Google’s Autonomic Security Operations platform, for instance, gives cloud customers a way to comprehensively manage their cyber telemetry and scale their threat detection and response capabilities, he said.

Moreover, the latest version of Google’s Siemplify security orchestration, automation and response platform will allow security teams to move beyond the traditional security operations center and build more modern “anywhere” security operations, Potti explained. “Our new features enable more transparent collaboration between service providers and end customers, ensuring every role is presented with relevant data to ensure fast response,” he said.

Finally, Google announced the public preview launch of Apigee Advanced API Security, which Potti said targets two critical pain points for developers using application programming interfaces: misconfigured APIs and the detection of “bad bots” responsible for malicious API calls.

With reporting from Robert Hof

Images: Google

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU