UPDATED 14:20 EDT / JULY 21 2023


Secure by design, secure by default: Inside Google Cloud’s security strategy

As artificial intelligence moves front and center, organizations face a new context when they consider what the proper security regime is and how it should evolve.

For Google LLC and Google Cloud, security across the entire organization rests on a combination: central teams that provide consistent infrastructure and tooling, plus federated specialist teams embedded in product areas. It all plays into the company’s philosophy of secure by design and secure by default in the infrastructure and the product, according to Phil Venables, vice president and chief information security officer of Google Cloud.

“We have a whole series of federated specialist teams that are embedded inside product areas or product teams,” he said. “For example, inside our Google Kubernetes Engine, our GKE team, we’ve got a very large security engineering team that focuses on the security of GKE, just like we have for other product areas. It’s that combination of centralized providing central tooling and central capabilities plus these federated teams embedded in product areas.”

Venables spoke with theCUBE industry analyst Dave Vellante at the Supercloud 3: Security, AI and the Supercloud event, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed making security intrinsic to products and software supply chain risk reduction.

On being secure by design, secure by default

The number one challenge Vellante hears from chief information security officers these days concerns a lack of talent. When it comes to the philosophy of secure by design, secure by default, there’s a driving force behind that, according to Venables.

“Why we think about secure by design and secure by default is so important is we want to help customers with the toil of securing their environment, not add to it,” he said. “You talk about the cybersecurity talent challenges; we’ve spent a lot of time thinking about this, and there’s really two sides to the skills and talent challenges.”

The first is the raw number of cybersecurity professionals that exist, from entry-level up to expert. There have been some announcements with the Google Cybersecurity Certificate that have helped train more people to become cybersecurity professionals, according to Venables.

“But on the flip side as well, we’ve got to think about how do we 10x the productivity of the cybersecurity and IT workforce we’ve already got,” he said. “A lot of that comes down to the secure by default, secure by design, making these things just intrinsic to the products. We all want secure products, not just security products. A big part of what we’re doing is to try and enable that.”

There’s also been much talk about the shared responsibility model of cloud, which is correct in that the cloud provider runs the base infrastructure and the customer is responsible for many parts of the configuration, according to Venables. But Google has taken a slightly different approach over the past few years.

“To talk about what we call shared fate, which is, how do we reach across that line of shared responsibility, provide better defaults for customers, provide better guidance, better guardrails, configuration code to help them stand up an environment, again, so that it becomes less of an effort to have a secure by default environment,” he said. “And we’re going to keep focused on that.”

The means to secure an environment

Through the provision of tools and services, Google is all about giving customers the means to secure their environments not just on Google Cloud, but across all their environments, according to Venables. That goes for a variety of products, including Chronicle, VirusTotal and other services.

“We spend a lot of time, and we have cloud products that run on other clouds, like Azure or AWS, where customers want to use our products on a different cloud. We think heavily around how do we set the security standards for that,” Venables said. “We’ve also spent a huge amount of time in the open-source community and the standards communities to make sure that we’re baking security into not just the most critical open source, but across the open-source tooling in general.”

Google has also invested a lot of time in software supply chain risk reduction and in the standards communities, aiming to drive security improvements not just for the cloud, but for the internet and IT infrastructure overall, according to Venables. Ultimately, that’s the right thing to do, he added.

“But it’s also the commercial thing to do because it grows trust in technology and cloud services, which … ultimately benefits everybody,” he said. “Because I think people have now realized that cloud is a means of managing their risks, not just a risk in itself.”
