Google Intends on Making GCP the Most Secure Cloud Platform

I attended my first Google Next conference last week in San Francisco and came away quite impressed.  Clearly, Google is throwing more and more of its engineering prowess and financial resources at GCP to grab a share of enterprise cloud computing dough, and it plans to differentiate itself based upon comprehensive enterprise-class cybersecurity feature/functionality.

CEO Diane Greene started her keynote saying that Google intends to lead the cloud computing market in two areas – AI and security.  Greene declared that AI and security represent the “#1 worry for customers and the #1 opportunity for GCP.” 

This surely got my attention as I was there for the sole purpose of learning about GCP security.  After attending Google Next, here are a few of my take-aways:

  1. GCP is built on a foundation of strong security. It looks like Google took the CISSP common body of knowledge (CBK) taxonomy and made sure to address each of the eight domains from the get-go.  For example, GCP is built using secure hardware infrastructure, storage services, identity services, and network communications, offering a true defense-in-depth architecture.  Google extends its coverage to the application layer as well.  For example, it announced Istio for enhancing the security of containers and microservices built on top of Kubernetes.  Many of these layers use proprietary Google technologies developed for the company’s own data centers.  In other words, we are talking about battle-tested controls up and down the stack.  Oh, and GCP security has been certified against – well, just about any certification standard you can think of.
  2. Everything is visible and controllable. Google talked a lot about delivering visibility and trust to its customers.  GCP captures and monitors every workload, communication channel, data element, etc.  One security practitioner I spoke with said that this monitoring capability alone helped his organization greatly improve security by gaining a level of unprecedented central visibility compared to past practices.  Google also understands the impact of the cybersecurity skills shortage, making sure that all of its security administration functions are as simple as possible to implement and monitor.
  3. Google gets the changing security perimeters. Cloud and mobile computing have all but erased the division between public and private networks, making identity and data security two critically important new security perimeters.  Given its heritage, it’s no surprise that Google embraces this transition.  Google IAM offers just about every feature you’d want – fine-grained access controls, multi-factor authentication (note: Google announced its own hardware tokens at the event), single sign-on, etc.  Oh, and Google’s been an SDP visionary since releasing its BeyondCorp design a few years ago.  As for data security: All data is encrypted by default with GCP or customer-based key management services available.  Cloud-centric applications can be encrypted at the application layer for the strongest levels of data security, and Google exposes DLP APIs to help customers (and partners) discover, classify, and protect sensitive data.  Google also talked about letting customers better organize their data by offering a set of tools for data governance. 
  4. Google is focused on security innovation. Google made 5 security announcements (across Google technologies and GCP) in 2017 and has already made 20 this year in areas like VPC service controls, access transparency, Cloud Armor, DLP APIs, etc.  To extend its security coverage, Google has also signed up a who’s who of partners. 
  5. Google is addressing innuendo and past criticism. Google built its business on a simple quid pro quo: users got free services like search and email and, in exchange, Google collected, mined, and sold this data for massive profit.  Based upon this business model, many enterprise security pros view Google with skepticism, believing it will mine and sell their sensitive data in a similar fashion, but this is not the case.  In fact, Google goes out of its way to reinforce this promise – all data is encrypted by default and users can monitor Google administrator activities.  In fact, Google puts its money where its mouth is as GCP contracts also guarantee a tamperproof relationship.

Google gets security and, in my opinion, the company is quite sincere about making GCP the most secure cloud platform of all.  Engineering alone won’t cut it, however.  To achieve this goal and get the word out, Google must: