Adoption of Google Cloud’s Supply-chain Levels for Software Artifacts (SLSA) security framework would have protected organisations from the SolarWinds cyberattack by alleged Russia-backed hackers, CEO Thomas Kurian has claimed.
The software supply chain is a vector of threats that other cloud providers had not anticipated, Kurian said.
“We had anticipated that,” Kurian said in an interview with CRN US. “Not only did we build the technology in a secure way, but we’re now making it available to customers to use in a secure way. We have now taken that framework and, working with NIST (the U.S. Department of Commerce’s National Institute of Standards and Technology), are making it available to the entire software industry, because that framework would have protected against SolarWinds.”
Pronounced “salsa,” SLSA is a source-to-service security framework for ensuring the integrity of software artifacts by helping to protect against unauthorised changes to software packages throughout the software supply chain.
It is based on Google’s internal Binary Authorization for Borg (BAB), a deploy-time enforcement check designed to minimise insider risk by ensuring that production software and configuration deployed at Google is properly reviewed and authorised, especially if that code has the ability to access user data. Google has been using BAB since 2013 and requires it for all of its production workloads.
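The deploy-time enforcement idea behind BAB and SLSA can be shown as a small admission check: an artifact is only allowed into production if it carries provenance that a trusted builder signed, that names an approved source repository, and whose digest matches the bytes actually being deployed. The example below is added here for illustration and is not Google's BAB code nor the SLSA/in-toto attestation schema; the attestation format, builder identity, source URI, key and artifact bytes are all constructed (HMAC stands in for the asymmetric signatures a real system would use).

```python
"""Simplified deploy-time provenance check in the spirit of SLSA / BAB.
Constructed example: formats, keys, builder and source names are not real."""
import hashlib
import hmac
import json

# Constructed trust policy: which build services may sign provenance, and
# which source repositories are approved for production.
TRUSTED_BUILDERS = {"builder://ci.example.internal": b"constructed-builder-key"}
ALLOWED_SOURCES = {"git+https://git.example.internal/payments"}

# Constructed artifact standing in for a release binary.
ARTIFACT = b"constructed release binary bytes"


def sign_attestation(builder_id: str, source_uri: str, artifact: bytes) -> dict:
    """Simulate the trusted build service issuing provenance for an artifact."""
    payload = {
        "builder": builder_id,
        "source": source_uri,
        "sha256": hashlib.sha256(artifact).hexdigest(),
    }
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(TRUSTED_BUILDERS[builder_id], body, "sha256").hexdigest()
    return {"payload": body, "signature": sig}


def admit(artifact: bytes, attestation: dict) -> tuple:
    """Return (allowed, reason). Default-deny: every policy condition must hold."""
    try:
        payload = json.loads(attestation["payload"])
    except (KeyError, TypeError, ValueError):
        return False, "unparseable attestation"
    key = TRUSTED_BUILDERS.get(payload.get("builder"))
    if key is None:
        return False, "unknown builder"
    expected = hmac.new(key, attestation["payload"], "sha256").hexdigest()
    if not hmac.compare_digest(expected, attestation.get("signature", "")):
        return False, "bad signature"
    if payload.get("sha256") != hashlib.sha256(artifact).hexdigest():
        return False, "artifact digest does not match provenance"
    if payload.get("source") not in ALLOWED_SOURCES:
        return False, "source repository not allowed"
    return True, "admitted"


if __name__ == "__main__":
    att = sign_attestation("builder://ci.example.internal",
                           "git+https://git.example.internal/payments", ARTIFACT)
    print(admit(ARTIFACT, att))            # genuine build
    print(admit(ARTIFACT + b"!", att))     # bytes changed after the build
```

An artifact modified after the attested build, or built from an unapproved repository, is refused at deploy time rather than relying on whoever published it.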
The SolarWinds hack, which ensnared Microsoft and breached US federal government agencies and private sector companies, was first detected last December.
Suspected Russian intelligence attackers injected malicious code into SolarWinds’ Orion network monitoring platform that was downloaded into as many as 18,000 of its customers’ computer networks. Last month, Microsoft said the hackers behind SolarWinds also had developed a backdoor that exfiltrates sensitive information from compromised Microsoft Active Directory Federation Services servers.
Kurian pointed to both the increasing number of cybersecurity threats and the variations of those threats.
“A year ago, if somebody said ‘will your software supply chain be a source of vulnerability’...we at Google felt it would be, which is why we had built the technology that we now make available through this framework we call SLSA,” he said. “But most companies had not thought about it. Every time there’s a new boundary of how technology can be adopted or a boundary where there’s a concern about a particular area…we’re always evolving our technology to meet those needs.”
Growth area for Google Cloud
Cybersecurity is a new area of significant growth for Google Cloud, according to Kurian.
“We are seeing very, very strong interest from customers,” Kurian said. “There’s almost a breach a week happening, and many customers have asked us how can Google help protect our system. So we offer products, we offer solutions, we offer advisory services. And that’s an area where new partners are building business with us, including ... managed security service providers, many ISVs – Palo Alto (Networks), Fortinet, F5 Shape. There’s a long list of them.”
Google Cloud unveiled several new cybersecurity partnerships at Next ’21 in addition to a new Google Cybersecurity Action Team.
Its new Work Safer Program, launching today with cybersecurity partners CrowdStrike and Palo Alto Networks, is designed to help organisations and their employees and partners collaborate and communicate securely and privately in hybrid work environments.
“We want to provide customers the best choice of the best technologies to use in concert with us,” Kurian said.
The new Google Cybersecurity Action Team will be made up of experts from across Google and will provide strategic security advisory services, trust and compliance support, customer and solutions engineering, and incident response capabilities.
Google Cloud’s security edge
Kurian outlined several primary benefits – in addition to protecting against more threat vectors and partnerships with ISVs – that he said give Google Cloud’s security an edge over that of chief competitors Amazon Web Services (AWS) and Microsoft Azure.
“First of all, we’ve made security much simpler for people by building it into the products,” Kurian said. “An example: Every organisation wants to run communications and collaboration security. We’ve been in the market since 2004 … when Gmail was launched. I think if you went out and looked at the (NIST’s National Vulnerability) database … we’ve never had a breach. We built technology into the way that Gmail works and our collaboration tools work – the same thing with GCP (Google Cloud Platform) – to make it much simpler.”
The “proof” of Google Cloud’s security edge is its Risk Protection Program, which gives customers access to a specialised cyber insurance policy from Allianz Global Corporate & Specialty (AGCS) and Munich Re, according to Kurian.
The Risk Manager security diagnostic tool allows customers to measure and manage their risk on Google Cloud and obtain reports on their security postures that can be sent to AGCS and Munich Re, who can use them to assess customers’ underwriting eligibility for the Cloud Protection + policy.
“When you talk to executives, one of the key metrics that people struggle with is every cyber incident is a ‘black swan’ event, meaning the day before the cyber incident, the company thought it was secure, then the cyber incident happens,” Kurian said.
“More importantly, they did not even know that they had been hacked for many months in certain cases. One of the challenges that everybody has had with cybersecurity is can you measure, manage and insure cyber risk?”