
What You Should Know About Google Cloud Security Summit 2022

The ‘Google Cloud Security Summit’ brought together top Google and partner security experts to discuss the most recent advances.

With the widespread use of cloud computing, a number of privacy and security concerns have arisen. To discuss cloud security issues, a pioneering event, the ‘Google Cloud Security Summit’, brought together leading Google and partner professionals to share ideas about the latest developments. Topics discussed at the event on 17 May 2022 included moving to zero trust architectures, bolstering software supply chain security, and defending against emerging threats.

Four Critical Issues to Keep in Mind

Sunil Potti, the general manager of Google Cloud Security, kicked off the Security Summit by recalling how cyber security has become every organization’s single biggest risk today, and how Google combats such threats. With a two-pronged strategy, Google helps businesses be safer with Google Cloud. The goal is to deliver the industry’s most trusted cloud for digital transformation, while recognizing that not every key system or workload is in the cloud. Sunil presented Google’s security foundation solution, which is intended to make it easier for businesses to implement Google Cloud’s essential security features. He did so by naming four critical security issues that are always on people’s minds:

* Zero Trust

* Securing the Software Supply Chain

* Ransomware and other emerging threats

* Cloud governance and Digital Sovereignty

How To Build Zero-Trust in the Government

The US National Cyber Director, Chris Inglis, then gave a wonderfully disciplined response about what the US government is doing to strengthen resilience and robustness in the defense of common infrastructure. He mentioned that the government had published future-defining zero-trust architectural blueprints, in which it will attempt to trust the architectures while ensuring that it can prove that trust. As a result, the key is to trust but verify. It’s also critical to make sure that duties and responsibilities are clearly defined, and that the government functions as a whole. This is true not only in terms of how it operates its own businesses, but also in terms of how it deals with the private sector.

He then went on to discuss three developing trends seen in both the public and private sectors. First, there is a growing emphasis on resilience by design. This means that resilience must be built into people, ideology, and roles and responsibilities, not only into technology. This, of course, entails drawing on best practice from the way Google has built its structures over time.

“Defeat All of Us In Order To Defeat One Of Us”

The second broad trend is collaboration, in which diverse parties are expected to contribute to building resilience or to the defense of what follows. We can only discover things jointly by merging insights and authorities in such a way that a lawbreaker in this space must “defeat all of us in order to defeat one of us”. Great efforts should be made to protect privacy and proprietary interests, yet there are times when collaboration is the solution. It is vital to be dedicated to figuring out how the government can assist the private sector in learning about things that the government knows better than anybody else, and to bring its resources to bear on the problem in a true collaboration.

Thirdly, Chris gave a preview of what to look out for if we want to see the government participate in this partnership. The US government has set aside 1.3 trillion dollars for infrastructure improvements, much of which appears to be directed at physical infrastructure, indicating that it will have a physical manifestation. Nothing, however, is more vital than ensuring that each one of those dollars is cyber-aware. It has to do with cyber resilience and scalability. The government recently formed something akin to the National Transportation Safety Board in the shape of the Cyber Safety Review Board, drawing on its expertise in the transportation sector. Furthermore, the government now has a place where private-public collaboration can be facilitated. It is called the Joint Cyber Defense Collaborative. Last year, private and public cyber subject matter experts came together to co-discover and collaborate in the mitigation of cyber dangers that can’t be identified by one party alone, but only by working together. Finally, Chris concluded by returning to an earlier point: if somebody is a transgressor in this area, they must get through all of us in order to beat one of us, or, to put it another way, every one of us must contribute to the defense of all of us.

Afterwards, Jonathan Meadows, Citibank’s head of cloud cyber security engineering, joined the conversation to provide his thoughts on the summit. Citibank has collaborated with Google in the OpenSSF (Open Source Security Foundation) as well as on internal projects. Over the last four years, he has concentrated on safeguarding the software supply chain, as it has become evident that it is a significant concern with an increasing number of attacks. “The supply chain security is such a broad discipline,” Jonathan says, referring to his work with Google partners and others in the industry to develop ways to safeguard the overall software supply chain.

Incorporating Threat Models for Supply Networks

He added that, as a community and with their business partners, one must work together to better understand the attack surface and provide an end-to-end approach to mitigating the danger. It is therefore critical to work on a variety of issues throughout the supply chain, from software ingestion to the security of open-source software to securely manufacturing software in secure software factories, with suitable attestations proving the program’s provenance. To safeguard the supply chain, it should be treated as an end-to-end challenge. Validating the source materials of the software and the projects they originated from, essentially securing both the ingress of software and the builds that egress, requires a holistic strategy. Much of the software we use today relies on ingested software as a source dependency and ingredient.

Jonathan suggested that looking at supply networks and incorporating threat models is critical for determining where attention should be focused. Doing so makes it possible to pinpoint the area that requires special attention as well as the larger issue. Citibank and the collaborative communities have teamed up to help safeguard open-source software by providing guidelines and metrics on how to secure projects. From working together, it’s clear to Jonathan that continuous collaboration is needed.
