The Swiss-headquartered global technology leader has chosen Google Cloud as part of the organization’s ‘Rationalizing IT Operations’ (code named: Program RIO) initiative, which seeks to further increase the scalability and resilience of its infrastructure services to all ABB businesses.
Google Cloud will collaborate with ABB’s hosting services team to lay out an optimized cloud migration that is tailored to meet the IS needs of ABB businesses. This will be rolled out in a structured way and in line with ABB’s new operating model. The migration signals ABB’s increased focus on cloud adoption and on optimizing its data centers’ capacity.
Google Cloud’s data science, artificial intelligence (AI) and machine learning (ML) capabilities will be leveraged to simplify and improve the IS quality assurance via automation and consolidation of identified services housed in ABB’s strategic data centers and remote sites, with a cloud-first approach.
“ABB is a global technology leader that has been a Fortune 500 company for many years,” said Dominik Wee, Managing Director Global Manufacturing and Industrial at Google Cloud.
“We’re thrilled about the opportunity for Google Cloud to help ABB in its journey toward powering its information systems services in the cloud, as the company heads towards a more digitized future.”
“We are excited to be working together with Google Cloud to improve the competitiveness of ABB’s Information Systems services, and the flexibility we offer our internal business customers,” said Daniele Lisetto, Head of IS Strategy Office and Sponsor of RIO Program at ABB.
“Our choice to include Google Cloud further strengthens our strategic vision and stimulates innovation as we expand the Information Systems’ cloud footprint,” said Prabhu Chakravarthy, Group IS Program Leader at ABB.
The new integration allows security and DevOps teams to set up automated security scans of container artifacts in Artifact Registry, now generally available. Qualys Container Security scanning will assess all images for software inventory, vulnerabilities and misconfigurations, and provide a unified view across multiple Google Cloud regions.
Customers can then query the security posture of these container images through the Qualys API and use the results to automate security workflows, such as gating container deployments in Google Cloud Build or opening tickets in DevOps ticketing systems.
“Google Cloud’s Artifact Registry provides a convenient fully-managed service that allows customers to have a central repository for all their software artifacts,” said Philippe Courtot, CEO, Qualys.
“Now, with our new integration, customers can quickly adopt this artifact management offering from Google Cloud in their DevOps pipeline with seamless container security built-in from Qualys.”
“It’s important that DevOps and IT teams are able to deliver software quickly and securely, and we’re excited that Qualys is integrating its container security capabilities with Google Cloud’s Artifact Registry,” said Juan Sebastian Oviedo, Product Manager at Google Cloud.
Qualys Container Security
Built on the Qualys Cloud Platform, Qualys Container Security discovers, tracks and secures containers from build to runtime. Container Security continuously flags and responds to security and compliance issues in containers across your hybrid IT environment.
The addition of runtime protection extends these capabilities, delivering full, granular visibility into running containers and the ability to enforce policies that govern containers’ behavior.
As a result, you can immediately detect and act upon containers drifting from their parent images and potentially creating a security risk due to vulnerabilities or misconfigurations.
What is confidential computing? Can it strengthen enterprise security? Sam Lugani, Lead Security PMM, Google Workspace & GCP, answers these and other questions in this Help Net Security interview.
How does confidential computing enhance the overall security of a complex enterprise architecture?
We’ve all heard about encryption in-transit and at-rest, but as organizations prepare to move their workloads to the cloud, one of the biggest challenges they face is how to process sensitive data while still keeping it private. However, when data is being processed, there hasn’t been an easy solution to keep it encrypted.
Confidential computing is a breakthrough technology which encrypts data in-use – while it is being processed. It creates a future where private and encrypted services become the cloud standard.
At Google Cloud, we believe this transformational technology will help instill confidence that customer data is not being exposed to cloud providers or susceptible to insider risks.
Confidential computing has moved from research projects into worldwide deployed solutions. What are the prerequisites for delivering confidential computing across both on-prem and cloud environments?
Running workloads confidentially will differ based on what services and tools you use, but one thing is a given – organizations don’t want to compromise on usability and performance, at the cost of security.
Those running Google Cloud can seamlessly take advantage of the products in our portfolio, Confidential VMs and Confidential GKE Nodes.
All customer workloads that run in VMs or containers today can run as confidential without significant performance impact. The best part is that we have worked hard to simplify the complexity. One checkbox – it’s that simple.
What type of investments does confidential computing require? What technologies and techniques are involved?
To deliver on the promise of confidential computing, customers need to take advantage of security technology offered by modern, high-performance CPUs, which is why Google Cloud’s Confidential VMs run on N2D series VMs powered by 2nd Gen AMD EPYC processors.
To support these environments, we also had to update our own hypervisor and low-level platform stack while also working closely with the open source Linux community and modern operating system distributors to ensure that they can support the technology.
Networking and storage drivers are also critical to the deployment of secure workloads and we had to ensure we were capable of handling confidential computing traffic.
How is confidential computing helping large organizations with a massive work-from-home movement?
As we entered the first few months of dealing with COVID-19, many organizations expected a slowdown in their digital strategy. Instead, we saw the opposite – most customers accelerated their use of cloud-based services. Today, enterprises have to manage a new normal which includes a distributed workforce and new digital strategies.
With workforces dispersed, confidential computing can help organizations collaborate on sensitive workloads in the cloud across geographies and competitors, all while preserving privacy of confidential datasets. This can lead to the development of transformation technologies – imagine, for example, being able to more quickly build vaccines and cure diseases as a result of this secure collaboration.
How do you see the work of the Confidential Computing Consortium evolving in the near future?
Cloud providers, hardware manufacturers, and software vendors all need to work together to define standards to advance confidential computing. As the technology garners more interest, sustained industry collaboration such as the Consortium will be key to helping realize the true potential of confidential computing.
As organizations across industries rapidly deploy more assets in the public cloud with Amazon, Microsoft, and Google, they’re leaving numerous paths open for exploitation, according to Orca Security.
Cloud estates are being breached through their weakest links of neglected internet-facing workloads, widespread authentication issues, discoverable secrets and credentials, and misconfigured storage buckets.
While public cloud providers such as AWS, Microsoft Azure, and Google Cloud Platform keep their platforms secure, customers are still responsible for securing the workloads, data, and processes they run inside the cloud – just as they do in their on-prem world.
Such shared responsibility poses a serious challenge due to the speed and frequency of public cloud deployments. For most organizations, cloud workload security is dependent upon the installation and maintenance of security agents across all assets. However, IT security teams are not always informed of cloud deployments, so this lack of visibility results in missed vulnerabilities and attack vectors.
“While organizations must secure their entire estate, attackers only need to find a single weak link to exploit,” said Avi Shua, CEO, Orca Security. “It’s imperative for organizations to have 100 percent public cloud visibility and know about all neglected assets, weak passwords, authentication issues, and misconfigurations to prioritize and fix. The Orca Security 2020 State of Public Cloud Security Report shows how just one gap in cloud coverage can lead to devastating data breaches.”
Neglected internet-facing workloads
Attackers look for vulnerable frontline workloads to gain entrance to cloud accounts and expand laterally within the environment. While security teams need to secure all public cloud assets, attackers only need to find one weak link.
- The study found more than 80 percent of organizations have at least one neglected, internet-facing workload – meaning it’s running on an unsupported operating system or has remained unpatched for 180 days or more
- Meanwhile, 60 percent have at least one neglected internet-facing workload that has reached its end of life and is no longer supported by manufacturer security updates
- 49 percent of organizations have at least one publicly accessible, unpatched web server despite increased awareness of how that can result in large data breaches
Authentication and credential issues
Weak security authentication is another way that attackers breach public cloud environments. Researchers found that authentication and password storage issues are commonplace.
- Almost half the organizations (44 percent) have internet-facing workloads containing secrets and credentials that include clear-text passwords, API keys, and hashed passwords that allow lateral movement across their environment
- Meanwhile, 24 percent have at least one cloud account that doesn’t use multi-factor authentication for the super admin user; 19 percent have cloud assets accessible via non-corporate credentials
- Additionally, five percent have cloud workloads that are accessible using either a weak or leaked password
Lateral movement risk
All weak links combine to pose serious cloud security and lateral movement attack risk for any organization. Attackers also take advantage of knowing that internal servers are less protected than external internet-facing servers and that they can expand rapidly in search of critical data once inside a cloud estate.
- The security posture of internal machines is much worse than internet-facing servers, with 77 percent of organizations having at least 10 percent of their internal workloads in a neglected security state
- Additionally, six percent of internet-facing assets contain SSH keys that could be used to access adjacent systems
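The report’s criteria are simple enough to turn into a posture check. The script below is an added example, not Orca Security’s tooling: it applies the report’s own definitions (an internet-facing workload is neglected if it runs an unsupported OS or has gone 180 days or more without patching; secrets or SSH keys on exposed hosts enable lateral movement; a super-admin account without MFA is a weak link) to a small inventory built inline. The account, workload names, OS labels, end-of-life table, dates and file contents are all constructed sample data, and the secret patterns are deliberately minimal.

```python
"""Posture triage over a constructed cloud asset inventory.

Added example (not from the Orca report or its product): applies the
report's criteria to sample data built below. Every name, date and OS
label is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date

NEGLECT_DAYS = 180  # report threshold: unpatched for 180 days or more

# Constructed end-of-life table for the sample OS labels; not an authoritative list.
EOL_OS = {"ubuntu-14.04", "centos-6", "windows-server-2008"}

# Minimal patterns for credential material; a real scanner would use many more.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)password\s*[:=]\s*\S+"),
}


@dataclass
class Workload:
    name: str
    os: str
    internet_facing: bool
    last_patched: date
    files: dict[str, str] = field(default_factory=dict)  # path -> content sample


@dataclass
class CloudAccount:
    name: str
    super_admin_mfa: bool
    workloads: list[Workload]


def is_neglected(w: Workload, today: date) -> bool:
    """Neglected per the report: unsupported OS, or unpatched for 180+ days."""
    return w.os in EOL_OS or (today - w.last_patched).days >= NEGLECT_DAYS


def find_secrets(w: Workload) -> list[tuple[str, str]]:
    """Return (path, finding-type) pairs for files containing credential material."""
    hits = []
    for path, content in w.files.items():
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(content):
                hits.append((path, kind))
    return hits


def assess(account: CloudAccount, today: date) -> dict[str, list[str]]:
    """Apply the report's criteria to one account; returns finding lists by category."""
    findings: dict[str, list[str]] = {
        "neglected_internet_facing": [],
        "neglected_internal": [],
        "exposed_secrets": [],
        "ssh_keys_on_exposed_hosts": [],
        "no_mfa_super_admin": [],
    }
    if not account.super_admin_mfa:
        findings["no_mfa_super_admin"].append(account.name)
    for w in account.workloads:
        if is_neglected(w, today):
            key = "neglected_internet_facing" if w.internet_facing else "neglected_internal"
            findings[key].append(w.name)
        if not w.internet_facing:
            continue  # the report's secret/key figures concern exposed workloads
        for path, kind in find_secrets(w):
            findings["exposed_secrets"].append(f"{w.name}:{path} ({kind})")
            if kind == "private_key":
                findings["ssh_keys_on_exposed_hosts"].append(f"{w.name}:{path}")
    return findings


# Constructed inventory: one exposed, patched host with a plaintext password,
# one end-of-life exposed host carrying an SSH private key, one stale internal host.
SAMPLE_ACCOUNT = CloudAccount(
    name="prod-account (constructed)",
    super_admin_mfa=False,
    workloads=[
        Workload("web-frontend", "ubuntu-20.04", True, date(2020, 8, 20),
                 files={"/opt/app/.env": "DB_PASSWORD=hunter2\nAPI_KEY=abc"}),
        Workload("legacy-portal", "centos-6", True, date(2019, 6, 1),
                 files={"/home/deploy/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE..."}),
        Workload("internal-batch", "ubuntu-18.04", False, date(2019, 11, 1)),
    ],
)
TODAY = date(2020, 9, 1)

if __name__ == "__main__":
    for category, items in assess(SAMPLE_ACCOUNT, TODAY).items():
        print(f"{category}: {items}")
```

The output groups findings the way the report does, so the same logic can be pointed at a real asset export and prioritized by exposure first (internet-facing and neglected), then credential material, then account-level MFA gaps.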
Sonrai Security announced the Governance Automation Engine for Sonrai Dig, re-inventing how customers ensure security in AWS, Azure, Google Cloud and Kubernetes by automatically eliminating identity risks and reducing unwanted access to data.
This enables enterprise companies to achieve and maintain least privilege, enforce separation of duties, eliminate complex identity risks and lock down critical data. Workflow and role-based swimlanes route alerts and recommend actions to cloud, security, audit or DevOps teams, or deploy remediation bots to address security issues.
The new Governance Automation Engine helps enterprises address critical pain points including security breaches caused by identity policy misconfiguration and data risks that go beyond S3 buckets. It extends to include databases like Amazon RDS, DynamoDB, CosmosDB and many others, addressing disconnects among cloud, security, audit and DevOps teams with widely disparate cloud security toolsets.
“The acceleration of migrations from on-prem datacenters to the cloud presents an entirely new set of challenges for global enterprises that cannot be fully addressed by the security approaches of the past,” said Richard Stiennon, chief research analyst, IT-Harvest. “Security for public clouds must center on effective governance and security of three critical control points – identities, data and platform – to understand, monitor and minimize risk. Effective solutions will be those that go well beyond simply presenting dashboards of cloud provider tools and bring entirely new identity and data analytics to the mix.”
Cloud security complexity
For enterprise organizations, public cloud expansion quickly leads to hundreds of cloud accounts, thousands of data stores and tens of thousands of ephemeral pieces of compute involving multitudes of development teams. Improperly set up, this growing array of interdependencies and inheritances can open up many security risks such as over-permissioned identities, separation of duties risks and excessive access paths to critical data. Legacy cloud security tools have failed to address identity and data complexity and either miss critical vulnerabilities or send continuous alarms, creating high levels of noise that overwhelm security teams’ resources and lead to inaction.
The Sonrai Dig platform builds a comprehensive graph detailing every relationship between identities (people and non-people) and data that exist within cloud platforms like AWS, Azure, GCP and Kubernetes. Analytics provided atop that graph allows users to understand risk, eliminate risk and monitor it continuously. Swimlane workflows enable escalations, certifications and risk-exception handling and provide role-based access control for workloads, teams and cloud platforms to ensure adherence to policy.
New automation capabilities
The Governance Automation Engine for Sonrai Dig automatically dispatches prevention and remediation bots and provides safeguards in the form of code promotion blocks. Helping to ensure end-to-end security in public cloud platforms, Sonrai Dig also fosters excellence in the application lifecycle and in DevOps by preventing users from promoting code to the next stage of the development cycle if public cloud security requirements are unmet.
Extensive integration ecosystem
Sonrai Dig and its growing integration ecosystem have worked closely to ensure cross-platform compatibility through API integrations including:
- Public Cloud: AWS, Azure, Google Cloud (GCP), Kubernetes
- IAM: AWS IAM, Azure AD, GCP IAM
- Audit: AWS CloudTrail, Azure activity logs, GCP Stackdriver
- Data Stores: DynamoDB, RDS, Cosmos DB, Data Lake, SQL, Big Table
- Key Stores: KMS, HashiCorp Vault
- Infrastructure: WAF, Cloudfront, ELB
- Compute: ECS, Lambda, Azure Serverless
“Enterprise companies’ explosive expansion of cloud-native development creates a dizzying number of ways people and non-people identities access corporate data, creating unacceptable risk,” said Brendan Hannigan, CEO, Sonrai Security. “Sonrai provides unique technology to find and eliminate all of these risks, in a way that aligns with how applications are developed in today’s world. Our swimlanes, workflow and remediation capabilities are integrated seamlessly to automatically de-risk complex environments and represent an entirely new and effective approach to security.”
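The graph approach described above (identities, the roles or groups they can assume, and the data stores those roles reach) can be illustrated with a few dozen lines. The following is an added example and not Sonrai’s code or data model: it builds a small directed graph from constructed edges, follows membership and role-assumption edges transitively to enumerate every access path from an identity to a sensitive data store, flags identities that reach it without being on an approved list, and applies one toy separation-of-duties rule (an identity that can both administer IAM policy and write to the audit log). All identity, role, store and relation names are made up for the example.

```python
"""Identity-to-data access-path analysis over a constructed cloud graph.

Added example, not Sonrai's code: models people and non-people identities,
the roles they can assume (transitively) and the data stores those roles
reach, then answers the questions a least-privilege review asks.
"""
from __future__ import annotations

from collections import deque

# Edges: (source, relation, target). Constructed sample, not a real account.
EDGES = [
    ("user:alice", "member_of", "group:data-eng"),
    ("group:data-eng", "can_assume", "role:etl-runner"),
    ("role:etl-runner", "read", "store:customer-db"),
    ("role:etl-runner", "write", "store:analytics-lake"),
    ("sa:ci-builder", "can_assume", "role:deployer"),
    ("role:deployer", "can_assume", "role:etl-runner"),  # role chaining
    ("role:deployer", "write", "store:customer-db"),
    ("user:bob", "can_assume", "role:auditor"),
    ("role:auditor", "read", "store:audit-logs"),
    ("role:auditor", "admin_iam", "policy:org"),
    ("role:auditor", "write", "store:audit-logs"),       # SoD conflict with admin_iam
]

SENSITIVE_STORES = {"store:customer-db"}
APPROVED_FOR_SENSITIVE = {"user:alice"}  # identities expected to reach it

ASSUME_RELATIONS = {"member_of", "can_assume"}  # act-as edges, followed transitively
DATA_RELATIONS = {"read", "write"}


def build_adjacency(edges):
    adj: dict[str, list[tuple[str, str]]] = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    return adj


def identities(edges):
    """Principals that start a chain: people (user:) and non-people (sa:)."""
    return sorted({s for s, _, _ in edges if s.startswith(("user:", "sa:"))})


def access_paths(identity, target, adj):
    """All paths identity -> ... -> target: assume/membership edges are followed
    transitively; the path ends on a data relation pointing at the target."""
    paths = []
    queue = deque([(identity, [identity])])
    while queue:
        node, path = queue.popleft()
        for rel, nxt in adj.get(node, []):
            if nxt in path:
                continue  # cycle guard
            if rel in DATA_RELATIONS and nxt == target:
                paths.append(path + [f"{rel}->{nxt}"])
            elif rel in ASSUME_RELATIONS:
                queue.append((nxt, path + [nxt]))
    return paths


def unexpected_sensitive_access(edges):
    """Map (identity, store) -> paths for identities not approved for that store."""
    adj = build_adjacency(edges)
    result = {}
    for ident in identities(edges):
        if ident in APPROVED_FOR_SENSITIVE:
            continue
        for store in sorted(SENSITIVE_STORES):
            paths = access_paths(ident, store, adj)
            if paths:
                result[(ident, store)] = paths
    return result


def reachable_relations(identity, adj):
    """Every (relation, target) pair the identity can exercise, transitively."""
    seen, rels, stack = set(), set(), [identity]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        for rel, nxt in adj.get(node, []):
            if rel in ASSUME_RELATIONS:
                stack.append(nxt)
            else:
                rels.add((rel, nxt))
    return rels


def separation_of_duties_conflicts(edges):
    """Toy rule: one identity that can change IAM policy and also write the
    audit log could alter access and hide the trail; report such identities."""
    adj = build_adjacency(edges)
    return [
        ident for ident in identities(edges)
        if any(rel == "admin_iam" for rel, _ in reachable_relations(ident, adj))
        and ("write", "store:audit-logs") in reachable_relations(ident, adj)
    ]


if __name__ == "__main__":
    for (ident, store), paths in unexpected_sensitive_access(EDGES).items():
        for p in paths:
            print(f"UNEXPECTED {ident} -> {store}: {' / '.join(p)}")
    print("SoD conflicts:", separation_of_duties_conflicts(EDGES))
```

On the sample graph the CI service account reaches the customer database twice, once directly through its deployer role and once by chaining into the ETL role, which is exactly the kind of inherited path a per-role policy review misses.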
Thought Machine, the cloud native core banking technology firm, has announced that its core banking platform Vault now runs on every major cloud infrastructure provider including Google Cloud Platform, Amazon Web Services, Microsoft Azure and IBM Cloud.
In addition, Vault can be deployed on either the bank’s choice of cloud provider, on premise, in a hybrid cloud using OpenShift from Red Hat, or as a SaaS product.
Thought Machine’s expanded compatibility enables banks to migrate with the freedom to pick the cloud infrastructure partner of their choice – while adhering to any regulatory and legal requirements they might have in place.
As a cloud agnostic business, Thought Machine continues to expand its list of compatible cloud providers. Vault initially rolled out on GCP and AWS before progressing to run on the four leading cloud hosting providers, enabling far greater flexibility than peers in core banking and financial services technology.
The new SaaS offering brings further flexibility for banks wishing to operate an instance of Vault for their institution without the overhead of software management and updates. This Thought Machine-managed service is now available on AWS, with further provider compatibility planned for 2020.
Vault works with financial institutions and technology companies across the spectrum – from tier one global banks, to smaller regional banks, greenfield offerings as well as fintech players who offer banking capabilities to their customers. All of these firms can now deploy Vault in the way that is most suitable for their needs.
Paul Taylor, Chief Executive Officer and Founder of Thought Machine, comments: “At Thought Machine, the benefits of being cloud agnostic are crystal clear. Banks, fintechs and financial institutions have differing needs, and different relationships with the cloud.
“We don’t want to influence those choices, or those relationships, and are proud to announce we can deliver Vault wherever, and whenever, a business needs. By delivering Vault as a Software-as-a-service product, banks no longer need to concern themselves with the implementation, regulatory and logistical obligations of bringing software in-house.
“Vault SaaS is now available with the same high level of security and resilience as our deployed version, without the infrastructural management overheads.”
MariaDB announced the immediate availability of MariaDB SkySQL through the Google Cloud Marketplace. SkySQL is the first database-as-a-service (DBaaS) to unlock the full power of MariaDB Platform for transactions, analytics and both, optimized with a cloud-native Kubernetes-based architecture and backed from the source, the engineers who built the database.
The availability of SkySQL on the Google Cloud Marketplace eliminates the need for additional contracts with separate terms and conditions, and provides the same ease of access and unified billing of any other product in Google Cloud’s rich ecosystem of solutions.
“We are proud to debut SkySQL, the first fully containerized, relational enterprise cloud database offering, on the Google Cloud Marketplace,” said Kevin Farley, Director of Strategic Alliances, MariaDB Corporation.
“The addition of SkySQL in the Google Cloud Marketplace allows joint customers to build predictability into their cloud modernization budgets while ensuring mission-critical workloads are built and run on a best-of-breed integrated platform. This ultimately brings more choice and value for our customers.”
“We’re excited to partner with MariaDB to deliver its SkySQL cloud database platform on Google Cloud,” said Manvinder Singh, Director, Partnerships at Google Cloud.
“Customers can now quickly deploy and manage MariaDB SkySQL from the Google Cloud Marketplace, providing unified billing, increased ease of use, and a streamlined path to leveraging SkySQL’s analytics and transactional capabilities on Google Cloud.”
SkySQL with standard MariaDB support is available using pay-as-you-go credits on the Google Cloud Marketplace. Custom packaging is available for customers that need more capacity, additional support tiers or customization.
Thales has deployed the world’s first GSMA-certified eSIM activation solution on Google Cloud. This solution will offer telecom operators secure and highly scalable support to manage increases in mobile subscriptions for eSIM-capable devices.
It also lets them benefit from the reliability of Google Cloud’s carbon neutral technology. eSIM adoption is being fueled by a new generation of smartphones, tablets, wearables and new IoT use-cases.
Thales’ subscription management expertise not only ensures seamless remote activation of a vast number of devices, but also provides data analytics and protection of the subscriber’s data.
With telecom operators facing the combined challenges of rapid digital transformation and a drastically growing eSIM ecosystem, Thales has responded by creating a public cloud-based version of its proven eSIM Remote Subscription Platform.
In this initial deployment, the platform will run on Google Cloud, which is available in more than 200 countries and territories across the globe.
Thales has implemented first-class security standards specifically designed to meet the requirements of GSMA certification in a public cloud environment.
Telecom operators can also benefit from the Thales subscription management solution which offers unprecedented levels of operational flexibility, both in terms of auto-scaling and capacity management. As a result, enterprises will be able to take full advantage of subscription business growth in the years ahead.
Anil Jain, Google Cloud Managing Director – Telecom, Media & Entertainment, Industry Solutions: “The combination of Thales and Google Cloud’s global technology expertise is a perfect match to address the challenges of the eSIM market in a very innovative manner.
“Thales’ new cloud infrastructure enables the expected and significant growth in eSIM-capable devices to be tackled seamlessly. We know Google Cloud’s scalability will be critical with the rise of 5G networks and the cellular network connectivity of billions of IoT devices worldwide.”
Emmanuel Unguran, SVP Mobile Connectivity Solutions at Thales: “By collaborating with Google Cloud teams, we have designed a global service to answer the exponential demand for new eSIM devices.
“This hybrid infrastructure is a springboard to innovative IoT applications in a standardized and interoperable security framework. By achieving GSMA certification our cloud-based solution provides a trusted and compliant platform for telecom operators.”
Google Cloud today announced it’s making Google Meet, Google’s premium video-conferencing solution, free for everyone with availability rolling out over the coming weeks.
Starting in early May, anyone with an email address can sign up for Meet and enjoy many of the same features available to G Suite’s business and education users, such as simple scheduling and screen sharing, real-time captions, and layouts that adapt to your preference, including the expanded tiled view.
“With the lines blurred between work and home, Google Meet can offer the polish needed for a work meeting, a tiled view for your online birthday party and the security needed for a video call with your doctor,” said Javier Soltero, VP of G Suite. “We’re in the middle of a significant worldwide shift impacting communication from the workplace to schools to the home. People want familiar, secure tools that they can use across all facets of their lives.”
Google has invested years in making Meet a secure and reliable video conferencing solution that’s trusted by schools, governments and enterprises around the world, and in recent months has accelerated the release of top-requested features to make it even more helpful.
Whether it’s hospitals supporting patients via telehealth, banks working with loan applicants, retailers assisting customers remotely, or manufacturers interacting safely with warehouse technicians, businesses across every industry are using Meet to stay connected.
Google Meet: Built on a secure foundation
Meet is designed, built and operated to be secure at scale. Meet is hosting 3 billion minutes of video meetings and adding roughly 3 million new users every day. And as of last week, Meet’s daily meeting participants surpassed 100 million.
Privacy and security are paramount, no matter if it’s a doctor sharing confidential health information with a patient, a financial advisor hosting a client meeting, or people virtually connecting with each other for graduations, holidays, and happy hours.
Google’s approach to security is simple: make products safe by default. Meet was designed to operate on a secure foundation, providing the protections needed to keep users safe, their data secure, and their information private.
Here are just a few of the default-on safety measures:
- A strong set of host controls such as the ability to admit or deny entry to a meeting, and mute or remove participants, if needed.
- Anonymous users are not allowed to join meetings created by individual accounts.
- Meet meeting codes are complex by default and therefore resilient to brute-force “guessing.”
- Meet video meetings are encrypted in transit, and all recordings stored in Google Drive are encrypted in transit and at rest.
- The service does not require plugins to use Meet on the web. It works entirely in Chrome and other modern browsers, so it’s less vulnerable to security threats.
- Meet users can enroll their account in Google’s Advanced Protection Program.
- Google Cloud undergoes regular rigorous security and privacy audits for all its services.
- Your Meet data is not used for advertising, and Google doesn’t sell your data to third parties.
- Google operates a highly secure and resilient private network that encircles the globe and connects its data centers to each other, ensuring that your data stays safe.
Google has made available BeyondCorp Remote Access, a cloud-based, zero trust service that allows employees, contractors and partners to securely access specific corporate resources from untrusted networks without having to use the company’s VPN.
The goal is to keep companies with a suddenly massive remote workforce from overburdening their VPN infrastructure.
About BeyondCorp Remote Access
BeyondCorp Remote Access is a subscription-based service that is available through Google Cloud.
“This cloud solution — based on the zero trust approach we’ve used internally for almost a decade — lets your employees and extended workforce access internal web apps from virtually any device, anywhere, without a traditional remote-access VPN,” Google Cloud honchos Sunil Potti and Sampath Srinivas explained.
“Over time, we plan to offer the same capability, control, and additional protections for virtually any application or resource a user needs to access.”
Access to web apps and services is granted (or not) based on user identity, device identity, device security, location, and other metadata and signals collected through the browser or an endpoint agent that is installed on the user’s device (if the customer mandates it).
The web apps that can be accessed through the service can be hosted on Google Cloud, on other clouds, or on the customer’s premises. Enterprise admins can configure access policies for each app.
“For example, you can enforce a policy that says: ‘My contract HR recruiters working from home on their own laptops can access our web-based document management system (and nothing else), but only if they are using the latest version of the OS, and are using phishing-resistant authentication like security keys.’ Or: ‘My timecard application should be safely available to all hourly employees on any device, anywhere,’” the duo explained.
The company’s long-term plan is to “offer the same capability, control, and additional protections for virtually any application or resource a user needs to access.”
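The access model described here (a per-app policy evaluated against user identity, group, device posture, location and authentication method on every request) is easy to make concrete. The code below is an added example and is not Google’s implementation or BeyondCorp’s policy language: it encodes the two policies quoted in the article as data and evaluates constructed requests against them, default-deny. The group names, app names, OS version numbers and the set of methods treated as phishing-resistant are assumptions made for the example.

```python
"""Context-aware, default-deny access evaluation in the style the
BeyondCorp Remote Access announcement describes.

Added example, not Google's code. Policies are plain data; a request carries
the signals the article lists; evaluate() returns a decision and the reason.
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset[str]
    app: str
    device_managed: bool          # corporate-enrolled vs. the user's own laptop
    os_version: tuple[int, ...]   # reported by the endpoint agent or browser
    auth_method: str              # "password", "totp", "security_key", ...
    location: str                 # coarse signal, e.g. "home", "office", "unknown"


@dataclass
class Policy:
    name: str
    app: str
    groups: frozenset[str]                          # who the rule is for
    min_os_version: tuple[int, ...] | None = None   # None = no OS requirement
    require_phishing_resistant: bool = False
    allow_unmanaged_device: bool = True
    allowed_locations: frozenset[str] | None = None  # None = anywhere


# Constructed: the "latest version of the OS" the org accepts, and which
# authentication methods it treats as phishing-resistant.
LATEST_OS = (12, 0)
PHISHING_RESISTANT = {"security_key", "webauthn_platform"}

POLICIES = [
    # "Contract HR recruiters working from home on their own laptops can access
    #  our web-based document management system (and nothing else), but only if
    #  they are using the latest version of the OS, and phishing-resistant auth."
    Policy(name="hr-contractors-docs", app="doc-mgmt",
           groups=frozenset({"contract-hr-recruiters"}),
           min_os_version=LATEST_OS, require_phishing_resistant=True),
    # "My timecard application should be safely available to all hourly
    #  employees on any device, anywhere."
    Policy(name="timecard-hourly", app="timecard",
           groups=frozenset({"hourly-employees"})),
]


def evaluate(req: Request, policies=POLICIES) -> tuple[bool, str]:
    """Default-deny: grant only if some policy for this app and one of the
    user's groups is satisfied by every signal it constrains."""
    reasons = []
    for p in policies:
        if p.app != req.app or not (p.groups & req.groups):
            continue  # policy is about another app or another population
        if not p.allow_unmanaged_device and not req.device_managed:
            reasons.append(f"{p.name}: unmanaged device not allowed")
            continue
        if p.min_os_version and req.os_version < p.min_os_version:
            reasons.append(f"{p.name}: OS {req.os_version} below required {p.min_os_version}")
            continue
        if p.require_phishing_resistant and req.auth_method not in PHISHING_RESISTANT:
            reasons.append(f"{p.name}: auth method '{req.auth_method}' is not phishing-resistant")
            continue
        if p.allowed_locations is not None and req.location not in p.allowed_locations:
            reasons.append(f"{p.name}: location '{req.location}' not allowed")
            continue
        return True, f"allowed by {p.name}"
    if not reasons:
        return False, "no policy grants this group access to this app"
    return False, "; ".join(reasons)


# Constructed requests exercising the two quoted policies.
recruiter_ok = Request("r.singh@contractor.example", frozenset({"contract-hr-recruiters"}),
                       "doc-mgmt", device_managed=False, os_version=(12, 0),
                       auth_method="security_key", location="home")
recruiter_old_os = replace(recruiter_ok, os_version=(11, 4))
recruiter_password = replace(recruiter_ok, auth_method="password")
recruiter_wrong_app = replace(recruiter_ok, app="timecard")   # "and nothing else"
hourly_any_device = Request("j.doe@example", frozenset({"hourly-employees"}), "timecard",
                            device_managed=False, os_version=(9, 0),
                            auth_method="password", location="unknown")

if __name__ == "__main__":
    for r in (recruiter_ok, recruiter_old_os, recruiter_password,
              recruiter_wrong_app, hourly_any_device):
        print(r.user, r.app, "->", evaluate(r))
```

Because the decision is recomputed per request from current signals, a recruiter whose laptop falls behind on OS updates loses access to the document system on the next request without anyone revoking a VPN account, while the timecard policy stays permissive for its own population only.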
For many of the 70 million users Mitel supports each day, the COVID-19 crisis has turned remote working and real-time communications from a modern convenience into a necessity almost overnight.
Shelter in place orders, travel bans, and daily uncertainties have led to a surge in demand for technologies that can help organizations maintain operational continuity, respond to questions and concerns from customers, patients or students, and stay connected as humans.
Mitel, a global leader in business communications, and Google Cloud are enabling customers to adapt to this new way of working with secure, reliable and scalable solutions that allow users to communicate and collaborate from anywhere.
Mobility and remote working solutions from Mitel underpin operations for organizations including Nottinghamshire Health Informatics Services, Tulane Health Science Center, First Assistance, Anna Freud Centre, University of Liverpool, Anaheim Union High School District, Beaverton School District, Taft School, London Borough of Waltham Forest, City of Atlantic Beach, City of Porvoo, Feefo, Festival Foods and others around the world.
In recent weeks, Mitel assisted critical frontline healthcare facilities, statewide government agencies, schools and universities, and even major professional sports organizations in making the shift to this “new normal”.
With COVID-19, communications needs in the healthcare industry have pivoted from an efficiency driver to a critical, life-saving function for both patients and healthcare professionals.
Hit hard by the virus, a large hospital in Cuneo, Italy, was able to deploy hundreds of DECT phones in under 24 hours with the help of Mitel. In France, urgent requests from two regional hospitals led to delivery of hundreds of collaboration licenses in a single day and several hundred more a few days later.
Government and education
Soon after one of the first U.S. states issued an emergency declaration related to COVID-19, Mitel rapidly equipped its health department contact center agents and staff with work-from-home capabilities, enabling the department to respond to increased inquiries and keep citizens safe.
Mitel also helped a UK government organization enable 8,000 employees to work remotely while managing a deluge of calls from the public.
When the governor of Michigan made the state-wide decision to close schools, Zeeland Public Schools reached out to Mitel to set up softphone access for staff to work from home. The connectivity also allowed the district to coordinate meals for students as part of a special program.
Sports and entertainment
The staff of San Diego Padres are using MiTeam Meetings to collaborate with voice, video and chat while working remotely. In-office capabilities also extend to their mobile devices, giving everyone a way to instantly connect and respond to fans.
The San Francisco Giants are also keeping business operations running efficiently with softphone functionality, allowing front-office employees to make calls from their laptops and mobile devices.
As organizations look to quickly implement collaboration solutions that will support their new work requirements, Mitel has seen rapid growth in demand across its portfolio.
Teleworking licenses for Mitel’s collaboration applications have increased tenfold, while usage of the company’s virtual meeting and workspace solution, MiTeam Meetings, has grown by more than 500 percent.
Similarly, usage of the MiCloud Connect Teamwork collaboration application has doubled in recent weeks, and healthcare organizations have prompted a spike in demand for portable devices such as DECT phones.
However, many businesses are also now facing difficult choices as the operational and financial impacts of the pandemic begin to compound. Driven by an intense commitment to customers and partners, Mitel recently announced multiple special offers that provide financial relief for businesses while making it easy for them to be productive anywhere:
- Free MiCloud Connect services until 2021 – Built on Google Cloud, MiCloud Connect delivers an easy-to-use, all-in-one cloud communications solution with calling, conferencing, collaboration and contact center capabilities.
- MiTeam Meetings 6-month trial – Mitel’s business-class virtual meeting and workspace enables seamless transitions between video, chat and voice for truly collaborative team experiences.
- 50% off all self-paced training – All training courses are now available virtually and at discounted rates to support increased demand from customers and IT teams looking to help employees work from home effectively.
Cloud providers such as Google Cloud Platform, AWS, and Microsoft Azure work hard to be the service provider of choice for enterprise customers. They often push the envelope with specialized features and capabilities unique to each platform. These features can often add real value for certain industries and applications and help to differentiate the platforms from each other.
At the same time, the reliance on unique services across the various public clouds creates a barrier that inhibits enterprise customers from easily switching from one cloud provider to another or managing applications efficiently across a multi-cloud environment.
In addition, all the public cloud vendors have their own solution for encryption key management, which can be extended to specific applications for enhanced data protection. While this establishes a high degree of security, organizations lose control over the keys and give up the ability to easily migrate to different cloud platforms.
Many organizations start off with the intention of sticking to a preferred cloud provider. But over time, they may need to host certain applications or access certain services that are only available on certain clouds. When that happens, they invariably migrate to a multi-cloud environment. For smaller organizations, it may be possible to stay with a single provider, but as organizations grow, they have to consider going multi-cloud. And from a redundancy standpoint, having the ability to move from one cloud to another in case something happens is very attractive to larger organizations. Additionally, organizations may have an audit requirement involving backup or redundancy capabilities and simply can’t be sole source on a single vendor.
Furthermore, if the cloud provider generates and holds an organization’s cryptographic keys, the provider’s own staff could access the organization’s sensitive data if proper oversight and controls are not in place. And if the cloud provider is served with a legal order, it has no choice but to comply and hand over the organization’s keys.
Use your own keys
To address these challenges, cloud providers have introduced support for Bring Your Own Key (BYOK) that allows organizations to encrypt data inside cloud services with their own keys while still continuing to leverage the cloud provider’s native encryption services to protect their data.
Even with BYOK, keys still exist in the cloud providers’ key management service. But because keys are now generated, escrowed, rotated, and retired in an on-premises hardware security module (HSM), BYOK helps organizations to more fully address compliance and reporting requirements. Another benefit is that companies can ensure cryptographic keys are generated using a sufficient source of entropy and are protected from disclosure.
While BYOK offers increased control, it also brings additional key management responsibilities that are magnified in multi-cloud environments. Every cloud provider has its own set of APIs and its own cryptographic method for transporting keys. With AWS, you import key material into AWS KMS through the Management Console, the command-line interface or the API over TLS, after wrapping it under a public key that KMS issues for the import. Microsoft encrypts data at rest with Azure Storage Service Encryption and on the client side with the Azure Storage Client Library, and customer-managed keys must be stored in Azure Key Vault. Google Cloud Platform meanwhile has its own set of tools for managing keys for services such as Google Cloud Storage or Google Compute Engine.
Fundamentally, the processes, procedures and methods for managing keys are completely different across clouds, and not just from an API standpoint, but from architecture and process standpoints with each requiring different key management techniques. Needless to say, all this complexity and variability is the enemy of efficient operations and any missteps can put critical data at risk.
The irony is that at the end of the day, you’re trying to accomplish the same thing, namely encrypt application data in the cloud using keys. That’s also the good news. Because you have a singular goal of key management, many organizations are turning to centralized key management to manage the full lifecycle of cloud keys.
In the BYOK scenario, centralizing key management can offer significant advantages by allowing organizations to consolidate policies and procedures, develop consistent, repeatable, and well-documented practices, and – most importantly – reduce the risks of exposing keys.
As mentioned above, even with BYOK, organizations still have to leave a copy of their cryptographic keys with the cloud provider. To address this problem, cloud providers are starting to develop interfaces to allow their customers to fully utilize external key management systems. Not only will this give organizations complete control of their keys, but it points toward centralization as the accepted best practice for managing encryption across multiple cloud environments.
Given the broad trend toward multi-cloud and the challenge of key management across clouds, it is safe to assume that other cloud providers will add improved support for external key management. This will make it steadily easier to simplify key management across multiple clouds while retaining full control over your data and encryption keys.
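The import step described above, as an added example in Go that is not part of the article and not any provider’s code: an on-premises HSM generates and escrows an AES-256 key, wraps it with RSA-OAEP under the wrapping public key the provider’s KMS hands out, and the KMS unwraps it, uses it for AES-GCM on the customer’s behalf, and later deletes its copy while the escrowed original can be re-imported. The RSA-OAEP/SHA-256 wrapping, the 2048-bit wrapping key and the key IDs are assumptions for illustration; each provider’s import API specifies its own wrapping algorithms and parameters.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// OnPremHSM stands in for the customer's HSM: keys come from its own entropy
// source and stay escrowed locally; only a wrapped copy ever leaves it.
type OnPremHSM struct{ escrow map[string][]byte }

func NewOnPremHSM() *OnPremHSM { return &OnPremHSM{escrow: map[string][]byte{}} }

// GenerateKey creates and escrows a 256-bit AES key under keyID.
func (h *OnPremHSM) GenerateKey(keyID string) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	h.escrow[keyID] = key
	return key, nil
}

// WrapForImport encrypts the escrowed key under the provider's one-time wrapping
// public key. RSA-OAEP/SHA-256 is assumed here; each import API fixes its own scheme.
func (h *OnPremHSM) WrapForImport(keyID string, pub *rsa.PublicKey) ([]byte, error) {
	raw, ok := h.escrow[keyID]
	if !ok {
		return nil, fmt.Errorf("no escrowed key %q", keyID)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, raw, nil)
}

// ProviderKMS stands in for the cloud KMS. After import it holds the plaintext
// key: the customer controls generation and retirement, but a copy still lives
// with the provider, which is the BYOK limitation the article describes.
type ProviderKMS struct {
	wrapping *rsa.PrivateKey
	imported map[string][]byte
}

func NewProviderKMS() (*ProviderKMS, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048) // assumed wrapping key size
	if err != nil {
		return nil, err
	}
	return &ProviderKMS{wrapping: k, imported: map[string][]byte{}}, nil
}

func (p *ProviderKMS) WrappingPublicKey() *rsa.PublicKey { return &p.wrapping.PublicKey }

// ImportKeyMaterial unwraps with the private half that only the provider holds.
func (p *ProviderKMS) ImportKeyMaterial(keyID string, wrapped []byte) error {
	raw, err := rsa.DecryptOAEP(sha256.New(), nil, p.wrapping, wrapped, nil)
	if err != nil {
		return err
	}
	p.imported[keyID] = raw
	return nil
}

// DeleteImportedKeyMaterial retires the provider's copy; the HSM escrow allows re-import.
func (p *ProviderKMS) DeleteImportedKeyMaterial(keyID string) { delete(p.imported, keyID) }

// AEAD returns AES-256-GCM over the imported key, as the provider would use it
// to encrypt on the customer's behalf; it fails once the material is deleted.
func (p *ProviderKMS) AEAD(keyID string) (cipher.AEAD, error) {
	raw, ok := p.imported[keyID]
	if !ok {
		return nil, fmt.Errorf("key %q has no imported material", keyID)
	}
	block, err := aes.NewCipher(raw) // also rejects material of the wrong length
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	hsm := NewOnPremHSM()
	kms, err := NewProviderKMS()
	if err != nil {
		panic(err)
	}
	hsm.GenerateKey("orders-cmk") // constructed key ID
	wrapped, _ := hsm.WrapForImport("orders-cmk", kms.WrappingPublicKey())
	if err := kms.ImportKeyMaterial("orders-cmk", wrapped); err != nil {
		panic(err)
	}
	aead, _ := kms.AEAD("orders-cmk")
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	ct := aead.Seal(nonce, nonce, []byte("constructed sample record"), nil)
	kms.DeleteImportedKeyMaterial("orders-cmk")
	_, err = kms.AEAD("orders-cmk")
	fmt.Printf("ciphertext %d bytes; use after retirement: %v\n", len(ct), err)
}
```

The point to take from the sequence is that the HSM never reveals the raw key in transit, yet the provider still ends up with a usable plaintext copy after `ImportKeyMaterial`; only an external key manager, where the provider calls out for every operation, removes that copy. Deleting the imported material is what gives the customer the retirement control BYOK promises, and escrow is what makes that deletion reversible.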
ECS, a leader in advanced technology, science, and engineering solutions, announced an expansion of its services as a Google Cloud Platform (GCP) partner. Through the ECS Cloud Center of Excellence, ECS delivers solutions from leading cloud service providers (CSPs) to deploy mission-critical workloads to some of the largest organizations in the world.
As part of this ongoing commitment to meeting customer needs, ECS now delivers Google Analytics 360 and Google Maps solutions as part of its full-service GCP offering, along with cloud consulting, managed services, and full and direct resale access to all Google Cloud Platform services and regions worldwide.
The Google Analytics platform enables customers to gain valuable insights and information from their digital assets while the Google Maps platform provides organizations with real-world insights and immersive location experiences.
“As our customers’ digital transformation needs expand, ECS continues to evolve our capabilities to meet these requirements,” explained ECS Vice President of Cloud John Sankovich.
“We’re pleased to expand our Google Cloud partnership to include delivering Google Analytics and Google Map platforms to support enhanced digital insights and agile user experiences enabled with rich location data.”
ECS offers customers capabilities in analytics intelligence and reporting, and solutions to facilitate digital modernization and machine learning. ECS has built a cloud practice based on deep expertise of cloud offerings from the world’s leading CSPs, and delivers agile, secure solutions to defense, federal civilian, and commercial clients.
ECS cloud architects and team members hold professional technical and product certifications in cloud to assist companies and organizations along every stage of the cloud adoption lifecycle.
Attivo Networks, the award-winning leader in deception for cybersecurity threat detection, announced the availability of its ADSecure solution for Google Cloud’s Managed Service for Microsoft Active Directory (AD).
The Google Cloud team has reviewed the Attivo solution, which runs alongside Google’s managed service and reduces the risk of attack escalation for organizations that use it to host Active Directory.
Active Directory is estimated to be used by over 90% of businesses to organize users, computers, and services. Attackers target it frequently because it is a centralized directory that they can use to understand the network and gain the privileges that they need to advance their attacks.
The requirement for open access and the availability of automated tools designed to help attackers break into AD make protecting this environment a challenge.
The Attivo ADSecure solution detects unauthorized queries within the managed AD service to reduce the risk of successful enumeration. The solution alters the query response and returns deceptive objects that misdirect attackers to a decoy when they try to use them.
By detecting unsanctioned access to AD, security teams receive alerts early in the attack lifecycle, and the attacker is less likely to get the critical AD information they were seeking.
Additionally, the ADSecure solution reduces the attack surface by misdirecting attackers into a deception environment that safely gathers TTPs (Tactics, Techniques, and Procedures) to aid in the development of company-specific threat intelligence and accelerated response.
Further, the solution operates without altering the production AD, eliminating a critical adoption barrier presented by alternative security solutions.
“With more and more organizations moving to the cloud, there is a heightened need to protect their directory services located in the cloud,” said Marc Feghali, VP of Product Management for Attivo Networks.
“For Google Cloud customers that are using a managed Active Directory service, the additional protection of ADSecure helps keep attackers from successfully querying Cloud Service Objects, domain controllers, Cloud OU resources like privileged users, computer groups, service accounts, and built-in privileged groups.”
“Customers are using our service to simplify AD deployment, management, and security in the cloud without managing infrastructure,” said Siddharth Bhai, Product Manager for Google Cloud. “They can now leverage ADSecure to further reduce the risk of attack escalations against their deployments.”
Cybercriminals were able to register malicious domains under generic top-level domains (gTLDs), and subdomains at several IaaS services, that imitate legitimate, prominent sites, because Verisign and those services allowed specific characters that look very much like Latin letters, according to Matt Hamilton, principal security researcher at Soluble.
To demonstrate the danger of these policies, he registered 25+ domains that resemble a variety of popular domains by using a mix of Latin and Unicode Latin IPA homoglyph characters.
“This vulnerability is similar to an IDN Homograph attack and presents all the same risks. An attacker could register a domain or subdomain which appears visually identical to its legitimate counterpart and perform social-engineering or insider attacks against an organization,” he pointed out.
Some homograph domains had already been registered
During this research he also discovered that, since 2017, more than a dozen homograph domains that imitated prominent financial, internet shopping, technology, and other Fortune 100 sites, have had active HTTPS certificates – meaning: they’ve already been registered.
“There is no legitimate or non-fraudulent justification for this activity (excluding the research I conducted for this responsible disclosure),” Hamilton noted, and posited that this technique was used in highly targeted social-engineering campaigns.
He also discovered that Google, for example, also allows the registration of bucket names that use Unicode Latin IPA Extension homoglyph characters. In fact, it also allows the registration of subdomains which contain mixed-scripts (e.g., Latin and Cyrillic characters), which should also be a no-no.
Mitigation and remediation
Hamilton contacted Verisign (which runs the .com and .net domains) and Google, Amazon, Wasabi and DigitalOcean (IaaS providers) in late 2019 and shared his discovery.
Everyone confirmed the receipt of the responsible disclosure report, but only Amazon and Verisign (so far) did something about the problem.
“Safeguarding the stability, security and resiliency of the critical infrastructure we operate is our top priority. While the underlying issue described by Mr. Hamilton is well understood by the global Internet community – and is the subject of active policy development by ICANN – we appreciate him providing additional timely details about how this issue may be exploited,” a Verisign spokesperson noted.
“Although we understand that ICANN has been on a path to address these issues globally, we have also proactively updated our systems and obtained the necessary approval from ICANN to implement the changes to the .com and .net top-level domains required to prevent the specific types of confusable homograph registrations detailed in Mr. Hamilton’s report.
Amazon changed its S3 bucket name validation policy to prevent registration of bucket names beginning with the punycode prefix “xn--”, preventing the use of these and all other Unicode homoglyphs.
Hamilton also pointed out that any TLD which allows Latin IPA characters is likely affected by this vulnerability, but that the majority of the most popular sites on the internet use gTLDs (namely .com).
He advises users who discover that someone has registered a homograph of one of their domains to submit an abuse report to the appropriate organization.
He has also promised to soon make available a tool that will help organizations generate homographs for their domains and discover whether they’ve been registered in the last few years.
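To make the checks in the report concrete, here is an added example in Go, not Hamilton’s tool and not from the article, that folds a hostname to a confusables skeleton, reports IPA Extensions code points separately from a Unicode-style mixed-script check (the gap the report exploited, since Unicode counts IPA as Latin), compares the result against a list of protected domains, and applies a bucket-name rule modelled on Amazon’s fix. The confusables map is a constructed subset of the Unicode table, the sample hostnames and the A-label `xn--oogle-qmc` are constructed, and treating ASCII digits and hyphen as Latin and rejecting every non-ASCII bucket name are simplifications of this example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Constructed subset of the Unicode confusables table: IPA Extensions and
// Cyrillic code points mapped to the ASCII letter they resemble.
var confusables = map[rune]rune{
	'\u0261': 'g', // LATIN SMALL LETTER SCRIPT G
	'\u0251': 'a', // LATIN SMALL LETTER ALPHA
	'\u0269': 'i', // LATIN SMALL LETTER IOTA
	'\u0430': 'a', // CYRILLIC SMALL LETTER A
	'\u0435': 'e', // CYRILLIC SMALL LETTER IE
	'\u043e': 'o', // CYRILLIC SMALL LETTER O
	'\u0440': 'p', // CYRILLIC SMALL LETTER ER
	'\u0441': 'c', // CYRILLIC SMALL LETTER ES
}

// scriptOf buckets a rune for the mixed-script check. Unicode puts the IPA
// Extensions block (U+0250..U+02AF) in the Latin script, so a registry that only
// rejects mixed-script labels lets an IPA homograph through; we report it apart.
func scriptOf(r rune) string {
	switch {
	case r < 0x80:
		return "ASCII" // letters, digits, hyphen: treated as Latin below
	case r >= 0x0250 && r <= 0x02AF:
		return "Latin-IPA"
	case unicode.Is(unicode.Latin, r):
		return "Latin"
	case unicode.Is(unicode.Cyrillic, r):
		return "Cyrillic"
	}
	return "Other"
}

// Skeleton folds confusables to their ASCII look-alikes and lowercases, so
// visually identical labels compare equal (NFKC folding would be the next step).
func Skeleton(s string) string {
	var b strings.Builder
	for _, r := range s {
		if m, ok := confusables[r]; ok {
			r = m
		}
		b.WriteRune(unicode.ToLower(r))
	}
	return b.String()
}

// Classify reports whether a label mixes Latin with another script and whether
// it contains IPA Extensions code points, which stay single-script by Unicode rules.
func Classify(label string) (mixedScript, hasIPA bool) {
	families := map[string]bool{}
	for _, r := range label {
		switch s := scriptOf(r); s {
		case "ASCII", "Latin-IPA":
			hasIPA = hasIPA || s == "Latin-IPA"
			families["Latin"] = true
		default:
			families[s] = true
		}
	}
	return len(families) > 1, hasIPA
}

// LookAlikes returns the protected domains that hostname is a homograph of.
func LookAlikes(hostname string, protected []string) []string {
	var hits []string
	skel := Skeleton(hostname)
	for _, p := range protected {
		if !strings.EqualFold(hostname, p) && skel == strings.ToLower(p) {
			hits = append(hits, p)
		}
	}
	return hits
}

// BucketNameAllowed models the rule Amazon adopted: reject names carrying the
// "xn--" A-label prefix. Checking every label and refusing non-ASCII outright
// are additions of this example, not Amazon's documented validation.
func BucketNameAllowed(name string) bool {
	for _, label := range strings.Split(name, ".") {
		if strings.HasPrefix(strings.ToLower(label), "xn--") {
			return false
		}
		for _, r := range label {
			if r >= 0x80 {
				return false
			}
		}
	}
	return true
}

func main() {
	protected := []string{"google.com", "amazon.com"}
	// Constructed samples: IPA script-g, two Cyrillic o's, and the genuine name.
	for _, h := range []string{"\u0261oogle.com", "g\u043e\u043egle.com", "google.com"} {
		mixed, ipa := Classify(strings.SplitN(h, ".", 2)[0])
		fmt.Printf("%s mixed=%v ipa=%v lookalike=%v\n", h, mixed, ipa, LookAlikes(h, protected))
	}
	fmt.Println("bucket xn--oogle-qmc allowed:", BucketNameAllowed("xn--oogle-qmc")) // false
}
```

Run against a certificate-transparency feed or a zone file, `LookAlikes` is the check an organization would apply to find registrations of its own homographs; the `Classify` output shows why a mixed-script rule alone is insufficient, since the IPA sample is single-script yet folds to `google`.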
Snowflake combines its cloud-native data platform with Google Cloud’s AI, ML and analytics capabilities
Snowflake is now available in the us-central1 (Iowa) and europe-west4 (Netherlands) regions with additional regions coming later this year. Combined with the new database replication feature, Snowflake makes it easy for customers to migrate their data to Google Cloud or keep their database data synchronized between multiple cloud providers for business continuity.
General availability of Snowflake on Google Cloud is a continuation of the company’s commitment to providing customers with the flexibility of choosing a preferred- or multi-cloud environment that best supports their business and users.
Clearbanc, an equity-free VC alternative, is also leveraging Snowflake on Google Cloud to drive business growth. “Clearbanc is rapidly scaling our business in 2020, and seamless access to insights derived from all of our data is essential,” said Vikas Gandhi, VP of Data at Clearbanc.
“Snowflake on Google Cloud delivers the scale, performance and ease-of-use we need to enable real-time data analytics. It drives our strategies to streamline services, operations, and grow our network.”
In addition to general availability of Snowflake on Google Cloud, the cloud data platform company will launch integrations with Google Cloud’s big data analytics platform later this year, including:
- Snowflake Connector for Spark running in Google Cloud Dataproc
- Snowpipe continuous data ingestion using Google Cloud Pub/Sub
- Cloud Data Fusion, Google Cloud’s data integration service
- Cloud Dataflow, Google Cloud’s fully-managed service for stream and batch processing
- Artificial Intelligence (AI) Platform Notebooks
“Organizations need the ability to make decisions based on increasingly large volumes of data, often spread across multiple cloud and on-premises data sources,” said Kevin Ichhpurani, Corporate Vice President, Global Ecosystem at Google Cloud.
“We’re delighted to partner with Snowflake to help them do so, and to make Snowflake’s data platform available to more organizations in Google Cloud.”
“General availability of Snowflake across all three major public clouds is a key milestone in addressing demand from our customers and providing choice,” Snowflake Senior VP of Product Management, Christian Kleinerman said.
“Snowflake enables organizations to give their users secure and governed access to data that’s needed to propel the business forward. The possibilities of what can be achieved with fast and scalable access to data are even more vast now that custome
As organizations move more of their businesses to the cloud, better control over data and activities in the cloud, as well as preventing privilege misuse, becomes critically important.
Building on their existing global alliance, Deloitte and Google Cloud announced that together they will leverage the strength of their portfolios in cyber and cloud solutions to provide customers with end-to-end secure cloud transformation services and solutions in support of their digital transformation journeys and to better combat cyber threats.
“The increasing integration, interconnectedness, and data exchange of our businesses and lives create shared vulnerabilities where a problem in one area can quickly cascade into another.
“By building security into these environments, organizations can better protect their data, privacy, and operations,” said Deborah Golden, U.S. cyber leader, Deloitte Risk & Financial Advisory, and principal in Deloitte & Touche LLP.
“Together with Google, we are supporting secure transformative change for our clients, something that all organizations should prioritize, and can enable them to be better secured in their critical cyber and cloud needs.”
“For enterprise customers moving to the cloud, security isn’t an afterthought, it’s at the top of every CIO’s list, and in general is a board level topic,” said Sunil Potti, vice president engineering at Google Cloud Security.
“Building in the right security processes and controls from the beginning of the cloud journey can significantly reduce risks and costs for customers, and so we are delighted to be collaborating with Deloitte to help deliver end-to-end security services and solutions to our joint-customers.”
As a Google Cloud Security Premier Partner, Deloitte offers cloud security services to its clients globally and helps assist Google Cloud Platform customers address security, privacy and compliance related risks as they migrate and transform their business in the cloud.
As part of growing the alliance, Deloitte will offer Google Cloud customers cloud security solutions in the areas of security monitoring and threat response, zero trust, identity and access management (IAM) and data security.
- Security monitoring and threat response: Provide next-generation capabilities that can help organizations proactively detect, continuously monitor and respond to unauthorized activity before it can adversely affect networks.
- Zero trust: Establish and operationalize a zero trust architecture and program to continuously monitor and authenticate users — constantly determining their level of risk based on who they are, what they access, and when and where they do it from.
- Identity and access management: Enhance a digital transformation strategy and lay the foundation to leverage new data-driven identity models as they evolve.
- Data security: Provide a suite of services designed to help organizations address data risk management challenges and help them understand the value of their data and privacy considerations, as well as to operationalize their data risk governance program.
Deloitte also has been recognized as Google Cloud’s Global Services Partner of the Year, for its solutions related to analytics, machine learning, cloud-native application development, SAP, security, workload migration, and managed services.
This second consecutive win for Deloitte underscores the strength of its relationship with Google Cloud and the breadth of solutions the two organizations offer their clients.
STEALTHbits, a leading cybersecurity software company focused on protecting an organization’s sensitive data and the credentials attackers use to steal that data, announced support for Google Cloud’s Managed Service for Microsoft Active Directory as it joins Google Cloud’s Partner Advantage program.
Google’s Managed Service for Microsoft Active Directory (AD) is a highly available, hardened Google Cloud service running actual Microsoft AD enabling customers to manage cloud-based AD-dependent workloads, automate AD server maintenance and security configurations, and connect on-premises AD domains to the cloud.
STEALTHbits Technologies saw an opportunity to continue to co-innovate with Google Cloud and offer a consistent security approach across cloud, on-premises, and hybrid environments.
“At STEALTHbits, we work to secure every organization’s most valuable targets – their credentials and data,” said Rod Simmons, VP of Product Strategy for Active Directory.
“Whether operating Active Directory in a purely on-prem, cloud-based, or more commonly, hybrid environment, our customers can achieve the visibility and security they need with our flexible, innovative, responsive Active Directory security solutions,” Simmons continued.
“Customers today are deploying Active Directory on Google Cloud and across hybrid and multi-cloud environments, and they need to ensure the highest levels of security at each point,” said Manvinder Singh, Director, Partnerships at Google Cloud. “We’re excited to partner with STEALTHbits to help them do so.”
Leveraging StealthAUDIT and STEALTHbits Privileged Activity Manager (SbPAM) solutions, customers obtain critical capabilities around auditing, reporting, governance and privileged access management for their Google Managed AD environment.
“Our just-in-time (JIT) privileged access solution, SbPAM, no longer focuses on privileged accounts, but rather the privileged activity, or action, the user wishes to perform,” said Martin Cannard, VP of Product Strategy – Privileged Access Management at STEALTHbits.
“Through the use of our zero standing privileges (ZSP) approach with STEALTHbits Privileged Activity Manager, organizations can finally reduce their threat surface and fix the problem at the source by eliminating the vast majority of privileged accounts, and removing administrative privileges when not in active use,” Cannard continued, “SbPAM provides just enough privilege, just in time, regardless of whether the environment is hosted on-prem, or Google’s Managed Service for Active Directory.”
Awake can now protect organizations’ hybrid and Google Cloud deployments with its AI-based platform that detects and responds to threats such as lateral movement, especially as adversaries now attempt to traverse from on-premises to the cloud and vice versa.
Awake on Google Cloud enables businesses to enhance their cloud security, identify compromised instances, ensure regulatory compliance through security monitoring and prevent service delays and application unavailability.
“With the growing popularity of hybrid cloud, networks have grown incredibly complex. Monitoring activity on the network is the best way to ensure both security and performance, but doing so for the new network, across cloud and IoT, has proven challenging,” said Rahul Kashyap, CEO of Awake Security.
“By allowing for the collection and inspection of network traffic at scale, Google Cloud’s Packet Mirroring service is opening new doors that will enable businesses to hunt down and prioritize threats with visibility and speed that weren’t possible before.”
As one of a select set of partners leveraging Google Cloud’s new Packet Mirroring service, the Awake Security Platform seamlessly monitors traffic to, from and within the cloud, automatically profiling, classifying and assessing the risk to every workload.
Harnessing the power of AI to detect malicious intent across hybrid-cloud as well as IoT and OT networks, Awake prioritizes and enables rapid response to threats in the cloud and on-premises from a single, integrated console.
Moreover, as more than 86% of customers have a multicloud strategy according to Forrester, Awake delivers these key capabilities to customers not just on GCP but also on Amazon Web Services and Microsoft Azure.
Across all of these, the Awake Security Platform also enables full packet forensics, supporting audits, investigations and compliance with regulations like PCI-DSS.
“Traffic visibility is critical to prevent security breaches and attacks as networks grow in complexity,” said Mahesh Narayanan, product manager at Google Cloud.
“With Packet Mirroring, our customers now have a way to proactively detect network intrusions, analyze, and diagnose application performance issues for both Compute Engine and Google Kubernetes Engine, across all regions and machine types.”
Qumulo, the leader in enterprise-proven hybrid cloud file storage, announced the availability of its file storage software in the Google Cloud Platform (GCP) Marketplace. Qumulo for GCP provides enterprise organizations with scalable file storage in the cloud that efficiently uses cloud-based resources to minimize solution costs.
“At Google Cloud we’re committed to providing customers with the right technology, flexibility and choice they need to succeed with the cloud,” said Manvinder Singh, director, partnerships at Google Cloud.
“It’s exciting to see the work that Qumulo and Google Cloud Platform are achieving together to advance workloads in the cloud. This collaborative solution is a great example of innovation made possible by the confluence of strong partnerships and technology.”
Gartner predicts that by 2021, more than 75 percent of midsize and large organizations will have adopted a multicloud and/or hybrid IT strategy.
The announcement underscores Qumulo’s commitment to bringing high performance, scalable file storage to the cloud, and complements Qumulo’s presence in the Amazon Web Services (AWS) Marketplace. The Qumulo file system scales across on-prem, hybrid cloud and cloud environments, and is now available for purchase in the GCP Marketplace and the AWS Marketplace.
Qumulo’s multicloud strategy makes it easy for organizations to store, manage, and access their data, workloads and applications in either GCP or AWS. Qumulo also enables data replication between clouds for migration or multi-copy requirements.
Qumulo provides a complete set of enterprise features in the cloud including support for high-performance NFS & SMB, real-time data analytics and visibility, directory-based capacity quotas and snapshots. Data can quickly and easily be moved between clusters in data centers on-prem and within Qumulo cloud clusters with continuous replication.
Scaling to billions of files, and tens of petabytes, Qumulo solutions provide customers with file storage for the most demanding workloads. Its scale-out NAS enables extreme performance and is configurable to support a wide range of compute-intensive workloads such as VFX rendering, data analytics, artificial intelligence and genomic sequencing.
“Qumulo’s mission is to help our customers unleash the power of their file data, whether it’s on-prem or in public cloud platforms like GCP. We are excited by the power GCP offers our customers as they look for seamless solutions to scale their business and leverage the unique capabilities of the cloud,” said Molly Presley, global director product marketing, Qumulo.
“For global enterprises, public cloud providers are helping to revolutionize the storage industry and enable true digital transformation.”