Google's plan to win the cloud war hinges on its security aspirations

VP Sunil Potti talks strategy with The Register


Interview: Google's quest to steal cloud customers from rivals Amazon and Microsoft will be won – or lost – based on its strength as a cybersecurity provider.

The web giant is pumping billions of dollars into its security offerings so that this big bet will pay off. This includes mergers and acquisitions as well as building out technologies to work across AWS, Azure, and on-premises environments.

Though the ultimate goal remains moving large organizations to Google Cloud, helping customers shore up their network and computer defenses during that transition is a key aim, according to Google Cloud Security VP Sunil Potti. 

"Your overall security hygiene dramatically improves if most of your workloads are on a cloud," Potti said in an interview with The Register. "That's our end game, our true north. But along the way, we have to help modernize security because the adversaries are not waiting."

This deliberate security strategy within Google Cloud started about three and a half years ago – before SolarWinds marked the beginning of this era of wide-reaching supply-chain attacks in enterprise IT. Instead of just selling Google as a cloud services provider, "we intentionally decided … we are a brand in security," Potti said.

It became both a strategic move and a differentiator for Google, which remains the number three cloud provider – or sometimes further down the list – after Amazon and Microsoft, depending on which market share report you read. 

Customers want to talk about multi-cloud even before they are ready for it and while they are still on a single cloud, such as Amazon Web Services or Azure. Before a customer has even committed to using Google Cloud Platform, Google hopes it can at least tempt the client with its security protection technologies. In other words, ensure customers can pick up Google Cloud as a security provider, at least, if not a full cloud platform.

"In reality, what happens is that somebody starts with one cloud, gets to critical mass, and then they expand to other clouds," Potti said.

"So while we are waiting on those multi-cloud decisions, what if you could revector down from the CIO to the CISO's office, and in the CISO's office, find a way to have them embrace safety like we would inside Google, but without necessarily having to come to Google Cloud?"

Becoming a security brand

Google's answer to this was Anthos – its multi-cloud platform that launched in 2019. It allows customers to run Kubernetes workloads in their datacenters and on Google Cloud Platform as well as on AWS and Azure. 

And it gave security a starring role. The platform drew on its BeyondCorp approach to security that Google had started developing in 2010, after Chinese cyber-spies successfully infiltrated it and other Silicon Valley tech giants' networks and stole intellectual property. 

The security breach spurred Google to shift access controls from the network perimeter to individual users and devices – what has since become the zero-trust buzzword.

Also in 2019, Google moved its Chronicle security analytics platform – which had spun out of Alphabet into a standalone startup – back into its cloud security fold. 

Around this time, security became a major pillar of Google Cloud, and Google "invested heavily in its standalone security products," Potti recalled. "We've got infrastructure, we've got Workspace, we've got data and analytics, and ML-AI, and then we've got the security cloud," he said.

We're told Google tries to take a different approach to that of its rivals.

"With Amazon, you have to be in Amazon to taste the rest of the security capabilities," Potti claimed. "You can't modernize your security operations center (SOC) if you're not on Amazon completely. You can't adopt a zero-trust posture for all your enterprise and your contractors" if you're not all-in on Amazon.

Meanwhile Microsoft "wants to be an end-all, be-all" for security products and software in general, he argued. "The analogies that you hear about Microsoft having the fire in the forest and then also charging as a forest ranger," he quipped.

Potti claimed Google's strategy differs from its two main cloud competitors in a couple of key ways. First, its security products work across a customer's environment, not only inside Google Cloud. And second, instead of offering a general-purpose security stack, "we chose a few markets as first-priority markets that we fundamentally believe are most critical to be reimagined, and bottled all those learnings into a few big market segments," he explained.

Self-driving SOC

The security operations center (SOC) is one of these segments. It's an area where Google is using its internally developed tech combined with acquisitions to move customers to "self-driving" operations, Potti said.

In its second-biggest acquisition ever, Google inked a $5.4 billion deal to buy Mandiant, which would bring that firm's threat detection and intelligence, as well as its advisory services and incident response, into Google Cloud. It's worth noting Microsoft also reportedly explored a Mandiant buyout, and that fell through.

Potti couldn't discuss the Mandiant deal, which is also the subject of a lawsuit. But in March, when Google announced the planned acquisition, the cloud provider said it planned to incorporate Mandiant's services into its security operations portfolio of products.

This includes BeyondCorp Enterprise for zero trust, VirusTotal for software vulnerabilities, Chronicle's security analytics and automation, and Google Cloud's newly announced Cybersecurity Action Team.

For example, "security operations tools within Google Cloud's Chronicle, Siemplify solutions and Mandiant's Automated Defense help customers analyze, prioritize and streamline threat response and leverage Mandiant's expertise as a virtual extension of their teams," according to a Google statement at the time. 

A couple of months before announcing the Mandiant deal, Google reportedly paid $500 million to acquire Siemplify to roll security orchestration, automation and response (SOAR) into Chronicle – which already provided security information and event management (SIEM) and analytics capabilities.

Endpoint, XDR partners

Additionally, Google partners with endpoint and extended detection and response providers including CrowdStrike, Palo Alto Networks, and Cybereason, which provide their own security services on top of Google's Chronicle and BeyondCorp enterprise suite "for more of a complete offer," Potti noted. 

In addition to partnering with the endpoint detection and response outfit, Google also invested $50 million in Cybereason late last year. 

These moves aim to help customers transition "from manual security operations to automated security operations to autonomic security operations," Potti said.

Automating security only gets organizations about halfway to the goal, he explained. "The moment you unlock your ability to store unlimited amounts of data – like petabytes of data coming from your DNS system or your endpoint – you can go beyond automation to what I call autonomic operations."

This makes real-time context – and using AI combined with real-people threat hunting teams to analyze massive amounts of data to find potential threats – increasingly important, Potti said. 

He used a nation-state attack on a bank in Europe as an example of Google using both organic and inorganic security capabilities to move to autonomic security operations in other territories. 

"Whatever intelligence I can gather from the front line," he explained, "can permeate … to every other customer subscribing to the service in real time." And with that knowledge in the system, Potti said, "the chance of recognizing that actor if it shows up in Atlanta as a zero-day attack improves dramatically." ®

