Google Cloud CEO: SLSA Adoption Would’ve Muted SolarWinds Hack

Adoption of Google Cloud’s Supply-chain Levels for Software Artifacts (SLSA) security framework would have protected organizations from the SolarWinds cyberattack by alleged Russia-backed hackers, according to CEO Thomas Kurian.

The software supply chain is a vector of threats that other cloud providers had not anticipated, Kurian said.

“We had anticipated that,” Kurian said in an exclusive CRN interview ahead of the Google Cloud Next ’21 conference that started today. “Not only did we build the technology in a secure way, but we’re now making it available to customers to use in a secure way. We have now taken that framework and, working with NIST (the U.S. Department of Commerce’s National Institute of Standards and Technology), are making it available to the entire software industry, because that framework would have protected against SolarWinds.”

Pronounced “salsa,” SLSA is a source-to-service security framework for ensuring the integrity of software artifacts by helping to protect against unauthorized changes to software packages throughout the software supply chain. It’s based on Google’s internal Binary Authorization for Borg (BAB), a deploy-time enforcement check designed to minimize insider risk by ensuring that production software and configuration deployed at Google is properly reviewed and authorized, especially if that code has the ability to access user data. Google has been using BAB since 2013 and requires it for all of its production workloads.

The SolarWinds hack, which ensnared Microsoft and breached U.S. federal government agencies and private sector companies, first was detected last December. Suspected Russian intelligence attackers injected malicious code into Austin, Texas-based SolarWinds’ Orion network monitoring platform that was downloaded into as many as 18,000 of its customers’ computer networks. Last month, Microsoft said the hackers behind SolarWinds also had developed a backdoor that exfiltrates sensitive information from compromised Microsoft Active Directory Federation Services servers.

Kurian pointed to both the increasing number of cybersecurity threats and the variations of those threats.

“A year ago, if somebody said ‘will your software supply chain be a source of vulnerability’…we at Google felt it would be, which is why we had built the technology that we now make available through this framework we call SLSA,” he said. “But most companies had not thought about it. Every time there’s a new boundary of how technology can be adopted, or a boundary where there’s a concern about a particular area…we’re always evolving our technology to meet those needs.”

Growth Area For Google Cloud

Cybersecurity is a new area of significant growth for Google Cloud, according to Kurian.

“We are seeing very, very strong interest in from customers,” Kurian said. “There’s almost a breach a week happening, and many customers have asked us how can Google help protect our system. So we offer products, we offer solutions, we offer advisory services. And that’s an area where new partners are building business with us, including…managed security service providers, many ISVs — Palo Alto (Networks), Fortinet, F5 Shape. There’s a long list of them.”

Google Cloud unveiled several new cybersecurity partnerships at Next ’21 in addition to a new Google Cybersecurity Action Team.

Its new Work Safer Program, launching today with cybersecurity partners CrowdStrike and Palo Alto Networks, is designed to help organizations and their employees and partners collaborate and communicate securely and privately in hybrid work environments.

Cybereason, which provides operation-centric cyberattack protection, is expanding its partnership with Google Cloud. Chronicle, Google Cloud’s security analytics platform, will power the Boston-based company’s Extended Detection and Response (XDR) service, providing a cloud-native XDR solution that automates prevention for common attacks, guides analysts through security operations and incident response, and enables threat hunting.

“We want to provide customers the best choice of the best technologies to use in concert with us,” Kurian said.

The new Google Cybersecurity Action Team will be comprised of experts from across Google and will provide strategic security advisory services, trust and compliance support, customer and solutions engineering and incident response capabilities.

Google Cloud’s Security Edge

Kurian outlined several primary benefits — in addition to protecting against more threat vectors and partnerships with ISVs — that he said give Google Cloud’s security an edge over that of chief competitors Amazon Web Services (AWS) and Microsoft Azure.

“First of all, we’ve made security much simpler for people by building it into the products,” Kurian said. “An example: Every organization wants to run communications and collaboration security. We’ve been in the market since 2004…when Gmail was launched. I think if you went out and looked at the (NIST’s National Vulnerability) database…we’ve never had a breach. We built technology into the way that Gmail works and our collaboration tools work — the same thing with GCP (Google Cloud Platform) — to make it much simpler.”

The “concrete proof” of Google Cloud’s security edge is its Risk Protection Program that gives customers access to a specialized cyber insurance policy from Allianz Global Corporate & Specialty (AGCS) and Munich RE, according to Kurian. The Risk Manager security diagnostic tool allows customers to measure and manage their risk on Google Cloud and obtain reports on their security postures that can be sent to AGCS and Munich Re, who can use them to assess customers’ underwriting eligibility for the Cloud Protection + policy.

“When you talk to executives, one of the key metrics that people struggle with is every cyber incident is a ‘black swan’ event, meaning the day before the cyber incident, the company thought it was secure, then the cyber incident happens,” Kurian said. “More importantly, they did not even know that they had been hacked for many months in certain cases. One of the challenges that everybody has had with cybersecurity is can you measure, manage and insure cyber risk?”

‘Immensely Safer Bet On Google Cloud’

SADA, a Los Angeles business and technology consultancy and Google Cloud Premier Partner, made the decision to go all in on Google Cloud in part because it’s so confident in the advantages Google’s security posture, according to chief technology officer Miles Ward.

“I have to make this bet with every customer that SADA serves — that we’re going to be able to keep them safe — and that is an immensely safer bet on Google Cloud,” he said.

Google Cloud’s security edge over AWS and Microsoft Azure is rooted in the sheer size of Google and its level of investment in security, according to Ward.

“Google is bigger,” Ward said. “It gets attacked more. It has more systems that are exposed to public internet traffic than Microsoft and Amazon combined. There are 10 products with over a billion users — there’s 2 billion Android users alone. So the level of persistent, nation-state-level attacks that go on against Google internationally has just forced a whole bunch of rigor that the other providers have never really had to deal with.”

An example of that rigor at the technology level is Titan, according to Ward. Titan is Google’s purpose-built chip to establish hardware root of trust for machines and peripherals on cloud infrastructure. It allows Google Cloud to more securely identify and authenticate legitimate access at the hardware level.

“Having a physical component that they can cryptographically confirm as a part of every device in the software supply chain, that’s enormous,” Ward said.

But there remains a lot of room for Google Cloud to make its security tools easier to use with better training materials, and make it simpler for users migrating from less secure systems into more secure Google systems, according to Ward.

“It’s kind of like, you can have a better padlock than everybody else, but if you’re not using it, it doesn’t count,” Ward said. “The overall solution from Google has to also include all of those pieces, and that’s certainly a spot where they can invest more.”RELATED TOPICS:

Back to Top

Leave a Reply

Your email address will not be published. Required fields are marked *