The Secure Path is the Easier Path: 10 Questions with Google CISO Phil Venables
I had the opportunity to speak with Phil Venables, CISO of Google Cloud, for the latest episode of Tech Matters. We had an engaging conversation around the current and future state of the cloud security space, and Phil shared some great advice for both companies and individuals on how to reduce security risks. You can listen to our full conversation or read the highlights below.
Sri: Phil, how are the best companies in the world innovating and protecting their customers, their infrastructure, and their platforms from known and emerging attacks?
Phil: The first thing organizations must do to create a sustainable secure environment is to modernize their IT environment. There have been plenty of cases out there over the last decade where companies have invested a lot in cybersecurity or security products but have not upgraded their overall IT infrastructure or modernized their approach to software development. That is just like building on a foundation of sand. It may look okay initially, but ultimately degrades over time.
In fact, some of the reasons why people see cloud as less of a risk to be managed and more of a means to manage their risks is because a lot of the security features are baked into these services. Companies are getting more mature, but there are still many companies that have challenges in moving from the old to the new while still sustaining day-to-day operations.
Sri: Strong security is always built on strong philosophies and strong principles. I know at Google you believe in the concept of “defense in depth.” Can you talk about what that means?
Phil: Classically, defense in depth is to not rely on any one control as being the only thing that is between you and a bad event occurring. Typically, when you think about defense in depth, you have to understand where all your assets are and what threats and risks could occur to those assets. One of the things that is quite common in a lot of security breaches is that organizations have multiple controls acting as defense in depth, but they do not monitor whether those controls continue to be operational.
Therefore, when they need the control at the time of an attack, it is not there to stop the attack. The other way to think about this is defense in depth against configuration errors that could ultimately result in vulnerability in your environment. So, you have to complement your processes to specify the controls that should exist across multiple different risk types, not just cyber. This could be reliability, change management, or other risk mitigations, but people have to think about how to make sure configuration error is equivalently defended against.
Sri: Hygiene around the integrity of the environment is foundational to any security posture. You must go all the way from your hardware up to the application and the network edge. At the same time, you have to make sure that this is not just about vulnerabilities and that you're also getting common vulnerabilities and exposures (CVEs) on, but also gaps that may exist on internal controls and processes. You must know how you manage your infrastructure and applications as well.
Phil: That is right. You could see just as many exposures and events occur even if a company is perfectly patched against all the latest vulnerabilities. They can still misconfigure their environment and leave themselves wide open to attack. This is exactly why you have to balance these things.
Sri: In the last six months, we have seen an increase in both the sophistication and scale of attacks. We saw supply chain attacks create a lot of damage in the industry, and ransomware attacks are now up to one a day. Tell us about how the industry needs to start thinking about protecting against these kinds of attacks and ensuring that they have the protections to continue to build trust with customers, but also protect their own platforms and employees.
Phil: On ransomware, companies have got to think across the whole spectrum of cybersecurity. In other words, across the whole framework of identify, prevent, detect, respond, and recover. On the identify piece, organizations have to understand their assets - where the IT assets are, how their business services are operating, and where all the data is. They have to think about preventative controls that protect those assets as well as detection and response to deal with active events.
But, with ransomware especially, you’ve got to know - not just think - that you have the ability to recover. If you ask companies, "Do you have great backups?" and the answer is yes, those are often the same companies that may struggle through a ransomware event because they didn’t adequately test the ability to use their backups. We encourage organizations to not just take backups, but to really focus on testing regularly, so they can recover to a clean environment from backups. That true test of recoverability is critically important.
On the supply chain risk issues, a lot of organizations are reorganizing their software supply chains given this new type of threat environment: understanding your end-to-end software development life cycle, your external dependencies, and then how you protect the build systems that you're operating to make sure they cannot be compromised. This is where cloud providers and other service providers helping you to modernize your applications and technology overall is crucial.
Sri: On your Twitter feed, you state that attackers have bosses and budgets too. What do you mean by this statement?
Phil: There is often a lot of mythology around attackers. Attackers are rational economic actors like everyone else. They have bosses and budgets. Generally speaking, even for nation states, they have fixed objectives, with fixed budgets, and constraints that they operate under. Similarly, organized criminal groups have an investment and a plan to get a return on that investment, and want to get in, get out, make some money, and reinvest some of that into R&D (Research & Development) for the next attack.
The reason it is worth thinking about this is that it means that organizations can often play a game of economics against attackers. If you can make life more difficult for them, throw sand in the gears of their processes, and make yourself comparatively harder to attack, then you tilt the game somewhat in your favor.
Sri: What are your opinions on using hackers to improve your own company's security posture through a bug bounty program or other programs of a similar nature?
Phil: I am a huge supporter of bug bounty programs and, in full disclosure, I am on the board of HackerOne, which is one of the preeminent and earliest bug bounty companies. The reason I like bug bounty programs is that even if you have a great software security program, a great internal vulnerability management program, a great internal penetration testing program, and a great internal red team program – there will still be vulnerabilities that slip through.
So most organizations realize that they at least need to have a vulnerability disclosure program such that they can get such reports and act on them. Then when you go to the next step to run a bug bounty program, it is generally good to have one of the various bug bounty companies help with logistics and management.
Sri: You often talk about shared fate as against shared responsibility. Can you tell us about what that means and why providers like Google Cloud must practice this?
Phil: The shared responsibility model says that cloud providers operate a set of services in a secure way. As a customer, when running on the cloud, you also have some part of that responsibility to make sure that what you deploy is configured and secured appropriately. Therefore, there is a shared responsibility between the cloud provider and the customer.
When Google started talking about this move from shared responsibility to shared fate, it was a recognition that in certain cases cloud providers can appear to hide behind that line of shared responsibility when something goes wrong. When a customer misconfigures something, the cloud provider might seem to put their hands up and say, “Well look, that was not on our side of the shared responsibility divide.”
At Google we think about how we move from shared responsibility to truly recognizing that we have a shared fate with our customers. This encourages us to reach across that line of shared responsibility to just say, how can we help customers more? And it drives an internal philosophy that I think is quite different compared to where it has been in providers historically - like, what is our choice of secure defaults? For example, we encrypt all our storage by default, so customers do not have to think about flicking an encryption switch on storage buckets. We just do that for them.
Sri: How can we take that partnership further and have the industry in general collaborate better on security to build trust in digital interactions, commerce, and payments?
Phil: There has been a lot of success in industry sharing within each sector and between the public and private sector, and between tech companies and customers. I think, however, that the challenge is that the sharing today is very threat and vulnerability centric.
One of the things that we do not share enough is when a bad thing has happened - what actually went wrong. Going forward, we need to share more root cause analysis to learn new patterns on how we operate the environment. That is the next level of sharing - sharing future design patterns for how to effectively manage risk and operate security.
Sri: What advice do you have for our customers? And by our customers, I mean the people around the world, all our customers. What advice do you have for employees within tech companies in terms of choices, methods, and protections that they need to take more seriously and start to consider by themselves on top of the platforms, products and services that are already provided?
Phil: You can think about employees as customers of your own IT infrastructure. In many respects, the answers are quite similar. I may have an unusual opinion on this, although I think there are a lot of people starting to agree with me: I do not think we should necessarily feel that we have to deeply educate customers and employees about all aspects of cybersecurity. Rather, the focus should be to give them secure products and services to use that make security easier, as well as default choices that lead to the right security outcome.
We need to surround our customers and employees with these defenses such that they only become apparent when they're starting to hit the edge of certain things. Ultimately, this is about making these capabilities intrinsic to what people do in a highly usable way that is conformant with the types of activities they want to do. I think that's what customers and employees should expect.
Sri: This has been a fascinating conversation about the breadth and depth of security today. Thank you so much for being with us and sharing all your wisdom.
Phil: It has been a pleasure, and I am certainly a very happy customer of yours as well.
Founder of Cyb3rSyn Labs | Helping accelerate the transition away from mainstream management practices
3y: Thanks for sharing - that was a terrific listen! Phil Venables is one of those rare System Thinkers in the security community who always advocates about the need to think of the whole and knows that security, developer productivity, agility, etc. are not (and cannot be) zero sum games.
CISO | I help business Leaders solve AI & Cloud Challenges!
3y: Very insightful, thanks for sharing Sri Shivananda!
Engineering Manager at Google
3y: Very insightful. Thanks for sharing the transcript Sri.
Giving employees 'secure' products and services is something I don't hear often, and wished was practiced more.