Google’s Office of the CISO Points the Way Towards Scaling Security

5 years ago Chris Hudson

Amazon’s, Google’s and Microsoft’s experiences with building massive infrastructures for the world allow for some fascinating insights into the future of IT security at scale. As a result, when Google published The CISO’s Guide to Cloud Security Transformation earlier this year, I was curious about what priorities they saw in cloud security. It’s a short read, and it’s well worth the time invested in downloading a copy.

I want to share my observations on some of the most interesting points that align with my own experiences and thinking.

Cultures of Security

The six core “cultures” are categorized to succinctly capture several important perspectives on security: Security by Default, Responsibility, Awareness, Inevitability, Review and Sustainability. In traditional security thinking, concepts such as responsibility, awareness and review are very well known and understood, but the ideas of Security by Default and Inevitability offer an almost nihilistic view that too few in the sector have embraced.

The idea that you have to act with security in mind all the time yet still expect it to fail sometimes is something that requires acknowledgment in the same way we approach health and safety in the “real world.” For instance, we build mechanisms to provide safety at all times whilst still including additional methods of reducing the negative effects when something does go wrong. As a more concrete example, we have long accepted the idea that we should have fire-resistant and fire-retardant materials in our homes and offices, but that doesn’t mean we forgo having fire extinguishers and escape plans as additional precautions to reduce the damage in the event that the protections fail to prevent every fire.

Super-Scaling Security

On the subject of scale, the contrast between a reduced attack surface and the massive scale of online operations also shows why it’s important to reevaluate some traditional processes. For too long, we have taken an approach to IT security that depends on maintaining small, manageable infrastructures that simply don’t reflect the level of demand on today’s IT systems. As we have outgrown these “single server” solutions, in many cases our methods for managing and securing the new infrastructure sprawl have not scaled up proportionally: poorly matched manual methods consume lots of human resources and thus prove inadequate to protect these larger infrastructures, regardless of whether they are on-premises or cloud-based. The shift to an always-secure cloud that’s constantly updated by the vendor, with security features enabled by default, thus makes a great deal of sense, especially when trying to reflect a world with not just massive variations in the scale of deployed server infrastructure but also a diverse variety of threats operating against small, medium and enterprise-sized businesses.

As a result of the challenges posed by scale, the idea of deploying and managing infrastructure as code makes a lot more sense, too. Adopting the decades of refinement in testing, compartmentalizing components and other methodologies that have made software development more robust than ever before becomes a logical way of managing infrastructure. When this approach to deploying infrastructure becomes the norm, so too can the idea of baking security into every deployment activity. With a solid model in place, getting security in early ensures not just a “security by default” stance but also improved recognition and acceptance of security from the start.
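As an added illustration of baking security into each deployment (not code from the TripWire post or from Google’s guide), here is a small policy-as-code gate in Python that a pipeline could run over an infrastructure-as-code manifest before anything is created, so settings that violate a security-by-default stance are caught at review time. The manifest format, the resource fields and the three rules are assumptions made for this example, not any vendor’s schema.

```python
"""Added example: a policy-as-code gate over an infrastructure-as-code
manifest. Manifest schema and rules are constructed for illustration."""
import json

# Constructed sample manifest, loosely modelled on cloud resource declarations.
SAMPLE_MANIFEST = json.dumps({
    "resources": [
        {"name": "logs-bucket", "type": "storage_bucket",
         "public_access": True, "encryption_at_rest": False},
        {"name": "web-sg", "type": "firewall_rule",
         "ingress": [{"cidr": "0.0.0.0/0", "port": 443},
                     {"cidr": "0.0.0.0/0", "port": 22}]},
        {"name": "db", "type": "database",
         "encryption_at_rest": True, "public_access": False},
    ]
})

# Remote-administration ports that should never be exposed to the whole internet.
ADMIN_PORTS = {22, 3389}


def check_manifest(manifest_json):
    """Return a list of (resource, rule) violations; an empty list means pass."""
    findings = []
    for res in json.loads(manifest_json)["resources"]:
        name = res["name"]
        # Rule 1: nothing is reachable from the internet unless explicitly declared.
        if res.get("public_access", False):
            findings.append((name, "public_access_enabled"))
        # Rule 2: encryption at rest is the default; opting out is a finding.
        if "encryption_at_rest" in res and not res["encryption_at_rest"]:
            findings.append((name, "encryption_at_rest_disabled"))
        # Rule 3: admin ports must not be open to 0.0.0.0/0.
        for rule in res.get("ingress", []):
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS:
                findings.append((name, f"admin_port_{rule['port']}_open_to_world"))
    return findings


def deployment_allowed(manifest_json):
    """Pipeline gate: deploy only when the manifest produces no findings."""
    return not check_manifest(manifest_json)


if __name__ == "__main__":
    for resource, rule in check_manifest(SAMPLE_MANIFEST):
        print(f"BLOCK {resource}: {rule}")
    print("deploy allowed:", deployment_allowed(SAMPLE_MANIFEST))
```

Run as a required step before the apply stage, the gate fails the pipeline on the first manifest above and passes once the bucket is made private and encrypted and port 22 is restricted to an admin range.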

Roles and Responsibilities

Finally, the idea of further refining the roles of security in the cloud is one that should be seriously explored. From Policy and Risk Management to Security Assurance, it’s important to recognize that cloud infrastructure can bring about a number of significant changes to the roles of those involved with security, which in turn requires additional time investments within organizations.

Going beyond the security-specific roles, the security interfaces within application and infrastructure engineering also need to be adjusted when adopting or expanding in the cloud. As such, it’s heartening to see the Google whitepaper stressing the importance of education to ensure everyone can play a part, thus further strengthening the commitment to enable people to work with security by default.

CISO’s Insights

There are more security insights in the whitepaper than I’ve covered here, including some useful remarks around designing your security operating model. Together, these insights make it a valuable piece of reading. For my part, I will be keeping an eye out for the six “cultures” in the weeks, months and years ahead.

The post “Google’s Office of the CISO Points the Way Towards Scaling Security” appeared first on TripWire.

Source:TripWire – Chris Hudson
