Security in the cloud

Security is one of the biggest issues of our time. Countless companies and governments have lost data because of security incidents. And just one breach could cost millions in fines and lost business—and most importantly, lose customer trust.

As a result, security is increasingly top of mind for CEOs and Boards of Directors. That’s why, this week, I’ll join Google Cloud CEO Diane Greene and many of our colleagues in New York, where we’ll meet with more than 100 CEOs to discuss security in the cloud.

At its most basic level, security is a human issue. Whether performed by individuals or organizations, cybersecurity attacks are ultimately carried out by people, regardless of motive.

Often these attacks rely on exploiting human nature, such as through phishing emails. And it’s people that they ultimately affect. By some accounts, 179 million personal records were exposed just in 2017 through data breaches.

And as a human issue, security is something we can tackle together.

Leveraging the cloud to protect against threats

Cloud providers offer a vast army of experts to protect against threats—one far larger than almost any internal team a company could invest in. In fact, if businesses were to go it alone, there wouldn’t be enough security professionals in the world to adequately protect every single company and their users.

In industries from financial services to healthcare to retail, companies are relying on the automation and scale offered by the cloud to protect their data and that of their customers—allowing their employees to focus on building their business. Many are coming to the same conclusion we have: In many cases, if you’re not moving to the cloud, you’re risking your business.

Take the CPU vulnerabilities that were disclosed in January, for example. These were major discoveries; they rocked the tech industry. But for the most part, cloud customers could go about their business. Here at Google Cloud, we updated our infrastructure through Live Migration, which required no reboots, no customer downtime, and did not materially impact performance. In fact, we got calls from customers asking if we had updated our systems to protect against the vulnerabilities—because they experienced no impact.

These won’t be the last security vulnerabilities to be uncovered; humans will never write perfect code. But the cloud makes it much easier to stay on top of them. The scale of the cloud security teams that find and mitigate emerging threats, the ability to update many systems at scale, and the automation to scan, update and protect users all contribute to cloud’s unique position to keep information and people secure.

Security at Google Cloud

Security has been paramount to Google from the very beginning. (I would know!) We’ve been operating securely in the cloud for almost 20 years, and we have seven apps with more than a billion users that we protect from threats every single day, and GCP itself connects to more than a billion IPs every day. We believe that security empowers innovation—that if you put security first, everything else will follow.

Security is in the details—and we pay attention at the most granular level. We were the first to introduce SSL email by default in 2010, we created the U2F security token standard in 2014, Chrome was the first browser to support post-quantum crypto in 2016, and in 2017 we introduced Titan, a purpose-built chip to establish hardware root of trust for both machines and peripherals on cloud infrastructure. These examples show the level of depth that we go into when thinking about security, and the role we take in pushing the industry forward to stay on top of evolving threats.

In addition, Google’s Project Zero team hunts for vulnerabilities across the internet, and have been behind the discoveries of “Heartbleed” as well as the recently-discovered “Spectre” and “Meltdown.” We also provide incentives to the security community to help us look for and find security bugs through our Vulnerability Reward Program.

We know how complex the security landscape is, and we’ve spent a lot of time thinking about how to solve this tough challenge. We’ve developed principles around security that define how we build our infrastructure, how we build our products, and how we operate.

For example, we believe it’s not enough to build something and try to make it secure after the fact. Security should be fundamental to all design, not bolted on to an old paradigm. That’s why we build security through progressive layers that deliver true defense in depth, meaning our cloud infrastructure doesn’t rely on any one technology to make it secure.

Now more than ever, it’s important for companies to make security an utmost priority and take responsibility for protecting their users. That’s true for Google too. At the end of the day, any organization is accountable to people above all, and user trust is crucial to business. If we don’t get security right, we don’t have a business.

That’s one of the reasons why I’m so passionate about cloud as a means to improve security. Google has always worked to protect users across the internet. With Google Cloud, we’re extending those capabilities to help businesses protect their users as well.

In the coming days, we'll share more about how we're pushing cloud security forward. Stay tuned.