Google Cloud: When it comes to cyber risks, we’re all in it together
A Google employee rides a bike on the Google campus.
Image: Google
For Jeanette Manfra, director of risk and compliance at Google Cloud, overseeing the cybersecurity of a wide range of technical infrastructure and services is nothing new.
She previously served as Assistant Director of the Cybersecurity and Infrastructure Agency (CISA), where she led the Department of Homeland Security’s mission to protect and strengthen America’s critical infrastructure from cyber threats and its efforts to secure the 2018 midterm elections from digital interference.
Roles like these saw Manfra become one of the most influential cybersecurity officials in the US government, helping to shape strategies to improve business and infrastructure cybersecurity, before transitioning to the private sector in December 2019.
Now, Manfra’s role is to help many more businesses improve their cybersecurity positioning through cloud computing. That starts by taking the cybersecurity strategy Google uses to secure its own networks and applying it to cloud services used by clients and individual users.
“You can’t have that transactional relationship. You can’t say ‘you’re responsible for this, it’s not my problem’ – you have to be invested in the success of customers who meet their obligations – we think of it as a shared destiny, we’re in this together,” says Manfra.
SEE: A winning strategy for cyber security (ZDNet Special)
Manfra believes the adoption of cloud services is a key means of achieving this shared approach, especially if businesses are still running on legacy IT systems, something she says leads to “significant security vulnerabilities”.
These flaws can be in terms of using software or operating systems that are no longer supported, or older software and networked systems that have simply been forgotten and no longer receive security updates.
This is a cybersecurity problem in almost every industry, but legacy technology continues to form the backbone of many critical services to society, including critical infrastructure, schools and hospitals – and cybercriminals know it, as shown by the scourge of ransomware that is particularly problematic for organizations in these sectors. .
“They tend to target the most vulnerable—people who don’t have a lot of cybersecurity resources, who have a lot of issues with legacy technology, but they’re also doing mission-critical jobs. Closing schools, closing hospitals, you name it basic functions of society—and many of these organizations have a significant legacy of IT,” says Manfra.
While he says there is “no silver bullet” for ransomware, Manfra says Google Cloud is working with various organizations and bodies to help fight it.
“We feel passionate about having a big leadership role in the safety and security of the entire ecosystem. So we partner with many organizations that want to fight ransomware, everything from political organizations that want to identify criminals to those that ask about how you can to collectively build tools, so you can better understand the threat across ecosystems on a global scale.”
Manfra suggests that digital transformation and moving towards a cloud-based model can go a long way in protecting organizations from ransomware and other intrusive cyber attacks.
“Adopting the cloud makes you a harder target; you inherit security controls, you move away from legacy IT.”
However, adopting the cloud for business and security reasons doesn’t mean it can be set up and left alone – the tools are there to help organizations manage their cyber security posture and must be used properly. A poor approach to cloud cybersecurity can let hackers in, Manfra points out.
“Some organizations think ‘I’m fine, all my security is outsourced.’ This is not the case; you have to recognize that your attitude to risk is different now, your responsibilities are different and you have to understand what that means for your organization,” says Manfra.
The success of cyber security, crucially, is not only in the technology – but also in the people who use it and must be equipped to work in the new environment. While moving to the cloud can mean systems are more up-to-date, issues plaguing IT—such as bad passwords, unpatched software, and lack of multi-factor authentication—can leave holes in networks.
SEE: Securing the Cloud (ZDNet Special Feature)
Google uses a trustless cybersecurity model, where implicit trust in the user is removed and authentication or validation is required at every step of interaction with digital systems. Manfra says it’s something other companies could use.
“We’ve seen a lot of internal benefits from adopting that model. And as organizations can mature their security capabilities, they really need to think about how they can adopt zero trust. Pick areas where you know you have potential risk and apply zero trust principles,” she says.
The zero-trust model means that users must repeatedly verify their identity, creating a better chance of keeping accounts and information secure. That’s the approach the White House is encouraging federal agencies to take.
However, zero trust also relies on organizations knowing their networks extremely well, along with knowing their most sensitive data, where it is stored and who has access to it. Developing this awareness can be a challenge, especially if information security is run on a shoestring budget or businesses are still in the early stages of their cybersecurity journey.
The public sector is often among the slowest when it comes to digital transformation. Manfra says her experience in that arena shows that it’s possible to change views and advance a cloud-based security strategy, even if it’s difficult to do so—and that, in the end, this approach will ultimately benefit everyone.
“I appreciate where people have come from in the last 10 years or so, trying to embrace this new world, but doing it in a way that doesn’t break the organization, that you can manage as a security professional, and that’s challenging,” she says.
“But you’re leveraging your commitment to digital transformation and also changing the way you do security compliance.”
Deploying a cloud-based strategy, especially when cybersecurity is involved, can prove to be a difficult task, and there are potential pitfalls to overcome, particularly around identity and access, and the vulnerabilities that could exist if security is not managed properly.
According to Manfra, many potential problems can be managed if they are discussed at the beginning of digital transformation, rather than adding security later.
The key to this proactive attitude is understanding what data you have, how it is managed and how to protect it. Knowing these things can provide a great starting point for a robust cloud security strategy.
“If you understand where your data is and you understand the value of that data, and you optimize your resources to ensure strong protection of that data and partner with a cloud provider, you’re going to be in a much better position. place than you are right now,” says Manfra.
Comments are closed.