Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

Cloud CISO Perspectives: January 2023

Published 02/27/2023

Home
Industry Insights
Cloud CISO Perspectives: January 2023

Originally published by Google Cloud.

Written by Phil Venables, VP and Chief Information Security Officer, Google Cloud.

Welcome to January’s Cloud CISO Perspectives. This month, we’re going to catch up with a few of the cloud security megatrends that I described a year ago, and see how they and the cloud security landscape has evolved.

Checking in on two megatrends

In January 2022, I described eight security “megatrends” that drive technological innovation and improve the overall security posture of cloud providers and customers. I posited that while it’s true – with significant effort and resources – an on-premise computing environment can achieve the same level of security as a cloud environment, the base security of the cloud coupled with a suitably-protected customer configuration is stronger than most on-premise environments.

These megatrends are unique because they’re going to guide security and technology development for far longer into the future than a traditional trend cycle – hence, the “mega.” While in the original blog, I explored economies of scale, shared fate, the value of healthy competition, increasing deployment velocity, simplicity, and sustainable sovereignty, I’d like to focus today on two of the most vital megatrends: the cloud as a digital immune system and software-defined infrastructure.

All of these megatrends are interconnected in one way or another, but the idea of the cloud as a digital immune system drives home the point that improving security in the cloud can improve it for all, even those organizations who don’t operate in the cloud. In order for defenders to succeed in tamping down on threat actor innovations, the defender’s Observe-Orient-Decide-Act (OODA) loop must outpace the attacker’s OODA loop. The fast feedback loop of global attack observability and rapid cloud response helps tilt the advantage in favor of defenders.

Taking advantage of the cloud as an immune system can happen almost passively. When cloud providers such as Google Cloud update products with new security features or even stronger default configurations, there’s often not much action that a customer organization must take in order to take advantage of the new features.

Just because your IT team hasn’t experienced a security problem first-hand doesn’t mean you have to wait to take advantage of a security update that eliminates or protects against that problem. When we understand that the cloud can function as a digital immune system, it can help reduce and even eliminate security threats as more organizations move to the cloud and undergo their digital transformations. It will continue to help protect organizations in 2023 and beyond.

The software-defined infrastructure megatrend, which is part of the overall shift towards infrastructure-as-code, also drives the advantage of cloud over on-prem. This means that cloud configurations are inherently declarative and programmatically configured. Configuration code can be overlaid with embedded policy intent, creating policy-as-code and controls-as-code.

This is vital to cloud security because it can help you verify that the configuration an IT team is using exactly corresponds to its specific security requirements. Policy-as-code and controls-as-code can help prevent breaches that occur due to a control not being deployed when it should have been.

These megatrends will continue to create a flywheel of innovation for security that will drive costs down and accelerate security initiatives. Staying aware of how they are guiding our industry can only help ensure that we are creating a more secure cloud environment for all.

Google Cloud Security Podcasts

We launched a weekly podcast focusing on Cloud Security in February 2021. Hosts Anton Chuvakin and Timothy Peacock chat with cybersecurity experts about the most important and challenging topics facing the industry today. This month, they discussed:

  • The view from the security architect’s perch: Michele Chubirka, senior cloud security advocate at Google Cloud, chats about her favorite cloud migration success stories — and those that didn’t go quite so well. She discusses the important lessons that can be learned from cloud failures, and how even those missteps can make cloud security better. Listen here.
  • Softbank’s migration and CISO evolutions: Gary Hayslip, CISO at Softbank, talks about his organization's cloud migration, the challenges he faced, how his team designed its security controls, and how the role of the CISO is changing. Listen here.
  • The Mandiant perspective on security incident response: Nader Zaveri, senior manager of IR and Remediation at Mandiant, now part of Google Cloud, sheds light on cloud security incident response do’s, don’t’s, and do-more-of’s. Listen here.
  • How do you Zero Trust your workloads? Anoosh Saboori, former Product Manager at Google Cloud, goes in-depth on BeyondProd, how it differs from BeyondCorp, and what we’re talking about when we talk about Zero Trust. Listen here
C-LevelEnhancing cloud security strategy

Share this content on your favorite social network today!

Latest from CSA
Mark Your Calendar for Cyber Monday!
Map the Transaction Flows for Zero Trust
Advance AI Risk Management
Enhance your cloud security skills with CSA's online training options.
Related Articles:
How Cloud-Native Architectures Reshape Security: SOC2 and Secrets Management

Published: 11/22/2024

It’s Time to Split the CISO Role if We Are to Save It

Published: 11/22/2024

The Lost Art of Visibility, in the World of Clouds

Published: 11/20/2024

Group-Based Permissions and IGA Shortcomings in the Cloud

Published: 11/18/2024