CSO Perspectives (Pro) 3.1.21
Ep 40 | 3.1.21

Pt 2 - GCP security from a university’s CISO perspective.

Transcript

Rick Howard: Last week, I did a solo deep dive on the Google Cloud Platform, or GCP, in terms of cybersecurity first principle thinking, and I'm so glad that I did. I discovered that Google's approach to zero trust, one of my four main first principle strategies, is fundamentally different than the approach taken by Microsoft Azure and Amazon AWS. I mean, it's not just a little bit different, like how all the cloud vendors have different product names for similar services and provide them in slightly different ways. I'm talking about a fundamentally different architecture.

Rick Howard: Google's marketing name for this little bit of internet disruptive engineering is BeyondCorp, and they implement the concept with two SaaS products called Identity Aware Proxy, or IAP, and their Cloud Identity Access Management system, or IAM. And I have to say that after all the online things I've read and listened to these past few weeks, from blogs to podcasts to YouTube videos, the GCP zero trust architecture BeyondCorp is totally brilliant and, in hindsight to me, so obvious that we all should do it this way that I found myself slapping the back of my head for not having thought of it myself. I guess that's why I'm just a poor CSO grinding away day by day in the trenches of the CyberWire's networking dungeons and not one of Google's site reliability engineers pulling in the big bucks in their pristine campus in Silicon Valley. 

Rick Howard: My name is Rick Howard. You are listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. On this episode, I asked an old military friend of mine, Bob Turner, the CISO for the University of Wisconsin at Madison, to join me at the CyberWire's Hash Table to talk all things GCP. 

Rick Howard: He's prior Navy, but let's not hold that against him. And here's the thing - for the small sample size of the CyberWire's Hash Table of experts - I think we have some 23 CISOs and thought leaders now - the only one out of the group that has even dipped their toes in the GCP pool is Bob. For the others, they mostly occupy the Amazon AWS environments for virtual workloads and Microsoft Office 365, you know, for email and whatnot. And admittedly, Bob is not running the university's crown jewel workloads in GCP yet, but he is finding ways to experiment with university not critical workloads in GCP because he knows it's a better model and the university must eventually end up there. 

Bob Turner: The thought process is we've already got workloads deployed in the others, and so to apply their individual zero trust solutions will be rethinking architecture. And we are just now creating workloads that we're going to deploy in GCP, and we've got a couple up there already, but they're not ones that I would be, you know, wanting zero trust on anyway. So we have an opportunity now, and what we're doing is we're really boning up and studying up and we actually have engineers looking at, OK, what does that really mean? But the thing that is our sales pitch here is that Google has been doing this for a while. 

Rick Howard: What Bob is talking about is the story I told in the last episode when, after Google got hit by a massive Chinese cyberespionage campaign in 2009 and then went public with the information in 2010, the Google site reliability engineers decided to rebuild their internal networks from the ground up, using zero trust as the linchpin to the entire plan. They rolled it out first to their employees, this BeyondCorp architecture, and then, when they released GCP to the masses in 2012, BeyondCorp came along with it. 

Rick Howard: Instead of providing many different ways to deploy zero trust configuration options, like Amazon and Microsoft did, that relied on the customer to implement, Google baked it into their cloud service. And by the way, when Google went public in 2010 that they had been breached, they were the first public company to ever do so. Before Google did this, most commercial companies wouldn't even consider telling the world that they had been breached if they didn't have to for fear that their reputation would be permanently damaged. Fast forward a decade later - there are so many commercial and government organizations going public with their breach info that you can't keep track of them all. We've come a long way, baby, and you can thank Google for breaking the dam. But for GCP, like Bob said, this BeyondCorp has been around for a while, since 2012 or so - longer if you count Google's internal implementation. And those are internet years, which are very similar to dog years. 

(SOUNDBITE OF DOG BARKING) 

Rick Howard: Nine years in the tech community is really like, you know, some 56 human years. 

Bob Turner: The thing that I found amazing is it is very consistent as far as the architecture goes. And normally, you know, when somebody first puts their first release out, there's a world of difference between release 1 and release 2.0. 

Rick Howard: Bob uses this great analogy. He says that BeyondCorp is like the old muscle cars that started to show up back in the 1940s and '50s, high-performance vehicles that hit the streets fully formed, ready to drag race. The first muscle car came out in 1949, the Oldsmobile Rocket 88. But the first one that Bob can remember is the Mustang Mach 1 that came out in 1971, and I loved those paint jobs with the flames rolling down the side bumpers. They looked so cool. 

Bob Turner: The Mustang Mach 1 was one of the first ones that I can remember as a kid growing up, and it was built with everything it needed in it to be the most high-performance vehicle possible. So GCP, I think, is the first cloud component that was built with this engine in it. And I thought, we have to try to figure out how to get ahold of that. And now we have workloads lined up and, you know, kind of ready to go, so flame on. 

Rick Howard: But according to Bob, Google got the basics of zero trust right. 

Bob Turner: Put the basic components of zero trust together. It's know the user, know the rules and the behavior and then what device are they on? And if that device and the user seem to match, then what are the rules that are applying, you know? And it kind of goes on from there. And when you look at BeyondCorp in some of the early papers that I was reading, I mean, they did. They built it that way. Developers love it. I'm told that from a data accessibility and data manipulation standpoint, it is really well built. And I'm also told that even down to costing, I mean, the tiers, the contractual tiers that are set up there, it is so simple. 

Rick Howard: Before this project, Bob had been doing some thinking about how to deploy zero trust at the university. He even had John Kindervag come up to speak at his annual security conference. John is the guy who wrote the original white paper on zero trust when he was working for Forrester back in 2010. As I have said in previous shows, the ideas around zero trust had been kicking around from various sources all through the 2000s, but John is the guy who corralled all of those ideas into something coherent. 

Bob Turner: I have met John Kindervag. He came up and talked at our Lockdown conference. It might have been 2018 that he came up. And so I'm saying, zero trust, oh, and I went back, and I flipped through John's paper. And he had not indicated cloud as part of that because I think that was kind of precloud. So I started pulling a thread, and I said, you know, what does this really mean? And I started, you know, doing my research and finding the papers. 

Bob Turner: When we first were doing the contracting with GCP, we were kind of looking at, you know, what are the security issues that they're bringing to the table? Because I didn't know much about them at the time. And so my analyst that was looking at it said, hey, they got this here zero trust thing. That opened up my eyes to say, let's look deep. Let's figure out how this works. It took a little while for the contracting issues to get solved, but once we got it solved, I said, you know, why don't we figure out what the workloads are going to be and how we're going to deploy them? And let's try to see if we can get one up there that would really benefit by this built into GCP the way that we can know that it comes as part of the apparatus. 

Bob Turner: We're kind of slave to the academy and the researchers, right? And it really depends on their movements where we go. The reason why we're in GCP at all is thinking about which researchers in other organizations that we do work with, what do they have? What are they bringing to the table as a primary engine if we're joining them? And if we're designing a research environment, then we're designing it to be able to go with the larger initiatives. 

Rick Howard: The big data lake project that Bob is using GCP for is something called the Unizin Data Platform. It's a data analytics project designed to improve the delivery of university-level digital content with the goal to be the world's largest learning laboratory dedicated to improving the craft of education, which begs the question, what do you call all of that big data flowing in and out of Google? 

Bob Turner: That's the big pile of data in Google, or, I don't know, does data travel in gaggles in Google? Anyway, Unizin is a big data management thing, and it's built on GCP. Our university happens to be one of the founders and sponsors, and my CIO sits on the Unizin board. It's basically a data lake. I mean, it's more than a data lake. It's a data ocean (laughter). 

Rick Howard: Yeah (laughter). 

Bob Turner: The idea is researchers from pretty much any of the consortium members can go in and get data and do what they need to do with the data to learn and then put the data back in rich so somebody else can take it to that next step. We're talking about research on education data. So they take a feed from Canvas or whatever their learning management system is, and they deidentify the data. So it's just white male student of 22 years old, and he's in a, you know, computer science curriculum. So now that data is available, how that student is performing in class and how they performed in, you know, core classes in undergrad - math, science, English - and then how well are they performing in their major? 

Rick Howard: With Bob spouting off about his gaggle of Google data and his muscle car analogies, you might get some sense of his Midwestern sense of humor crossed with his U.S. Navy time, but wait till you hear how he describes cyberattacks coming after his university. We were talking about conducting risk assessments with GCP telemetry, and then he said this. 

Bob Turner: I can do a risk assessment going in. And I can say here's how they're built and here's how they work. But the real risk assessment I need to be doing is while things are operating. What are my conditions of weirdness, cyber shenanigans, whatever you want to call them? Conditions of weirdness - that's an... 

Rick Howard: OK. 

Bob Turner: ...official Wisconsin term because conditions of weirdness - C-O-W - COWs. 

Rick Howard: (Laughter). 

Bob Turner: And the other one is we call them cyber shenanigans. That can happen from - you know, anywhere from digital roughhousing to, you know, trying to light somebody up (laughter). 

Rick Howard: (Laughter). 

Bob Turner: I guess you could call cyber shenanigans the equivalent of cyber cow tipping (laughter). 

Rick Howard: (Laughter). Just in case you're not from Wisconsin, in reference to the conditions of weirdness acronym or COW, just so you know, in 2020, Wisconsin was ranked second in dairy production - California just barely nudged them out of first - and number one in cheese production. As Bob says, the cows are more than just a passing fad here. Wisconsin is, after all, America's dairy land. And I'm so glad that they are. And if you're regular listeners to the CyberWire, you know that I work on another podcast called "Word Notes," where we define a cybersecurity word, give it context and show where it fits in the cybersecurity culture. They're short. You should definitely check them out. But Bob has given me three new words to do shows on - conditions of weirdness, cyber shenanigans and my new all-time favorite, cyber cow tipping. How great is that? If you've been following along with the last five episodes about cloud provider first principle security services, you know that I think all three of them do resiliency quite well. And they're not too bad at zero trust either. Google is two notches above the other two for zero trust because of their BeyondCorp architecture. But none of them do badly here. Where I think they fall short is when it comes to intrusion kill chain prevention and risk assessment. I asked Bob if he thought I was barking up the wrong tree when it came to expecting some sort of intrusion kill chain prevention capability from all of the cloud providers' networks. 

Bob Turner: Your first principles argument is absolutely not lost on me. I get it. Where the kill chain comes into place - we don't call it the kill chain, we call it the cyber event lifecycle. It's still the same thing. Understanding what the adversary is thinking - they've already dissected this stuff, and they're trying to figure out how to break the chain. That's where you get your best information on what is really happening. It's not post-mortem. 

Rick Howard: Right. 

Bob Turner: It is while the event is happening. It's not magic. It is, you know, going into it with some sort of a security attestation in place and understanding that your endpoints connecting in are secure. You know that there is some sort of a data exchange going on, and then you can kind of watch it happen. And that's what I need to be watching so I can look for those indicators that tell me, hey, you know, something's going on here. Let's look at it carefully. 

Rick Howard: So Bob and I agree that intrusion kill chain prevention is something that we both want as CISOs. And we will be encouraging all three cloud providers - Google GCP, Amazon AWS and Microsoft Azure - to pursue this first principle strategy with all speed. And speaking for Bob, we would both like to enlist your support in this endeavor. Clearly, none of the three cloud providers think it's important, and they never will unless they start hearing it from their customers. In terms of GCP adoption, I think Bob's journey is a pretty good test case. He likes the idea of the GCP zero trust architecture and so do I. But he has his own crown jewel workloads running in AWS and doesn't want to risk moving them over just for an experiment. He saw a new project coming down the pipe - the Unizin project - saw that the group is using GCP as the base cloud environment and decided to jump in to see what he could learn. That is probably the safest and most reasonable path to take advantage of the GCP service. 

Rick Howard: And that's a wrap. Just a quick heads up. If you're a monthly CyberWire Pro subscriber, we're offering a huge discount if you upgrade to an annual subscription. Just go to thecyberwire.com and select the upgrade option under your profile to check it out. And while I'm talking about the CyberWire, the last three words we did on the weekly "Word Notes" podcast were supply chain attack, SOC triad and network telescope. Give those a listen. I'd love some feedback. Next week on the "CSO Perspectives" podcast, I will be doing a deep dive into how third-party security platforms like Palo Alto Networks, Cisco, Fortinet and Check Point might fit into your cloud architecture first principle strategies. I'm looking forward to that. 

Rick Howard: The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions. And the mix of the episode and the remix of the theme song was done by our insanely talented Elliott Peltzman. And I am Rick Howard. Thanks for listening.