Why Google Cloud is providing security for AWS and Azure users too

“To just focus on Google Cloud, we wouldn't be serving our customers,” Google Cloud security chief Phil Venables told Protocol.

Google building

Google Cloud announced the newest addition to its menu of security offerings.

Photo: G/Unsplash

In August, Google Cloud pledged to invest $10 billion over five years in cybersecurity — a target that looks like it will be easily achieved, thanks to the $5.4 billion deal to acquire Mandiant and reported $500 million acquisition of Siemplify in the first few months of 2022 alone.

But the moves raise questions about Google Cloud’s main goal for its security operation. Does Google want to offer the most secure cloud platform in order to inspire more businesses to run on it — or build a major enterprise cybersecurity products and services business, in whatever environment it’s chosen?

According to the cloud provider’s chief information security officer, Phil Venables, Google doesn’t need to pick just one of those goals to focus on.

“To just focus on Google Cloud, we wouldn't be serving our customers. Our customers' reality is a hybrid, multicloud environment,” Venables said in an interview with Protocol. “But as part of serving them there, and working with them, they inevitably move more things to Google Cloud for all of the advantages that we have.”

On Tuesday, Google Cloud announced the newest addition to its menu of security offerings that are available to customers. The Assured Open Source Software service will curate secure open source software packages on behalf of customers.

Ahead of that announcement, Protocol spoke to Venables about open-source security, enterprise security concerns and the talent shortage.

This interview has been edited and condensed for clarity.

With the Assured Open Source Software, I gather that this is about more than just securing customers that are running on Google Cloud?

It is a Google Cloud-delivered product. But we're not just going to do this for things that run on Google Cloud. It could be for any software that enterprises consume into their on-premises systems, or in fact, other clouds.

What we've done at Google for a long time is we don't automatically consume open-source software into our critical systems. We take this open-source software and then we do a whole series of tests, and we find and fix security vulnerabilities before those open-source packages are consumed into our software builds.

So as we saw more organizations, over the past year or so, become increasingly concerned about [the security of] open source, we came up with the idea that we should probably commercialize what we do for ourselves. And thus was born the Assured Open Source Service.

Beyond offering services like this one, how is your security strategy accounting for the talent shortage in cybersecurity?

We recognize the big challenges customers have around cybersecurity skills, and the fact that we need to somehow create a lot more cybersecurity professionals. That's true — but we also need to spend a lot of time thinking about how we 10x the productivity of the cybersecurity professionals we've already got.

A big part of what we're doing with Chronicle and Siemplify and the Security Command Center and VirusTotal, and other things that are coming, is to arrange all those together so that when customers buy and use those services, they're 10x-ing the capability they've got without 10x-ing the number of cybersecurity people they've got. We're very focused on enabling customers to run their security more effectively with the resources they've got.

How would you summarize the security strategy for Google Cloud overall?

We think the fact that we've got this built-in security capability for Google Cloud, rather than something that's been bolted on after the fact, is one of our key strengths. Our whole approach to default security across the platform is important. Secondly, we're very focused on how we can bring all of these tools together to enable customers to manage all of their security — not just on Google Cloud. It helps customers across all of their environments.

This is driving a lot of the investments you see us doing with things like Chronicle, Siemplify, VirusTotal, BeyondCorp Enterprise. You can see how Mandiant, assuming that acquisition closes, will be a key part of that story about how we help customers manage all their security, not just their security on Google Cloud.

If your goal is to grow the use of Google Cloud, why provide security that enables customers to run elsewhere?

We recognize that while we have some customers that run everything on Google Cloud, there are lots of customers that still run on-premises, and run in multiple clouds. Modern businesses have been built up over many years, and have quite complex IT environments. For us to not recognize and not help them with that reality, I think, is not the greatest thing for the customers. So a lot of our security tooling is capable of ingesting content from on-premise environments and other clouds. We're very focused on the reality that our big customers have.

We think if we keep doing that, customers will be better off. And ultimately, they'll want to run things more on Google Cloud. But we're certainly going to support them everywhere.

So you think that the fact that you’re working to serve customers wherever they are on security, that could be an entry point for them with Google Cloud?

I think that's right. I think when customers have the experience of not just the security products we provide, but the base level of security and capability of the platform, they see a lot of advantage in moving across to us. But to get going with that, we have to work with them where they are.


Judge Zia Faruqui is trying to teach you crypto, one ‘SNL’ reference at a time

His decisions on major cryptocurrency cases have quoted "The Big Lebowski," "SNL," and "Dr. Strangelove." That’s because he wants you — yes, you — to read them.

The ways Zia Faruqui (right) has weighed on cases that have come before him can give lawyers clues as to what legal frameworks will pass muster.

Photo: Carolyn Van Houten/The Washington Post via Getty Images

“Cryptocurrency and related software analytics tools are ‘The wave of the future, Dude. One hundred percent electronic.’”

That’s not a quote from "The Big Lebowski" — at least, not directly. It’s a quote from a Washington, D.C., district court memorandum opinion on the role cryptocurrency analytics tools can play in government investigations. The author is Magistrate Judge Zia Faruqui.

Keep ReadingShow less
Veronica Irwin

Veronica Irwin (@vronirwin) is a San Francisco-based reporter at Protocol covering fintech. Previously she was at the San Francisco Examiner, covering tech from a hyper-local angle. Before that, her byline was featured in SF Weekly, The Nation, Techworker, Ms. Magazine and The Frisc.

The financial technology transformation is driving competition, creating consumer choice, and shaping the future of finance. Hear from seven fintech leaders who are reshaping the future of finance, and join the inaugural Financial Technology Association Fintech Summit to learn more.

Keep ReadingShow less
The Financial Technology Association (FTA) represents industry leaders shaping the future of finance. We champion the power of technology-centered financial services and advocate for the modernization of financial regulation to support inclusion and responsible innovation.

AWS CEO: The cloud isn’t just about technology

As AWS preps for its annual re:Invent conference, Adam Selipsky talks product strategy, support for hybrid environments, and the value of the cloud in uncertain economic times.

Photo: Noah Berger/Getty Images for Amazon Web Services

AWS is gearing up for re:Invent, its annual cloud computing conference where announcements this year are expected to focus on its end-to-end data strategy and delivering new industry-specific services.

It will be the second re:Invent with CEO Adam Selipsky as leader of the industry’s largest cloud provider after his return last year to AWS from data visualization company Tableau Software.

Keep ReadingShow less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.

Image: Protocol

We launched Protocol in February 2020 to cover the evolving power center of tech. It is with deep sadness that just under three years later, we are winding down the publication.

As of today, we will not publish any more stories. All of our newsletters, apart from our flagship, Source Code, will no longer be sent. Source Code will be published and sent for the next few weeks, but it will also close down in December.

Keep ReadingShow less
Bennett Richardson

Bennett Richardson ( @bennettrich) is the president of Protocol. Prior to joining Protocol in 2019, Bennett was executive director of global strategic partnerships at POLITICO, where he led strategic growth efforts including POLITICO's European expansion in Brussels and POLITICO's creative agency POLITICO Focus during his six years with the company. Prior to POLITICO, Bennett was co-founder and CMO of Hinge, the mobile dating company recently acquired by Match Group. Bennett began his career in digital and social brand marketing working with major brands across tech, energy, and health care at leading marketing and communications agencies including Edelman and GMMB. Bennett is originally from Portland, Maine, and received his bachelor's degree from Colgate University.


Why large enterprises struggle to find suitable platforms for MLops

As companies expand their use of AI beyond running just a few machine learning models, and as larger enterprises go from deploying hundreds of models to thousands and even millions of models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

As companies expand their use of AI beyond running just a few machine learning models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

Photo: artpartner-images via Getty Images

On any given day, Lily AI runs hundreds of machine learning models using computer vision and natural language processing that are customized for its retail and ecommerce clients to make website product recommendations, forecast demand, and plan merchandising. But this spring when the company was in the market for a machine learning operations platform to manage its expanding model roster, it wasn’t easy to find a suitable off-the-shelf system that could handle such a large number of models in deployment while also meeting other criteria.

Some MLops platforms are not well-suited for maintaining even more than 10 machine learning models when it comes to keeping track of data, navigating their user interfaces, or reporting capabilities, Matthew Nokleby, machine learning manager for Lily AI’s product intelligence team, told Protocol earlier this year. “The duct tape starts to show,” he said.

Keep ReadingShow less
Kate Kaye

Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of RedTailMedia.org and is the author of "Campaign '08: A Turning Point for Digital Media," a book about how the 2008 presidential campaigns used digital media and data.

Latest Stories