Cloud

Enterprises continue to adopt hybrid and multicloud as they migrate and leverage the cloud to build and run their applications. According to IDC studies conducted in 2022, 64% of customers were using multiple cloud providers for public cloud IaaS services1 and 79% indicated a need to simplify and unify how they manage and secure dedicated cloud infrastructure to improve business resiliency2. Enterprises need simple connectivity at the physical and service layers, and the ability to stand up distributed cloud applications and SaaS workloads within minutes. 

Networking is often the first step, but connecting and securing distributed environments can be complex. Today, we are announcing a significant expansion to our Cloud Interconnect portfolio with Cross-Cloud Interconnect, which lets you connect any public cloud with Google Cloud through a secure, high performance network, allowing organizations to run applications on multiple clouds, simplify SaaS networking in a multicloud environment, and migrate workloads from one cloud to another. Cross-Cloud Interconnect is now generally available in many global locations for customers connected to the following cloud providers — Amazon Web Services, Microsoft Azure, Oracle Cloud Infrastructure, and Alibaba Cloud — with support planned for additional cloud providers based on customer demand. 

We also made significant enhancements for Private Service Connect to support Cross-Cloud Interconnect, and automated service connection policies. In addition, we added new Cloud Interconnect capabilities, and released a new total cost of ownership (TCO) analysis showing lower costs of Google Cloud Networking. 

Seamless multicloud connectivity with Cross-Cloud Interconnect

The rise of distributed applications has been challenging for cloud infrastructure teams trying to ensure connectivity, performance, security, and reliability. Connecting clouds together often requires complex configurations, dedicated hardware, and lengthy operational processes. Cross-Cloud Interconnect simplifies the configuration, minimizes hardware, and reduces overhead.  

Available in 10 Gbps or 100 Gbps options, Cross-Cloud Interconnect does not require new hardware, has the same features as Cloud Interconnect, and is backed with a SLA. Customers with multicloud environments can leverage Cross-Cloud Interconnect to enable the following: 

Private and secure connectivity across clouds 

Line-rate performance and high reliability with 99.99% SLA

Lower TCO without the complexity and cost of managing infrastructure 

Cross-Cloud Interconnect is available in major cities around the world with many of our partners, and because Cross-Cloud Interconnect is a fully managed service, setting it up is simple, as you can see in this demo. 

“As enterprises, globally, look to adopt hybrid and multicloud network services – as part of their digital transformation journeys, they increasingly recognize the strategic value of cross-cloud interconnection capabilities as integral to their business success. Google Cloud’s Cross-Cloud Interconnect offerings address a broad range of hybrid and multicloud network connectivity use cases that span the datacenter, cloud core, and edge, while offering multi-gigabit speeds, disruptive pricing, high-availability, and ease of use.” – Vijay Bhagavath, Research VP for Cloud and Datacenter Networking, IDC 

Early access customers like Walmart and Pexip are leveraging Cross-Cloud Interconnect to enable faster business outcomes. 

“Walmart runs a seamless platform across multiple cloud providers to accelerate innovations. We partner with Google Cloud to leverage their global network for hybrid and multicloud networking. With Cross-Cloud Interconnect, we were able to simplify connectivity between cloud providers, shorten time to production, and reduce overall costs.” – Gerald Bothello, Senior Director of Software Engineering, Walmart 

“Pexip provides a secure, multi-technology video conferencing experience that helps our customers protect and personalize their meetings. With Cross-Cloud Interconnect and our partnership with Google, we can seamlessly connect platforms from multiple clouds to expand our reach and bring our solution to a broader audience at scale.” – Thomas Guggenbuhl, Principal Engineer Infrastructure Operations, Pexip

We continue to work with our partner ecosystem to extend co-location facilities worldwide and jointly drive the simplification of multicloud connectivity for our customers. 

“Equinix provides the world’s digital infrastructure enabling enterprises to connect anywhere. We are excited to collaborate with Google Cloud to expand on its multicloud networking strategy to deliver scalable, seamless, high bandwidth connectivity for enterprises.” – Bill Bushman, Business Development Director, Platform Alliances, Equinix

Hybrid connectivity to SaaS with Private Service Connect

Configuring the network to run producer services can be time-consuming, slowing down services rollouts and delaying cloud integrations. Private Service Connect makes it easier to create private and secure connections from your VPCs to Google, partner, or your own service, simplifying network configuration for published services and SaaS applications. In addition to Google services such as Apigee, BeyondCorp Enterprise, Cloud Composer, and Google Kubernetes Engine, Private Service Connect supports many partner services such as Datastax, Elasticsearch, MongoDB, etc. 

Recently, we announced hybrid and global access for Private Service Connect, allowing on-premises and multicloud clients to access producer services in Google Cloud privately, from anywhere. Private Service Connect global access, now generally available, allows customers to access Google and partner published services from their on-prem locations and between regions. 

Today, we announced the following new enhancements to Private Service Connect: 

Private Service Connect over Cross-Cloud Interconnect is now generally available. Customers can access producer services in Google Cloud from Cross-Cloud Interconnect.  

Service Connection Policies, in preview, lets network admins create policies that automate the connectivity of Private Service Connect for managed services. This makes it easy for service admins to deploy, update, and delete published services connected by Private Service Connect without opening networking tickets. 

A secure and highly resilient foundation 

Our Dedicated and Partner Interconnect offerings provide secure, highly resilient connectivity for hybrid cloud networking. Dedicated Interconnect is now available globally with 10 Gbps and 100 Gbps options in 144 locations, 14 of which we added recently. 

We also added new enhancements to Cloud and Cross-Cloud Interconnect with new encryption options, higher performance, and greater network resiliency with faster link detection to ensure your mission-critical applications are available and performing well. The enhancements include the following: 

Secure hybrid connectivity

MACsec for Cloud Interconnect, in preview in early 3Q23, provides point-to-point line-rate L2 encryption to protect “first mile/last mile” communications between the customer and Google Cloud. 

HA VPN over Interconnect is generally available, and provides IPSec encryption to protect communications between a customer’s on-prem VPN gateway and the HA VPN gateway in Google Cloud.

Higher performance 

9K MTU support, currently in preview, enables large packet sizes to deliver higher throughput over Interconnect offerings.

Bidirectional forwarding detection, now generally available, is a path-outage detection protocol that expedites detection of link failure to initiate traffic rerouting. 

BGP enhancements including support for custom learned routes, increased prefix scale, and non-link local addressing are currently in preview. 

Reduce TCO 

Google Cloud Networking provides planet-scale, enterprise-ready networking that provides seamless access to partner and third-party services with consistent management policy extending from on-prem to cloud — and it does so at a lower total cost of ownership (TCO) compared to other cloud service providers. 

According to a recent paper from Enterprise Strategy Group, customers running on Google Cloud can achieve a TCO reduction of up to 28%. In The Economic Advantage of Google Cloud’s Advanced Networking Services, ESG considered both the direct costs for networking services, as well as network administration and on-going management costs. ESG predicted that customers can see up to 22% lower connectivity and egress costs, and up to 28% lower cloud network administration costs when using Google Cloud compared to other major public cloud vendors. A blog with more details can be found here. 

These savings are a direct result of both the global scale and scope of Google Cloud’s networking services, and a rich set of native capabilities allowing customers to deploy, manage, scale, optimize, and secure hybrid or multi-cloud workloads easily. The new products and features discussed earlier in this article extend these capabilities even further. 

Learn more about Google Cloud Networking 

At Google Cloud Next ‘23, we’ll be offering several sessions to provide deep dives into the network innovations to help you build hybrid and multicloud networking transformation initiatives. Register today!

1. What Are Enterprise Multicloud Adoption Trends, IDC, Andrew Smith, IDC #US48902122, March 2022   
2. Multicloud Networking – An Essential Component of Digital Infrastructure, IDC, Brad Casemore, IDC #US48965022, March 2022

Enterprise Strategy Group (ESG) recently published a 15-page report on the Economic Advantages of Google Cloud’s Advanced Networking Services, detailing how these advantages can help customers realize up to a 28% total cost savings for their cloud networking. In this blog, we explore the six key areas customers should consider when evaluating public cloud providers, and some of the advantages gained by building on Google’s globally scaled cloud network.

The network

Google has an advanced, globally scaled, fiber-optic software-defined network. This global network supports billions of users accessing various Google services like YouTube, Search, and Maps, as well as Google Cloud. You can capitalize on this global network for your Google Cloud workloads with full confidence in its scalability and robustness. You can find the current count of regions, zones and edge location on the Cloud Locations page.

6 considerations when evaluating Cloud Networking

The report goes into quantitative and qualitative details as to areas that enterprises should look at when choosing between cloud provider networks. Let’s explore these areas and how Google Cloud Networking services support each of them.

# 1 – There are differences between cloud network architectures.
Robust cloud networks should be software-defined, scalable, simple, and automatable. A well-documented architecture, built upon consistent innovation and that is transparent about network performance, can greatly reduce administrative overhead. Google Cloud’s network meets all of these requirements and more. Google has documented its Andromeda stack for software-defined networking, contributes significantly to Internet Engineering Task Force (IETF) RFC standards, and provides a public global view of inter-region network latency and throughput. Unlike other cloud providers, its network capabilities are globally scoped, which helps customers reduce architectural complexity and simplify network management.

# 2 – A cloud network should provide simple and flexible hybrid cloud connectivity.
Google Cloud hybrid connectivity options offer flexibility for customers’ business requirements. Cloud VPN provides easy-to-set-up high-availability connectivity. For organizations that need more stable and higher bandwidth connections, Cloud Interconnect options like Dedicatedand Partner Interconnect provide connectivity. Private Service Connect, meanwhile, allows secure and private access to Google Cloud, third-party, or customer-managed cloud services.

In Google Cloud, a Virtual Private Cloud (VPC) is a global construct that is different from other cloud providers’. You can create a single VPC and provision different isolated subnets in any region within the same VPC. This allows customers to create and manage fewer VPCs, thus lowering operational overhead.

# 3 – A cloud network should make it easy to scale and accelerate workloads.
Google Cloud Managed Instance Groups and cluster autoscaling help you scale your resources automatically. In Google Cloud, there exist a robust set of Load Balancers that support various traffic options to meet both global and regional requirements. Load balancers distribute traffic across your backend targets, which can exist within and outside of Google Cloud.

With Cloud CDN for static content and Media CDN for streaming content, customers benefit from the same global footprint and network performance as other Google services such as YouTube. Customers can verify CDN performance as measured by Cedexis and made publicly available here.  

# 4 – A cloud network should ensure secure hybrid cloud operations.
Google Cloud services like Cloud NAT, Cloud Firewall and Cloud Armor can be utilized at different points in the environment to provide a layered defense-in-depth approach. Cloud Armor was in the news last year when it helped a customer mitigate a Layer 7 DDoS attack at 46 million requests per second. In addition to native capabilities, Google Cloud also supports third-party appliances including many partner solutions that are directly available in the Google Cloud Marketplace. 

# 5 – A cloud network should provide visibility and control.
Google Cloud Network Intelligence Center provides real-time observability for your network. It does this through individual modules (Network Topology, Connectivity test, Performance Dashboard, Firewall Insights, Network Analyzer) which provide targeted visibility into aspects of your network infrastructure including latency, throughput, connectivity between specific resources, and resource configuration. This resource analysis highlights configuration issues that can cause network failures, lead to resource exhaustion, or otherwise result in sub-optimal performance — often proactively before an issue can be observed by the end user.  

# 6 – Initiatives must support modernization efforts.
Google Cloud supports application modernization with many services to help customers both migrate and build applications on the platform. Google Kubernetes Engines (GKE) provides high-scale Kubernetes deployments with up to 15,000 nodes per cluster while introducing next-generation features such as the GKE Gateway Controller, a production implementation of the new Kubernetes Gateway API. Google also continues to develop and/or contribute to many popular open standards and open-source projects such as HTTP3, QUIC, gRPC, eBPF, Envoy, Istio, and, of course, Kubernetes itself.

Get the report

The full report goes into much greater detail with comparisons, percentages, charts, and diagrams to evaluate the economic benefits that customers can, and should, expect from their cloud provider. To read more, download your copy of the ESG Report: The Economic Advantage of Google Cloud’s Advanced Networking Services today. 

For more on cloud networking visit https://cloud.google.com/products/networking.

Today many companies manage their infrastructure and configure environments using multiple tools that are either stand-alone or a part of a larger CI/CD pipeline solution. Tools such as Cloud Build in Google Cloud, HashiCorp’s Terraform, or AWS CloudFormation, allow developers to use purpose-built languages such as HashiCorp’s HCL or Cloud Build Configuration language to define their environment’s infrastructure and/or automate its provisioning.

One of the popular tools, Terraform, is a widely used Infrastructure as Code (IaC) software tool to provision infrastructure on Google Cloud and other cloud platforms. Google is actively supporting Terraform by contributing to the Google Cloud Provider for Terraform and developing the Cloud Foundation Toolkit which includes many useful Terraform modules.

We would like to evaluate another solution called Config Connector (a.k.a., KCC), available on Google Cloud, and to show how cloud users can improve their operational processes using this solution compared with other available tools. Google announced it first in 2020. Config Connector is a Kubernetes operator that allows you to manage Google Cloud resources. Config Connector utilizes the Kubernetes Resource Model to enforce a contract between the configuration a developer has defined and infrastructure. This is often referred to as Configuration as Data. You can read more about Configuration as Data in this blog post. Compared to Terraform, Config Connector applies a reconciliation strategy to keep cloud infrastructure as close to the declared configuration as possible in real time.

Config Connector can provide a developer with a number of advantages:

Native integration with GKE and Anthos Configuration Management simplifies provisioning of both Google Cloud resources and application workloads across multiple environments.

Automated reconciliation observes the infrastructure state and repairs any discrepancies between the desired and observed states without need for additional monitoring or manual intervention.

Centralized configuration management lets you manage workload and infrastructure configurations for all environments in one place and in one format.

As a managed solution, Config Connector reduces operational and maintenance overload on DevOps teams, saving time and helping to speed up onboarding new team members.

You can reference the following decision tree when deciding which tool to use when provisioning Google Cloud infrastructure:

Using Config Connector also lets developers benefit from extensive observability capabilities. Leveraging integration with GKE and Cloud Operations suite, you can audit Config Connector operations and the reconciliation state of the configuration. Additionally, you can automate incident handling by defining alert policies to be triggered when there are problems with configuration, provisioning or reconciliation. For example, the following set of log filters can be used to query problems with configuration references (e.g., a resource references a Kubernetes Secret that cannot be found):

See the Config Connector documentation about monitoring and troubleshooting for more information.

Getting started with Config Connector is simple. All you need is a GKE cluster. Then, you can enable the Config Connector add-on to have Config Connector automatically installed on the cluster. There are several options to install Config Connector. The following paragraphs summarizes pros and cons of each option.

Config Controller is a great choice if you are looking to minimize maintenance cost and add support for GitOps components. To use it, you would have to enable Anthos in your projects which may introduce management and cluster fees. If you already use Anthos Config Management (ACM), Config Controller is already available for you. ACM hosts Config Connector and automatically upgrades it to the latest stable version.

Manual installation is useful when you need a high level of customization and control over Config Connector. Using this method you install a Kubernetes operator and additional CRDs on your GKE cluster. This also enables you to install Config Connector on other Kubernetes distributions. It comes at higher operational costs since you will own the hosting and configuration of Config Connector.

GKE Config Connector add-on is a good choice as a jump start solution. It can be installed on any new or existing GKE Standard cluster (starting version 1.15) using a single configuration setting. However, we would like to discourage you using it in production because of the significant lag behind the latest Config Connector version. It also comes with operational costs of provisioning and maintaining the hosting GKE cluster.

Once Config Connector is installed, you can provision Google Cloud resources like you do your Kubernetes workloads. For example, the following code snippet will create a BigQuery dataset:

(This example uses the user-specified resource ID to identify the BigQuery dataset)

In many scenarios Config Connector can replace multiple other tools while minimizing the time it takes to reconcile configured and actual states. The managed nature of the Connector together with a large coverage of Google Cloud resources and services, as well as integration with Anthos configuration, makes it a universal Swiss Army Knife of DevOps pipelines for Google Cloud users. You can familiarize yourself with Config Connector by reading the documentation. Give it a try!

Welcome to the second Cloud CISO Perspectives for May 2023. I hope you all enjoyed our previous newsletter from my Office of the CISO colleague MK Palmore, on Google’s new cybersecurity certification and how it can help prepare aspiring cybersecurity experts for their next career steps.

Before I jump into my column today, I’d like to encourage everyone to sign up for our annual Security Summit, coming in just a few weeks on June 13-14. This year, we’ll explore the latest technologies and strategies from Google Cloud, Mandiant, and our partners to help protect your business, your customers, and your cloud transformation. You can register for the broadcast in your choice of two time zones here. We hope to see you there.

As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.

Integrating digital sovereignty with cloud security

Today, I’d like to talk about one of the more complex and important topics in our current cloud discourse: digital sovereignty. Simply put, digital sovereignty is an organization’s intention to retain control over their data and how that data is stored, processed and managed when using third-party services — including cloud providers. 

Organizations should feel that they have control over their data. When those controls have been designed well, they should encourage even more organizations to use the cloud and benefit from all that the cloud offers. 

Digital sovereignty is a subject that we feel strongly about, and over the past few years, Google Cloud has worked extensively with customers, partners, policy makers, and governments to understand their evolving sovereignty requirements.

We take an expansive view of sovereignty requirements encompassing data, operations, and software. We also see the control of encryption as vital to addressing these requirements and have engineered leading encryption solutions. Along with having these solutions in our cloud, we also have led the industry on establishing partnerships with trusted local partners to address concerns of working with foreign providers.

Google Cloud has been leading dialogue and developing digital sovereignty solutions since 2019. Our ongoing discussions in the market have taught us that designing a digital sovereignty strategy that balances control and innovation is challenging because of four main reasons:

Foundational concepts are not always well-understood, including regulatory requirements, legal safeguards, and risk management.

Many organizations struggle to articulate their specific requirements, particularly when it comes to how sovereign strategies enable digital transformation. 

Choosing the best technologies and solutions to meet those requirements can be difficult. 

A shortage of advisory capacity and expertise in the market can make these challenges even harder to overcome.

While digital sovereignty challenges cross boundaries and oceans, we’ve focused many of our initial efforts in Europe. This has resulted in our “Cloud. On Europe’s Terms” initiative and a broad portfolio of Sovereign Solutions we have already brought to market to help support customers’ current and emerging needs as they bring more workloads to the cloud. 

We’ve also developed the Digital Sovereignty Explorer, a tool designed to help you make progress on your understanding of key concepts and potential solutions, which we introduced in March. Initially focused on the needs of European organizations, the Explorer is an online, interactive tool that takes individuals through a guided series of questions about their organizations’ digital sovereignty requirements.

One benefit of our early digital sovereignty investments has been that it has helped strengthen other areas we’re focused on. Confidential Computing has also proven to be a helpful additional control for organizations implementing digital sovereignty strategies, providing an encryption capability, and protection for data-in-use where encryption keys are not accessible by the cloud provider.

Innovating to address digital sovereignty requirements is important to advance digital transformation and technological creativity, and to join in the benefits of the cloud. We’re going to continue to engage with customers, our partners, governments, and regulators to deliver novel solutions that meet local requirements. 

In case you missed it

Here are the latest updates, products, services, and resources from our security teams so far this month: 

Get ready for Google Cloud Next: Discounted early-bird registration for Google Cloud Next ‘23 is open now. This year’s Next comes at an exciting time, with the emergence of generative AI, breakthroughs in cybersecurity, and more. It’s clear that there has never been a better time to work in the cloud industry. Register now.

Partnering with Health-ISAC to strengthen the European healthcare system: We’re growing our relationship with Health-ISAC to include CISOs and security leaders in Europe, the Middle East, and Africa (EMEA), starting with a joint 17-city tour across the region, as part of its European Healthcare Threat Landscape Tour. Read more.

4 ways to improve cybersecurity from the boardroom: Here are four ways that boards and cybersecurity teams can keep their organizations more secure and reduce risk. Read more.

How does Google protect the physical-to-logical space in a data center? Each Google data center is a large and diverse environment of machines, networking devices, and control systems. In these complex environments, the security of your data is our top priority. Learn how we keep it secure. Read more.

Introducing reCAPTCHA Enterprise Fraud Prevention: We are pleased to announce the general availability of reCAPTCHA Enterprise Fraud Prevention, a new product that uses Google’s own fraud models, machine learning, and intelligence from protecting more than 6 million websites to help stop payment fraud. Read more.

How Apigee can help government agencies adopt Zero Trust: Securely sharing data is critical to building an effective government application ecosystem. Rather than building new applications, APIs can enable government leaders to gather data-driven insights within their existing technical environments, which Google Cloud’s Apigee can help achieve. Here’s how.

News from Mandiant

New OT malware possibly related to Russian emergency response exercises: Mandiant identified COSMICENERGY, a novel operational technology (OT) and industrial control system (ICS)-oriented malware possibly related to Russian emergency response exercises, which has demonstrated a cyber impact to physical systems. Read more.

Don’t @ me: URL obfuscation through schema abuse: Mandiant has found attackers distributing multiple malware families by obfuscating the end destination of a URL by abusing the URL schema. This technique can increase the likelihood of a successful phishing attack. Read more.

A requirements-driven approach to cyber threat intelligence: Mandiant’s latest report on applying threat intelligence outlines what it means to be requirements-driven in practice, offering actionable advice on how intelligence functions can implement and optimize such an approach within their organizations. Read more.

Cloudy with a chance of bad logs: As organizations increasingly move to cloud and security teams struggle to keep up, Mandiant provides a hypothetical scenario of a cloud platform compromise with multiple components that would require investigation. Read more.

Google Cloud Security Podcasts

We launched a weekly podcast focusing on Cloud Security in February 2021. Hosts Anton Chuvakin and Timothy Peacock chat with cybersecurity experts about the most important and challenging topics facing the industry today. Earlier this month, they discussed:

The good, the bad, and the epic possibilities of threat detection at scale: Good detection is hard to build, whether defined for a rule or a piece of detection content, or for a program at a company. Reliably producing good detection content at scale is even trickier, so we chatted with Jack Naglieri, founder and CEO, Panther Labs. Listen here.

Firewalls in the cloud: Nevermind the difference between firewalls and firewalling (although we discuss that, too) — does the cloud even need firewalls? Our own senior cloud security advocate, Michele Chubirka, gets us grounded on all things cloud firewall. Listen here.

To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back at the end of the month with more security-related updates.