GCP – Cloud CISO Perspectives: Going beyond 2FA to address fast-rising, emerging threats

Welcome to the second Cloud CISO Perspectives for July 2025. Today, Andy Wen, director, product management, Workspace Security, discusses new efforts we’re making to defend against identity-based cyberattacks.

As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.

The evolving threat landscape: Beyond traditional 2FA

By Andy Wen, director, product management, Workspace Security

How passkeys and Device Bound Session Credentials can help

To empower users and customers against identity-based attacks, we’ve introduced two critical innovations developed in close partnership with the wider security community: passkeys and Device Bound Session Credentials (DBSC). These advancements are designed to significantly strengthen account security and prevent account takeovers.

We highly recommend that all Workspace customers, especially those with high-value users such as IT administrators and business leaders, implement these controls.

Use passkeys for a simpler, more secure sign-in

We have made passkeys generally available to all 11 million Workspace organizations and billions of Google consumer users. Passkeys represent a fundamental shift away from passwords, offering a simpler and inherently more secure sign-in experience.

Unlike traditional passwords that can be guessed, stolen, and forgotten, passkeys are unique digital credentials cryptographically tied to your device. They use the robust FIDO2 technology, the same underlying standard used in hardware security keys like our Titan Security Key, and the added convenience of using a device you already own, such as an Android phone or a Windows laptop.

While absolute security remains an elusive goal, from the perspective of account takeover and phishing attacks, passkeys and security keys virtually eliminate these password-based threats. As a founding member and steadfast supporter of the FIDO Alliance, we are encouraged by the growing industry adoption of FIDO technology.

Disrupt cookie theft with Device Bound Session Credentials

We are also addressing the use of infostealers to exfiltrate session cookies, allowing attackers to bypass password and 2FA controls and access victim accounts from their own devices.

In addition to Mandiant’s M-Trends 2025 report, IBM’s 2025 X-Force Threat Intelligence Index observed an 84% increase in emails delivering infostealers in 2024 compared to the prior year.

In close collaboration with the Chrome team, we are adding a powerful addition to our security arsenal, now in beta: Device Bound Session Credentials (DBSC). DBSC are designed to disrupt cookie theft by creating an authenticated session that is cryptographically bound to a specific device. This innovative approach can significantly mitigate the risk of exfiltrated cookies being used to access accounts from an unauthorized device.

DBSC introduces a new API that enables servers to establish an authenticated session bound to a device. When a session is initiated, the browser generates a unique public-private key pair. The private key is securely stored using hardware-backed storage, such as a Trusted Platform Module (TPM), when available.

The browser then issues a regular session cookie. It is crucial to note that throughout the session’s lifetime, the browser periodically proves possession of the private key and refreshes the session cookie.

This mechanism allows the cookie’s lifetime to be set short enough to render stolen cookies largely useless to attackers. While DBSC currently operates with Chrome and Workspace, numerous server providers, identity providers (IdPs) like Okta, and other browsers such as Microsoft Edge, have expressed strong interest in adopting DBSC to protect their users from cookie theft.

A combined approach for enhanced security

Combined, passkeys and DBSC can empower organizations to significantly strengthen account security and prevent account takeovers. Both of these security controls are readily available to all Workspace customers, and we strongly advocate for their implementation, particularly for your most critical users such as IT administrators and business leaders.

More information is available on how your organization can start using passkeys and implementing DBSC.

In case you missed it

Here are the latest updates, products, services, and resources from our security teams so far this month:

• Secure cloud. Insecure use. (And what you can do about it): If the cloud is secure, why are there still cloud security breaches? Too many organizations don’t use it securely. Here’s how to change that. Read more.
• Tabletopping the tabletop: New perspectives from cybersecurity’s favorite role-playing game: A group of bio-cybersecurity experts did a TTX with us to practice and share ideas on how to respond to real-world challenges — without the real-world risk. Read more.
• How to enable Secure Boot for your AI workloads: Secure Boot can help protect AI from the moment GPU-accelerated workloads power up. Here’s how to use it on Google Cloud. Read more.
• Too many threats, too much data: new survey. Here’s how to fix that: Operationalizing threat intelligence remains a major challenge, say security and IT leaders in a new survey. Here are the survey results, and four steps security teams can take to get more out of their threat intelligence data. Read more.
• Your guide to Google Cloud Security at Black Hat USA 2025: We’re excited to bring our commitment to cybersecurity innovation and simplification to Black Hat. Here’s where to find us, and what we’ll be talking about. Read more.
• How SUSE and Google Cloud collaborate on Confidential Computing: Secure sensitive data on Google Cloud using SUSE Linux Enterprise Server (SLES) and Confidential VMs with AMD SEV, AMD SEV-SNP, and Intel TDX. Read more.
• Innovate with Confidential Computing: Attestation, Live Migration on Google Cloud: Confidential Computing has evolved rapidly since we first made it available. See what’s new with two key pillars: robust attestation and live migration. Read more.
• Introducing OSS Rebuild: Open source, rebuilt to last: OSS Rebuild is a new project to strengthen trust in open-source package ecosystems that can give security teams powerful data to avoid compromise without burden on upstream maintainers. Read more.
• We’re taking legal action against the BadBox 2.0 botnet: Recently, our researchers partnered with HUMAN Security and Trend Micro to uncover BadBox 2.0, the largest known botnet of internet-connected TVs. Building on our previous actions to stop these cybercriminals, we filed a lawsuit in New York federal court against the botnet’s perpetrators. Read more.

Please visit the Google Cloud blog for more security stories published this month.

Threat Intelligence news

• Exposing the risks of VMware vSphere Active Directory integration: The common practice of directly integrating vSphere with Microsoft Active Directory can simplify administration tasks, but also creates an attack path frequently underestimated due to misunderstanding the inherent risks. Read more.
• Defending your VMware vSphere estate from UNC3944: Take a deep dive into the anatomy of UNC3944’s vSphere-centered attacks, and study our fortified, multi-pillar defense strategy for risk mitigation. Read more.
• Ongoing SonicWall SMA exploitation campaign using the OVERSTEP backdoor: Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. Read more.
• Update on creative phishing attack on prominent academics and critics of Russia: We detailed two distinct campaigns in June observing a Russia state-sponsored cyber threat actor targeting prominent academics and critics of Russia, and impersonating the U.S. State Department. The threat actor is continuing the initial wave of their campaign with changed ASP names while also trying a new tactic: sending calendar invites in an attempt to convince targets to link an attacker-controlled device to their Microsoft Office 365 account through Microsoft’s device code authentication flow. Read more.

Please visit the Google Cloud blog for more threat intelligence stories published this month.

Now hear this: Podcasts from Google Cloud

• How to accelerate your SIEM journey: Manija Poulatova, director, Security Engineering and Operations, Lloyd’s Banking Group, joins hosts Anton Chuvakin and Tim Peacock for a lively chat on all things SIEM, from migration challenges to AI integration. Listen here.
• Governing AI agents, from code to courtroom: The autonomous decision-making and learning capability promise of agentic AI and AI agents presents a unique set of risks across various domains. Anna Gressel, partner at Paul, Weiss, discusses her key areas of concern with Anton and guest host Marina Kaganovich. Listen here.
• Cyber-Savvy Boardroom: Harnessing innovation while mastering compliance: Grant Waterfall, partner, PwC, joins Office of the CISO’s Alicja Cade and David Homovich with a deep-dive chat on using compliance to drive innovation. Listen here.
• Behind the Binary: A reverse engineer’s journey: Reverse-engineering pioneer Danny Quist talks with host Josh Stroschein about the evolving landscape of binary analysis tools, the constant battle with malware obfuscation, and building one of the first malware repositories for research. Listen here.

To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in a few weeks with more security-related updates from Google Cloud.