View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cloud
September 14, 2018updated 30 Jun 2022 11:52am

Google: It Takes Two to Tango if you Want Cloud Security

"Every data incident is unique, and the goal of the data incident response process is to protect customers’ data"

By CBR Staff Writer

Google Cloud has published new guidance on data incident response and security for its users, noting that while it employs advanced detection tools and alert mechanisms that provide early indication of potential incidents, along data encryption at rest, virtual private clouds and more, it takes two to tango in terms of security.

In the white paper Google continually emphasis the customer’s role in the security process: “While Google secures the underlying cloud infrastructure and services, the customer secures their applications, devices, and systems when building on top of Google’s Cloud infrastructure.”

The company adds: “Customers must properly configure security features to meet their own needs, install software updates, set up networking security zones and firewalls, and ensure that end users secure their account credentials and are not exposing sensitive data to unauthorized parties.”

The paper comes amid a rise in data breaches caused by security researchers finding unsecured public cloud buckets hosting confidential material.

See also: Misconfigured Cloud Storage Leaves 1.5B Sensitive Files Up for Grabs

Google define a data incident as a breach of Google’s security that leads to an unlawful or accidental loss, access, alteration or unauthorised disclosure of data controlled by Google.

The security white paper released by Google is part of the company’s efforts to be more transparent with its Google Cloud Platform users. Earlier this week it also launched a tool called the Access Transparency Logs, which allows enterprises to see when and why a Google administrator has accessed a customer’s account.

Joseph Valente Product Manager at Google Cloud commented in a blog that: “These logs provide visibility into access at every layer of the stack—not just when access happens through public APIs or high-level endpoints.”

Content from our partners
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape
Green for go: Transforming trade in the UK

All this follows an incident last July when Google Cloud nearly deleted a customer account over suspicious activity.

See Also: Google Cloud: “We’re Sorry”. Introduces Raft of New Account Management Measures

In highlighting the customer’s role, Google lists the security features it has in place for its Google Cloud Platform offering, such as identity access management which allows administrative users to control who has authorisation and can interact with specific resources. Access to accounts is done through a multi-factor authentication process and data is encrypted while being transferred and at rest by default.

Google White Paper

The company gives a breakdown of how a high-level data incident is treated. The process happens in four phases, Identification, coordination, resolution and then continuous improvement.

Identification of an incident occurs through the automated security process which scan for anomalies, these are then reported to the incident response team. From there they try to contain the issues and fix the underlying problem to restore affected systems.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU