Google Cloud CISO Phil Venables revealed that the company uses software from the vendor SolarWinds, but said its use was "limited".
Google Cloud announced the hiring of its first CISO, Phil Venables, in mid-December, just as the United States began to understand the scope of the SolarWinds attack.
The breach affected the US Treasury Department, the US Department of Commerce's National Telecommunications and Information Administration (NTIA), the Department of Justice, Microsoft's source code, and much more.
But Venables, a Goldman Sachs veteran, insists no Google system was affected by the attack. This is an important message from Google at a time when breaches have undermined confidence in well-known software vendors.
"Based on what is known about the attack, we are confident that no Google system has been affected by the SolarWinds attack," Venables said in a blog post.
"We make very limited use of the affected software and our approach to mitigating supply chain security risks meant that any ancillary use was limited. These controls have been reinforced by the sophisticated monitoring of our networks and systems."
Venables also shared some of the main practices Google uses to protect itself and its customers. This particular attack revealed how interconnected the entire software industry is, and how vulnerable the ecosystem is because of the updates received from various suppliers.
According to Venables, Google uses secure deployment and ongoing testing frameworks to detect and avoid common programming errors. He goes on to explain what it means to have reliable cloud computing in Google Cloud, which comes down to its control over hardware and software.
Google verifies that software is built and signed in an approved, well-tested, isolated build environment that has been checked. The company then applies several controls during development, depending on the sensitivity of the code. Finally, the company ensures that at least one person other than the author reviews changes to code submitted by developers.
"Sensitive management actions usually require additional human approval. We are doing this to prevent unexpected changes - either mistakes or malicious imports."
Source of information: zdnet.com