Google Cloud’s first chief information security officer (CISO) has revealed that Google’s cloud venture does use software from vendor SolarWinds, but says its use was “limited and contained”.

Google Cloud announced the hire of its first CISO, Phil Venables, in mid-December, just as the US was beginning to understand the scope of the Russian government’s software supply chain malware attack.

The hack affected the US Treasury Department, the US Department of Commerce’s National Telecommunications and Information Administration (NTIA), the Department of Justice, Microsoft’s source code and many others.

But Venables, a Goldman Sachs veteran, insists that no Google systems were affected by the attack. It’s an important message from Google at a time when the hack has undermined trust in established software suppliers, which in turn threatens Google’s $12bn-a-year cloud business. Google is set to announce its Q4 FY2020 financial results on Tuesday, February 2.

“Based on what is known about the attack today, we are confident that no Google systems were affected by the SolarWinds event,” Venables said in a blog post.

“We make very limited use of the affected software and services, and our approach to mitigating supply chain security risks meant that any incidental use was limited and contained. These controls were bolstered by sophisticated monitoring of our networks and systems.”

Venables also shared some of the practices Google uses to protect itself and its customers from software supply chain threats. The attack exposed how interconnected the software industry is, and how vulnerable the ecosystem is because of the trust that update mechanisms place in known suppliers: an update that arrives through a vendor’s official channel is normally installed without further scrutiny.

Hackers breached SolarWinds and planted malware inside software updates for its Orion platform, which gave the attackers a beachhead from which to move within the networks of the companies and government agencies that installed them.

Researchers at CrowdStrike last week revealed that a third piece of malware was used in the attack on SolarWinds’ customers via official software updates. SolarWinds last week disclosed that the attackers were testing malware distribution through Orion updates from at least September 2019, indicating the planning that went into the attack.

Other organizations affected by this breach included the Department of Health and Human Services’ National Institutes of Health (NIH), the Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA), the US Department of State, the US Department of Energy (DOE) and its National Nuclear Security Administration (NNSA), several US state governments, and Cisco, Intel and VMware.

According to Venables, Google uses secure development and continuous testing frameworks to detect and avoid common programming mistakes. 

“Our embedded security-by-default approach also considers a wide variety of attack vectors on the development process itself, including supply chain risks,” he says. 

He goes on to explain what trusted cloud computing means at Google Cloud, which comes down to control over hardware and software.  

“We don’t rely on any one thing to keep us secure, but instead build layers of checks and controls that includes proprietary Google-designed hardware, Google-controlled firmware, Google-curated OS images, a Google-hardened hypervisor, as well as data center physical security and services,” says Venables.  

“We provide assurances in these security layers through roots of trust, such as Titan Chips for Google host machines and Shielded Virtual Machines. Controlling the hardware and security stack allows us to maintain the underpinnings of our security posture in a way that many other providers cannot. We believe that this level of control results in reduced exposure to supply chain risk for us and our customers.”

Google also verifies that software is built and signed in an approved, isolated build environment from properly checked-in code that has been reviewed and tested.

The company then enforces these controls at deployment time, with stricter checks for more sensitive code.

“Binaries are only permitted to run if they pass such control checks, and we continuously verify policy compliance for the lifetime of the job. This is a critical control used to limit the ability of a potentially malicious insider, or other threat actor using their account, to insert malicious software into our production environment,” says Venables.  

Finally, Google ensures that at least one person other than the author provably reviews every code and configuration change its developers submit.

“Sensitive administrative actions typically require additional human approvals. We do this to prevent unexpected changes, whether they’re mistakes or malicious insertions.”
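The deployment controls Venables describes (a binary admitted only if it was built and signed in an approved build environment from reviewed, checked-in code, re-verified for the lifetime of the job, with the two-person review rule applied more strictly for sensitive code) can be sketched as a small admission checker. The following is an added example written for this page, not Google’s code or a description of its internal tooling: the builder names, keys, commit IDs and review records are constructed, HMAC-SHA256 stands in for the asymmetric signature a real build system would emit, and the "standard"/"sensitive" tiers and approval counts are assumed policy, not figures from the blog post.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# ---- Constructed sample environment: hypothetical names, not real keys or commits ----
# Keys of approved build environments. HMAC stands in for the asymmetric
# signature a real build system would emit; the checking logic is the same.
BUILDER_KEYS = {"builder-isolated-1": b"constructed-secret-key-A"}
REVOKED_BUILDERS = set()

# Code review records, commit -> author and approvers (constructed).
REVIEW_LOG = {
    "c0ffee01": {"author": "alice", "approvers": ["bob"]},
    "c0ffee02": {"author": "alice", "approvers": ["alice"]},   # self-approved
    "c0ffee03": {"author": "carol", "approvers": ["dave", "erin"]},
}

# Assumed policy: minimum approvals from people other than the author, per tier.
POLICY = {"standard": 1, "sensitive": 2}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(att: dict) -> bytes:
    """Stable serialisation so the signature covers exactly these fields."""
    return json.dumps(att, sort_keys=True, separators=(",", ":")).encode()


def sign_attestation(builder: str, artifact: bytes, commit: str) -> dict:
    """What the isolated build environment emits next to the artifact."""
    att = {"builder": builder, "digest": sha256_hex(artifact), "commit": commit}
    sig = hmac.new(BUILDER_KEYS[builder], canonical(att), hashlib.sha256).hexdigest()
    return {"attestation": att, "signature": sig}


def independent_approvals(commit: str) -> int:
    """Approvals that do not come from the change's own author."""
    rec = REVIEW_LOG.get(commit)
    if rec is None:                      # never checked in through review at all
        return 0
    return len({a for a in rec["approvers"] if a != rec["author"]})


def admission_check(artifact: bytes, signed: dict, tier: str) -> tuple:
    """Decide whether a binary may run. Returns (allowed, reason)."""
    att, sig = signed["attestation"], signed["signature"]
    builder = att.get("builder")
    # Gate 1: built by an approved environment whose key is still trusted.
    if builder not in BUILDER_KEYS or builder in REVOKED_BUILDERS:
        return False, f"builder {builder!r} not approved"
    expected = hmac.new(BUILDER_KEYS[builder], canonical(att), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "attestation signature invalid"
    # Gate 2: the attestation describes this exact binary, not some other build.
    if att["digest"] != sha256_hex(artifact):
        return False, "artifact digest does not match attestation"
    # Gate 3: source came from a reviewed change; stricter for sensitive jobs.
    need, have = POLICY[tier], independent_approvals(att["commit"])
    if have < need:
        return False, f"commit {att['commit']}: {have} independent approvals, {need} required"
    return True, "ok"


@dataclass
class RunningJob:
    name: str
    tier: str
    artifact: bytes
    signed: dict


def revoke_builder(builder: str) -> None:
    """Simulates a build environment losing trust after jobs were admitted."""
    REVOKED_BUILDERS.add(builder)


def verify_running(jobs: list) -> dict:
    """Continuous verification: re-evaluate every running job against current policy."""
    return {j.name: admission_check(j.artifact, j.signed, j.tier)[1] for j in jobs}


if __name__ == "__main__":
    binary = b"constructed binary contents"
    ok = sign_attestation("builder-isolated-1", binary, "c0ffee01")
    print(admission_check(binary, ok, "standard"))         # (True, 'ok')
    print(admission_check(binary, ok, "sensitive"))        # rejected: one approval, two required
    print(admission_check(binary + b"!", ok, "standard"))  # rejected: digest mismatch
    job = RunningJob("frontend", "standard", binary, ok)
    print(verify_running([job]))
    revoke_builder("builder-isolated-1")
    print(verify_running([job]))                           # now fails compliance
```

Two design points carry the weight here. The signature covers the artifact digest and the source commit together, so an attacker cannot pair a legitimate attestation with a different binary, or a legitimate binary with an unreviewed commit; and admission is a pure function of current state, so the same check can be re-run against running jobs, which is what makes a later key revocation or policy change take effect on workloads that were admitted earlier.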