Google is trying to solve the software supply chain security problem
Building software is challenging work that takes a range of different tools, libraries and other components referred to as the 'software supply chain'. Any weak link in that supply chain can lead to cyber breaches with major consequences -- such as the 2020 SolarWinds breach that targeted a wide range of entities, including parts of the US government.
On Tuesday, Google Cloud shared how it's helping its customers take on the problem with a package of tools that help secure the software development process. The company unveiled the Software Delivery Shield during the Google Cloud Next conference.
Software Delivery Shield is a fully managed software toolkit designed for developers, DevOps teams and security teams. It includes services that cover five different parts of the software development process: application development, software "supply," continuous integration (CI) and continuous delivery (CD), production environments, and policies. Organizations don't have to sign onto using the entire package at once -- they can pick and choose the tools they need.
As part of the whole package, Google is introducing in preview a new service called Cloud Workstations, which offer fully managed development environments. Developers can access the customizable environments via a browser, while IT and security administrators can provision, scale and manage them on Google Cloud infrastructure. The environments come with built-in security measures, such as VPC Service Controls, no local storage of source code, private ingress/egress, forced image updates, and IAM access policies.
Software Delivery Shield also includes Artifact Registry for DevOps teams to manage and secure build artifacts, platforms such as Cloud Build and Cloud Deploy for securing the CI/CD pipeline, as well as platforms like Google Kubernetes Engine (GKE) and Cloud Run for securing runtime environments.
Google Cloud introduced other security tools on Tuesday, including Confidential Space -- an extension of its Confidential Computing portfolio. Google by default keeps all data encrypted when it's in transit and at rest. Confidential Computing keeps it encrypted while it is processed.
Confidential Space gives data contributors control over how their data is used and which workloads are authorized to act on it. Workload operators and cloud providers are not able to influence the workload in any way. The tool can help organizations that want to share sensitive data without putting it at risk -- data such as protected health information, personally identifiable information or intellectual property. For instance, healthcare companies could use it to collaborate on the development of pharmaceuticals.
Google is also introducing a new software suite called Chronicle Security Operations for detecting, investigating and responding to cyber threats. It brings together a range of capabilities, including incident management from Google's Mandiant acquisition, as well as the security orchestration, automation, and response (SOAR) tools from the company's recent Siemplify acquisition.