Google Cloud: When it comes to cyber risks, we're all in it together

Jeanette Manfra, director of risk and compliance at Google Cloud, explains what she learned at CISA, how cloud is the way forwards for cybersecurity, and the importance of fighting ransomware threats.
Written by Danny Palmer, Senior Writer

For Jeanette Manfra, director of risk and compliance at Google Cloud, overseeing cybersecurity of a vast array of technical infrastructure and services is nothing new. 

She previously served as assistant director for the Cybersecurity and Infrastructure Security Agency (CISA), where she led the Department of Homeland Security's mission to protect and strengthen American critical infrastructure from cyber threats and its efforts to secure the 2018 midterm elections from digital interference. 

Roles like these saw Manfra become one of the most influential cybersecurity officials in US government, helping to form strategies to improve the cybersecurity of businesses and infrastructure, before switching to the private sector in December 2019. 

Now Manfra's role is to help many more businesses improve their cybersecurity posture through cloud computing. That starts with taking the cybersecurity strategy that Google uses to secure its own networks and applying it to the cloud services used by customers and individual users. 

"You can't have that transactional relationship. You can't say 'you're responsible for this, it's not my problem' – you have to be invested in the success of customers fulfilling their responsibilities – we think of it as shared fate, we're in this together," says Manfra. 

Manfra believes adopting cloud services is a key means of achieving this joined-up approach, particularly if businesses are still operating on legacy IT systems, something that she says leads to "significant security vulnerabilities". 

These flaws could be in terms of using software or operating systems that aren't supported anymore, or older software and systems connected to the network that are simply forgotten about and no longer receiving security updates. 

This is a cybersecurity issue across almost all industries, but legacy technology still forms the backbone of many crucial services for society, including critical infrastructure, schools and hospitals – and cyber criminals know this, as demonstrated by the scourge of ransomware being particularly problematic for organisations in these sectors.

"They tend to target the most vulnerable – people who don't have a lot of cybersecurity resources, who have a lot of legacy technology issues, but also perform critically important missions. Shutting down schools, shutting down hospitals, you're talking about core functions of society – and many of these organisations have significant legacy IT," says Manfra. 

While she says there's "no silver bullet" for ransomware, Manfra says that Google Cloud is working with a variety of organisations and bodies in order to help fight it. 

"We feel passionate that we have a large leadership role to play in the safety and security of the overall ecosystem. So, we're partnering with a lot of organisations looking to fight ransomware, everything from policy organisations looking to identify criminals to those looking at how can you collectively build tools, how can you better understand the threat across the ecosystem globally." 

Manfra suggests that digital transformation and moving towards a cloud-based model can go a long way to protecting organisations against ransomware and other intrusive cyberattacks. 

"Adopting cloud, it makes you a harder target; you're inheriting security controls, you're moving off legacy IT". 

However, adopting cloud for business and security reasons doesn't mean it can be set up and left alone – the tools are there to help organisations manage their cybersecurity posture and they need to be used properly. A poor approach to cybersecurity in the cloud can let hackers in, something Manfra points out.

"Some organisations think 'I'm good, all my security is outsourced.' That's not the case; you have to recognise that your risk posture is different now, your responsibilities are different, and you have to understand what that means for your organisation," says Manfra. 

Cybersecurity success, crucially, isn't just about the technology – it's also about the people who use it, and they need to be equipped to operate in a new environment. While a shift towards cloud can mean systems are more up to date, issues that plague IT – such as poor passwords, unpatched software and a lack of multi-factor authentication – can leave holes in networks. 

Google uses a zero-trust model of cybersecurity, where implicit trust in the user is removed and authentication or validation is needed at every step of interaction with digital systems. Manfra says that's something that other companies could use, too. 

"We've seen a lot of benefit internally from adopting that model. And so as organisations are able to mature their security capabilities, they really need to think about how they can adopt zero trust. Pick areas where you know you have potential risk and apply zero-trust principles there," she says. 

A zero-trust model means users need to repeatedly verify their identity, creating a greater chance of keeping accounts and information safe. It's an approach that the White House is encouraging federal agencies to use.

However, zero trust also relies on organisations knowing their networks extremely well, along with knowledge of their most sensitive data, where it's stored and who has access to it. Developing this awareness can be a challenge, especially if information security is being run on a tight budget, or businesses are still in the early stages of their cybersecurity journey. 

The public sector is often amongst the slowest moving when it comes to digital transformation. Manfra says her experience in that arena shows that it's possible to change outlooks and drive a cloud-based security strategy forwards, even if it's hard to do – and that, in the end, this approach will ultimately be beneficial for everyone. 

"I have an appreciation of where people have been coming from over the last 10 years or so, trying to embrace this new world but doing it in a way that doesn't break the organisation, that you can manage as a security professional, and it's challenging," she says. 

"But you take advantage of your commitment to a digital transformation and also transform how you do security compliance."

Rolling out a cloud-based strategy, particularly when cybersecurity is involved, can prove to be a tricky task, and there are potential pitfalls that need to be overcome, particularly around identity and access, and vulnerabilities that could exist if security isn't managed properly.  

According to Manfra, a lot of the potential issues can be managed if they're discussed early in the digital transformation journey, rather than security being bolted on at a later date. 

Key to this proactive stance is understanding what data you have, how it's managed, and how to protect it. Knowing these things can provide a great jumping-off point for a robust cloud security strategy. 

"If you understand where your data is and you understand the value of that data, and you're optimising your resources to ensure you've got strong protection of that data and partnering with a cloud provider, you'll be in a tremendously better place than you are right now," says Manfra.  
