Security recap of 2022 Google Next and Microsoft Ignite
A rundown of the major security-related announcements from Google Next and Microsoft Ignite, with a view into where the major providers are heading with their security product offerings.
Two major cloud provider events overlapped last week: Google Next and Microsoft Ignite.
Google Next ran from October 11th to 13th and was a “global hybrid event” with most content streamed live and some small in-person events in NY and the Bay Area. Microsoft’s Ignite happened in Seattle from October 12th to 14th. Neither event was back to the pre-pandemic normal.
Unlike AWS re:Invent, Next and Ignite go beyond IaaS cloud offerings: their SaaS collaboration products (Google Workspace and Microsoft 365) featured prominently in the keynotes and product announcements.
They also talk about multi-cloud in the way politicians talk about their opponents. The rule in politics is you focus on the opponent in the lead, and you ignore the opponent that’s trailing. Amazon, as the market leader, doesn't acknowledge multi-cloud. Microsoft, the #2 player, supports AWS along with Azure. Google, plagued by people wondering if they still want to be a cloud player, focuses mostly on the GCP ecosystem.
Both keynotes hit on the same themes. Artificial intelligence was the buzzword, and the CEOs of Microsoft, Google, and Google Cloud spent a significant amount of their keynote talking about their AI products. You can check out Thomas Kurian’s Google Next Keynote and Satya Nadella’s Microsoft Ignite Keynote.
Both companies are positioning their security suites – Google Chronicle and Microsoft Defender – as complete multi-cloud enterprise solutions, unlike much of AWS’s security tooling that focuses only on your AWS footprint. Google also highlighted its acquisition of Mandiant, which is now part of Google Cloud.
Google touted their “Shared Fate” model, which is like the AWS Shared Responsibility model but with the self-realization that when a major breach happens to one of your customers, the press will vilify the customer and the provider. Microsoft deferred their security announcements to the end of the keynote, which won’t do much to dispel the impression many hold that security is an afterthought in Azure.
Ok, let's get into it. What were the big announcements that mattered to security practitioners?
Google Next Announcements
The most prominent announcement was the combination of Chronicle, their SIEM (Security Information and Event Management) platform, with the SOAR (Security Orchestration, Automation, and Response) product they acquired when they bought Siemplify. The combined product is called Chronicle Security Operations.
The software supply chain was also a big theme for both events. Google announced Software Delivery Shield, their solution for “end-to-end software supply chain security”. However, the solution is only for tooling that lives within the Google ecosystem. If you’re using GitHub and Jenkins, this won’t help you much. As part of this, they announced Cloud Workstations, an in-the-cloud VDI (Virtual Desktop Infrastructure) solution similar to AWS Workspaces. Software Delivery Shield also includes their Assured Open Source Software service, in which Google vets the open source packages you depend on. I have no idea if that will protect you from the next Log4j, or even a disgruntled npm developer turned hacktivist.
For the tin-foil-hat crowd or anyone doing crypto (if you’ll excuse the redundancy), there’s a new confidential computing service called Confidential Space. Is this Google’s answer to Microsoft Azure’s cross-tenant breaches?
For folks new to Google, they’ve enhanced their Google Cloud Skills Boost. Now, for $299/yr, you get $500 in GCP credits, a free exam voucher, and another $500 in credits after you get certified. Given that I paid $350 for my AWS Security Specialty certification, $299 for a cert and $1000 in cloud credits is a decent deal.
Finally, the best talk I saw from the virtual Google Next was the Developer Keynote by Ashley Willis on Burnout. Her seven phases of burnout really spoke to me. As she says, please like this post so I can get my one serotonin.
Microsoft Ignite Announcements
I’ve got to hand it to Microsoft. They publish a Book of News ahead of each Ignite, and it’s an excellent summary of all the things they’re going to announce.
The big message from Ignite is that you can save 60% by adopting all Microsoft products. I’ve not seen a pitch for an ecosystem lock-in like this since the Apple/Android app store wars.
Microsoft also released several new security products, and not all of them had the word Defender in their names. They released Microsoft Defender Cloud Security Posture Management, or Defender CSPM for short. One interesting twist: while it supports Azure right now, the accompanying Microsoft Cloud Security Benchmark v1 covers both Azure and AWS. But not GCP. Remember: you focus on the frontrunner and ignore anyone trailing you.
Along with Defender CSPM, they released Microsoft Defender for DevOps. Like Google’s Software Delivery Shield, it aims to identify risk in your software supply chain. It also shifts left: the service will scan your infrastructure-as-code for misconfigurations. The marketing slide references ARM, Terraform, and CloudFormation, but I could find nothing in the product documentation on their support for the latter.
Two other new products in the Microsoft security family are the new Microsoft Entra for Identity Governance and Microsoft Purview for Data Governance.
Azure’s response to their cross-tenant breaches is to charge more for even more complex architectures. To wit, they released new Confidential VM capabilities for their Azure Kubernetes Service (AKS), SQL Server on Azure, and Azure Virtual Desktop.
One of the more practical security advancements came in the Edge browser: new anti-phishing typo protection and enterprise site trust profiles, so administrators can block, allow, or gray-list specific websites to prevent you from clicking that thing you shouldn’t have clicked. These Edge features were covered in the keynote but not prominently highlighted in the security announcements. Also, be on the lookout for Edge Workspace, a new feature that offers a Google Doc-like experience for any webpage. This may change how you look at sharing data outside of your company.
The company that gave us Active Directory, and made lateral movement a household term, adds a new capability to Microsoft 365 Defender: automatic attack disruption. We don’t need any more supply chain problems this year.
Google and Microsoft have made Artificial Intelligence and Big Data part of their value propositions. Both are rapidly catching up with AWS on how easy it is to use their products. AWS’s mantra is “Now Go Build”; Microsoft’s keynote suggests theirs could be “No Build, Just Use”.
As a recovering cloud security practitioner, I’m coming to terms with the fact that in any organization, you’re going to have to support multiple clouds. This isn’t multi-cloud -- chasing pennies by dumbing down your application architecture so you can deploy it in AWS one day and Google the next. It’s about leveraging the strengths of each provider. In this new #AnyCloud world, you might use AWS for highly resilient serverless architecture, Google for big data pipelines and analytics, and Azure for machine learning. Security practitioners have to support all the clouds and deepen their understanding of each to better protect their organizations.