undefined | Better HN

0 pointsThorrez1y ago0 comments

>and security (post the Mandiant acquisition)

As a Googler who works in GCP security, security has been a key differentiator for GCP long before the Mandiant acquisition. Google invented BeyondCorp (a primary driver of Zero Trust). Google helped create security keys (U2F, FIDO, Webauthn), and was I think the first major company to adopt them, both for employees, and for consumers. Google was one of the first major companies to offer a bug bounty, in 2010. Google's Project Zero searching for vulnerabilities in other companies'/organizations' software I think was pretty much unprecedented when it was created. Look at the number of times other tech companies get hacked compared to Google. Google got hacked in 2009 by China (I believe that was the first time a major company admitted to being hacked by government). That was a major turning point. Ever since then it's been "never again".

Disclosure: my thoughts are my own.

0 comments

belter1y ago

> Look at the number of times other tech companies get hacked compared to Google.

Your whole post is confusing Security of the Cloud with Security in the Cloud. And conflating GCP with Google but those are just examples of why GCP has such a small market percentage.

ThorrezOP1y ago

The security of GCP rests on the security of Google. If Google gets hacked, GCP customers are not secure.

Additionally:

Google offers BeyondCorp products as GCP products. A big example is IAP. Do AWS and Azure offer something like IAP? If so, I think they were created in response to IAP.

Another Google/GCP security product related to zero trust is Chrome Enterprise Premium: https://cloud.google.com/blog/products/identity-security/int... .

Another innovative GCP security product is VPC Service Controls. Do AWS and Azure offer something like that? If so, I think they were created in response to VPC Service Controls.

Security keys: I mentioned in my previous comment how they're used by consumers (that includes GCP customers). GCP is making MFA mandatory this year: https://cloud.google.com/blog/products/identity-security/man...

Bug bounties protect GCP customers by making sure GCP products don't have vulnerabilities.

Project Zero protects GCP customers by finding vulnerabilities in products that GCP customers use (although it also finds vulnerabilities in products that AWS and Azure customers use).

When Microsoft got hacked by China in 2023, China stole Microsoft's signing key, and used it to mint tokens to impersonate Azure AD users of Microsoft customers. That's relevant to security in the Cloud.

GCP products are also recognized for security:

https://cloud.google.com/resources/forrester-unstructured-da...

https://www.varonis.com/blog/forrester-wave-data-security-pl...

https://cloud.google.com/blog/products/infrastructure-modern...

https://cloud.google.com/blog/products/identity-security/goo...

https://www.teradata.com/press-releases/2020/forrester-2020-...

jopsen1y ago

Having previously used AWS, I would also say that GCP IAM is much better.

Yes, it's a lot less flexible than AWS IAM, but complicated IAM policies with conditions and stuff can be really hard to reason about.

Disclosure: my thoughts are my own.

cyberax1y ago

The best way to use AWS IAM policies is to not use them at all.

AWS allows to use multiple accounts easily, and accounts are (by default) completely isolated from each other. That's actually how services work internally at AWS, it's not uncommon for a service to have hundreds of AWS accounts (one for each region multipled by the number of environments).

It's not so easy with GCP.

bfeynman1y ago

That is insane. AWS has more complicated policies, GCP literally lacks ability to even have easy security posture in many cases.

decimalenough1y ago

That's quite the claim, can you provide an example?

GCP is permissive out of the box and things like the Compute Engine service account having the basic Editor role by default is a bit of a footgun, but they're trivially turned off.

1 more reply

eranation1y ago

Adding to it: deps.dev, osv.dev, SLSA (all are either free or fully open source) Google has been great contributor to the AppSec and Software Supply Chain community. I just pray daily that the “google graveyard” curse doesn’t touch these important projects.

shalmanese1y ago

> (I believe that was the first time a major company admitted to being hacked by government). That was a major turning point. Ever since then it's been "never again".

There was one other time Google was hacked by a major government that also spurred massive internal security posture changes! https://en.wikipedia.org/wiki/Snowden_effect#Tech_industry

karencarits1y ago

I think this is also a good argument for why it is beneficial for society that Chrome stays in Alphabet; Google is good at some things and bad at some things - that people have access to a reasonably safe browser for free should not be underestimated

ignoramous1y ago

To me, the security posture of Android (esp, the Pixels) & Chromium stands out as an outstanding contribution to humanity (given the reach of both those platforms).

> Google got hacked in 2009 by China (I believe that was the first time a major company admitted to being hacked by government).

Do they mind if they're legally "hacked" by a (Western) govt? All that security sophistication couldn't prevent LEAs from owning us all, unfortunately: https://therecord.media/google-refuses-to-deny-it-received-u... / https://archive.vn/mzZtI

darthwalsh1y ago

I thought your link would be

https://www.bbc.com/news/world-us-canada-24751821 > Snowden leaks: Google 'outraged' at alleged NSA hacking

ExoticPearTree1y ago

As a GCP user, my view is that Google does Googly things and hopes others will use them. And if not enough people don’t buy into whatever Google builds because it is built by Google, they will cancel it.

underdeserver1y ago

These are all Google things. How do I benefit from them as a GCP customer?

ThorrezOP1y ago

See my reply here: https://news.ycombinator.com/item?id=43399981

j / k navigate · click thread line to collapse

0 comments

belter1y ago

> Look at the number of times other tech companies get hacked compared to Google.

Your whole post is confusing Security of the Cloud with Security in the Cloud. And conflating GCP with Google but those are just examples of why GCP has such a small market percentage.

ThorrezOP1y ago

The security of GCP rests on the security of Google. If Google gets hacked, GCP customers are not secure.

Additionally:

Google offers BeyondCorp products as GCP products. A big example is IAP. Do AWS and Azure offer something like IAP? If so, I think they were created in response to IAP.

Another Google/GCP security product related to zero trust is Chrome Enterprise Premium: https://cloud.google.com/blog/products/identity-security/int... .

Another innovative GCP security product is VPC Service Controls. Do AWS and Azure offer something like that? If so, I think they were created in response to VPC Service Controls.

Bug bounties protect GCP customers by making sure GCP products don't have vulnerabilities.

Project Zero protects GCP customers by finding vulnerabilities in products that GCP customers use (although it also finds vulnerabilities in products that AWS and Azure customers use).

GCP products are also recognized for security:

https://cloud.google.com/resources/forrester-unstructured-da...

https://www.varonis.com/blog/forrester-wave-data-security-pl...

https://cloud.google.com/blog/products/infrastructure-modern...

https://cloud.google.com/blog/products/identity-security/goo...

https://www.teradata.com/press-releases/2020/forrester-2020-...

jopsen1y ago

Having previously used AWS, I would also say that GCP IAM is much better.

Yes, it's a lot less flexible than AWS IAM, but complicated IAM policies with conditions and stuff can be really hard to reason about.

Disclosure: my thoughts are my own.

cyberax1y ago

The best way to use AWS IAM policies is to not use them at all.

It's not so easy with GCP.

bfeynman1y ago

That is insane. AWS has more complicated policies, GCP literally lacks ability to even have easy security posture in many cases.

decimalenough1y ago

That's quite the claim, can you provide an example?

GCP is permissive out of the box and things like the Compute Engine service account having the basic Editor role by default is a bit of a footgun, but they're trivially turned off.

1 more reply

eranation1y ago

shalmanese1y ago

> (I believe that was the first time a major company admitted to being hacked by government). That was a major turning point. Ever since then it's been "never again".

There was one other time Google was hacked by a major government that also spurred massive internal security posture changes! https://en.wikipedia.org/wiki/Snowden_effect#Tech_industry

karencarits1y ago

ignoramous1y ago

To me, the security posture of Android (esp, the Pixels) & Chromium stands out as an outstanding contribution to humanity (given the reach of both those platforms).

> Google got hacked in 2009 by China (I believe that was the first time a major company admitted to being hacked by government).

darthwalsh1y ago

I thought your link would be

https://www.bbc.com/news/world-us-canada-24751821 > Snowden leaks: Google 'outraged' at alleged NSA hacking

ExoticPearTree1y ago

underdeserver1y ago

These are all Google things. How do I benefit from them as a GCP customer?

ThorrezOP1y ago

See my reply here: https://news.ycombinator.com/item?id=43399981

j / k navigate · click thread line to collapse