Software Delivery Shield is Google Cloud’s answer to the software supply chain security crisis
The new suite offers developers a range of new security insights, driven in part by recently acquired tech
Google Cloud has announced the launch of Software Delivery Shield (SDS) which aims to fortify businesses' resistance to software supply chain attacks that have proliferated in the last 12 months.
Announcing the new product at its Google Cloud Next conference, SDS is a fully managed software supply chain solution that was designed to address five key areas of supply chain security: application development, continuous integration (CI) and continuous delivery (CD), supply of software, policies, and production environments.
The new product aims to equip developers and security teams with the tools to create cloud applications free from supply chain vulnerabilities which has become a mounting concern across the industry
It will also work alongside other Google Cloud services like Google Kubernetes Engine (GKE), Cloud Build, Cloud Deploy, and more, bringing with it a score of features that promote collaboration between IT, DevOps, and security teams.
Providing protection for software at the development stage, SDS includes a new service called Cloud Workstations (preview) which gives developers managed development environments on Google Cloud's platform.
These environments will be browser-based and fully customisable, with options for collaborative configuration across IT admins and security teams that aim to promote better overall app development security, according to Google Cloud.
Cloud Workstations won't store code locally and come with features such as private ingress/egress, identity access management (IAM) policies, and forced image updates to proactively prevent common security issues in development.
Cloud Pro Newsletter
Stay up to date with the latest news and analysis from the world of cloud computing with our twice-weekly newsletter
Redefining modern master data management in the cloud
Why you need a modern MDM solution built for the cloud
Google Cloud's family of integrated developer environment (IDE) plugins, Cloud Code, will also support a new feature called Source Protect which offers developers real-time feedback within their IDE, identifying vulnerable dependencies and license reporting.
Many of the software supply chain-related issues from the previous few years have been rooted in vulnerable dependencies which can be difficult to check manually. GitHub's Dependabot, for example, has been available since April 2021 and offers similar dependency-scanning capabilities to developers with the aim of securing the open source software space.
Software supply chain security is an area of increasing concern for tech leaders. A recent survey of C-suite executives identified that software supply chain attacks are a ‘chief concern’, with just 32% of respondents indicating that their supply chain was ‘very secure’.
Google Cloud said one of the primary routes to attack open source software is through the compromise of CI/CD pipelines and has strengthened both its CI and CD platforms, Cloud Build and Cloud Deploy, as a result.
New security feature integrations will be added to both platforms such as deep IAM controls, isolated environments, and approval gates to give DevOps teams greater governance over app builds. The cloud giant said these are "key parts" of the overall SDS product.
Protecting the runtime environments is also as important has protecting the development pipeline, Google Cloud said, which is why it also added new security features to the GKE and Cloud Run containerised app runtime platforms.
New capabilities for GKE, currently in preview, will now offer a more comprehensive view of the security posture of clusters and workloads. Teams can now access detailed reports, automatically assigned vulnerability severity ratings, and insights into operating system flaws and workload configurations.
All the new reporting available to GKE can also be fed into Cloud Logging allowing for security event information to plugged directly into a business' a security information and event management (SIEM) system.
SDS also introduces a policy engine for the strictest environments, Binary Authorisation, to establish a chain of trust across the entire software supply chain.
It's what Google Cloud is calling a deploy-time security control that only trusted container images can be deployed on GKE or Cloud Run - images must be signed by trusted authorities during the development process in order for them to be deployable.
SDS can be used alongside Google Cloud’s Assured Open Source Software service, announced in May, which ensures that open source software used within an environment has been vetted by Google.
The service now covers over 250 packages, written in both Java and Python, all of which have been scanned and tested for vulnerabilities by Google. In this way, Assured Open Source Software and SDS can both speed up and improve the security of cloud deployment, through the collection and distribution of verified software.
Faster response with Chronicle Security Operations
A separate announcement made at Google Cloud Next was the introduction of Chronicle security operations, a cloud-based software suite that aims to allow teams to detect, investigate, and respond to threats more quickly.
Chronicle Security Operations will bring together SIEM technology with the security orchestration, automation, and response (SOAR) products from its earlier Siemplify acquisition, as well as its Google Cloud's own threat intelligence and Mandiant's incident management tools, and bundle it all under new Chronicle branding.
“With Chronicle, we no longer have to make the tough decisions around which data we can afford to log and how little retention we can live with,” said Mike Orosz, chief information security officer at infrastructure management provider Vertiv.
“Insufficient security event monitoring is a thing of the past, and there is no better time than now to align to best practices.”
The branding for Siemplify's SOAR and SIEM tech will now be Chronicle SOAR and Chronicle SIEM respectively, and host of new features have reached the product family, all in preview.
The suite seeks to provide teams with cloud-scale security data using Google’s hyperscale infrastructure and petabytes of contextual information, up-to-date threat intelligence, and automated responses to common security threats including phishing and malware.
With Chronicle Security Operations, Google Cloud also aims to provide security teams with a number of quality-of-life features and data aggregation tools to improve threat insight.
These include a single display that combines information on chosen entities from multiple data sources, including Google Cloud Threat Intelligence, integrated alert management between Chronicle SIEM and SOAR, and pre-built responses to cloud-based alerts to speed up threat resolution.
Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.