In light of the many security incidents we can read about in the press, security continues to be a formidable challenge for many businesses. We believe that the move to a professionally managed secure Cloud infrastructure can help address this challenge.

Last week, Urs shared his thoughts on security, and we announced new initiatives such as Access Transparency as part of more than 20 security updates and enhancements to help enterprises protect their data and stay secure. Frequently, it’s better to learn about these topics in person and we can help with that.

Next month, many security professionals will come to San Francisco to the RSA Conference 2018, and we’ll offer our own Google Cloud Security Talks at Bespoke in Westfield San Francisco Centre, a five-minute walk from Moscone Center, where the RSA Conference will be held.

This series of 15 talks over two days will cover security across Google Cloud, the complex compliance and regulatory environment, shared responsibility, and best practices from Google’s own internal security processes. We’ll share more on our approach to security, as well as our roadmap from the beginning of this year through Next ‘18. Among others, featured presenters include Ben Hawkes, who heads up Project Zero, and Mark Risher, who leads Google’s Identity and Account Security team. You can see the full agenda below and register for the event on our website.

We’ll also have several interactive demos on hand to demonstrate how organizations can address security challenges such as ransomware attacks and data exfiltration.

We’re also excited that Googlers will be giving talks or participating on panels at the RSA Conference itself:

Threat Hunting Strategy: How to Catch Bears and Pandas [AIR-T10]
Heather Adkins
Tuesday, April 17, 2018 | 3:30 PM - 4:15 PM

Post-Quantum Cryptography [CRYP-W14]
Guillaume Endignoux
Wednesday, April 18, 2018 | 3:00 PM - 3:45 PM

How to Successfully Harness Machine Learning to Combat Fraud and Abuse [MLN-R12]
Elie Bursztein
Thursday, April 19, 2018 | 1:45 PM - 2:30 PM

Security and Privacy of Machine Learning [MLN-R14]
Ian Goodfellow
Thursday, April 19, 2018 | 3:00 PM - 3:45 PM

Google and Microsoft Debut: Replacing Passwords with FIDO2 Authentication [IDY-F02]
Sam Srinivas
Friday, April 20, 2018 | 10:15 AM - 11:00 AM

Google on BeyondCorp: Empowering Employees with Security for the Cloud Era [EXP-F02]
Jennifer Lin
Friday, April 20, 2018 | 10:15 AM - 11:00 AM

If you’re planning on attending RSA Conference 2018, please stop by—we’d love to say hello. For more information, or to register, visit our website.

Google Cloud’s goal for healthcare is very much a reflection of Google’s overall mission: to organize the world’s information and make it universally accessible and useful. Applying this mission to healthcare means using open standards to help enable data sharing and interactive collaboration, while also providing a secure platform. Just imagine if all healthcare providers could easily, securely and instantaneously collaborate while caring for you. Ultimately, we hope that better flow of data will inspire new discoveries with artificial intelligence (AI) and machine learning (ML), leading to insights that improve patient outcomes.

This week at HIMSS we’re showcasing our progress toward serving this mission through our Google Cloud Platform (GCP), G Suite and Chrome solutions, our work with customers and partners, and our focus on compliance and security.

Unlocking data with the new Cloud Healthcare API

We’ve recently launched the new Cloud Healthcare API, which addresses the significant interoperability challenges in healthcare data. The new API provides a robust, scalable infrastructure solution to ingest and manage key healthcare data types—including HL7, FHIR and DICOM—and lets our customers use that data for analytics and machine learning in the cloud.  

As part of our early access launch, we’re already working with a group of customers and partners, including the team at the Stanford School of Medicine. Here’s what Somalee Datta, Ph.D., Stanford School of Medicine Director of Research IT, had to say about our work together:

"Open standards are critical to healthcare interoperability as well as for enabling biomedical research. We have been using the Google Cloud Genomics API for a long time and are very excited to see Google Cloud expanding its offerings to include the new Cloud Healthcare API. The ability to combine interoperability with Google Cloud’s scalable analytics will have a transformative impact on our research community."

Our goal with the Cloud Healthcare API is to help transform the healthcare industry through the use of cloud technologies and machine learning. Healthcare is increasingly moving to the cloud, and the adoption of machine learning will allow the industry to unlock insights that can lead to significant clinical improvements for patients. The Cloud Healthcare API is currently available in an early access release, but over the next year, we plan to roll it out to more customers and partners—let us know if you’re interested.  

In addition to the the Cloud Healthcare API, we have a long history of supporting open APIs directly on GCP. Our Cloud Genomics API has provided an implementation of the Global Alliance for Genomics & Health APIs for many years now. Through an API-first approach, we can help healthcare enterprises simplify data interoperability by providing a strong foundation with cloud infrastructure and services. For example, Apigee enables healthcare enterprises to manage and deploy FHIR (Fast Healthcare Interoperability Resources) APIs on top of their existing electronic health record systems.  

How our healthcare customers are using Google Cloud

Beyond our work on APIs, our approach is to give healthcare customers the tools they need to accelerate projects in areas like population health, personalized medicine and clinical research. At HIMSS we’ll talk in more detail about how our customers are using Google Cloud. Here are a few examples:

M*Modal is working with Google Cloud to reinvent the experience of healthcare and mitigate widespread physician burnout. The collaboration leverages M*Modal’s success in adoption of its physician-assistive, AI-based solutions with Google Cloud’s expertise in AI at scale to align innovation with market needs. M*Modal solutions deliver AI-powered, real-time contextual understanding and more enhanced, actionable insights from clinical data to the doctor directly at the point of care.

Lahey Health is making the move to G Suite for its many benefits, including innovation, scalability, collaboration, security and productivity. From the security perspective, they chose G Suite for our team of dedicated security professionals, malware scanning for early detection of global campaigns, and secure end-to-end infrastructure that has built-in protections across many layers.

The Chilean Health Ministry is using Google Cloud’s Apigee platform to provide a nationwide API-based connectivity to help ensure data, applications and services are easily, yet securely, available when and where needed. This connectivity helps secure access to patient information, regardless of whether it’s needed in one of Chile’s 1,000 remote medical facilities or in one of its connected health centers.

Cleveland Clinicis using Google Cloud’s Apigee platform to realize the full potential of their underlying electronic medical record through FHIR APIs. Using a secure, scalable and industry-grade API platform, Apigee allows Cleveland Clinic to enable, augment and extend functionality of their EHR. It’s also enabling them to run advanced analytics and ML-based predictive models, revealing insights to clinicians that help them deliver improved patient care.

Rush University Medical Center is also using Apigee to enhance many aspects of patient care and patient experience. They're looking to optimize scheduling, identify excess costs, reduce emergency department wait times, reducing readmissions and identifying and predicting cybersecurity threats using Google Cloud's capabilities in AI and ML.

Color is using Variant Transforms—a new open source tool we recently released that helps export genomic variants directly into BigQuery—to discover new capabilities for their cancer diagnostic service. When the Broad Institute of MIT and Harvard first brought the GATK Best Practices pipeline to GCP in 2015, it was $45 to analyze a single genome. Since then, Broad has steadily brought down the cost to a little over $5 by optimizing its use of GCP, while maintaining (and even improving) the quality of the output, and has recently made this same pipeline—at the same cost—available to researchers around the world.

Middlesex Hospital and Chapters Health System are using Chrome to provide a secure, future-proof entry point to the cloud, connecting their staff to data-driven systems so they can focus on what’s most important: delivering great patient care.

How we're working with partners

Partners are essential to the work we do with healthcare customers. Here are a few that we’re talking about at HIMSS:

Flex introduced BrightInsight, a secure, managed services platform running on GCP. BrightInsight aggregates data to deliver real-time intelligence and optimize the value of connected drug, device or combination products. It’s designed to support CE-marked and FDA-regulated medical devices, combination products and Software as a Medical Device requirements for pharmaceutical and medtech companies. Flex is partnering with Google Cloud to deliver insights with customizable analytics dashboards that take advantage of our advanced machine learning and AI capabilities.

Imagia is transforming the way researchers can investigate disease characterization, progression and treatment response.

To address the increased demand for genomics, Kanteron Systems has introduced telegenomics on GCP as an addition to its Precision Medicine Platform.

Client Outlook has integrated their eUnity medical imaging viewer with the new Cloud Healthcare API, enabling them to provide a seamless visualization experience for medical images stored on GCP.

WuXi NextCODE’s massively scalable genomics database management system and clinical and research applications will be available to all Google Cloud users later this year.

And, on the hardware front, with Chrome solutions and technology partnerships, we’re also announcing a new collaboration between Healthcast, Citrix and Chrome OS that aims to provide a more secure and economical approach to data access. In another example, using VMware’s Digital Clinical Workspace and Point of Care solutions with a Chromebook allows users to securely access sensitive data and apps.

How we’re focusing on security and compliance

We can’t talk about improving healthcare without addressing security and compliance. We’re continuing to expand HIPAA compliance coverage across G Suite and GCP. Today, we announced that Google App Engine and Cloud Machine Learning Engine are covered, joining more than two dozen other HIPAA-compliant GCP services

https://cloud.google.com/security/compliance/hipaa/

Come by and say hello at HIMSS

There have been a lot of developments in our work in healthcare over the last year. We’re excited to be back at HIMSS and looking forward to working with everyone there. Stop by our booth and check out our sessions if you’re at HIMSS this week.

This week, McKinsey released a report titled “Making a secure transition to the public cloud,” the result of interviews with IT security experts at nearly 100 enterprises around the world. Leveraging the expertise of Google Cloud and McKinsey security experts, the research presents a strategic framework for IT security in cloud and hybrid environments, and provides recommendations on how to migrate to the cloud while keeping security top of mind.

The research shows what many already know: that public cloud adoption is accelerating thanks to increased technical flexibility, simpler scaling, and lower operating costs. What’s exciting is that the research also reveals that many Chief Information Security Officers (CISOs) no longer view security as an inhibitor to adoption but instead an opportunity—“In many cases [CISOs] acknowledge that cloud service providers’ security resources dwarf their own,” the authors write—and now these companies are focused on how to best adopt and configure cloud services for increased security.

When implemented properly, public-cloud adoption can significantly reduce the total cost of ownership (TCO) for IT security.

This requires enterprises, cloud providers, and third-party service providers to work together collaboratively and transparently within a shared security model. Google Cloud has long believed in creating trust through transparency, previously releasing a detailed overview of our infrastructure security, explaining our shared responsibility model, and how we already protect our users and customers at the lower layers of the stack—and we’re thrilled to see McKinsey’s detailed endorsement of the same approach.

Common security approaches, and their tradeoffs.

Every company has different IT needs, but the report found two common security decisions companies take when adopting cloud services: (1) defining the perimeter, and (2) deciding whether to re-architect applications for greater manageability, performance, and security in the cloud (interestingly, only 27% of companies surveyed actually do this—change is hard).

The research identifies three common archetypes for perimeter security: backhauling, cleansheeting, and adopting cloud provider controls by default.

• Backhauling allows companies to continue managing IT security on-prem, with an external gateway connecting the data center to the public cloud. Approximately half of the companies surveyed currently use this model, but only 11% plan to continue doing so, since it can keep companies from realizing certain cloud benefits, such as agility.

• Cleansheeting requires greater investment and expertise, as it calls for redesigning IT security around a “virtual perimeter” and leveraging multiple cloud-native tools and services.

• Using cloud provider controls is the most cost-effective solution, but—depending on the cloud provider—can limit autonomy and may offer limited capabilities.

McKinsey uses these three models, along with the decision to re-architect applications for the cloud, to identify six “archetypes” for cloud security. Each archetype has its own tradeoffs:

There isn’t a “right answer” for security when making a move to the cloud—it depends on your company’s expertise, flexibility, and cost decisions.

And, you don’t have to use only one archetype. For example, Evernote describes in their migration story to Google Cloud Platform:

“For most of our controls we found an equivalent, cloud platform version. For data encryption at rest, we gained a security control that we hadn’t engineered on our own. For some controls, like IP whitelisting, we had to adapt our security architecture to not rely on traditional network controls.”

— Rich Tener, Director of Security, Evernote

The economics of cloud security.

Relying on cloud service provider security controls is “the most cost-effective approach,” the authors write. “As organizations move more and more applications to the public cloud and lean towards using native CSP controls, a decrease in security operating and capex costs is likely.” Eighty percent of companies that choose to rely primarily on the cloud provider’s controls and re-architect their applications in parallel see cost savings.

So, if you’re planning a cloud migration, where should you focus your security efforts? McKinsey asked respondents about their approach to applying cloud security controls in several areas to find out what companies are doing:

• Identity & access management (IAM): 60% of enterprises are using on-premises IAM solutions; in just three years respondents expect that number to be cut in half. At Google, we provide a tool called Google Cloud Directory Sync, which helps users bring existing identities to Google Cloud and manage cloud permissions natively with IAM.

• Encryption: The majority of respondents encrypt data both at rest and in transit—and even more (upwards of 80% in both categories) will do so three years from now. Google Cloud already encrypts data at rest by default, and in transit when it crosses a physical boundary.

• Perimeter security: Today, 40% of enterprises are backhauling data traffic and using existing on-premises network security controls—but that will decrease, with only 13% expecting to be using the same approach in 3 years. To help enterprises make the move to cloud-based perimeter control, Google Cloud lets users connect to their on-premises environment using Dedicated Interconnect, an IPsec VPN tunnel, direct peering or carrier peering. Google Cloud users can also control their perimeter with a Virtual Private Cloud (VPC).

• Application security: 65% of respondents define security configuration standards for cloud-based applications, but less than 20% are using tools or template-based enforcement. To address this, Google Cloud offers Cloud Security Scanner, an automated way to scan apps for common vulnerabilities.

• Operational monitoring: 64% of respondents use existing SIEM tools to monitor cloud applications rather than creating a new set for the cloud. Google Cloud users can export logs from Stackdriver to the SIEM of their choice.

• Server-side endpoints: 51% of respondents have a high level of confidence in their cloud service provider’s approach to server-side endpoint security. Google Cloud customers can use a variety of partner tools for endpoint security.

• User endpoints: 70% of respondents believe that public-cloud adoption will require changes to user endpoints. Google created the BeyondCorp enterprise security model to allow its employees to work from anywhere, and our customers can do the same with Identity Aware Proxy. In addition, Chromebooks provide automatic software updates, and run applications in a restricted sandbox.

• Regulatory governance: When adopting public cloud, companies must navigate governance and compliance requirements, with data location and financial regulations topping respondents’ list of concerns. Google Cloud has a broad spectrum of compliance, including PCI, SOX, and HIPAA.

The report also includes a tactical 10-step plan for successful cloud migration. To learn more, download the full report.

In January, we joined an amicus brief with other technology companies in a case pending before the Supreme Court involving Microsoft and the U.S. Department of Justice. The companies that joined the brief argue that Congress must act to resolve the complicated policy questions raised by the case, as Congress is best-suited to weigh the important interests of law enforcement, foreign countries, service providers and, of course, the people who use the services.

Pending legislation in the U.S. Congress—the Clarifying Lawful Overseas Use of Data (CLOUD) Act—would make important strides in addressing the issues raised in the Microsoft case by updating the decades-old Electronic Communications Privacy Act. Notably, the bill clarifies that the physical location of data is not a relevant criterion in determining the data disclosure obligations of U.S. service providers.

We wanted to share a little more information on why we think this is important and what it means for our customers and users. Modern distributed networks function in ways that do not focus on data location. As more people and businesses turn to the cloud to keep their data secure and ensure their services are dependable, infrastructure has had to grow and evolve to meet those demands. Global networks offer end users a level of dependability that previously required the most sophisticated backup technologies and significant individual hardware investment. Understanding how a global distributed network like ours works is key to understanding the benefits it offers and the challenges that are presented by laws that focus on where data is stored.

Growth of the public cloud

It’s been an important goal of Internet companies like ours to offer services that can be accessed by hundreds-of-millions of users no matter where they are. These services have to be fast, reliable, robust, and resilient. From our earliest days, it was essential that our index, with its links to vast swaths of content, be as comprehensive as possible. But beyond that, it was also critical that the service be fast. Increasing the speed of search meant a vastly improved experience for users otherwise accustomed to long load times over slow internet connections.

Through the years, we’ve worked hard to continually improve how we serve users in all corners of the world. From an infrastructure perspective, this has meant focusing on how best to route data securely, balance processing loads and storage needs, and prevent data loss, corruption, and outages.

Public cloud services operate on a global basis, using geographically distributed infrastructure to ensure that the services that run on them have maximum availability and uptime. Data typically no longer resides on a single hard drive or server rack, or even in a single data center. Instead, it must be stored, secured, and made available in a way that allows it to be accessed by the users who depend on it just as easily in India as in Germany.

Focus on the user

The way we handle data is driven by what’s best for our users, regardless of whether that user is an individual or a large enterprise. To provide them with the reliability, efficiency, resiliency, and speed they depend on, data might need to be stored in many different configurations across a global network.

Cloud infrastructure also offers business customers more control over where and how their data is stored, depending on their needs. These customers may choose to store their data in a country or data center near their corporate headquarters, or as close to their users as possible.

With customer needs in mind, cloud providers balance factors ranging from internet bandwidth, the likelihood of power outages over available networks, and network throughput. This short video explains how these considerations come to life on a distributed network, using the photo a Gmail user attaches to a message as an example.

Enhancing the security and integrity of your data

As this video explains, individual data files may be broken up into smaller pieces, stored, or moved to keep them safe and accessible. Modern internet networks increasingly transmit and store data intelligently, often moving and replicating data seamlessly between data centers and across borders in order to protect the integrity of the data and maximize efficiency and security for users.

This technological reality underscores why it’s important that legislative solutions not use data location as a way of determining whether a particular country can exercise jurisdiction over a service provider. As internet providers continue to improve their global networks to better serve their users—whether they’re individuals, businesses, educational institutions or others—it’s important that the law reflects an understanding of technological innovation, and how modern distributed systems function.