Modernize and innovate with Google Cloud Security

Augmenting security in the cloud with modern optimizations

The success of a modern business depends on how securely it can keep its data. Cloud adoption is one of the next steps toward innovation in the new digital world, and Google Cloud is a well-known organization in the cloud community. With KPMG and Google Cloud, clients can accelerate digital transformation more securely. Through the alliance relationship between KPMG and Google Cloud Security, we can provide experience, insight, technologies, and capabilities to exceed client expectations.

Business and information technology (IT) leaders are well aware of the crippling effects of a cyber incident. As a result, more of these leaders recognize the need to invest in data security. KPMG has been at the forefront of cloud security, and we bring our extensive cyber security experience together to assist clients in mitigating cloud risks and, where needed, to help them rapidly respond and recover when incidents occur.

Automate hybrid cloud compliance, security and operations

Cloud adoption is often hindered by an organization's security and compliance requirements. KPMG's accelerator around automating hybrid cloud compliance and security operations brings a single pane of glass for all your compliance and security requirements across multiple cloud environments. Learn how to leverage the power and data analytic capabilities of Google Cloud and KPMG’s deep industry and cyber security experience to automate and streamline your security operations and compliance management requirements in the cloud, allowing you to focus on what matters the most for your business.

Transcript

Abhijeet (00:02):

Good morning, afternoon, evening, everyone. I hope you're having a great day so far. Now, often we hear maintaining and managing technical security compliance of infrastructure services and data in cloud is one of the challenges that keeps CISOs and cloud security teams up at night. Now, let alone the complexity of hybrid and multi-cloud environments, maintaining and managing regulatory compliance requirements and supporting scale for business critical workloads.

My name is Abhijeet Kulkarni, and I'm the Managing Director and the US leader for the Google Cloud Security Practice for KPMG LLP. With close to two decades of overall infrastructure transformation and engineering experience, I have helped a few of the Fortune 10 organizations adopt cloud in a safe and secure way. At KPMG, I lead our Google Cloud security business and our security alliance relationship with Google. Along with me, I have Niranjan, who's a director in my team. I will let Niranjan quickly introduce himself. Niranjan?

Niranjan (01:05):

Thanks, Abhijeet. And hello everyone. My name is Niranjan Girme. I'm a director in KPMG's cybersecurity practice, and I have close to 18 years of experience in cybersecurity, technology risk and risk compliance. I help customers that are migrating to the cloud to manage their security, compliance and governance needs, to really help them build a secure and compliant journey to the cloud. The focus of our quick session here today is to understand more about KPMG's solution for helping customers automate compliance and security management in multi-cloud and hybrid environments, which eventually helps them maintain a consistent and compliant security and risk caution, and brings granular visibility and reporting capabilities.

Abhijeet, you bring up an interesting topic around an organization's ability to manage technical compliance in cloud environments, while maintaining scale. Can you outline the current challenges that some of your customers face and the business need for technical compliance automation?

Abhijeet (02:07):

Oh, absolutely. First and foremost, operating at scale is not a technology problem. Most of our enterprise customers will have presence across all major cloud service providers. I have seen them having at least 5,000 instances in cloud, at least 1,000 developers, architects and engineers in their IT, application and business teams, and about 5,000 to 8,000-plus code and infrastructure changes/commits that happen on a weekly basis. A simple three-tier application typically has about 20-plus opportunities for misconfiguration. Now link this back and imagine if the organization or customer has 2,000, 5,000 or 10,000 workloads and applications across their enterprise. Managing the technical compliance for these applications and workloads is just beyond any possible manual scale, right? But the second most identified challenge is that application developers and engineers would think that they will enable logging, alerting and monitoring, and that would help them with their workloads.

Well, they would definitely get alerted every time there is an issue, but then think about the number of alerts that is going to generate in an enterprise environment with a mere 5,000 workloads or 5,000 applications. This essentially leads to alert fatigue. Now, how do you know which ones out of these alerts are the important ones? Which ones should you be paying attention to? This is a very typical signal and noise problem. How do you essentially eliminate noise to identify the critical signals? Try identifying signals from petabytes of logs and you are bound to hit a human/manual error, and you may actually end up missing a critical alert. This is what most of my customers have actually faced in their practical lives. Now, this is where technical compliance automation can really help. One of the highly overused buzzwords in cyber security today is automation, and why not? Security orchestration and automation, in the true sense, solves fundamental problems with skills and allows our customers and their security teams to focus on critical tasks and activities which are very important to their business.

Our customers are majorly omnipresent, which essentially results in an increased surface area for attacks and a need for automation and technical compliance management. Your traditional methods of passively alerting your SOC or security teams of a threat are just no longer going to be very viable. There is a need for an automated way to detect threats and to respond to these threats. This, in combination with your legacy SIEM capabilities, with data analytics and security orchestration and automation, gives you that one single pane of glass that will eventually help you achieve the required compliance automation. Some of these challenges do bring a need for a solution that is able to detect infrastructure configuration drifts, threat vectors, and compliance violations early on in the build life cycle in an automated fashion. Tie this with providing automated remediation and you have a solid technical compliance automation and management system in place, effectively reducing the work pressure on your SecOps teams and your cloud security teams. And it helps them maintain a ubiquitous security posture.

The fundamental driver to achieving technical compliance automation is to trust everywhere and verify anytime, anywhere, using security automation and orchestration. Those are some of the business and technical challenges and key drivers for bringing technical compliance automation to bear. I hope I was able to outline, Niranjan, some of the current challenges which our audiences can connect to.

Niranjan, given you are one of the key technical architects and directors on the solution team, why don't you talk a little bit more about how the solution works and what are some of the dimensions we apply when automating technical compliance and associated remediation?

Niranjan (06:34):

Yes. Sure, Abhijeet. So as you said, there is certainly a need for organizations to be able to rapidly detect threats in a highly scaled environment with large volumes of changes and ever-increasing access. The critical thing here is being able to perform some real-time or close to real-time remediation of security problems. And that really starts out by harvesting the data from various sources: harvesting the data from your cloud-native API endpoints, harvesting the configuration data of your cloud resources, not only upon creation of the cloud resource, but also upon changes to those cloud resources. And then you unify the data so that it is consistent across your accounts, subscriptions, VPCs, projects and so on. And then you drive the analysis around that data. So what does it mean for our organization to be compliant? And that's really the analysis that needs to get done against that data.

And lastly, you need to action against that data. So what do I want to happen when X, Y, Z occurs? What steps and actions should a person, let's say sitting in the SOC, take, or a resource owner take, or what are some of the automated actions that can be immediately triggered? The other thing I want to mention here is multi-cloud and the ability to do this at scale in multi-cloud and hybrid environments. And so, considering that, the solution primarily combines the power of three Google security tools. Number one is Chronicle. Chronicle, as you know, helps you analyze and search large amounts of security and network data by ingesting logs and security data from various sources through their forwarders, APIs and third-party integrations. It normalizes that data, indexes that data, as well as correlates and analyzes that data to provide instant analysis and context on risky security activity.

The second solution is Siemplify SOAR. Siemplify SOAR is the security orchestration, automation and response tool, which provides the ability to respond to cyber threats with a higher degree of automation by automating your SOC playbooks and case management, and provides really cohesive threat intelligence through a very intuitive and simple-to-use portal.

And then the third tool is Security Command Center, which is focused on your Google Cloud resources and Google Cloud infrastructure. It really helps you strengthen your security posture by providing an inventory of cloud assets, identifying misconfigurations, vulnerabilities and threats within those assets, and helping you mitigate and remediate the security risk. Now, the one additional aspect to this solution, combined with the three security tools that I just spoke about, is this concept of shifting left with security. And what that means is identifying security misconfigurations as early as possible in the infrastructure life cycle, not when the infrastructure is deployed, but even earlier, when the infrastructure is still in code format. Most companies, as you know, obviously these days use infrastructure as code to deploy their cloud infrastructure.

Most companies will also start modularizing that infrastructure, meaning creating consumable modules of the infrastructure, almost like templates, that they then release to their application teams to consume with minimal changes and a few variable options. So helping them implement processes, controls, and even tools to identify misconfigurations right in the CI/CD pipeline prior to them even getting deployed into production, coupled with minimal human user access in production environments, should reduce the number of alerts and security logs that are generated from your production environments. That really is the basic summary of the solution, which is to detect and remediate threats, leveraging the power of the security tools provided by Google combined with this shift-left approach to detect and manage cloud misconfigurations early in the cloud life cycle.

So that being said, Abhijeet, would you like to tell our listeners about some of the outcomes and benefits that clients can realize from this approach?

Abhijeet (10:49):

Absolutely, Niranjan. So the outcomes here are all essentially aligned with the business needs that I was talking about earlier, which is being able to identify and remediate security threats and infrastructure drifts, and achieving technical compliance in an automated fashion at scale in large multi-cloud environments with constant changes. So ultimately, the goal here is to help our customers with early detection of cloud misconfigurations and automated response, and overall make it easier to identify threats and act upon high risks. The foundation of the solution is based on some great tools that have been built by Google, and we take them and deploy them in our clients' infrastructure, tailored to their use cases. As customers deploy their cloud infrastructure and cloud resources, they need to have some assurance that the infrastructure is meeting their security requirements. The security requirements could be driven by their internal security policies, control framework, their compliance requirements, or simply leading good cyber practices.

So really the outcome we hope for is for CISOs, CROs, and CIOs to understand the state of their cloud infrastructure, to get a meaningful idea and meaningful visibility of which resources are in a non-compliant state, and which of those non-compliant resources pose a threat scenario that can be exploited. And if so, how are those threat scenarios being actioned upon immediately? Now that we have spoken about some of these outcomes, and as we conclude this session, I want to talk about some of the key takeaways from this discussion. What should our clients think about from a cloud security threat detection and threat management standpoint? So in addition to the outcomes that I was just talking about, if I were to talk about the key takeaways from this discussion, I would essentially start off by saying our customers need to succeed in their digital transformation and cloud journeys. They need to think about security as a whole.

A holistic perspective on security as a part of their transformation is required to achieve that ubiquitous posture, that security posture that they're going to require. This includes customers and companies needing to enable some sort of automated remediation of their threats. They need better ways to unmask real security threats and minimize noise, essentially targeting the signalization. Companies and clients need to move towards enforcing automation through policies and helping build compliance automation at build time. Last, but not least, manage compliance through the development life cycle. I would say these are the four essential key takeaways from this conversation for any customer that is in their cloud journey or as a part of their process. This brings us towards the end of this session. If there are any questions, feel free to reach out to any of us. We would be more than happy to talk about our technical compliance automation and how you can achieve this within your environment. Thank you for your time and have a great rest of your day.

Contact us

Abhijeet Kulkarni

Managing Director, Advisory, Cyber Security Services, KPMG US

+1 214-840-8889