Imho, and as a xoogler who's been in Google Cloud's ecosystem the past few years, Google Cloud's three big focus areas have been AI (this is an evolution from their historical focus on data, then also analytics), Distributed Cloud (Anthos++) and security (post the Mandiant acquisition). They'll never be able to compete on base infra, given their late entry into the game, lack of presence in certain markets, and the lock the competition has in some industries (Azure in industrial/mfg, AWS in pharma, etc), and they know that, so they've lately been focused on what they believe they can control. One of those things is the narrative that Google Cloud is the most secure cloud.
It shouldn't be overlooked that acquiring Wiz is also a way for Google to secure a beachhead in half the Fortune 100, many of which are "enemy" territory.
The price is high, but there aren't many options available and Wiz has the advantage of being built on Google Cloud natively, and already has Marketplace integrations completed.
As a Googler who works in GCP security, security has been a key differentiator for GCP long before the Mandiant acquisition. Google invented BeyondCorp (a primary driver of Zero Trust). Google helped create security keys (U2F, FIDO, Webauthn), and was I think the first major company to adopt them, both for employees, and for consumers. Google was one of the first major companies to offer a bug bounty, in 2010. Google's Project Zero searching for vulnerabilities in other companies'/organizations' software I think was pretty much unprecedented when it was created. Look at the number of times other tech companies get hacked compared to Google. Google got hacked in 2009 by China (I believe that was the first time a major company admitted to being hacked by government). That was a major turning point. Ever since then it's been "never again".
> Look at the number of times other tech companies get hacked compared to Google.
Your whole post is confusing Security of the Cloud with Security in the Cloud. And conflating GCP with Google but those are just examples of why GCP has such a small market percentage.
The security of GCP rests on the security of Google. If Google gets hacked, GCP customers are not secure.
Additionally:
Google offers BeyondCorp products as GCP products. A big example is IAP. Do AWS and Azure offer something like IAP? If so, I think they were created in response to IAP.
Another innovative GCP security product is VPC Service Controls. Do AWS and Azure offer something like that? If so, I think they were created in response to VPC Service Controls.
Bug bounties protect GCP customers by making sure GCP products don't have vulnerabilities.
Project Zero protects GCP customers by finding vulnerabilities in products that GCP customers use (although it also finds vulnerabilities in products that AWS and Azure customers use).
When Microsoft got hacked by China in 2023, China stole Microsoft's signing key, and used it to mint tokens to impersonate Azure AD users of Microsoft customers. That's relevant to security in the Cloud.
The best way to use AWS IAM policies is to not use them at all.
AWS allows you to use multiple accounts easily, and accounts are (by default) completely isolated from each other. That's actually how services work internally at AWS; it's not uncommon for a service to have hundreds of AWS accounts (one for each region multiplied by the number of environments).
That's quite the claim, can you provide an example?
GCP is permissive out of the box and things like the Compute Engine service account having the basic Editor role by default is a bit of a footgun, but they're trivially turned off.
So many areas where resource-based conditions just do not work with particular GCP product offerings and you're forced to give out much broader access than you should be giving out. It's half-arsed and prevents you implementing PoLP.
AWS has a steeper learning curve here, but I've never been unable to constrain down e.g. access to an SNS topic in the way I want to.
Adding to it: deps.dev, osv.dev, SLSA (all are either free or fully open source)
Google has been a great contributor to the AppSec and Software Supply Chain community. I just pray daily that the “google graveyard” curse doesn’t touch these important projects.
> (I believe that was the first time a major company admitted to being hacked by government). That was a major turning point. Ever since then it's been "never again".
I think this is also a good argument for why it is beneficial for society that Chrome stays in Alphabet; Google is good at some things and bad at some things - that people have access to a reasonably safe browser for free should not be underestimated
To me, the security posture of Android (esp. the Pixels) & Chromium stands out as an outstanding contribution to humanity (given the reach of both those platforms).
> Google got hacked in 2009 by China (I believe that was the first time a major company admitted to being hacked by government).
As a GCP user, my view is that Google does Googly things and hopes others will use them. And if not enough people don’t buy into whatever Google builds because it is built by Google, they will cancel it.
> a way for Google to secure a beachhead in half the Fortune 100
If that is their objective, they will fail again, since this is the land of good account management. Being able to call somebody on the phone if required. Something AWS excels on, Microsoft a little bit, while Google is rumored to have humans working there, but they are rarely seen.
We have a relatively modest commit with GCP, around $1M a year, and have a dedicated account rep who I can contact whenever I need to. In fact, we've had a similar relationship even when we were half the size.
Google simply does not have a culture of giving a shit about people's experiences with their product. If you are having a problem you better either have that problem so frequently and severely that it shows up on whatever monitoring system they're using to evaluate release health, or you better get comfortable with it for the long haul.
This is such an underrated weakness of Google. When I was working at AWS ProServe, we never even took GCP as a serious competitor. Their customer service, account management and enterprise sales team was so horrendous it was laughable.
I don’t think we even had talking points about why AWS was better than GCP like we did Azure.
what drives me mad is that it's not even underrated! everyone knows, everyone has been talking (and complaining) about this for something like 15 years!
I personally know of 2 big GCP customers who, over the years, left GCP because of this and the impact it had in critical situations. This very feedback was given in both cases to people considerably high up on GCP's ladder and... nothing's ever changed.
I'm sure plenty of other big migrations off GCP provided the same feedback, to no avail.
When Diane Greene first and then Thomas Kurian became Google Cloud CEOs people thought that finally, due to their previous experiences in very Enterprise-aggressive companies, they would improve massively on that front.
Did they improve the situation? a bit. Massively? bringing GCP finally on-par with anyone else (not better than anyone else, just... the same)? nope, not even close.
Google is, at its core, an advertising company that tries to disguise itself as a technology company. When necessity calls, they will undoubtedly elect to divert resources towards their core business and away from their hobby projects (which GCP is).
I think you'd be quite surprised by how big it is inside Google. & Kurian won himself a lot of favor when Cloud figured out how to make sure it became profitable in Q2? 2023.
It was the last Google organization to have a genuine sustained hiring spree and didn't face nearly the same amount of cutbacks
I can't help feel like this will be rolled into GCP and quickly lose support for Azure and AWS and then just die. That's a lot of money to spend to kill off a business.
I rolled out their "workloads for AWS" stuff recently, it was pretty slick to be able to have AWS IAM roles just translate to GCP roles. You don't have to run your own CA like you do for AWS Anywhere.
I'm slightly baffled by this acquisition but arguing against you actually helps me make some sense of it.
If Google wants to be "the best of the best" at security and some set of potential customers use Wiz as their "best of the best" security, then this is a way to convert those customers to Google.
Consider some org that prioritizes security, like at the board level. They maybe don't really care about the nickel and dime cost of AWS vs. Azure vs. GCP since it comes out to 10s or 100s of millions of opex in the end. What they do care about is the cleanest record possible with respect to security. And Wiz is a key component to their position on security that is communicated to investors - it is a social proof that they are taking security very seriously.
This now becomes a tool for Google when trying to win their business. By degrading the value of Wiz on AWS/Azure/Oracle/Salesforce they are taking away that bullet point on security for a subset of competitors' customers. And that may entice some of them to move their entire cloud service to GCP. So whatever revenue they lose on the Wiz side from a dozen or so cancellations they would hope to make up with a few 100 million dollar whales.
I just find it hard to believe that enough whale level cloud compute business will be generated in this way to justify $32b. This is really the best take I have on the acquisition and it feels unsatisfying, as if there is some other decisive information that would provide a justification for such a valuation.
Maybe there is some government mandate coming down the pipeline that isn't very public yet? Some kind of legislation that will force companies to adopt stricter security policies? That could precipitate the kind of changes that would justify this kind of massive valuation.
Customers will not start using GCP more instead of AWS for example just because Google owns Wiz.
Degrading Wiz capabilities on AWS/Azure/etc will not drive more customers to Google. CSPM and cloud workloads don’t go hand in hand. What will happen is that other companies will capture the market share left by Google. Will the offerings be less than Wiz quality-wise? Sure, but it will be way cheaper than moving to GCP.
The best option will be to leave Wiz as it is - standalone.
That hasn't stopped them before. Fitbit and Nest, for example. Granted, this is an order of magnitude more money to waste. Maybe they'll come up with a better strategy this time.
Google doesn't have a strong record keeping enterprise products around either. I would expect them to absorb this product, release a similar product based on the technology but fully integrated, then sunset Wiz asap.
it's obviously from their own quotes but you can get most of the names in their various customers use cases, joint PRs and the likes (and those required the customers' direct approval)
I don't think that makes much sense in business. They want to move customers from competitors and as an underdog you need to provide some migration path. You don't get this kind of system integration freely. Provide your service in competitors to smooth their transition path but keep the latest and best features in GCP. This was the idea of k8s.
https://cloud.google.com/customers/wiz