As a Googler who works in GCP security, security has been a key differentiator for GCP long before the Mandiant acquisition. Google invented BeyondCorp (a primary driver of Zero Trust). Google helped create security keys (U2F, FIDO, Webauthn), and was I think the first major company to adopt them, both for employees, and for consumers. Google was one of the first major companies to offer a bug bounty, in 2010. Google's Project Zero searching for vulnerabilities in other companies'/organizations' software I think was pretty much unprecedented when it was created. Look at the number of times other tech companies get hacked compared to Google. Google got hacked in 2009 by China (I believe that was the first time a major company admitted to being hacked by government). That was a major turning point. Ever since then it's been "never again".
> Look at the number of times other tech companies get hacked compared to Google.
Your whole post is confusing Security of the Cloud with Security in the Cloud. And conflating GCP with Google but those are just examples of why GCP has such a small market percentage.
The security of GCP rests on the security of Google. If Google gets hacked, GCP customers are not secure.
Additionally:
Google offers BeyondCorp products as GCP products. A big example is IAP. Do AWS and Azure offer something like IAP? If so, I think they were created in response to IAP.
Another innovative GCP security product is VPC Service Controls. Do AWS and Azure offer something like that? If so, I think they were created in response to VPC Service Controls.
Bug bounties protect GCP customers by making sure GCP products don't have vulnerabilities.
Project Zero protects GCP customers by finding vulnerabilities in products that GCP customers use (although it also finds vulnerabilities in products that AWS and Azure customers use).
When Microsoft got hacked by China in 2023, China stole Microsoft's signing key, and used it to mint tokens to impersonate Azure AD users of Microsoft customers. That's relevant to security in the Cloud.
The best way to use AWS IAM policies is to not use them at all.
AWS allows to use multiple accounts easily, and accounts are (by default) completely isolated from each other. That's actually how services work internally at AWS, it's not uncommon for a service to have hundreds of AWS accounts (one for each region multipled by the number of environments).
That's quite the claim, can you provide an example?
GCP is permissive out of the box and things like the Compute Engine service account having the basic Editor role by default is a bit of a footgun, but they're trivially turned off.
So many areas where resource-based conditions just do not work with particular GCP product offerings and you're forced to give out much broader access than you should be giving out. It's half-arsed and prevents you implementing PoLP.
AWS has a steeper learning curve here, but I've never been unable to constrain down e.g. access to an SNS topic in the way I want to.
Adding to it: deps.dev, osv.dev, SLSA (all are either free or fully open source)
Google has been great contributor to the AppSec and Software Supply Chain community. I just pray daily that the “google graveyard” curse doesn’t touch these important projects.
> (I believe that was the first time a major company admitted to being hacked by government). That was a major turning point. Ever since then it's been "never again".
I think this is also a good argument for why it is beneficial for society that Chrome stays in Alphabet; Google is good at some things and bad at some things - that people have access to a reasonably safe browser for free should not be underestimated
To me, the security posture of Android (esp, the Pixels) & Chromium stands out as an outstanding contribution to humanity (given the reach of both those platforms).
> Google got hacked in 2009 by China (I believe that was the first time a major company admitted to being hacked by government).
As a GCP user, my view is that Google does Googly things and hopes others will use them. And if not enough people don’t buy into whatever Google builds because it is built by Google, they will cancel it.
As a Googler who works in GCP security, security has been a key differentiator for GCP long before the Mandiant acquisition. Google invented BeyondCorp (a primary driver of Zero Trust). Google helped create security keys (U2F, FIDO, Webauthn), and was I think the first major company to adopt them, both for employees, and for consumers. Google was one of the first major companies to offer a bug bounty, in 2010. Google's Project Zero searching for vulnerabilities in other companies'/organizations' software I think was pretty much unprecedented when it was created. Look at the number of times other tech companies get hacked compared to Google. Google got hacked in 2009 by China (I believe that was the first time a major company admitted to being hacked by government). That was a major turning point. Ever since then it's been "never again".
Disclosure: my thoughts are my own.