The Common Vulnerabilities and Exposures system is one of those things that many people will claim to know nothing about while at the same time being strangely familiar with. That’s because it’s the CVE bit at the start of any security vulnerability listing. It’s boring but essential, as it provides context for how severe a security vulnerability is and so can help prioritize patching. Microsoft has been issuing CVEs for critical cloud service vulnerabilities, whether users need to patch them or not, since June 2024. Now Google has joined the “let’s make the cloud less cloudy” critical vulnerability party. Here’s what you need to know.
Google Expands Security Common Vulnerabilities and Exposures Program For Cloud
Recognizing that keeping up to date with the latest security vulnerabilities is a critical part of helping users, be they consumers, enterprises or vendors, stay secure, Google Cloud’s head of security response, Sri Tulasiram, has announced a major expansion of its CVE program.
“We have seen the Common Vulnerabilities and Exposures system evolve into an essential part of building trust across the IT ecosystem,” Tulasiram said, adding that “CVEs can help users of software and services identify vulnerabilities that require action, and they have become a global, standardized tracking mechanism that includes information crucial to identifying and prioritizing each vulnerability.” So you might think it odd, then, that Google Cloud is to start issuing CVEs for critical Google Cloud vulnerabilities that require no such patching, or any user action at all for that matter.
So, what’s the reasoning behind the move? The new CVEs that don’t require any customer action will carry additional notation by way of an “exclusively-hosted-service” tag, which some could argue just adds more confusion to an already somewhat confusing area of security. Unsurprisingly, Google Cloud’s chief information security officer, Phil Venables, doesn’t see it in that light. “Transparency and shared action, to learn from and mitigate whole classes of vulnerability, is a vital part of countering bad actors,” Venables said. “We will continue to lead and innovate across the community of defenders.”
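As an added example, not code from the article or from Google: one way a vulnerability-management pipeline could consume the tag, so that hosted-only CVEs are recorded for the audit trail rather than queued for patching. It assumes the tag is carried in the CNA container's `tags` array of a CVE JSON 5 record; the sample records are constructed and the CVE IDs are placeholders.

```python
import json
from typing import Optional

HOSTED_TAG = "exclusively-hosted-service"

# Constructed sample records in the CVE JSON 5 record layout. The IDs are
# placeholders, and carrying the tag in containers.cna.tags is an assumption.
SAMPLE_RECORDS = [
    json.dumps({"cveMetadata": {"cveId": "CVE-0000-00001"},
                "containers": {"cna": {"tags": [HOSTED_TAG],
                                       "metrics": [{"cvssV3_1": {"baseScore": 9.1}}]}}}),
    json.dumps({"cveMetadata": {"cveId": "CVE-0000-00002"},
                "containers": {"cna": {"metrics": [{"cvssV3_1": {"baseScore": 9.8}}]}}}),
    json.dumps({"cveMetadata": {"cveId": "CVE-0000-00003"},
                "containers": {"cna": {"metrics": [{"cvssV3_1": {"baseScore": 5.3}}]}}}),
]

def base_score(cna: dict) -> Optional[float]:
    """Return the first CVSS base score in the CNA container's metrics, if any."""
    for metric in cna.get("metrics", []):
        for key, value in metric.items():
            if key.startswith("cvssV") and isinstance(value, dict) and "baseScore" in value:
                return float(value["baseScore"])
    return None

def triage(record_json: str, critical_threshold: float = 9.0) -> dict:
    """Sort one CVE record into a remediation bucket.

    informational: tagged exclusively-hosted-service, so the provider fixed it
        server-side and there is nothing to patch; keep it for the audit trail
        and vendor-risk review only.
    patch-now: a customer-side fix is needed and the base score >= threshold.
    schedule: everything else.
    """
    record = json.loads(record_json)
    cna = record.get("containers", {}).get("cna", {})
    hosted_only = HOSTED_TAG in cna.get("tags", [])
    score = base_score(cna)
    if hosted_only:
        bucket = "informational"
    elif score is not None and score >= critical_threshold:
        bucket = "patch-now"
    else:
        bucket = "schedule"
    return {"id": record["cveMetadata"]["cveId"], "hosted_only": hosted_only,
            "score": score, "bucket": bucket}

def triage_all(records: list) -> dict:
    """Map each CVE id in a feed to its bucket."""
    return {r["id"]: r["bucket"] for r in map(triage, records)}
```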
The Journey Towards A Culture Of Security Transparency For Google Cloud Users
The Cyber Safety Review Board reported that a lack of a strong commitment to security creates preventable errors and serious breaches, which should be a concern to all. Google takes the position that by partnering with the industry through programs such as its own Cloud Vulnerability Reward Program for bug bounty hunters, and now further improving visibility on vulnerabilities with CVEs, it can advance security best practices at scale. “CVEs are publicly disclosed and can be used by anyone to track and identify vulnerabilities,” Tulasiram said, “which has helped our customers to understand their security posture better.”
Anything that contributes to the building of trust in Google Cloud by its customers should be seen as a good thing. This latest announcement is just another step in the direction of a culture of transparency around security vulnerabilities which should be seen as the new norm.