GCP – Sharing Datasets across organizations with BigQuery Analytics Hub
When logging is enabled, Cloud DNS logs all DNS queries for a public zone from external sources. The logs contain useful information such as the query name, query type, response code, and source IP address. Users can query the data in Cloud Logging to find specific information or to troubleshoot an ongoing issue. However, Cloud DNS does not publish any metrics for public zones, and there is no direct way to visualize all the logged data.
This blog post will show you how to create a log-based metric using Cloud DNS public zone logs data. We’ll then use Cloud Monitoring to create a custom dashboard to view the data.
The pre-configured dashboard will provide the following information:
Query Count for All Public Zones: Total number of DNS queries received for all public zones during a specified time period.
Query Count per Target Name: The number of DNS queries received per public zone during a specified time period.
Response Code: The total number of occurrences of a specific response code for all public zones during a specified time period.
Response Code per Target Name: The number of times a specific response code was returned, grouped by public zone.
Errors: The total number of response codes excluding NoError for all public zones during a specified time period.
Errors per Target Name: The total number of response codes excluding NoError, grouped by public zone.
Server Latency: This distribution metric reports statistical data on request latencies, not individual values. A heat map chart shows the 50th, 95th, and 99th percentiles of server latency. The 50th percentile is the median latency. The 95th percentile is the latency that 95% of requests completed within, so only 5% of requests took longer than it. The 99th percentile is the latency that 99% of requests completed within, so only 1% of requests took longer. See the official documentation for details on how to interpret heat map charts.
The following steps will be performed:
1. Enable logging on public zones
2. Understand the log entry for a public zone
3. Create log-based metrics
4. Create the custom dashboard
Unlike private zones, where logging is enabled or disabled by the DNS server policy on the client network, logging for public zones is enabled or disabled at the zone level. To enable logging for an existing public zone, use the following command:
Command
Note: Cloud DNS only logs queries that reach its name servers. Queries that are answered from caches are not logged.
You can review a table of all the fields in the Cloud DNS logging and monitoring documentation. This section will review the fields that will be used later to create the log-based metrics.
The following fields will be used to create the log-based metrics:
queryName: The DNS query name, e.g. www.example.com.
queryType: The DNS query type, e.g. A, AAAA, SOA, NS, etc. In the sample log entry provided below, the query is for an A record.
sourceIP: IP address of the DNS resolver from which Cloud DNS received the query.
responseCode: The DNS response code, e.g. NOERROR, NXDOMAIN, SERVFAIL, REFUSED, etc.
project_id: Google Cloud project ID for the project which owns the public zone.
target_type: Type of target resolving the DNS query: public-zone, private-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external.
target_name: The target name, for example, zone name, policy name, internal zone name, external domain name
Two distinct log-based metrics are needed: a counter metric and a distribution metric.
The counter metric counts the number of log entries for a specific DNS query name, query type, or response code.
The distribution metric extracts the distribution of server latency.
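The following is an added example, not code from the original post or its GitHub repository. It computes, from constructed Cloud DNS log entries, the same aggregates that the counter and distribution metrics feed into the dashboard panels described above (query counts overall and per target name, response-code counts, error counts excluding NOERROR, and p50/p95/p99 server latency), so you can see exactly what each panel counts before paying for the metrics. The field layout follows the log format the post describes; the sample rows are constructed, the project and zone names are placeholders, and jsonPayload.serverLatency is assumed to be an integer number of milliseconds.

```python
"""Aggregate constructed Cloud DNS public-zone log entries the way the
post's log-based metrics do. Added example; not the post's own code."""
import json
import math
from collections import Counter

# Constructed sample rows (NOT real traffic):
# (target_type, target_name, queryName, queryType, responseCode, sourceIP, serverLatency ms)
_ROWS = [
    ("public-zone", "example-com", "www.example.com.", "A", "NOERROR", "203.0.113.10", 2),
    ("public-zone", "example-com", "www.example.com.", "AAAA", "NOERROR", "203.0.113.10", 3),
    ("public-zone", "example-com", "mail.example.com.", "A", "NOERROR", "198.51.100.7", 1),
    ("public-zone", "example-com", "nope.example.com.", "A", "NXDOMAIN", "198.51.100.7", 5),
    ("public-zone", "example-com", "example.com.", "NS", "NOERROR", "192.0.2.44", 4),
    ("public-zone", "example-net", "api.example.net.", "A", "NOERROR", "203.0.113.10", 7),
    ("public-zone", "example-net", "api.example.net.", "A", "SERVFAIL", "203.0.113.10", 40),
    ("public-zone", "example-net", "old.example.net.", "A", "NXDOMAIN", "192.0.2.44", 6),
    ("public-zone", "example-net", "example.net.", "SOA", "NOERROR", "198.51.100.7", 2),
    ("public-zone", "example-net", "x.example.net.", "TXT", "REFUSED", "192.0.2.44", 9),
    # Not public zones: the metric filter must drop these two.
    ("private-zone", "corp-internal", "db.corp.internal.", "A", "NOERROR", "10.0.0.5", 3),
    ("forwarding-zone", "partner-fwd", "app.partner.example.", "A", "NOERROR", "10.0.0.9", 12),
]


def _entry(target_type, target_name, qname, qtype, rcode, src, latency_ms):
    """One log entry, trimmed to the resource labels and payload fields used here."""
    return {
        "resource": {"type": "dns_query",
                     "labels": {"project_id": "my-project",          # placeholder
                                "target_type": target_type,
                                "target_name": target_name}},
        "jsonPayload": {"queryName": qname, "queryType": qtype,
                        "responseCode": rcode, "sourceIP": src,
                        "serverLatency": latency_ms},               # assumed ms
    }


# One JSON entry per line, as a log export file would hold them.
SAMPLE_LOG = "\n".join(json.dumps(_entry(*row)) for row in _ROWS)


def load_entries(text: str) -> list[dict]:
    """Parse newline-delimited JSON entries, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def public_zone_entries(entries: list[dict]) -> list[dict]:
    """Same selection as a metric filter on resource.type="dns_query" and
    resource.labels.target_type="public-zone"."""
    return [e for e in entries
            if e["resource"]["type"] == "dns_query"
            and e["resource"]["labels"].get("target_type") == "public-zone"]


def query_counts(entries: list[dict]) -> dict:
    """Query Count for All Public Zones, per Target Name, and per query type."""
    per_zone = Counter(e["resource"]["labels"]["target_name"] for e in entries)
    per_type = Counter(e["jsonPayload"]["queryType"] for e in entries)
    return {"total": len(entries), "per_zone": per_zone, "per_type": per_type}


def response_code_counts(entries: list[dict]) -> dict:
    """Response Code (all zones) and Response Code per Target Name."""
    overall = Counter(e["jsonPayload"]["responseCode"] for e in entries)
    per_zone = Counter((e["resource"]["labels"]["target_name"],
                        e["jsonPayload"]["responseCode"]) for e in entries)
    return {"overall": overall, "per_zone": per_zone}


def error_counts(entries: list[dict]) -> dict:
    """Errors: every response code except NOERROR, overall and per zone."""
    errors = [e for e in entries if e["jsonPayload"]["responseCode"] != "NOERROR"]
    return {"total": len(errors),
            "per_zone": Counter(e["resource"]["labels"]["target_name"] for e in errors)}


def percentile(values, p: float):
    """Nearest-rank percentile: the smallest sample that at least p% of the
    samples are less than or equal to. p95 is therefore the latency that 95% of
    requests completed within, not the latency that 95% of requests exceeded."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = math.ceil(p / 100 * len(ordered))
    return ordered[max(rank, 1) - 1]


def latency_percentiles(entries: list[dict], points=(50, 95, 99)) -> dict:
    """The three percentiles the dashboard's latency heat map shows."""
    latencies = [e["jsonPayload"]["serverLatency"] for e in entries]
    return {p: percentile(latencies, p) for p in points}


if __name__ == "__main__":
    pub = public_zone_entries(load_entries(SAMPLE_LOG))
    print("queries:", query_counts(pub))
    print("response codes:", response_code_counts(pub)["overall"])
    print("errors:", error_counts(pub))
    print("latency p50/p95/p99 (ms):", latency_percentiles(pub))
```

With the constructed rows the two non-public entries are dropped, the error panel counts 4 of the 10 remaining queries (one for example-com, three for example-net), and the single 40 ms SERVFAIL response sets both p95 and p99, which is the behaviour you want the heat map to surface rather than hide behind an average.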
To create log-based metrics, use the gcloud logging metrics create command. Logging metrics configuration can be passed to gcloud using a .yaml file.
Note: All user-defined log-based metrics are a class of Cloud Monitoring custom metrics and are subject to charges. For pricing information, please refer to Cloud Logging pricing: Log-based metrics. The retention period for log-based metrics is six weeks. Please refer to the data retention documentation for details.
1. Download the config.yaml from Github:
2. To create counter metrics, use the gcloud logging metrics create command.
Command
1. Download the latency-config.yaml from Github:
2. To create the distribution metric, use the gcloud logging metrics create command.
Command
1. Download the dashboard.json from Github. We will use this file to import the pre-configured dashboard
2. Use the gcloud monitoring dashboards create command to create the dashboard. This command will create a custom dashboard named gcloud-custom-dashboard.
Command
1. In your Google Cloud console, click Monitoring and then Dashboards.
2. Click the custom dashboard named gcloud-custom-dashboard
3. The dashboard can be refined using the Group By and Filter functions. For example, the screenshot below shows a filter that displays only entries whose QueryType is A.
Log-based metrics have higher ingestion delays than other types of metrics, making them unsuitable for real-time monitoring or highly sensitive alerts. Keep the following in mind:
Your metric counts may be delayed. A log-based metric can also lag in showing the correct log count, because log ingestion itself can be delayed by up to 10 minutes.
Set the alignment period to at least 5 minutes when configuring alerts on log-based metrics, so that minor fluctuations do not trigger alerts.
To learn more about DNS capabilities and customization options, please check out the following:
Repo: cloud-dns-public-zone-dashboard
Documentation: Using Cloud DNS Logging
Documentation: Log-based metrics overview
Service Extension callouts on Google Cloud Application Load Balancers, which we recently announced at Google Next ‘23, are now available in public preview. Service Extensions empower users to quickly and easily customize the data plane of Google Cloud Networking products. This custom logic can address unique workflow requirements, offer an on-ramp for partners to integrate their software with Google services, or help organizations implement Cross-Cloud Network services.
Service Extensions offers two methods to inject custom logic into the networking data path: plugins and callouts.
Plugins allow users to insert WebAssembly (Wasm) code that runs the extension inline in the networking data path. Because they are a fully managed resource, they are a good option for users who want the benefits of a Google-managed offering. Plugins are currently only available on Media CDN.
Callouts allow users to instruct Google Cloud Networking products to make RPC "callouts" from within the data processing path to custom services running in Google Cloud, in another cloud, or on-premises. Callouts are deployed on user-managed general-purpose compute.
With the introduction of Service Extensions callouts for Google Cloud Application Load Balancers, users instruct the load balancer to forward traffic, from within the Cloud Load Balancing data processing path, via gRPC to a user-managed or partner-hosted application. That application can apply policies or functions such as header or payload manipulation, security screening, custom logging, or authentication to the traffic before returning it to the load balancer for further processing.
Figure #1, Service Extensions callouts data flow
Two callout extension types, route extensions and traffic extensions, are planned. Each of these types has a primary customization focus:
Route extensions execute first in the request processing order and can be used to insert custom logic near the beginning of the request path. These extensions can influence which backend service the load balancer sends the request to.
Traffic extensions execute last in the request processing path and can be used to insert custom logic just before the request goes to the backend. These extensions support a wide variety of use cases, such as adding a request header, modifying the payload or enabling custom logging.
Benefits of Service Extensions callouts include:
Bespoke implementation: Traffic handling is tailored to address unique workflow requirements and can optimize the performance of cloud applications or services.
User empowerment: Organizations can develop their own applications or purchase programs to change how a service is delivered to support new or custom requirements.
Partner integration: Partners can programmatically integrate their software with Google Cloud Application Load Balancer services and deliver new advanced use cases.
While Service Extensions can deliver a wide variety of functions and services, customer feedback is that the following are very popular use cases:
Incorporating partner software or services gives users an easy, quick, and efficient way to integrate partner applications or services with Google Cloud Load Balancing. Typical areas of interest for this use case include integrating leading security capabilities such as web application firewall (WAF), API security, and bot management. We are excited to see partners including Fortinet, Palo Alto, Traceable and Human Security share an interest in this use case.
Data plane customization focuses on modifying traffic headers and payloads, including rewriting HTML responses to inject security or adtech JavaScript, customizing cache keys by geography, or adding, removing, or changing app-specific headers or device types.
Security and logging enables users to support custom user authentication and authorization based on JWT payloads, translate and implement custom URL signing mechanisms, support custom TLS fingerprinting, or establish custom logs based on custom attributes.
Traffic steering allows callouts to rewrite header information to influence backend selection based on user location and HTTP method, implement custom sticky session logic, and support geo-based regional load balancer traffic routing.
Early feedback on Service Extensions callouts from customers and partners such as Palo Alto Networks, Fortinet, Traceable and Human Security, has been very positive:
“With Google’s new Service Extensions callout capability, Fortinet and Google Cloud customers get even better, more seamless protection for their workloads on Google Cloud.” – John Maddison, Chief Marketing Officer and EVP, Product Strategy, Fortinet
“API security is critical with 90% of web traffic being routed through APIs and becoming the primary targets for modern day AuthN/AuthZ based attacks, data exfiltration and fraud. Traceable’s collaboration with Service Extensions for Google Cloud Load Balancing solves a key customer need of seamless L7 Traffic steering for comprehensive API security. This innovative integration between Google Cloud and Traceable empowers our joint customers to quickly operationalize API security and continuously discover, test, analyze, and protect the digital assets and systems powered by APIs.” – Sanjay Nagaraj, Chief Technology Officer/Co-founder, Traceable
“We are excited to be at the forefront of leveraging Service Extensions callouts to simplify and streamline the integration of the Human Defense Platform for our Google Cloud customers. With this expansion of our partnership with Google Cloud, we are making it easier for our valued partners and clients to safeguard their applications from cybersecurity threats, fraud and abuse. This innovative approach allows effortless integration of the Human Defense Platform into our customers’ applications running anywhere, all without any additional modification of their applications.” – Ido Safruti, Chief Technology Officer, Human Security
“Service Extensions callouts on Google Cloud Load Balancing have the potential to unlock and simplify multiple use cases for our business. The flexibility to use our code or third-party software to change how traffic is secured and processed is particularly attractive to us. We look forward to participating in the public preview and partnering with Google to guide the Service Extensions roadmap.” – Roiy Berko, Vice President of Technical Operations, DoubleVerify
Please see the Service Extensions documentation for additional information.
Power generation and distribution networks are essential to modern life and must keep pace with dramatically increasing demand for electricity. The Energy sector is uniquely critical because it enables all other critical infrastructure sectors. Without reliable and secure electricity networks, economies and communities cannot function.
Cybersecurity is particularly important for energy and utility companies because they face the challenges of protecting vast supply chains, electricity grids, and customer information against myriad malign actors. The energy sector must contend with cyberattacks that include ransomware, supply chain compromise, botnets, and worm attacks. These significant threats emanate from state actors, quasi-state organizations, and terror groups who all see electricity infrastructure, companies, and their systems as valuable targets.
To strengthen our commitment to this sector, today we are announcing a new partnership with the Electricity Information Sharing and Analysis Center (E-ISAC). Google Cloud is proud to be the first leading cloud provider to join the E-ISAC Vendor Affiliate Program.
By joining E-ISAC as a vendor affiliate, Google Cloud will contribute to the electricity industry’s collective defense by providing subject matter expertise on critical vulnerabilities and security solutions. In its role as a Vendor Affiliate Program partner, Google Cloud will devote resources and experts to work alongside industry leaders to transform, secure, and defend the electricity sector.
E-ISAC, in collaboration with the U.S. Department of Energy (DOE) and the Electricity Subsector Coordinating Council (ESCC), serves as the primary security communications channel for the electricity industry and enhances the industry’s ability to prepare for and respond to cyber and physical threats, vulnerabilities, and incidents. E-ISAC aggregates and analyzes security data to share with stakeholders, coordinates incident management, and communicates mitigation strategies to reduce cyber and physical security risks to the electricity industry across North America.
“Partnering with E-ISAC is a critical step in our commitment to help the energy sector transform and secure its critical infrastructure and is aligned with the US Government’s grid modernization and critical infrastructure security priorities,” said Phil Venables, VP and CISO Google Cloud. “As one of the world’s largest tech providers, we believe we have a responsibility to share our expertise and resources with organizations that are working to protect the energy grid and critical infrastructure. This partnership will help us to raise awareness of the security threats facing the energy sector and to develop new solutions to help address these threats.”
As a Vendor Affiliate Program partner, Google Cloud will bring experts and resources — including unique insights from Mandiant, our Threat Horizon reports, and the Google Cybersecurity Action Team — to help the electricity industry protect against cyberattacks. Googlers will work with defenders and leaders in the power and energy sector, sharing knowledge we’ve learned building and deploying secure technology at Google.
This partnership is a continuation of Google’s August 2021 commitment to invest at least $10 billion over five years to advance cybersecurity. This same commitment has enabled us to join other organizations like Health ISAC and Financial Services ISAC, so we can continue to support the security and resilience of our critical infrastructure across key sectors.
“The E-ISAC is pleased to welcome Google Cloud as a Vendor Affiliate Program partner,” said Manny Cancel, NERC SVP and CEO of the E-ISAC. “Our partnership with Google Cloud is a significant and positive step in furthering collaboration between industry and vendors as we work together to reduce risk around supply chain interdependencies and strengthen our collective defense.”
For more information on Google Cloud’s E-ISAC partnership, please visit the Google Cybersecurity Action Team page.
Digitalparking serves more than half of drivers in Switzerland through its parking payment solutions. With a history that reaches back to far more basic parking payment options in the 1960s, the company has evolved alongside the proliferation of smartphones and digital payments to meet the demands of today’s customers.
To transform its services, Digitalparking migrated its infrastructure away from on-premises legacy technology to cloud computing. “Everything changed when reliable, secure management of digital payments became possible,” says Reto Schläpfer, Chief Executive Officer and Chief Technology Officer of Digitalparking. “We realized we had to transform from a hardware to a software company.”
Let’s take a look at how a combination of technologies from Google Cloud and partners Aiven and Datadog modernized Digitalparking’s technology stack while improving uptime, security, and simplicity—and the services people rely on daily.
According to Schläpfer, roughly 2.5 million of the 4.8 million cars in Switzerland have used Digitalparking’s system in the past year. The company started processing a low number of digital payments in 2018, but has seen demand skyrocket to up to 60 million transactions annually.
To accomplish this, Digitalparking takes an approach to innovation that emphasizes customer experience.
“The people using our services value reliability and consistency over everything else,” says Schläpfer. “Our customers park 24 hours a day and want to pay for their parking spot quickly and effortlessly. Any issues can result in hassles for them and problems for us. A big challenge for us was looking at how to scale to handle such a big jump in digital transactions without increasing complexity. We knew we needed a simple and reliable IT infrastructure to support our parking software.”
Digitalparking chose to migrate its VPS-provider-based infrastructure to Google Cloud. Today, the company uses a combination of Compute Engine, Cloud Storage, and Cloud Run, as well as Secret Manager. As maintaining security is vital, Digitalparking takes advantage of firewall configuration capabilities through Terraform by HashiCorp. This enables the business to avoid the costly and time-intensive provisioning of firewalls on individual operating systems while maintaining compliance with data security regulations.
Further, network peering has been critical to Digitalparking’s success, as it allows the company to keep all IT assets within one system.
“Between network peering and Google Cloud firewall capabilities, we not only improved our general data and IT security, but also our system reliability,” says Schläpfer. “Network peering dramatically reduces latency compared to a more fragmented architecture and that translates to better reliability and higher uptime.”
Digitalparking looked at multiple approaches to simplify its IT environment. In addition to adopting Google Cloud solutions, the company began working with a cloud data platform from Google Cloud partner Aiven to remove maintenance and management demands from its DevOps team. The company proved Aiven’s reliability after a year of testing as a secondary database.
Now, Aiven acts as the core database that stores transaction history and other customer data from more than two million customers. “Aiven was the best solution for us. It works great with Google Cloud via network peering and alleviates security challenges as our digital business grows,” says Schläpfer. “Now, we don’t worry about building or managing our own database — that is all outsourced to Aiven. It has had a very positive impact on our business.”
Digitalparking also works with Google Cloud partner Datadog for all of its logging and application monitoring (APM) needs. “We get a lot out of a relatively small integration effort with Datadog,” says Schläpfer. “We don’t have a big team, but with Datadog, we can efficiently observe our machines’ load, manage logging, and ensure high uptime with little to no management or maintenance burden.”
The combination of Google Cloud, Aiven, and Datadog has enabled Digitalparking to manage roughly 2,000 database queries per second without having a DevOps team.
“The beauty of the Google Cloud, Aiven, and Datadog partnership is that we can connect the systems we need once and then never have to worry about it,” says Schläpfer. “We can focus on scaling our business, meeting our customer needs, and keeping our systems secure.”
In the future, Digitalparking intends to continue refining its architecture to achieve the highest levels of security, scalability, and affordability.
“Our market requires us to be as dependable and affordable as possible,” says Schläpfer. “There are actions we can take to further reduce the total cost of ownership for parking lot operators while providing reliable and secure services to their customers. Google Cloud, Aiven, and Datadog help us optimize simplicity across our systems. They will play a primary role in our success going forward.”
Check out the Google Cloud Marketplace to learn more about how partners like Aiven and Datadog can simplify your IT. Additionally, read Aiven's article on its work with Digitalparking for further details on this customer success story.
One of Europe’s leading providers of artificial intelligence (AI) solutions, Mistral AI, is on a mission to design highly performant and efficient open-source (OSS) foundation models.
Mistral AI is teaming up with Google Cloud to natively integrate their cutting-edge AI model within Vertex AI. This integration can accelerate AI adoption by making it easy for businesses of all sizes to launch AI products or services.
Mistral-7B is Mistral AI’s foundational model that is based on customized training, tuning, and data processing methods. This optimized model allows for compression of knowledge and deep reasoning capacities despite having a small number of parameters. These optimized foundational models can lead to benefits in sustainability and efficiency by reducing training time, cost, energy consumption, and the environmental impact of AI.
Mistral’s model utilizes Grouped-Query Attention (GQA), which balances high speed and accuracy for model inference, and leverages the Sliding Window Attention (SWA) method to handle longer sequences at lower cost, as well as improving the accuracy of the resulting large language model (LLM).
At Google, we believe anyone should be able to quickly and easily turn their AI dreams into reality. OSS has become increasingly important to this goal, heavily influencing the pace of innovation in AI and machine learning (ML) ecosystems. These OSS efforts are aimed at enabling a broader spectrum of developers and researchers to contribute to the improvement of these AI models and make AI explainable, ethical, and equitable.
Google Cloud seeks to become the best platform for the OSS AI community and ecosystem. Bringing Mistral AI's model to Google Cloud furthers this mission.
Mistral AI users will benefit from Google Cloud’s commitment to multi-cloud and hybrid cloud, and to high standards of data security and privacy. Concretely, they can keep their data in accordance with their privacy rules and fine-tune and run their models in the environment of their choice — whether on-premises, in Google Cloud, on another cloud provider, or across geographic regions. Through Google Cloud and open source technologies, users enjoy freedom of choice.
Organizations need AI ecosystems with data sharing and open infrastructure. Google Cloud customers can run and manage their AI infrastructure on open source technologies such as Google Kubernetes Engine, Ray on GKE, or Ray on Vertex AI. They can leverage BigQuery Omni to access data in external data sources and cloud providers, and use BigLake to unify data lakes and data warehouses across clouds.
At Google Cloud, we are committed to providing customers with increased visibility and controls over their data.
Customers own and control their data, and it stays within their Google Cloud environment. We recognize that customers want their data to be private, and not be shared with the broader Google or LLM training corpus. Customers maintain control over where their data is stored and how or where it is used, helping them to safely pursue data-rich use cases without fear of data privacy breaches. Google does not store, read, or use customer data outside of the customer’s cloud environment. Customers’ fine-tuned data is their data. We are able to provide Cloud AI offerings such as Vertex AI and Mistral AI models with enterprise-grade safety, security, and privacy baked in from the beginning.
Today we are pleased to announce that Mistral AI’s first open source model “Mistral-7B” is integrated with Vertex AI Notebooks.
This public notebook allows Google Cloud customers to deploy an end-to-end workflow to experiment (i.e., test, fine-tune) with Mistral-7B and Mistral-7B-Instruct on Vertex AI Notebooks. Vertex AI Notebooks enable data scientists to collaboratively develop models by sharing, connecting to Google Cloud data services, analyzing datasets, experimenting with different modeling techniques, deploying trained models into production, and managing MLOps through the model lifecycle.
Mistral AI’s model integration in Vertex AI leverages vLLM, a highly optimized LLM serving framework that can increase serving throughput. By running the notebook, users will be able to automatically deploy a vLLM image (maintained by Model Garden) on a Vertex AI endpoint for inference. When defining the endpoint, users can have many accelerators to choose from to optimize model inference performance.
Leveraging Vertex AI model deployment, users can benefit from Vertex AI Model Registry, a central repository where they can manage the lifecycle of Mistral AI models and their own fine-tuned models. From the Model Registry, users have an overview of their models so they can better organize, track, and train new versions. When there is a model version they would like to deploy, they can assign it to an endpoint directly from the registry, or deploy it to an endpoint by alias.
Learn more about Mistral AI performance and features in their blog post. You can also see how other partners are leveraging generative AI on Google Cloud.
Windows Server 2012 reached End of Support (EOS) on October 10, 2023. This means that Microsoft will no longer provide security updates, patches, or technical support for this operating system version. If you purchase Extended Security Updates (ESUs) from Microsoft to continue receiving critical security updates, you can apply them to your VMs running in Google Cloud. Furthermore, we are committed to ensuring that Windows Server 2012 and 2012 R2 continue to work well beyond the EOS date in Google Cloud. In this blog post, we discuss your options for running a Windows Server 2012 instance on Google Cloud, even though it has reached EOS.
Whenever an operating system reaches EOS, your first and best option is to upgrade to a supported version of the OS. At Google Cloud, we have a range of options to help you do this quickly and easily. But even if upgrading isn't an immediate option for you, you can rest assured that Windows Server 2012 will continue to work beyond the EOS date on all machine types where it is supported today (E2, N1, N2, N2D, T2D, C2, C2D, M1, and M2).
If you’re running Windows Server 2012 today on Google Cloud, there are two ways you can easily upgrade to Windows Server 2016 or later:
Create new VM instances using Windows Server 2016 or later and migrate your applications from the existing VMs.
If you don't want a fresh install, perform an in-place upgrade of your Windows Server 2012 instances by following the upgrade documentation.
Some older applications might not be compatible with newer versions of Windows. In such cases, partner solutions such as CloudHouse can be a good option for enabling an upgrade path for otherwise incompatible applications. You may also want to consider modernization options. For example, if you're running SQL Server on Windows Server, you can move to a fully managed service (Cloud SQL), or if you are running .NET apps on Windows, you can modernize them to .NET Core and run them in Linux containers.
If you have Windows Server 2012 workloads running on-premises, now is an opportune time to move them to Google Cloud. You can easily migrate your Windows Server 2012 VMs using our Migrate2VM or Image import tooling. For licensing, you can either bring your own license (BYOL) (if you have BYOL-eligible licenses) or use Google-provided licenses on a pay-as-you-go basis.
While upgrading your Windows Server 2012 is your best bet to getting security updates for your OS, you can purchase ESUs to get critical security patches and use them on your Windows Server 2012 instances in Google Cloud. Simply purchase them from Microsoft and apply them to your VMs running in Google Cloud.
In addition to applying ESUs, we recommend several ways to harden your Windows Server 2012 environments: isolate them in their own Virtual Private Cloud (VPC) network, assign only an internal (not publicly routed) IP address, follow best practices on limiting user access, and use services like VM Manager to patch critical vulnerabilities.
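Before you can isolate or upgrade EOS instances you have to find them. The following is an added example, not code from the original post: an inventory check that runs over output in the shape of `gcloud compute instances list --format=json`, lists every VM still carrying a Windows Server 2012 or 2012 R2 license, and flags the ones that have an external NAT IP, since the post recommends internal-only addresses for these machines. The instance records are constructed for the example. It assumes that Google-provided Windows Server 2012 images attach a license URL under projects/windows-cloud/global/licenses/ named windows-server-2012-dc or windows-server-2012-r2-dc; BYOL images may carry no such license, so an empty report does not prove there are no EOS VMs.

```python
"""Find Windows Server 2012 / 2012 R2 VMs in gcloud JSON output and flag the
ones exposed on an external IP. Added example; not the post's own code."""
import json
from dataclasses import dataclass

# Assumption: license names Google attaches to its own Windows Server 2012 images.
EOS_LICENSE_NAMES = {"windows-server-2012-dc", "windows-server-2012-r2-dc"}
LICENSE_PREFIX = "projects/windows-cloud/global/licenses/"

# Constructed records in the shape of `gcloud compute instances list --format=json`,
# trimmed to the fields this check reads. Project and zone values are placeholders.
_ZONE = "https://www.googleapis.com/compute/v1/projects/my-project/zones/"
_LIC = "https://www.googleapis.com/compute/v1/" + LICENSE_PREFIX
SAMPLE_INSTANCES_JSON = json.dumps([
    {"name": "legacy-app-1", "zone": _ZONE + "us-central1-a",
     "disks": [{"boot": True, "licenses": [_LIC + "windows-server-2012-r2-dc"]}],
     "networkInterfaces": [{"networkIP": "10.128.0.2",
                            "accessConfigs": [{"type": "ONE_TO_ONE_NAT",
                                               "natIP": "203.0.113.5"}]}]},
    {"name": "legacy-db-1", "zone": _ZONE + "europe-west1-b",
     "disks": [{"boot": True, "licenses": [_LIC + "windows-server-2012-dc"]}],
     # no accessConfigs: internal IP only, as the post recommends
     "networkInterfaces": [{"networkIP": "10.132.0.3"}]},
    {"name": "modern-web-1", "zone": _ZONE + "us-central1-a",
     "disks": [{"boot": True, "licenses": [_LIC + "windows-server-2022-dc"]}],
     "networkInterfaces": [{"networkIP": "10.128.0.4",
                            "accessConfigs": [{"type": "ONE_TO_ONE_NAT",
                                               "natIP": "203.0.113.6"}]}]},
    {"name": "linux-batch-1", "zone": _ZONE + "us-central1-a",
     "disks": [{"boot": True}],  # no license list at all
     "networkInterfaces": [{"networkIP": "10.128.0.5"}]},
])


@dataclass
class Finding:
    name: str
    zone: str
    license: str
    external_ips: list  # empty means internal-only, which is what we want


def load_instances(text: str) -> list[dict]:
    return json.loads(text)


def eos_windows_license(instance: dict):
    """Return the EOS license name attached to any disk, or None."""
    for disk in instance.get("disks", []):
        for url in disk.get("licenses", []):
            if LICENSE_PREFIX in url:
                name = url.split(LICENSE_PREFIX, 1)[1]
                if name in EOS_LICENSE_NAMES:
                    return name
    return None


def external_ips(instance: dict) -> list:
    """Collect NAT IPs from every interface; any entry means the VM is reachable
    from the internet unless firewall rules say otherwise."""
    return [ac["natIP"]
            for nic in instance.get("networkInterfaces", [])
            for ac in nic.get("accessConfigs", [])
            if ac.get("natIP")]


def audit(instances: list) -> list:
    """One Finding per EOS instance, in input order."""
    findings = []
    for inst in instances:
        lic = eos_windows_license(inst)
        if lic is None:
            continue
        zone = inst["zone"].rsplit("/", 1)[-1]
        findings.append(Finding(inst["name"], zone, lic, external_ips(inst)))
    return findings


if __name__ == "__main__":
    for f in audit(load_instances(SAMPLE_INSTANCES_JSON)):
        exposure = "EXTERNAL " + ",".join(f.external_ips) if f.external_ips else "internal-only"
        print(f"{f.name:15} {f.zone:16} {f.license:28} {exposure}")
```

Against real output, pipe `gcloud compute instances list --format=json` into the script and treat every row marked EXTERNAL as the first candidate for an internal-only address or an upgrade; the post's other recommendations (separate VPC, restricted user access, VM Manager patching) still apply to the internal-only rows.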
Finally, if commercial incentives for ESUs are tempting you to choose a different cloud provider, don’t count us out — we might be able to help you both technically and commercially. Please reach out to us at windows-2012-eos@google.com or engage with your Google account team to learn more.
APIs provide direct access to application functionality and data, making them a powerful developer tool. Unfortunately, that also makes them a favorite target for threat actors. Proactively identifying API security threats is top of mind for 60% of IT leaders according to Google Cloud’s 2022 API Security Research Report. Most of the current approaches to securing APIs focus on detecting security vulnerabilities, but rapidly reacting and responding to API security issues once they are detected is just as important in maintaining a strong application security posture.
This is where Advanced API Security for Apigee API Management can help. It’s an add-on that automatically detects misconfigurations, malicious bot attacks, and critical abuses, and today, we’re excited to announce the public preview of two new Advanced API Security capabilities:
Alerts are notifications that inform you about security threats or anomalies as soon as they are detected.
Actions are automated operations, triggered in response to security threats or anomalies, based on predefined conditions.
Actions and Alerts enhance Advanced API Security capabilities by reducing the time between threat detection and resolution through automation, minimizing the potential impact, and making your API security approach more proactive.
Actions automate operations including allowing, denying, flagging, and redirecting API traffic from specific clients. You can choose to specify these clients manually or rely on built-in detection rules in Advanced API Security. These detection rules identify known API threats or patterns detected by our machine learning models pinpointing malicious activities, such as API scraping or anomalies.
To stop API attacks, developers often need to manually exclude specific IP addresses via their Web Application Firewalls (WAF) or through implementing policies — a process requiring a full development cycle for each change. Worse, these processes are often ineffective against adaptive attacks that constantly change IP addresses. But now, with Actions, developers can automatically defend against malicious traffic.
Before your API proxies process traffic, you can choose to apply the following actions:
Flag requests by adding up to five headers in the request sent to an API proxy, allowing you to precisely define the behavior of the traffic inside the proxy. For example, you may not want to intercept suspicious traffic, but rather track and observe it for further analysis.
Deny requests that meet certain conditions, such as originating from a scraping activity. You can even customize the response code that is sent back to the client. For example, you can deny traffic from specific clients previously isolated and identified as suspicious.
Allow requests by overriding any traffic that would otherwise be blocked by a deny action. For example, you can allow traffic from specific clients even if they are captured in a detection rule associated with a deny action.
Creating an Action in Advanced API Security
You also have the option to pause all active security actions, ensuring uninterrupted API requests. You might want this capability as a failover mechanism or allow all traffic in a few controlled scenarios. You can further refine the security measures by analyzing API traffic data associated with specific actions.
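The precedence rules described above (flag adds up to five headers, deny returns a customizable response code, allow overrides deny for the same client, and all actions can be paused), modelled in Python as an added example; this is not Apigee's own code, and the client IPs, detection-reason names and header names are constructed.

```python
"""Model of Advanced API Security action semantics (added illustration).

This is not Apigee's own implementation: it models the behaviour the post
describes so the precedence rules can be exercised. Rules modelled: Flag adds
up to five headers before the proxy sees the request, Deny returns a
customizable response code, Allow overrides any Deny for the same client, and
all actions can be paused. Client IPs, reason names and header names below
are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

MAX_FLAG_HEADERS = 5  # the post: "adding up to five headers"


@dataclass
class Request:
    client_ip: str
    path: str
    # Reasons attached by the platform's detection rules / ML models;
    # constructed here (e.g. {"scraping"}) since no detection is run.
    detected_reasons: Set[str] = field(default_factory=set)
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class SecurityAction:
    name: str
    kind: str  # "allow", "deny" or "flag"
    client_ips: List[str] = field(default_factory=list)  # manual client list
    detection_rule: Optional[Callable[[Request], bool]] = None  # rule match
    deny_status: int = 403  # customizable response code for deny actions
    flag_headers: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.kind not in ("allow", "deny", "flag"):
            raise ValueError(f"unknown action kind: {self.kind}")
        if self.kind == "flag" and len(self.flag_headers) > MAX_FLAG_HEADERS:
            raise ValueError("a flag action may add at most five headers")

    def matches(self, req: Request) -> bool:
        # A client is captured either by explicit listing or by a detection rule.
        if req.client_ip in self.client_ips:
            return True
        return bool(self.detection_rule and self.detection_rule(req))


@dataclass
class Decision:
    status: int              # 200 = forwarded to the API proxy
    matched: List[str]       # names of the actions that matched
    headers: Dict[str, str]  # headers the proxy will receive


class ActionEngine:
    """Evaluates security actions before traffic reaches an API proxy."""

    def __init__(self, actions: List[SecurityAction]) -> None:
        self.actions = list(actions)
        self.paused = False  # "pause all active security actions"

    def evaluate(self, req: Request) -> Decision:
        headers = dict(req.headers)
        if self.paused:
            return Decision(200, [], headers)  # everything passes unchanged
        matched = [a for a in self.actions if a.matches(req)]
        names = [a.name for a in matched]
        allowed = any(a.kind == "allow" for a in matched)
        deny = next((a for a in matched if a.kind == "deny"), None)
        if deny is not None and not allowed:
            # Denied: the client receives the action's custom response code.
            return Decision(deny.deny_status, names, headers)
        # Forwarded (allow overrides deny): apply any flag headers first.
        for a in matched:
            if a.kind == "flag":
                headers.update(a.flag_headers)
        return Decision(200, names, headers)


def build_demo_engine() -> ActionEngine:
    """Constructed action set: deny scrapers, flag anomalies, allow a partner."""
    return ActionEngine([
        SecurityAction("deny-scrapers", "deny", deny_status=429,
                       detection_rule=lambda r: "scraping" in r.detected_reasons),
        SecurityAction("flag-anomalies", "flag",
                       detection_rule=lambda r: "anomaly" in r.detected_reasons,
                       flag_headers={"x-example-flag": "anomaly"}),
        SecurityAction("allow-partner", "allow", client_ips=["203.0.113.10"]),
    ])


if __name__ == "__main__":
    engine = build_demo_engine()
    for req in (Request("198.51.100.7", "/v1/items", {"scraping"}),
                Request("203.0.113.10", "/v1/items", {"scraping"}),
                Request("198.51.100.8", "/v1/items", {"anomaly"})):
        d = engine.evaluate(req)
        print(req.client_ip, d.status, d.matched, d.headers)
```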
Analyzing API traffic data associated with actions
Alerts inform relevant stakeholders when a potential security incident or anomaly is identified. With our new Alerts capability, you are notified of any unusual API traffic (as identified by the detection rules) or of any changes to your security scores.
Today, users have to constantly monitor their security scores or dashboards to identify new attacks. Now with Advanced API Security, you can configure an Alert to send notifications by text, email, or other channels upon detection of unusual traffic.
You can use Cloud Monitoring to set up the alerts to be notified about potential security incidents or even customize how you receive these alerts, be it through text, email, or other channels.
For instance, if there’s a sudden spike in suspicious requests from a particular region, you can set up an alert to be notified immediately. This alert ensures that you’re always in the loop and can take swift action.
Minimizing the time it takes to detect and mitigate an API security threat is one of the most important ways to minimize negative business impacts. Advanced API Security shifts most of that burden to the platform, allowing developers to minimize overhead while maintaining precise control. Advanced API Security is offered as an add-on to Apigee API Management.
Check out our technical documentation to learn more about these new capabilities or explore them hands-on by getting started with Apigee.
Editor’s note: Today, we hear from Parthasarathy Ranganathan, Google VP and Technical Fellow, and Amin Vahdat, VP/GM. Partha delivered a keynote address today at the OCP Global Summit, an annual conference for leaders, researchers, and pioneers in the open hardware industry. Partha served on the OCP Board of Directors from 2020 to earlier this year, when he was succeeded by Amber Huffman as Google’s representative. Read on to hear about the macro trends driving systems design today, and an overview of all of our activities in the community.
At Google, we build planet-scale computing for services that power billions of users, and these services have led to incredible opportunities for system designers to create hardware that operates with high performance, resilience, efficiency, and all at scale. In short, we have embraced open innovation for a new era of systems design.
Today, we are at a new fundamental inflection point in computing: the rise of AI. Google products have always had a strong AI component, but in the past year, we have seen a tectonic shift in the industry and have supercharged our core products with the power of generative AI.
These advances have shown up across our computing systems and workloads, from the original Transformer model in 2017, to PaLM in 2022, to Bard today. Large language models have grown from having hundreds of millions of parameters to trillions of parameters, growing by almost an order of magnitude every year. As model sizes increase, so does the computation needed to run these models. That, in essence, sets up the challenge and opportunity that the open innovation community needs to solve together.
AI isn’t just an enabler of new applications — it also represents a fundamental platform shift — something that we need to innovate on across hardware and software. Together, we need to build the hardware and software platforms that deliver powerful AI solutions across complex machine-learning supercomputers, all in a sustainable, secure, and scalable manner.
Sustainability is an imperative that we all share. Here are several efforts we are engaged in to help our industry towards achieving net-zero emissions:
Net Zero Innovation Hub: The industry answered our call from the OCP Regional Summit in April for a pan-European public and private collaboration to advance sustainability at a regional level. We launched the Net Zero Innovation Hub with co-founders Danfoss, Google, Microsoft, and Schneider Electric on September 28 with an ambitious agenda across all scopes, including waste-heat reuse and grid availability.
Greener concrete: In collaboration with iMasons Climate Accord, AWS, Google, Meta, and Microsoft, we delivered an ambitious technology roadmap to decarbonize concrete. We invite the community to partner with us to execute this roadmap together.
Sustainability metrics: Last year, we formed the OCP Data Center Facilities Sustainability Subproject, co-led by Google and Microsoft. The group is making important progress on establishing clear, consistent and standardized metrics for emissions/carbon, energy, water, and beyond. This work will enable an apples-to-apples data-driven approach to assess the best approaches to help achieve our shared goals.
Security includes both trusted computing and reliable computing, and there are several exciting developments coming in this space, including:
Caliptra: Caliptra is a re-usable IP block for root-of-trust management. Last year, with industry leaders AMD, Microsoft, and NVIDIA, we contributed the draft Caliptra specification to OCP. The Caliptra specification will be complete this year, with the IP block ready for integration into CPUs, GPUs, and other devices. Check out the code repository at https://github.com/chipsalliance/caliptra.
OCP S.A.F.E.: In partnership with OCP and Microsoft, we have developed the OCP Security Appraisal Framework and Enablement (S.A.F.E.) program. OCP S.A.F.E. provides a standardized approach for provenance, code quality, and software supply chain for firmware releases. Learn more at https://www.opencompute.org/projects/ocp-safe-program.
Reliable Computing: Last year, we formed a server-component resilience workstream at OCP along with AMD, ARM, Intel, Meta, Microsoft, and NVIDIA to take a systems approach to addressing silicon faults and silent data errors. The team has made great strides, including publishing the draft specification and open-sourcing Silent Data Corruption (SDC) frameworks (e.g., Intel and ARM collaborating on Open Datacenter Diagnostics, AMD’s Open Field Health Check, and NVIDIA’s Datacenter GPU Manager). To advance this important area faster, we are launching a new academic grant program — the first of its kind at OCP — with member companies supporting significant academic research in this area.
Scalable infrastructure is a primary area of focus for both Google and OCP, from silicon all the way to the cloud. At the OCP Summit this week, we will discuss a few advancements, specifically:
Accelerators: This year, we partnered with AMD, ARM, Intel, Meta, and NVIDIA to deliver the OCP 8-bit Floating Point specification to enable training on one accelerator and serving on another. We partnered with Microsoft and NVIDIA to deliver a set of firmware specifications for GPUs and accelerators covering reliability, manageability, and updates.
AI: During the AI Track, we are highlighting the progress we are making with partners in the OpenXLA ecosystem. We are also discussing the Architecture Gym, a new effort in collaboration with MLCommons to go beyond systems for AI, to AI for systems, looking at how AI can transform systems design.
Networking: To truly build large-scale AI infrastructure, you need world-class networking systems innovation. To help with this, we are opening Falcon, Google’s reliable low-latency hardware transport, and sharing some of the advances we have made over the past 10 years on performance, latency, traffic control, etc. This is part of our ongoing effort to advance Ethernet to the industry as a high-performance, low-latency fabric for hyperscaler environments. Learn more in the blog “Google opens Falcon, a reliable low-latency hardware transport, to the ecosystem”.
Storage: Google is joining the OCP Data Center NVM Express™ (NVMe) specification working group with Meta, Microsoft, Dell, and HPE to provide clear requirements for features in datacenter SSDs including Flexible Data Placement, security, and telemetry. We are also kicking off a new open-source hardware effort to develop an NVMe Key Management block with partners Microsoft, Samsung, Kioxia and Solidigm.
There is tremendous opportunity for all of us in the industry to create even more open ecosystems for innovation. At Google, we have a legacy of embracing and fostering open ecosystems, whether it’s Android, Chromium, Kubernetes, Kaggle, Tensorflow, or Jax. We set industry standards, grow communities, and share our innovations broadly. Our contributions to the Open Compute Project Foundation go back several years, from our first 48V contribution to today, sitting on the OCP Board and being one of its largest contributors. We believe the best is yet to come, through codesign and collaboration across hardware and software, multiple layers of the stack, compute, network, storage, infrastructure, industry and academia, and of course, across companies.
It is exciting to be in an era where we are literally inventing the future with new AI advances every day. All these amazing AI advances in turn need a healthy innovation ecosystem around infrastructure, from all of us — to build the sustainable, secure, scalable societal infrastructure that we need for this AI-driven future. And all of this will be possible only through collaboration across all of us in the community. You can learn more about the OCP Global Summit agenda here and talks by Google here. We are looking forward to the vibrant discussions this week.
At Google, we have a long history of solving problems at scale using Ethernet, and rethinking the transport layer to satisfy demanding workloads that require high burst bandwidth, high message rates, and low latency. Workloads such as storage have needed some of these attributes for a long time, however, with newer use cases such as massive-scale AI/ML training and high performance computing (HPC), the need has grown significantly. In the past, we’ve openly shared our learnings in traffic shaping, congestion control, load balancing, and more with the industry by contributing our ideas to the Association for Computing Machinery and Internet Engineering Task Force. These ideas have been implemented in software and a few in hardware for several years. But going forward, we believe the industry at large will see more gains by implementing the set with dedicated and flexible hardware assist.
To achieve this goal, we developed Falcon to enable a step function in performance over software-only transports. Today at the OCP Global Summit, we are excited to open Falcon to the ecosystem through the Open Compute Project, the natural venue to empower the community with Google’s production learnings to help modernize Ethernet.
As a hardware-assisted transport layer, Falcon is designed to be reliable, high performance, and low latency and leverages production-proven technologies including Carousel, Snap, Swift, PLB, and CSIG.
Falcon’s layers are illustrated in the figure below, including their associated function. We show the RDMA and NVM Express™ Upper layer protocols (ULPs), however, Falcon is extensible to additional ULPs as needed by the ecosystem.
The lower layers of Falcon use three key insights to achieve low latency in high-bandwidth, yet lossy, Ethernet data center networks. Fine-grained hardware-assisted round-trip time (RTT) measurements with flexible, per-flow hardware-enforced traffic shaping, and fast and accurate packet retransmissions, are combined with multipath-capable and PSP-encrypted Falcon connections. On top of this foundation, Falcon has been designed from the ground up as a multi-protocol transport capable of supporting ULPs with widely varying performance requirements and application semantics. The ULP mapping layer not only provides out-of-the-box compatibility with Infiniband Verbs RDMA and NVMe ULPs, but also includes additional innovations critical for warehouse-scale applications such as flexible ordering semantics and graceful error handling. Last but not least, the hardware and software are co-designed to work together to help achieve the desired attributes of high message rate, low latency, and high bandwidth, while maintaining flexibility for programmability and continued innovation.
Falcon reflects the central role that Ethernet continues to play in our industry. Falcon is designed for predictable high performance at warehouse scale, as well as flexibility and extensibility. We look forward to working with the community and industry partners to modernize Ethernet to serve the networking requirements of our AI-driven future. We believe that Falcon will be a valuable addition to the other ongoing efforts in this space.
Our partners across the industry are enthusiastic about the promise that Falcon holds for developing the next generation of Ethernet.
“We welcome Google’s contribution of Falcon as it shares the Ultra Ethernet Consortium’s vision to drive Ethernet as the best data center fabric for AI and HPC, and look forward to continuing industry innovations in this important space.” – Dr. J Metz, Chair, Ultra Ethernet Consortium (led by AMD, Arista, Broadcom, Cisco, Eviden, Hewlett Packard Enterprise, Intel, Meta, Microsoft, and Oracle)
“Falcon is first available in the Intel IPU E2000 series of products. The value of these IPUs is further enhanced as the first instance of an Ethernet transport to add low tail latency and congestion handling at scale. Intel is a Steering Member of Ultra Ethernet Consortium, which is working to evolve Ethernet for high performance AI and HPC workloads. We plan to deploy the resulting standards-based enhancements in future IPU and Ethernet products.” – Sachin Katti, SVP & GM, Network and Edge Group, Intel
“We are pleased to see a high-performance transport protocol for critical workloads such as AI and HPC that works over standard Ethernet/IP networks and enables massive application bandwidth at scale.” – Hugh Holbrook, Group VP, SW Eng., Arista Networks
“Cisco is pleased to see the contribution of Falcon to the OCP. Cisco has long supported open standards and believes in broad ecosystems. The rate and scale of modern data center networks and particularly AI/ML networks is unprecedented, presenting a challenge and opportunity to the industry. Falcon addresses many of the challenges of these networks, enabling efficient network utilization.” – Ofer Iny, Cisco Fellow, Cisco
“Juniper is a strong supporter of open ecosystems, and therefore we are pleased to see Falcon being opened to the OCP community. Falcon allows Ethernet to serve as the data center network-of-choice for demanding workloads, providing high-bandwidth, low tail latency and congestion mitigation. Falcon provides the industry with a proven solution today for demanding AI & ML workloads.” – Raj Yavatkar, Chief Technology Officer, Juniper
“Marvell strongly supports and is committed to the open Ethernet ecosystem as it evolves to support emerging, demanding workloads such as AI. We applaud the contribution of Falcon to OCP and welcome Google sharing practical experiences with the industry.” – Nick Kucharewski, SVP & GM Network Switching Group, Marvell
Networking is a foundational component in building the sustainable, secure, scalable societal infrastructure that we need for this AI-driven future. To learn more about Falcon, join us for the OCP Summit presentation, “A Reliable and Low Latency Ethernet Hardware Transport” by Google’s Nandita Dukkipati at 11:45am at the Expo Hall. We’ll contribute the Falcon specification to OCP in the first quarter of 2024.
To learn more about Google’s contributions to the Open Compute Project and our presence at the OCP Global Summit, check out the blog “How we’ll build sustainable, scalable, secure infrastructure for an AI-driven future”.
Managing high risk data, whether Protected Health Information or social security numbers, is difficult for academic researchers across many domains. Each institution has its own guidelines to safeguard different kinds of datasets, and governmental agencies and funding organizations have their own regulations and compliance requirements. To address these challenges, Stanford Research Computing Center (SRCC) teamed up with Stanford’s School of Medicine and Google Cloud to fund, design, and launch Carina, a customizable high-risk data platform for Stanford researchers. Powered by Google Anthos and Kubernetes, Carina aims to reduce lead time for project setup through a scalable yet compliant compute environment that meets the different needs of each research project. “The privacy as well as the security of the data are paramount. That means we need to architect technological solutions that are tighter in many ways,” says Ruth Marinshaw, SRCC’s CTO for Research Computing. “Our goal was to make reproducible science easier on our platforms. Carina fills the need for a secure on-premise compute environment for high-risk data.” Started in 2021 and rolled out to beta users in 2022, the platform is now ready for Stanford’s research community to access on demand.
SRCC advances research at Stanford by offering and supporting traditional high-performance computing (HPC) systems, as well as systems for high throughput and data-intensive computing, platforms for working with high-risk data, and data storage at scale. “But it’s not just about the hardware,” says Nan McKenna, SRCC’s Senior Director of Research Computing. “Team members also help researchers transition their analyses and models from the desktop to more capable and plentiful resources, providing the opportunity to explore their data and answer research questions (on-premise or in the cloud) at a scale typically not possible on desktops or departmental servers.” The group partners with other campus organizations to offer training and learning opportunities around high-end computing tools and technologies. In addition, SRCC provides consultation to help researchers find the best solution for the kinds of computing and analytics they want to do.
Cutting workflows from one day to one hour
Stanford has had a longstanding relationship with Google, so when SRCC began working on their own platform for high risk data it made sense to start on Google Cloud. “There’s a good community of support for Kubernetes, and that seemed to meet the needs for what we were trying to do,” says Addis O’Connor, Director, Research Computing Systems at SRCC. “Researchers come to us with a variety of requests for packages or workflows they need to run. We would like to make it as easy as possible for them to get up and running.” Google Anthos allows for simple and consistent administration and management across various Kubernetes compute clusters, regardless of their location. “Leveraging tooling from Google allows us to automate and streamline the way we deploy all these different containers,” says O’Connor. “That frees up resources and staff for other things. Having cluster infrastructure and deployment as code within source repositories helps to easily identify problems and audit changes in real time,” adds Neal Soderquist, Research Services Manager with SRCC.
In an initial pilot with internal beta testers, SRCC was able to deploy bare metal and cloud clusters successfully while adhering to Kubernetes CIS Benchmarks. They also added two primary tools–JupyterHub and Slurm–to meet researchers’ needs. Now, Carina is running on-premise high-risk data for over 100 Stanford researchers conducting research ranging from natural language processing of legal texts to analyzing COVID outcomes for the School of Medicine. O’Connor estimates that workflows that used to take a day and a half to analyze on a faculty laptop now take about an hour on Carina.
The SRCC team expects to continue iterating on Carina to streamline workflows as the tools and technologies evolve and mature. They are already in conversations with other peer institutions to share knowledge for greater collaboration in secure settings. O’Connor believes they reached their goal: “we’ve organized the platform in a unique and secure way that gives researchers a lot of flexibility and compute power to make discoveries and potentially change patient outcomes or improve understanding in their fields.”
To find out how you can get started with generative AI for higher education, sign up for an interactive half-day workshop with Google Cloud and partners Nuvalence and Carahsoft. Participants will work with experts in small groups to design a gen AI strategy package customized for their needs. To learn more about funding opportunities, check out the eligibility for cloud training and academic research credits.
As an interdisciplinary research center, Stanford’s Center for Population Health Sciences (PHS) aims to improve the health of populations by bringing together researchers and data to understand and address social, environmental, behavioral, and biological factors on both a domestic and global scale. This entails making large-scale biomedical datasets available for research and analysis while keeping personal health information and electronic health records private and secure. Recently, PHS collaborated with the Center for Disease Control (CDC) to de-identify, standardize, and manage access and permissions to the American Family Cohort (AFC) medical records, which represent over 6.6 million patients from over 800 primary care practices across 47 states. This comprehensive, longitudinal dataset can provide a unique window into the impact of the COVID-19 pandemic throughout the U.S. With the AFC dataset now hosted through PHS on Google Cloud, researchers can analyze COVID-19 disease patterns, progression, and health outcomes; evaluate COVID-19 clinical guidelines uptake, treatments, and interventions; and conduct public health surveillance for COVID-19 and related conditions.
Analyzing high-value, high-risk data at scale
Based on the American Board of Family Medicine’s extensive clinical records since the pandemic began, the AFC dataset comprises three terabytes of medical data– from lab values, medications, procedures, diagnoses, insurance type, vital signs, and social history to about one billion notes by clinicians. It is particularly valuable because of its breadth: it represents populations that are underserved and often missing from other data sources, including rural, low income, and racial and ethnic minorities. It comprises patients on Medicare and Medicaid as well as private insurance plans, making it a more representative sampling of the overall U.S. population.
But the challenges of managing data at this scale are daunting. “Because the datasets we work with are both large and high risk, we needed flexible, scalable, and customizable computational resources for our users,” says David Rehkopf, Director of PHS and Associate Professor in the Department of Epidemiology and Population Health and Department of Medicine at Stanford. The tools also need to be accessible for epidemiologists without a data science background.
Accelerating workflows from four days to 30 seconds
By managing the AFC data on Google Cloud, PHS makes them secure and easy to analyze with cutting-edge AI and machine learning tools. “Features which are standard in Google would be prohibitively expensive to develop in a bespoke fashion for research use,” says Rehkopf. “With Natural Language Processing, we can start to examine those clinical notes for signs of long COVID before there were even any diagnostic codes for it. With Big Query, we can cross-reference demographics to look for risk factors we wouldn’t see otherwise.” Rehkopf reports that the preliminary results are promising: in fact, long COVID may not be as prevalent as other studies have predicted. The team also noticed that workloads that took four days to run on servers now run in about 30 seconds on Google Cloud.
PHS was an early adopter of Google Cloud at Stanford. For the past eight years, the center has managed more than 74 datasets on their Secure Data Ecosystem, which was built on Google Cloud for its affordability, scalability, and stability. Rehkopf says that “the culture is an excellent fit with research and science in the public interest and the continual improvements are invaluable. It’s very difficult to replicate the quality and quantity of compute, and especially the stability, offered by Google. During the COVID-19 pandemic, many on premises systems were overwhelmed by an influx of users, but Google systems remained stable.”
The AFC project is just one example of how PHS uses cloud technology to accelerate biomedical research and develop evidence-based health policies. Rehkopf says that “as we move into machine learning, natural language processing, and transforming our data to synthetic data, we rely on the power and scalability of commercial cloud.” With secure access to real-world data, researchers can address complex community health issues and improve patient outcomes.
If you’re a researcher interested in exploring the benefits of the cloud for your projects, apply here for access to the Google Cloud research credits program in eligible countries. To find out how you can get started with gen AI for higher education, sign up for an interactive half-day workshop with Google Cloud and partners Nuvalence and Carahsoft. Participants will work with experts in small groups to design a gen AI strategy package customized for their needs.
Today, we are excited to announce general availability of the C3D machine series powered by 4th Generation AMD EPYC™ Processors (code-named Genoa) to Google Compute Engine (GCE) and Google Kubernetes Engine (GKE) customers.
The C3D machine series is a general-purpose VM that offers the enterprise-grade performance and reliability of AMD Genoa. Based on our testing performed in October 2023, and compared to our previous generation N2D, web-serving applications such as NGINX can see up to a 54% improvement in performance, relational databases such as Postgres or MySQL up to 62%, in-memory databases such as Redis up to 60%, development workloads up to 33%, and data analytics such as SparkSQL up to 21%.
Source: Google internal data, October 2023
C3D VMs are optimized to provide consistent performance and maintenance experience with minimal disruptions for general-purpose workloads that can’t tolerate performance variance. These are oftentimes workloads that are end-user facing, interactive, low-latency, or business-critical, including: web, app, and ad servers, databases and caches, streaming applications, or data analytics.
C3D scales up to 360 vCPUs and 2.8 TB of DDR5 memory across three memory configurations: highcpu (2GB/vCPU), standard (4GB/vCPU) and highmem (8GB/vCPU), with up to 12TB of Local SSD on the standard configuration.
C3D VMs are built on Titanium, Google’s system of purpose-built custom silicon, security microcontrollers, and tiered scale-out offloads. The end result is better performance, lifecycle management, reliability, and security for your workloads. Titanium enables C3D to deliver up to 200 Gbps of fully encrypted networking, 3x faster packet-processing capabilities than prior generation VMs, up to 350,000 IOPS and 5 GB/s throughput with Hyperdisk Extreme (see below), near-bare-metal consistent performance, integrated maintenance updates for the majority of workloads, and advanced controls for the more sensitive workloads.
Hyperdisk is the latest generation of block storage in Google Cloud. Hyperdisk leverages Titanium to deliver significantly higher levels of performance, flexibility, and efficiency by decoupling storage processing from the virtual machine host. With Hyperdisk, you can dynamically scale storage performance and capacity independently to efficiently meet the storage I/O needs of data-intensive workloads such as data analytics and databases. Now, you don’t have to choose expensive, large compute instances just to get higher storage performance.
Certified for SAP NetWeaver
C3D VMs are certified by SAP to run SAP NetWeaver and SAP workloads on non-SAP HANA databases. SAP NetWeaver is the foundation layer for deploying, managing, and scaling SAP’s enterprise applications, including: SAP S/4HANA, SAP Business Suite (ERP, CRM, SCM, SRM), SAP Business Warehouse, SAP BW4/HANA, and SAP Solution. For more information on the SAP certification, visit: Certifications for SAP applications on Google Cloud and Google Cloud Certification SAP Note 2456432 (login required).
Accelerated performance for AI workloads
The 4th Generation AMD EPYC™ processors support AVX-512 with bfloat16, Vector Neural Network Instruction (VNNI) extensions and high-performance DDR5 memory that’s 50% faster than DDR4. These features allow for acceleration of AI inference on CPUs for common deep-learning use cases. You can take advantage of C3D’s features and further improve performance when using an inference runtime such as Neural Magic’s DeepSparse. Based on Google internal benchmarking, natural language models such as BERT and YOLO saw 2x higher throughput, and computer vision models such as ResNet saw 3x higher throughput on C3D with DeepSparse over N2D, as of October 2023.
“Operational and cost efficiencies are more important than ever as organizations move forward with AI adoption. As models continue to grow in size, the computational complexity and specialized hardware requirements can be overwhelming. Neural Magic’s work with Google Cloud and AMD helps companies deliver AI anywhere they want with readily available infrastructure they already know how to manage.” – Jay Marshall, VP of Business Development, Neural Magic
“After having significantly sped up our workflows and kept our costs low with last-generation AMD VMs, we eagerly anticipated the next-gen EPYC processors. With C3D, our job server workloads experience 25% higher peak performance over N2D and 20% over C2D. This sped up operations that cannot be further parallelized while offering much larger shapes for massively parallel tasks.” – Dimitrios Kechagias, Principal Developer, SpareRoom
“The Google Silicon team develops custom silicon solutions that provide differentiated user experiences in Google hardware. By leveraging Compute Engine C3D VMs, we saw a 40% reduction in simulation runtime compared to C2D. The faster runtimes can increase engineering and schedule efficiency as we build the next generation of devices.” – Rajat Bhargava, Senior Director, Silicon Engineering at Google
C3D VMs are available today in the following regions: us-central1 (Iowa), us-east1 (S. Carolina), us-east4 (North Virginia), europe-west1 (Belgium), europe-west4 (Netherlands), and asia-southeast1 (Singapore). To start using C3D instances, select C3D under the General Purpose machine family when creating a new VM or GKE node pool in the Google Cloud console. Learn more at the C3D machine series page. Stay up-to-date on regional availability by visiting our regions and zones page or contact your Google Cloud sales representative for more information.
With businesses increasingly relying on cloud-based applications and distributed workforces, data loss prevention (DLP) is fundamental in any organization’s secure enterprise browsing journey. According to IBM’s latest annual Cost of Data Breach report, the global average cost of a data breach in 2023 has surged to USD 4.45 million, marking a 15% increase over the last three years. Beyond the financial impact, data breaches can also significantly damage a company’s reputation and customer confidence due to perceived negligence in safeguarding sensitive information.
Keeping enterprise data safety at the forefront, we’re happy to share that the DLP integration between Chrome Enterprise and Symantec Endpoint DLP is now available and is part of the Chrome Enterprise Recommended program. This new integration enables your IT and security teams to establish and enforce policies that control how sensitive data is handled and shared within your browser environment, eliminating the need to manage DLP browser extensions and improving data compliance.
Whether you’re managing Personally Identifiable Information (PII), intellectual property, or financial data, this integration is designed to provide a more secure browsing experience, minimizing the risk of unintentional data leaks and strengthening compliance.
The integration between Chrome Enterprise and Symantec Endpoint DLP detects, monitors and protects sensitive data across various scenarios, including:
Uploading files containing sensitive data to Chrome via File Picker
Uploading files containing sensitive data in Chrome by dragging and dropping them into the page
Pasting sensitive data into web pages and applications
Printing sensitive data from websites and applications
Example of Symantec DLP warning pop-up window
Getting started is easy. The first step is to set up Chrome’s cloud management tool for your organization and start enrolling browsers. This tool allows organizations to manage Chrome browsers from a single cloud-based admin console across Windows, Mac, Linux, Android, and iOS at no additional cost. It is also the same console where IT teams can manage Chrome OS.
Once you have your browsers enrolled, you can then follow this setup guide.
Chrome Enterprise is dedicated to helping businesses work more securely on the web, and DLP is only one aspect of the secure enterprise browsing journey we support. We work with leading security providers like Broadcom to deliver secure browsing solutions, enabling organizations to build best-of-breed technology stacks to meet their unique needs. Enterprises can count on Chrome Enterprise Recommended partner solutions to support their workforce, wherever they work.
Learn more about Chrome Enterprise security here.
Helpful links to get you started:
Symantec by Broadcom support page
Help center article for DLP Connectors
Setting up Chrome Browser Cloud Management
Best practices for using Chrome Browser Cloud Management
Help center article for Chrome Enterprise Connectors Framework
Google Cloud (Apigee) has been recognized as a Leader in the 2023 Gartner® Magic Quadrant™ for API Management, the eighth time in a row we’ve been recognized. We believe we are consistently recognized for our ability to support a diverse range of use cases and the comprehensive capabilities we offer in API Management for organizations of all sizes. Google Cloud (Apigee) has been recognized again for its Ability to Execute and Completeness of Vision in this year’s report.
In the last couple of years, we have seen a surge in the adoption and a sprawl of APIs across organizations. The infusion of generative AI and ML capabilities across existing application architectures is elevating the need for APIs to ensure secure data access for these models. In parallel, developers are shouldering an increasing burden, tasked with not only enhancing security measures but also quickly adapting to changing security and compliance requirements.
Apigee API Management is helping customers around the globe like Lean Business Services, City of Zurich, and Conrad Electronics build APIs for use cases ranging from modernization to monetization, whether in on-premises, hybrid, or cloud-based environments — and all at incredible scale. As organizations increasingly rely on APIs to fuel digital interactions and embrace emerging technologies like AI/ML, the complexities in API Management also evolve rapidly. Addressing these dynamic challenges is a responsibility we hold in high regard, and we are deeply honored by the acknowledgment and trust we receive from our customers, users, and community.
Selecting an API Management vendor is more than a mere technological choice — it’s a decision with profound business implications. We believe the Gartner Magic Quadrant for API Management is an instrumental tool because of its incisive insights into the efficacy of providers — both in terms of how well they address current market problems and execute on their product vision.
We believe Gartner has recognized us for the investments we make day in and day out, but we’re just getting started when it comes to Apigee product innovation. This year, we continued to invest in a few key areas:
Commercial flexibility – In response to the positive reception of the Pay-as-you-go pricing introduced in August 2022, we’ve since seen an increased desire for even more flexibility, and introduced further simplifications to align our pricing attributes across all models and provide increased granularity in Pay-as-you-go pricing. These changes are designed to help you on-board into Apigee at a lower cost and meticulously align your expenses with actual usage.
Versatility – Apigee addresses a diverse range of API use cases operating at any scale, and with backend services hosted in any public cloud or on-premises. Developers even have the flexibility to deploy their API proxies to any environment using Apigee Hybrid. This year, we also introduced the ability to deploy a lightweight API proxy (Standard API Proxy) to orchestrate traffic at 1/5th the cost of traditional API proxies deployed in Apigee. With this capability, API proxies built in Apigee become more multifaceted, be it just orchestrating application traffic or even turning into products that monetize transactions.
Gen AI innovation – To reduce toil for developers, we introduced Duet AI in Apigee API Management in private preview at Google Cloud Next ‘23. Duet AI in Apigee API Management allows developers to build API specifications with natural language prompts, and even use these specifications to create extensions that provide secure, real-world data access for tools like ChatGPT and Vertex AI. We also incorporated large language models trained on a corpus of Google traffic to automatically detect security anomalies.
API security – APIs have become a common target for attackers, as they provide direct access to application functionality and data. Last year, we launched Advanced API Security to detect API misconfigurations and bot attacks. This year, we added machine learning models to detect business logic attacks. We also recently added the ability to be notified of anomalies and take proactive action, such as flagging, redirecting, or blocking traffic. These capabilities are accessible via the Google Cloud console or specialized APIs, simplifying security management and integration into your existing systems.
Developer experience – We are dedicated to simplifying the developer experience, especially as the demand for API development and security intensifies. With ever-growing API portfolios, developers can automatically catalog API specifications that they designed anywhere into API Hub, a universal catalog. Finally, we made Application Integration generally available, helping practitioners bolster interoperability between Google Cloud and third-party applications. We aim to reduce the burden on developers ensuring they are not being overwhelmed by “shifting down” workloads to platforms.
We believe that the Gartner Magic Quadrant is a good source for vendor evaluations, and we’re delighted that our ongoing investment in supporting our customers is being recognized within the industry. Most importantly, we’re thankful to our customers for the support and for sharing our belief that for Apigee, the best is yet to come.
Download the full report here (requires an email address) or learn more.
Gartner, Magic Quadrant for API Management, Shameen Pillai, Kimihiko Iijima, Mark O’Neill, John Santoro, Paul Dumas, Andrew Humphreys, Nicholas Carter, 11 October 2023. This Magic Quadrant report was previously published as Magic Quadrant for Application Services Governance (2015) and previously published as Magic Quadrant for Full Life Cycle API Management (2016; 2018-2022)
Previously recognized as Google (Apigee) in 2018-2022 and as Apigee in 2015-2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Apigee. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed, or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
GARTNER is a registered trademark and service mark of Gartner Inc. and/or its affiliates in the U.S. and internationally and MAGIC QUADRANT is a registered trademark of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved.
What makes Google an extraordinary technology company is its relentless focus on the end-user. It’s what’s led to billions of people interacting every day with products and services like Search, Maps, and Gmail. And it’s what’s led to my joining Google Public Sector shortly after it was formed in July of 2022.
Underpinning Google products and services – which provide an intuitive, personalized consumer experience – is artificial intelligence and security. AI is delivering great experiences to our users, securely and at global scale at every moment. It is what we have come to think of as the “Google magic.”
Google Public Sector is bringing the Google magic – evolving cloud and AI technologies, security, and scale – to the mission of the government to transform the way citizens experience public services and the way agencies operate. For two decades, we have leveraged the power of AI to organize the world’s information and make it useful to people, businesses, and public organizations. We want to bring that power – and its mission-critical capabilities – to our government workers and military service men and women.
Bringing Google innovation to the public sector
Imagine if the public sector brought this same “innovation” mindset to its employees by developing a relentless focus on the end-user experience. In our post-pandemic society, the majority of individuals anticipate higher technology use and expect improved digital services from their government. But governments are not yet meeting citizen expectations.
Government agencies face procurement roadblocks when it comes to investing in transformational technologies. This has led to increasing frustration among government workers and citizens. One source estimates that in the U.S. as much as $140 billion in governmental benefits goes unclaimed. The White House’s Office of Management and Budget attributes this bottleneck to the “time tax,” or the amount of effort required to fill out applications, assemble documents, and schedule government visits. At the same time, 92% of citizens report that “improved digital services would positively impact their view of government,” with the ability to complete processes online being their top choice for state service improvements.
Google Public Sector works with a broad ecosystem of partners to meet customers where they are. Our partners help local, state, and federal agencies define their technological needs and curate solutions that leverage their existing technology investments and create new opportunities via modern digital tools to better serve their constituents.
In Dearborn, Mich., for example, we helped the local government implement a call center so residents can access city services in multiple languages, anywhere, any time. Most recently, we partnered with the DoD’s Defense Innovation Unit to develop AI models to assist augmented reality microscopes (ARM) with cancer detection, leading to earlier and more accurate diagnoses. That’s real-world impact.
Driving mission outcomes for defense and security organizations
Migrating to the cloud can be transformational for all organizations: It modernizes infrastructure and accelerates data analytics at scale. At Next ‘23, I heard panelists from the U.S. Department of Defense’s Chief Digital and AI Office (CDAO) and the Joint Warfare Cloud Capability (JWCC) PMO describe the need for innovation and cloud adoption to further their mission objectives. Our country’s defense and security organizations, however, require the highest levels of data security and privacy with a reliable network and tools that are easy to use in mission-critical contexts.
Google has been a thought leader and a pioneer developer in security for decades and we are excited to bring these capabilities to our defense and national security customers. For those with the highest security needs, Google Distributed Cloud Hosted (GDCH) offers a private, disconnected cloud network with client-side encryption and the ability to support classified workloads from the enterprise level to the tactical edge. It delivers advanced cloud services, including many of our data and machine learning technologies, while remaining air-gapped and disconnected from the public internet.
Fueling a digital future together
Constituents expect their governments to deliver secure, personalized experiences comparable to those offered by private enterprises. Our commitment to the public sector is just that – to meet customers where they are to help them bring the Google magic to their public services. With our industry expertise, our vast partner ecosystem, and our technologies, we can work together to ensure mission success in a secure, responsible, scalable way that leaves the doors open to future innovation.
Learn how Gen AI can improve the future of citizen engagement and services by downloading the new 10 step guide by Google Public Sector.
In our new age of low-code and no-code application development, AI has become the tool of choice for rapidly extending, powering and modernizing applications. With our ever-shifting technology landscape bringing new potential and opportunity to connect and engage with customers, or to optimize and infuse insights and experiences, leading organizations are racing to build new applications faster. Whether it’s to embrace generative AI technologies, or to maintain their competitive advantage, AI-infused application development is quickly becoming a necessity to make it in today’s market.
In this blog, we will discuss how to use Gradio, an open source frontend framework, with Vertex AI Conversation. Vertex AI Conversation allows developers with limited machine learning skills to tap into the power of conversational AI technologies, and seamlessly develop gen AI proof-of-concept applications. With these two tools, organizations can deploy a PoC with an engaging, low-lift generative AI experience that wows your customers and inspires your development team.
Gen AI powered chatbots can provide powerful and relevant conversations by learning from your company’s own unstructured data. The Gradio front-end framework is an intuitive interface for building custom, interactive applications that allow developers to easily share and demo ML models.
One of the Gradio framework’s main capabilities is creating demo apps on top of your models with a friendly web interface, so that anyone can use them and give your organization immediate feedback. Integrating a Gradio app with a generative AI agent built on Vertex AI Conversation unlocks key features that let you tweak and tune the agent to your individual needs and to feedback from users. Using the power of programmability, you can drive deep personalization and contextualization into your chatbot’s conversations with your customers using your organization’s data, and demo them rapidly.
With the unprecedented boom in generative AI, businesses need an accessible and seamless interface to validate their machine learning models, API, or data science workflow. Chatbots are a popular application of Large Language Models (LLMs). Because the interaction with LLMs feels natural and intuitive, businesses are turning to conversational interfaces such as voice-activated chatbots or voice bots. Voice bots are gaining popularity because of the convenience they bring; it’s much easier to speak than to type.
Gradio is an open-source Python framework that makes it easy to build quick interfaces like chatbots, voice-activated bots, and even full-fledged web applications to share your machine learning model, API or data science workflow with clients or collaborators. With Gradio, you can build quick demos and share them, all in Python with just a few lines of code. You can learn more about Gradio here.
Vertex AI Conversation’s data ingestion tools parse your content to create a virtual agent powered by LLMs. Your agent can then generate conversations using your organization’s data to provide a contextual and personal interaction with end-users. Seamless deployment through a web browser means demonstrating your application is easier than ever with the Gradio framework.
Gradio can be used to build chatbots that can answer user questions using a variety of data sources. To do this, you can build a middleware that uses Vertex AI Conversation to process the user’s input and generate a response from an agent. The agent can then search for answers in a data store of documents, such as your company’s knowledge base.
When the agent finds an answer, it can summarize it and present it to the user in the Gradio app. The agent can also provide links to the sources of the answer so that the user can learn more.
Here is a more detailed explanation of each step:
1. The user asks the chatbot a question.
2. The middleware sends the question to the gen AI agent via the Dialogflow API.
3. The gen AI agent searches for answers in the data store.
4. If the agent finds an answer, it summarizes it and provides links to the sources.
5. The middleware returns the summary and links, received via the Dialogflow API, to the Gradio app.
6. The Gradio app displays the summary and links to the user.
The following diagram describes a high level architecture to be presented that can be used as a foundational building block for a MVP with core functionalities.
The following is a description of the components of the chatbot architecture:
Backend
  Authentication: Verifies the user’s identity.
  Middleware: Orchestrates all requests and responses to generate answers.
  Generate Answer: Generates responses from a virtual agent grounded by the enterprise data. The underlying components or products are:
    Vertex AI
      Vertex AI Conversation: Creation of a generative AI agent capable of understanding and responding to natural language.
      Dialogflow CX: Conversations are handled via Dialogflow.
    Cloud Storage: Storage of the enterprise data.
    Data Store: Storage index data created automatically by Vertex AI Conversation to index the enterprise data and to allow Dialogflow to query it.
    Speech to Text: Converts voice recordings from the user to text to be passed to Generate Answer.
Gradio Frontend
  Chatbot: Provides a voice-activated chatbot that can understand both keyboard inputs and voice-based messages. The bot’s interface is built using the Gradio framework.
  Speech Recording: Enables users to send voice-based messages.
Once the application is launched, the interface will look like the image below.
Record from microphone: Allows users to send voice-based messages.
Start a new conversation: Erases chat history and initiates a new conversation.
Source: Displays links to the sources of the response, such as the user manual.
You can find examples of the implementation in the GitHub repo genai-gradio-example.
The code illustrates a deployable PoC application that demonstrates some basic functionalities implemented through Vertex AI and complemented by a custom Gradio UI/UX portal. As next steps, we recommend exploring and generating ideas for user-centric products that can be powered by Vertex AI in your company. Google can help.
In this post, we have discussed how to integrate your Gradio conversations with a generative AI agent using Vertex AI Conversation. This can be used to build rapid generative AI PoC applications, and begin the discussions within your organization for how you can harness the power of generative AI. We are also providing you with the high-level architecture for your application and sample code to get you started right away. We hope that this information will be helpful to developers who are looking to rapidly build gen AI-powered applications. While still in its early stages of development, gen AI is already changing how organizations connect, engage, and support their customers, and with such fast-shifting technologies, fortune favors the bold.
Editor’s note: In this post AJ Ross, CTO at Fluxon, discusses the key considerations and comparative technologies for startups looking to move from AWS to Google Cloud.
If you’re a startup considering migrating from Amazon Web Services (AWS) to Google Cloud, it’s important to understand the technical differences between them. Luckily, modern cloud platforms are to some extent interchangeable. In our experience at Fluxon, if you’ve already decided to move, you’ll be pleasantly surprised by Google Cloud’s advanced solutions.
When migrating, it’s important to understand not just the costs of your application’s workloads, but also how a cloud platform can lower expenditure thanks to technology that is functionally superior or easier to adopt. For this reason, Google Cloud stands out for a range of proven solutions and APIs that offer attractive features, performance, and reliability all at a competitive price point. In some cases, such as Kubernetes and BigQuery, Google Cloud’s offerings are vastly superior to competitors’.
In this article, I will discuss key considerations and comparative technologies for startups looking to move from AWS to Google Cloud. I will also provide a comparison of the two platforms in terms of features, pricing, and scalability. If you’re looking for a “rosetta stone” of translations from one cloud to the other for common full-stack applications, or to see where Google Cloud is vastly superior to the competition, then read on.
It’s no secret that IAM, with its complicated web of users, groups, roles, and permissions, is one of the more difficult aspects of managing a cloud platform. Both AWS and Google Cloud are highly customizable when it comes to IAM granularity, but it’s important to understand their different approaches.
A major difference you’ll notice with Google Cloud is that there is first-order support for dedicated service accounts. These are effectively users under which your (and Google Cloud’s) programmatic APIs operate. While top-level Google Workspace users are dedicated to human-driven authentication and actions, service accounts are expected to do all of the programmatic work. Google Cloud service accounts provide the benefit of least privilege by creating fine-grained access control. Service accounts are used so extensively in Google Cloud that they are created automatically to run services for you; you then tune them to isolate roles and services, which saves time and effort.
In AWS, nearly every action is governed by a policy: users belong to groups and roles, and each action can be checked against a policy. This is different from Google Cloud where, in addition to having generalized roles and policies for each user, resources can also define which users can access them.
For example, on AWS you might create a new user that can access your production database and S3 buckets. To do this you generate a policy that grants access to specific actions on these resources for the new user. On Google Cloud, you create a user or service account, but you set the permissions for that user on the bucket itself. AWS used to have resource-specific policies for S3 buckets, but they have been deprecated for some time.
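To make the resource-level model concrete, here is an added example (not from the article or from Fluxon) that models how Google Cloud evaluates a bucket’s effective policy: bindings attached to the bucket are combined with bindings inherited from the project above it. The project id, bucket names and service-account address are constructed, and the role-to-permission map is a subset of the real predefined roles.

```python
"""Offline model of Google Cloud resource-level IAM bindings.

A Google Cloud IAM policy is a list of bindings (role -> members) attached
to a resource. Policies are additive and inherited down the hierarchy
(organization -> folder -> project -> bucket), so a bucket's effective
policy is the union of its own bindings and its ancestors' bindings.
The sample policies below use the same JSON shape that
`gcloud storage buckets get-iam-policy` prints.
"""
import copy
import json
from typing import Dict, List, Optional, Set

# Subset of the permissions in two real predefined Cloud Storage roles.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {
        "storage.objects.create", "storage.objects.delete", "storage.objects.get",
        "storage.objects.list", "storage.objects.update",
    },
}

# Constructed sample: one project, two buckets, one app service account.
SA = "serviceAccount:app-reader@example-project.iam.gserviceaccount.com"
PROJECT = "projects/example-project"
HIERARCHY: Dict[str, Optional[str]] = {   # resource -> parent resource
    "buckets/app-assets": PROJECT,
    "buckets/finance-exports": PROJECT,
    PROJECT: None,
}
POLICIES: Dict[str, dict] = {
    # Least-privilege grant set directly on the one bucket the app needs.
    "buckets/app-assets": json.loads(
        '{"bindings": [{"role": "roles/storage.objectViewer", "members": ["%s"]}]}' % SA
    ),
    "buckets/finance-exports": {"bindings": []},
    PROJECT: {"bindings": []},
}


def effective_bindings(resource: str, hierarchy=HIERARCHY, policies=POLICIES) -> List[dict]:
    """Bindings that apply to `resource`: its own plus every ancestor's."""
    out: List[dict] = []
    node: Optional[str] = resource
    while node is not None:
        out.extend(policies.get(node, {}).get("bindings", []))
        node = hierarchy.get(node)
    return out


def effective_permissions(member: str, resource: str, hierarchy=HIERARCHY,
                          policies=POLICIES) -> Set[str]:
    """Union of permissions every applicable binding grants to `member`.
    Membership is matched by exact principal string; group and domain
    expansion is out of scope for this model."""
    perms: Set[str] = set()
    for binding in effective_bindings(resource, hierarchy, policies):
        if member in binding.get("members", []):
            perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms


def has_permission(member: str, permission: str, resource: str,
                   hierarchy=HIERARCHY, policies=POLICIES) -> bool:
    return permission in effective_permissions(member, resource, hierarchy, policies)


def with_project_binding(role: str, member: str, policies=POLICIES) -> Dict[str, dict]:
    """Copy of the policies with `member` also bound at project level, to show
    how a project-wide grant silently reaches every bucket underneath it."""
    widened = copy.deepcopy(policies)
    widened[PROJECT]["bindings"].append({"role": role, "members": [member]})
    return widened


def public_buckets(hierarchy=HIERARCHY, policies=POLICIES) -> List[str]:
    """Audit check: buckets whose effective policy grants anything to the
    special principals allUsers or allAuthenticatedUsers."""
    public = {"allUsers", "allAuthenticatedUsers"}
    return sorted(
        r for r in hierarchy if r.startswith("buckets/")
        and any(public & set(b.get("members", []))
                for b in effective_bindings(r, hierarchy, policies))
    )


if __name__ == "__main__":
    for bucket in ("buckets/app-assets", "buckets/finance-exports"):
        print(bucket, sorted(effective_permissions(SA, bucket)))
    widened = with_project_binding("roles/storage.objectAdmin", SA)
    print("after project-level objectAdmin:",
          sorted(effective_permissions(SA, "buckets/finance-exports", policies=widened)))
    print("public buckets:", public_buckets())
```

The bucket-scoped binding lets the service account read only `app-assets`; the `with_project_binding` variant shows why a project-level grant, though convenient, gives the same account write and delete access to `finance-exports` as well.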
Most of the applications we build at Fluxon are web-based, so determining where and how to deploy our applications is a crucial question. At a basic level, both AWS and Google Cloud offer virtual machines through EC2 and Compute Engine. Both platforms enable you to create VMs by configuring your CPU, RAM, and attached storage parameters. Both platforms also offer opportunities to reduce costs with reserved and spot instances, and both offer VPCs to isolate services securely.
If you’re looking to move your existing VM-based workload to Google Cloud from AWS, you’ll find that the offerings are very similar, with the notable advantages that Google Cloud provides Migration Center for a seamless end-to-end experience, as well as a more modern and holistic interface that can make managing your resources much easier.
However, managing servers adds operational overhead for engineering teams. For this reason, most people start with container-based deployments. Cloud Run is a great solution if you’re migrating a container from an AWS Elastic Container Service (ECS) pipeline, such as ECS Fargate. Cloud Run enables you to host and scale any container easily, and with Cloud Build, you can quickly build a pipeline that deploys new versions of your application.
If you have a workload with microservices or multiple services that need to interoperate, you’ll find that Google Kubernetes Engine (GKE) is best-in-class. GKE is the only managed Kubernetes service that can offer scaling up to 15,000 nodes and delivers multiple types of automation. Unlike the competition, Google Cloud has made it easy to use both Cloud Run and GKE, letting you move between them as needed, without forcing your teams to choose.
If you already have a Kubernetes application on AWS, moving to Google Cloud should be straightforward since there is feature parity in terms of deployment, monitoring, availability, and command-line tools. But with Google Cloud you also have the advantage of the Google Cloud console, which provides a cleaner UI for Kubernetes management compared to AWS, which is a bit more fragmented.
Both AWS and Google Cloud offer nearly identical options for transactional databases. Both provide fully managed PostgreSQL, MySQL, and SQL Server that are attractive to developers. Both support VM configurability, replication options, and availability zones for redundancy. But with Google Cloud, you can manage access control through the Identity and Access Management system, so database access can be cleanly integrated with Google Cloud instead of managing users and roles individually on each database.
If you’re looking for lightweight or ephemeral storage such as Memcache or Redis, Google Cloud offers a Redis API-compatible service called Memorystore that is perfect for caching or other high-speed key-value set operations you would expect from Redis. However, keep in mind that Memorystore doesn’t offer persistence. While Memorystore’s more-expensive Standard tier utilizes multiple high-availability replicas, your data isn’t flushed to disk anywhere. This should be fine in theory, but make sure to understand the difference before fully switching to Memorystore.
One area where Google Cloud excels is with reporting databases. If you have a data lake in AWS, you’ll be pleasantly surprised by BigQuery, which is a cost-effective solution for storing massive amounts of data that can be queried with SQL. BigQuery enables you to stream records to it (similar to Kinesis), store them in its own proprietary format (like Redshift), and you can use it to scan external data sources (like Spectrum or Athena).
To migrate data from AWS, check out the Google Cloud Storage Transfer Service (for cross-cloud synchronization) or the Transfer Appliance, a high-capacity storage device that enables you to transfer and securely ship your data to a Google Cloud facility, where your data is uploaded to Cloud Storage. If you already have a business intelligence and analytics platform, it most likely supports BigQuery, but if you don’t you can try out Looker Studio (free) or subscribe to Looker Studio Pro.
Cloud Storage is comparable to AWS S3 — both are cost-effective platforms where you can store and serve objects. However, the pricing options vary on both platforms according to storage class, region, redundancy, data transfer amount and direction, and access frequency. In terms of functionality, Cloud Storage features are very familiar, and although Cloud Storage doesn’t directly speak the S3 protocol, which is now a de facto standard across cloud providers, you can import data from other providers by using the “gsutil” command line utility or with the Storage Transfer Service.
Depending on the complexity of your applications, migrating from AWS to Google Cloud could be easy and straightforward, or it could involve a lot of complexity and require a lengthy transition. While many Google Cloud solutions should be directly translatable from AWS, the hard part is always in the details, such as access control, networking, and other platform idiosyncrasies. In the meantime, I hope this guide has been useful and given you a broad overview of how to approach a transition from AWS to Google Cloud. And while many services are similar, Google Cloud stands out for its easier, more modern interfaces and its stronger security controls.
If you want to learn more about how Google Cloud can help your startup, visit our page here to get more information about our program, and sign up for our communications to get a look at our community activities, digital events, special offers, and more.
Welcome to the first Cloud CISO Perspectives for October 2023. This month, I’ll be discussing the increasingly-important (and often undervalued) organizational skill of crisis communications — and how boards can help prepare their organizations for the inevitable. Effective crisis communications was a central pillar of our third Perspectives on Security for the Board report, published last week.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
Boards of directors serve in oversight capacities to assure their organizations are ready to handle security incidents, and a big part of this includes cyber crisis communications. I believe that a board that can help its organization prepare for worst-case scenarios is taking part in preemptively reducing the impact of those scenarios.
Effective crisis communications can create a vital lifeline to continuity of business efforts and can help minimize the impact of a cyber incident. Of course, it’s crucial that organizations have timely detection, containment, eradication, and recovery capabilities. Yet just as important is training in advance the organizational muscles needed to communicate quickly and effectively with stakeholders, customers, and the wider public during a cyber-crisis, maintaining and possibly even improving trust.
Phil Venables, VP/CISO, Google Cloud
A swift and coordinated response to a crisis is imperative. Social media platforms, official statements, and regular updates shared across multiple channels are all crucial components of a successful crisis communications strategy.
In our most recent board perspectives report, we shared lessons learned from Mandiant’s Crisis Communications response specialists’ first-hand experience addressing cybersecurity crisis communications. Their guidance below covers key questions to ask of your C-suite, IT, and security leadership, and four key phases of the crisis communications response.
The first phase, planning, is a foundational activity for all organizations, regardless of size, sector, or location. The approach to planning should be customized to the organization, providing a written and repeatable plan with clearly defined roles and responsibilities, a governance structure with formal decision authority levels, and a framework for response.
The crisis response team should include representation from across the organization. You can’t anticipate what you’ll need, especially when it comes to provisioning hardware, disseminating actionable intelligence, and conducting insightful data impact assessments. The team should also implement a governance and management model, with specific working groups aligned to functional responsibilities.
The second phase, also part of the pre-breach response, is the “Assurance” or exercise phase. During this phase, organizations should exercise their team’s response based on real-world attacks and scenarios. Some states have even moved to mandate this as part of the board response. Regularly conducting cybersecurity tabletop exercises and crisis simulations can significantly enhance your preparedness. These exercises not only help refine incident response processes, but also provide invaluable experience for organizations in managing real-world scenarios.
Response execution will be defined by the priority and attention you put into the first two phases. When the day comes, it is imperative that organizations are able to quickly spin up their teams for response. Actions taken during the first two phases should have helped delineate roles and responsibilities, and should have helped establish a working governance structure to guide the response.
Response teams will be able to organize the requisite information exchange sessions, and track the action items and tasks. They will have already mapped their stakeholders and communication channels, and be able to quickly assess channel readiness. The smoothest and most-effective responders are usually those who are well-trained, well-equipped, and have pre-staged the requisite tools ahead of time.
Emotionally and operationally, managing a breach can exact a high toll on those who’ve lived through it. Many people never want to talk about the incident again. However, as difficult as it may be, it’s important to complete the post-incident review. This phase starts just as the dust settles: the investigation is complete, the remediation activities have restored business operations, and notifications have been made to regulators or victims. Some may also call this the “After Action” or “Lessons Learned” phase, and second to planning, it is one of the most important phases.
You can hear more frontline stories of how Mandiant Crisis Communications supports organizations who’ve been breached in this podcast.
Because of its oversight position, the board is well-suited to helping to craft a multifaceted approach that intertwines robust technical defenses and crisis communications strategies. This integration creates a better foundation to safeguard your organization’s digital assets and reputation. Key questions that boards should ask their C-suite, IT, and security leadership include:
What is your role in the event of a cyber incident?
What are your organization’s regulatory and legal reporting requirements when it comes to an information security, data, or privacy incident?
How will you be contacted in the event of an incident, and what is your process to authenticate the communications?
Do you have a secure method to share and receive communications related to an incident?
How often are you receiving regular threat intelligence briefs that will help inform your risk-based decision making?
Have you confirmed your organization has cyber incident response plans, playbooks, and documentation?
Are you participating in executive tabletop exercises?
The critical role of communication in managing incidents cannot be overstated for business leaders. As we navigate an ever-changing and complex business landscape and risk environment, the ability to respond swiftly and effectively hinges on our communication strategy. Timely and transparent internal and external communication ensures the safety of employees and assets, and safeguards an organization’s reputation and stakeholder trust.
Each board member should champion this cause within their respective spheres of influence, encouraging a culture of open and effective communication at every level of the organization. Adopting and training a crisis communication strategy as a team can help mitigate risks and create opportunities for growth and innovation. Organizations can often emerge stronger and more resilient to face their future challenges.
Here are the latest updates, products, services, and resources from our security teams so far this month:
Google mitigated the largest DDoS attack to date, peaking above 398 million rps: Google Cloud stopped the largest known DDoS attack to date, which exploited HTTP/2 stream multiplexing using the new “Rapid Reset” technique. Read more.
How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack: Learn how the new DDoS attack technique Rapid Reset works, and how to mitigate it. Read more.
How Sensitive Data Protection can help secure generative AI workloads: Here’s a data-focused approach to protecting gen AI applications with Google Sensitive Data Protection, along with some real-life examples. Read more.
Reddit uses Web Risk to protect users against phishing, malware, and social engineering: To keep Reddit a welcoming and real space for users, Reddit used Google Cloud’s Web Risk API to evaluate URLs in user-generated content at scale. Read more.
Introducing Google Cloud Firewall Plus with intrusion prevention: This update to Cloud Firewall Plus provides protection against malware, spyware, and command-and-control attacks on a customer’s network. Read more.
Deliver and secure applications in less than an hour using Dev(Sec)Ops Toolkit: The Dev(Sec)Ops toolkit helps customers accelerate the delivery of internet-facing applications with Cloud Load Balancing, Cloud Armor, and Cloud CDN. Read more.
Manage infrastructure with Workload Identity Federation and Terraform Cloud: Terraform Cloud workspaces integrate with Workload Identity Federation to authenticate and then impersonate Google Cloud service accounts. Read more.
Introducing Advanced Vulnerability Insights for GKE: Artifact Analysis in partnership with Google Kubernetes Engine has introduced a new vulnerability scanning offering called Advanced Vulnerability Insights. Read more.
Additional signals for enforcing Context Aware Access for Android: BeyondCorp Enterprise, Workspace CAA, and Cloud Identity can now receive critical Android device security signals for both advanced managed devices and, for the first time, basic managed devices. Read more.
reCAPTCHA Enterprise and the importance of GDPR compliance: Google Cloud reCAPTCHA Enterprise can help businesses comply with GDPR by securely processing personal data to customer instructions. Read more.
Assessing North Korean cyber structure and alignments in 2023: North Korea’s offensive program continues to evolve, showing the regime is determined to continue using cyber intrusions to conduct espionage and financial crime. Read more.
Analysis of time-to-exploit trends from 2021-2022: Mandiant Intelligence analyzed 246 vulnerabilities that were exploited between 2021 and 2022, and found that the number of exploited vulnerabilities each year continues to increase, while the overall time-to-exploit is decreasing. Read more.
Ask us anything, 2023: Where did the “3 a.m.” cloud security test come from? What’s your security “secret origin”? Hosts Anton Chuvakin and Tim Peacock get personal in this year’s podcast AMA. Listen here.
Coast to Coast, 2015 to 2023: Cloud security ch-ch-changes: From an east versus west cloud CISO mentality to how cloud security has changed since the formative year of 2015, Anton and Tim look for clues to the future of cloud security in its deep dark past, with Jeremiah Kung, global head of information security, AppLovin. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.