Cloud

According to a recent Accenture report, large businesses deploy an average of 500 different applications. This trend shows no signs of slowing down, with the majority of respondents signaling plans to acquire even more applications. No surprise, all these applications present a number of integration challenges, which the impending wave of generative AI in software development only promises to further intensify.

Two years ago, we introduced Apigee Integration as an add-on capability to Apigee API Management. From conversations with customers, it’s become clear that you want to access these capabilities directly from the Google Cloud console. Today, we’re announcing the general availability of Application Integration, a standalone Integration Platform as a Service (IPaaS) designed to help you connect your applications visually, with no code. Best of all, you can now get started with Application Integration with no upfront financial commitment, even if you’re not an existing Apigee customer. 

What is Application Integration?

As a cloud-native product, Application Integration helps you automate business processes by connecting any application — both home-grown and third-party SaaS — with simple point-and-click configurations, so you can quickly and easily construct, maintain, and scale your integrations. Application Integration offers the following features:

Visual integration designer: An Intuitive drag-and-drop interface allows anyone to build workflows with no complex coding or manual processes. With the visual integration designer, anyone can simply drag-and-drop individual control elements (such as edges, forks, and joins) to build custom integration patterns of any complexity.

Plug-and-play connectors: A library of 75+ pre-built connectors makes it easy to connect to a number of Google Cloud services (e.g., BigQuery, Pub/Sub) and many third-party applications, including Salesforce, MongoDB, and NetSuite. 

Automated triggers and transformations: With built-in triggers, you can execute integrations on an API call, Cloud Pub/Sub event, Salesforce events, or using Cloud Scheduler. An intuitive data mapping editor and comprehensive mapping functions enable you to address complex data transformation requirements in no time.

Unified platform: Whether you’re building APIs in Apigee, ingesting data using Pub/Sub, receiving events from Cloud Storage using EventArc, or something else, Application Integration works seamlessly with other integration services to provide comprehensive capabilities for your use case. 

Customer praise for Application Integration

In the enterprise, different teams adopt applications to support a task in their business processes. However, the need for information exchange among these teams can spawn complex integrations that require a lot of arduous planning.

Application Integration abstracts these development complexities, so customers  can focus on building value. OVO Energy uses Application Integration to automate communications in their critical business processes. “We were looking for an integration solution that was very low-code yet configurable, robust, and scalable,” said Chris Parker, Product Manager at OVO Energy. “We needed a simple solution that allowed us to get data from multiple parts of the company, supplement an existing data point with relevant information and funnel it to the Salesforce Marketing Cloud,” added Graham Vosper, Technology lead at OVO Energy.

But changes in business processes are inevitable, forcing continuous shifts to existing integrations – sometimes even rendering them obsolete. “Using Application Integration was very simple. With just a couple of clicks, our team quickly adapted to this new product and became productive,” said Graham.

A growing library of connectors in Application Integration makes it easy to connect to new applications and ensures any changes in connecting to the end application is automatically supported. OVO Energy has taken notice. “Configurability and traceability in Application Integration allows our developers to build and maintain our integrations without in-depth skills. We now have much better visibility into our information flow and failure rates,” said Graham. 

Get started today

Today’s integration problems require a comprehensive approach that spans applications, systems, and data. Application Integration is part of Google Cloud’s Integration Services portfolio, designed to address your end-to-end integration needs. The portfolio covers a wide range of use cases like data integration, API Management, and event-driven architectures. You can get started with Application Integration with no financial commitment by using the free tier. Learn more, explore a sample e-commerce integration, or jumpstart your development with quickstart tutorials.

Welcome to the first Cloud CISO Perspectives for July 2023. Today, I’ll be asking my colleague Royal Hansen, vice president of Privacy, Safety, and Security Engineering at Google, about AI, security, and risk topics.

This year has been a banner year for artificial intelligence (AI), and especially for AI and security. There’s been a huge surge of interest in AI and how it can be applied to many fields, including security. However, in the pursuit of progress within these new frontiers of innovation, there need to be clear industry security standards for building and deploying this technology in a responsible manner. 

I dive into Google’s progress in this area with Royal, who is exploring these topics at the Aspen Security Forum this week. I hope you all will find Royal’s answers to my questions informative.

As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.

The promise and perils of AI and security

Phil Venables: Let’s start by talking about our AI Red Team, which we feature in our new paper released yesterday at the Aspen Security Forum. Why does AI need a red team?  

Royal Hansen: I’m really excited about this. At Google, we believe that red teaming — friendly hackers tasked with looking for security weaknesses in technology — will play a decisive role in preparing every organization for attacks on AI systems. Google has been an AI-first company for many years now, and this paper shows how red teaming is a core component of securing AI technologies. 

It focuses on three important areas: 1) what red teaming in the context of AI systems is and why it is important; 2) what types of attacks AI red teams simulate; and 3) lessons we have learned that we can share with others.

PV: Our team has a singular mission, to simulate threat actors targeting AI deployments. What kinds of attacks is the red team simulating? 

RH: The AI Red Team is focusing squarely on attacks on AI systems. We detail in the report six tactics, techniques, and procedures (TTP) that attackers are likely to use against AI: prompt attacks, extraction of training data, backdooring the AI model, adversarial examples to trick the model, data poisoning, and exfiltration. 

Since AI systems often exist as part of a larger whole, we do stress that AI Red Team TTPs should be used along with traditional red team exercises. A good example of this is how our AI Red Team has worked with our Trust and Safety team to help prevent content abuse.

PV: Can you talk about what we learned from the report? 

RH: Sure. I’ll start with some tactical lessons.

SAIF is designed to help mitigate risks specific to AI systems like stealing the model, poisoning the training data, injecting malicious inputs through prompt injection, and extracting confidential information in the training data. 

So, while there’s a lot of discussion about generative AI in cybersecurity – and beyond – right now, we’ve been using and learning from AI more broadly in our day-to-day work for years. 

PV: How can we ensure a higher quality of online information, particularly in critical situations such as moments of crisis and war, or elections? How are you thinking about security and protections in these moments that matter, particularly in the age of AI? 

RH: Technology can create new threats, but it can also help us fight them. AI can often help counter the issues created by AI. It could even give security defenders the upper hand over attackers for the first time since the creation of the internet. 

For example, Gmail uses AI right now to automatically block more than 99.9% of malware, phishing, and spam, and protects more than 1.5 billion inboxes. AI can help identify and track misinformation, disinformation, and manipulated media. One notable example of that happened last year, when Mandiant discovered and sounded the alarm about the AI-generated “deepfake” video impersonating Ukrainian President Volodymyr Zelensky surrendering to Russia.

We already use machine learning to identify toxic comments and problematic videos. More technical AI innovations we’re working on include watermarking AI-generated images, and creating tools to evaluate online information — like the upcoming “About this Image” feature in Google Search. We’ve also joined the Partnership on AI’s Responsible Practices for Synthetic Media, which promotes responsible practices in the development, creation, and sharing of media created with generative AI.

Looking ahead, our challenge is to put appropriate controls in place to prevent malicious use of AI and to work collectively to address bad actors, while maximizing the potential benefits of AI to stay at the front of the global competitiveness race. 

PV: What work is Google doing to manage risks we might face from AI?

RH: We think about AI and security primarily through two lenses. First, using AI to enhance safety and security, and second, securing AI from attack.

While frontier AI models offer tremendous promise to improve the world, governments and industry agree that appropriate guardrails are required on the policy level, on the business level, and on the technology level. 

Their development and deployment will require significant care — including potential new regulatory requirements. We’ve already seen important contributions to these efforts by the U.S. and U.K. governments, the European Union, the G7 through the Hiroshima AI Process, and others. To build on these efforts, further work is needed on safety standards and evaluations to ensure advanced AI systems are developed and deployed responsibly.

With the stakes so high, we’re calling on governments, the private sector, academia, and civil society to work together on a responsible AI policy agenda. And to enable progress in AI, we must focus on three key areas: opportunity, responsibility, and security.

PV: How have you seen Google’s approach to monitoring and responding to cyberattacks change? Where do we stand now? How has user protection evolved?

RH: Keeping users safe online is more complex and urgent than ever before. We’re seeing an increasing number of new malware families, financially motivated attacks such as ransomware, supply chain attacks as well as rising cyber attacks from nation-state-backed actors against critical infrastructure. This has brought a decades-long problem into focus for policymakers and enterprise leadership as it has disrupted our way of life and made the stakes higher than ever.

We need to expand our thinking about the threat landscape to secure users, governments, and enterprises holistically from ever-changing future attacks.

PV: How has your experience been at the Aspen Security Forum this week? What were some of the key takeaways? 

RH: Events like this are a great way to hear from some of the best minds in security. I came eager to listen, learn, and return to Google with lessons that will make us a better partner in privacy, safety, and security. It was a jam-packed week connecting with new and old colleagues across the private and public sector. 

I’m struck by the many different dimensions of AI and security here. The lines are blurring between safety and security in ways that require us to collaborate across cyber and trust and safety, across consumer and enterprise, across public and private sector, national and international. The SAIF framework has been a great way to help organizations begin building this approach into their AI plans.

In case you missed it

Here are the latest updates, products, services, and resources from our security teams so far this month: 

Get ready for Google Cloud Next: Discounted early-bird registration for Google Cloud Next ‘23 has sold out, but you can still register for the conference. This year’s Next comes at an exciting time, with the emergence of generative AI, breakthroughs in cybersecurity, and more. It’s clear that there has never been a better time to work in the cloud industry. Check out our scheduled security sessions, and register now.

Boards should bring on experts to help raise their cybersecurity IQ: In our second Perspectives on Security for the Board report, learn more on how boards of directors who give a seat to security can better influence their organizations’ migration to the cloud, respond to the latest threats, and use AI responsibly. Read more.

How Safe Browsing helped pave the way to our passwordless future: Launched in 2005 as an anti-phishing plugin for Firefox, today Google Safe Browsing protects more than 5 billion devices across the world.  It’s also a quintessential demonstration of how tech companies can use their insight-at-scale to improve security. Read more.

How Google Cloud NAT helped strengthen Macy’s security: Macy’s is well known for its high-end fashion worldwide. It’s less known for the strong measures it takes to ensure its customers’ data security. When Macy’s decided to move its infrastructure from on-premises to Google Cloud, it required the move be done without sacrificing security or degrading the user experience. Read more.

Google Workspace earns Dutch government approval: The Dutch Ministry of Education affirmed to the Dutch Parliament that Google has delivered on the commitments it made as part of the data protection impact assessment, conducted by the Dutch government and education sector representatives. Public sector entities and educational institutions in the Netherlands can continue to use Google Workspace and Google Workspace for Education with renewed confidence. Read more.

How to configure Workload Identity Federation for GitHub and Terraform Cloud: Workload Identity Federation can be integrated with external providers, such as Gitlab, GitHub actions, and Terraform Cloud. We show how tokens issued by external providers can be mapped to various attributes, and how they can be used to evaluate conditions to restrict which identities can authenticate. Read more.

Google Cloud, CyberGRX partner to help scale, accelerate assessments: CyberGRX provides a comprehensive and objective view of Google Cloud’s security posture based on a number of local compliance regime requirements and the MITRE ATT&CK framework. Our collaboration can help scale and accelerate risk assessments and due diligence services. Read more.

News from Mandiant

The GRU’s disruptive playbook: Mandiant has been tracking how Russian military intelligence (GRU) uses a standard five-phase playbook in its disruptive operations against Ukraine, with the likely goal of deliberately increasing the speed, scale, and intensity at which the GRU can conduct offensive cyber operations while also minimizing the odds of detection. Read more.

Threat actors nurse their nostalgia for USB drives in new attacks: In the first half of 2023, Mandiant Managed Defense observed a threefold increase in the number of attacks using infected USB drives to steal secrets. In this blog post, we detail two USB-based cyber espionage campaigns from this year. Read more.

Defend against latest Active Directory Certificate Services threats: In this hardening guide, Mandiant explains how organizations can better defend against cyberattacks that target their Active Directory Certificate Services. Read more.

Escalating privileges via third-party Windows installers: Learn how Mandiant’s Red Team researches and exploits zero-day vulnerabilities in third-party Windows installers and what software developers should do to reduce the risk of exploitation. We also introduce a new tool to simplify enumeration of cached Microsoft Software Installer files. Read more.

Google Cloud Security podcasts

We launched a weekly podcast focusing on Cloud Security in February 2021. Hosts Anton Chuvakin and Timothy Peacock chat with cybersecurity experts about the most important and challenging topics facing the industry today. Earlier this month, they discussed:

Are you really using the cloud securely? “The cloud is secure, you’re just not using it securely” is a common aphorism among the cloud security set. How much truth is there behind the words? From the practical meaning of using the cloud securely to the growing interest in SaaS, we deflate myths and debate cloud security realities with Steve Riley, field chief technology officer at Netskope. Listen here.

How CISO cloud dreams and realities collide: What are the realistic cloud risks today for an organization using the public cloud? And does the cloud really make security “easier”? We discuss the chasm between the cloud realities and cloud myths with Rick Doten, vice president of Information Security at Centene Corporation and CISO of Carolina Complete Health. Listen here.

Just the facts on building enterprise threat intelligence capability: If threat intelligence was easy, more organizations would be doing it — yet the fact is that many organizations struggle to operationalize threat intelligence. So we tracked down John Doyle, principle intelligence enablement consultant on our Mandiant team, to explain how businesses can better use threat intel, and explore the new intelligence class he created that’s focused on building enterprise threat intelligence capabilities. Listen here.

Mandiant podcasts

Threat Trends: A requirements-driven approach to cyber threat intelligence: Dr. Jamie Collier, senior threat intelligence advisor at Mandiant, joins host Luke McNamara to discuss the recent white paper from Mandiant on developing a requirements-driven approach to intelligence, challenges that organizations face in this area, and the importance of recurring stakeholder feedback to a well-functioning cyber threat intelligence team. Listen here.

To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.

Starting today, Firestore is adding database triggering support for Firestore in Datastore Mode. This functionality builds upon the recently launched Firestore and Eventarc trigger integration, which was previously available only to Firestore in Native Mode customers. 

Firestore’s Eventarc trigger integration enables the set up of a change data capture system, which is commonly utilized to replicate Firestore document changes to other platform services such as BigQuery, send push or email notifications to end-users based on specific Firestore data changes, and archive deleted Firestore documents in a different storage system. Firestore’s Eventarc triggering integration supports a wide set of destinations including Cloud Run, Google Kubernetes Engine (GKE), and Cloud Functions (2nd gen). The integration also uses the open and portable CloudEvents format.

Example walkthrough

Let’s say that you need to replicate your Firestore operational data to BigQuery to perform data analytics. In this example, we’ll start with the following Firestore in Datastore Mode data model:

To set up a data replication trigger, navigate to the Eventarc section of the Cloud Console. You will need to create a new trigger for Firestore using the associated event types for Datastore Mode. Firestore in Datastore Mode event types start with the prefix google.cloud.datastore.entity.v1.*. Here, we’ll want to capture newly written entities, so we’ll subscribe to google.cloud.datastore.entity.v1.written events:

Next, you can specify additional filters, which ensures only desirable events from a specified database and kind of entities are delivered. In this case, we filter for events from the (default) database, and for entities of the kind Reports.

On the same screen, you will also need to specify a destination. Triggering events can be delivered to any number of supported Eventarc destinations, like Cloud Run, Cloud Functions (2nd gen), and Google Kubernetes Engine. Let’s say we have a Cloud Run service named analysis that exposes an HTTP endpoint to receive the events. You can configure your trigger as follows:

That’s it! When any write operation is applied to your (default) database with the kind Reports, a CloudEvent will be delivered to the configured Cloud Run service analysis almost immediately. Your new Cloud Run service can now process newly written entities, and write them to BigQuery using BigQuery’s Storage APIs.

Next steps

For more information on how to set up and configure Firestore triggers, check out our documentation.

Thanks to both Minh Nguyen, Senior Product Manager Lead for Firestore and Juan Lara, Senior Technical Writer for Firestore, for their contributions to this blog post.

Geospatial data is transforming how municipalities, farmers, energy companies, and many other organizations operate. This data contains information about the earth over a certain period of time, which means organizations can better understand change. This increasingly fuels efficiency and effectiveness programs across a variety of industries. This data is extremely valuable, but organizations have long been constrained by few options to access and make the most of it.

UP42, a Google Cloud – Ready Sustainability Partner, works to make geospatial data more accessible and useful for more organizations through its developer platform. The company works with satellite operators and other geospatial providers to gather data and deliver it in ready-to-use format to companies that rely on these insights to enhance and evolve their operations. 

For example, German company CarbonStack uses UP42 to help its clients reduce emissions by analyzing imagery of Europe to see which areas could be afforested and track carbon offsets after planting trees.

“We’re on a mission to democratize the benefits of geospatial technology for organizations of all sizes,” says Barry Nagel, Chief Technology Officer at UP42. “UP42 works toward this goal by gathering and processing Earth observation data to make it readily available for businesses and municipalities that can make good use of it.”

The UP42 team is running its platform on Google Cloud to manage the enormous challenges of handling disparate data sources and formats, as well as processing workloads, enabling customers to build fully integrated solutions for their end users..

A virtual universe of data formats

“Given the nature of our business, we needed scalable and flexible infrastructure to ensure our platform’s reliability and performance as we grow,” says Barry. “Google Kubernetes Engine (GKE) has been the perfect fit. Our greatest challenges, though, relate to the endless variety of formats, packages, and descriptions of geospatial data that exist across providers. Operating at scale on GKE solved these challenges for our customers.”

UP42 uses GKE to manage its complex networking and cluster management demands and scale alongside its customers’ needs. GKE also powers UP42 platform’s metadata extraction and data delivery models, all while ensuring only the necessary amount of compute runs at any given time to keep costs low.

From there, BigQuery powers UP42’s internal data analytics capabilities, where information from a range of sources and in virtually any format can be normalized, standardized, and processed for internal and external use. Looker acts as the business intelligence (BI) interface to visually present insights from data after it passes through BigQuery.

“We fundamentally believe in the power of geospatial data and being able to process it to make data-driven decisions that will improve people’s lives, whether for urban planning, agriculture, climate change, or any other of the important use cases that we’ve seen from our customers,” says Barry. “With BigQuery and Looker, everyone in UP42 can build their own dashboards and view their own metrics. This combination makes it easy to work with our vast amount of data.”

UP42 also uses Google Cloud Storage for archival data, significantly accelerating the pace with which customers can gather historical data while alleviating the traditionally arduous process of re-ordering sets from providers. All of this equates to a platform rich with data in a standardized format, accessible for any type of business.

Partnering for a more sustainable future

The UP42 platform manages all of the heavy lifting and integrations so that customers enjoy a self-service experience when trying to work with geospatial data. UP42 makes it easy to access data from multiple providers through a single touchpoint. This includes having a single set of ordering parameters across all data providers, instead of having to adjust to different provider specifications. 

“Our customers do some truly incredible things with our platform,” says Barry. “One use case that really stands out is a startup company in Africa that leveraged satellite imagery to track agricultural health and forecast yields for farmers across the continent. They used our data analytics platform to generate useful insights for farmers from historical and current data.”

Another example comes from German company KfW, which used satellite data through UP42 to monitor irrigation infrastructure along the Niger River that is key to food security across the region. KfW’s use of UP42 ultimately helped facilitate the creation of wetlands that tripled the number of rice fields and improved living conditions for 80,000 in Niger.

“There is truly no limit to the use cases our customers can embrace with the UP42 platform,” says Barry. “Google Cloud helps us to further democratize geospatial data and enable improvements across some of the world’s most important industries — agriculture, transportation, municipal infrastructure management, and energy.”

Given the immense potential of UP42 to drive sustainability-related initiatives, the company chose to partner with Google Cloud through its sustainability program to unlock greater opportunities for its customers. UP42 will also be available through the Google Cloud Marketplace to streamline access among customers who also use Google Cloud technologies.

To learn more about Google Cloud’s sustainability programs and efforts, visit theGoogle Sustainability page.