As Director of Security, Trust, and Privacy for Google Apps Engineering, Suzanne Frey knows these topics well. In her 10 years at Google, Frey has championed strategic engineering decisions and programs across the company, from infrastructure to products and policies. Here, Frey shares what she thinks CISOs should expect from cloud service providers and how they can address CISOs’ concerns over data protection and more. In a nutshell, choosing the right cloud service provider is not only about bulletproof data security, it’s also very much about secure innovation.
Q: How does Google approach security?
Information security is job #1 for Google. We've spent our entire lifetime building secure infrastructure, services and applications that other cloud providers seek to offer. With a significant portion of our engineering talent directed toward security, it's no surprise that discerning businesses around the world are adopting Google Apps because they can trust we will protect their data. Period.
Google has another unique strength: our ability to innovate. We've scaled to support innovation at a go-to-market speed, quality, value and trust level that's unparalleled in the industry.
Security and innovation seem to many like strange bedfellows; too often, businesses opt for one without the other. We've made it our goal to ensure that your business does both well. That is, your business will not only be secure from the stance of cyber threats and data protection, it will also be secure by leveraging our world-class product innovations with low time-to-market release cycles.
With Google, security comes in two forms—your data is protected from threats and your business will be protected from technological stagnation. And both come in an uncommon package that no other provider can come close to offering.
Q: Why did you join Google?
I joined Google because of its mission. I am passionate about empowering people with knowledge, time and happiness—which is my own personal interpretation of what we’re about here. At Google for Work we take Google’s mission—and its incredible information-serving infrastructure—to organizations of all sizes around the world. Let’s face it, information is the currency by which businesses thrive or dive; having secure, affordable, fast, reliable access to Google’s services is, by itself, a huge benefit. We go above and beyond by bringing the latest technological and productivity innovations to production on a super low-latency basis. When a customer “goes Google” they’re not only securing their data—they’re securing their own future as an innovative, responsive and agile business as well.
Q: What’s the coolest thing you’ve done in your 10 years at Google?
The coolest thing I’ve done was also the hardest and the most rewarding to date. Alongside a number of other key contributors, I delivered a solution to price and to distribute internal resources more fairly and predictably across our various product areas. This is a really hard problem because resource consumption and growth rates vary greatly across our products (like Google Search, Ads, Apps, YouTube, Cloud and Maps). For example, Search is a very compute-intensive product, whereas YouTube is a network and storage-intensive product. External markets and supply chain constraints for most of our infrastructure resources are also highly dynamic, which only compounds the challenge of providing strong and reliable availability signals to our product areas as well.
Q: What’s the best part of your job?
The people are truly the best part. Our diverse teams bring an incredible number of ideas to bear in an effort to change the way people work and use time effectively. I support a team of hardcore security and data protection engineers, regulatory and compliance experts, and incident management gurus from all over the world. My team is always challenging the status quo to make sure we’re developing the best products and services from the best ideas possible.
I also love our culture at Google. Traditional companies have a leader who prescribes their path and actions. I believe that’s a myopic way to run a business, as the chances that a single person chooses the best path for a large organization or even a small team are slim. At Google, we take a bottom-up approach where the best ideas emerge from everyone contributing great ideas. It’s the leader’s responsibility to make sure the best ideas see the light of day and get the support they need to be realized. We believe the best ideas are crowdsourced and crowd-criticized.
Q: How would you define the current security landscape?
The vast majority of enterprise data is not yet in the cloud. However, businesses everywhere are quickly realizing that their own on-premise solution is far less secure than the cloud. They’re also realizing that their business is far less agile because, technically, they’re at the mercy of countless interdependent release cycles across multiple third-party vendors. As a result, they can’t move fast as a business—nor can they even manage security at the scale or reliability that we do.
Here are some thoughts: First, independent and secure management of ingress/egress traffic and service availability is no small feat. Then there’s the hardware—routers, servers, hubs. On-premise solutions require you to work with an extensive number of third-party vendors, each with their own release cycles and vulnerabilities. And then there’s a number of heterogeneous systems to manage—each of which requires frequent patches and often complete upgrades to work. Product releases from even major vendors today still come on cycles that are counted in quarters or years—and those releases are often burdened with a number of flaws—the fixes for which also take a lot of time given the on-premise implementation model. So this all takes us back to the interesting fact that the Google cloud provides security in two forms: strategic commercial security as well as the best cyberdata protection out there.
Google has an edge being born in the cloud. Given that we index the public web, we can also detect threats before others. This gives us—and our customers—a tremendous security advantage.
Our products enable our customers to be future-ready, today.
Q: What’s an example of a feature or product that addresses the privacy and innovation aspects of security?
Some of my favorite examples are security keys and data loss prevention for Gmail. Google also invests in understanding how we can fix vulnerabilities by paying more than $4 million in rewards to security researchers since 2010. Lastly, we were industry leaders with respect to encryption in the cloud. We encrypt all user data at rest—and in transit. And we announced a great new feature to help everyone who uses Gmail understand if their own email was sent unencrypted.
Q: You mentioned “strategic security” above. Can you give us an example of this?
As recently published, Google is making tremendous strides in machine learning. This work is not limited to playing games like Go (although what we’ve done with Go is monumental). Our latest product that uses machine learning is Smart Reply, Gmail’s new auto response feature. Our team evaluated customer needs and realized people spend too much time scheduling meetings and lunches. Let’s face it—all that time coordinating calendars and writing replies adds up—as does the time we spend waiting to hear back from people who we’ve asked to schedule. By applying machine intelligence to Gmail and Google Calendar, we’re giving people more time to do things they love, while we handle data protection and security without a blip.
Progressively more and more customers are looking to Google to provide them this edge: to bring great “machine-learned” intelligent features to their business quickly while remaining compliant and not disrupting trust, security or privacy. This is our charter—and it’s the wonderful mission I wake up every day to fulfill.
Q: Machine learning might seem scary to people who are concerned about privacy. How do you address this?
More than 2 million businesses pay to use Google Apps for Work for its reliability, security and strict terms of privacy. One of my big missions is to help our Apps for Work customers understand better what we do with their data—and that we don’t use customer data for anything except to provide the core services to which they subscribe. We don’t use enterprise customer data to serve ads, for example. I also want to improve how we educate more people on how machines and cryptographic protocols—not humans—are handling their data. I think more transparency here will go a long way.
At Google, security and privacy work side-by-side
Q: What’s one of the biggest challenges that CISOs face?
CISOs are often more concerned about choosing a partner that provides a strong stable fortress rather than considering a cloud provider’s ability to innovate quickly and securely, too. While no business wants voluminous inbound innovation every day, the lack of product advancements in many cloud providers’ products over time weakens your business’s ability to grow and compete. CISOs who choose the seemingly stable and static path will quickly learn that this is not the best path for their business. We need to become better educators around trusted innovation capabilities so that CISOs can understand why Google leads cloud security in far more ways than one.
Suzanne Frey, Director of Security, Trust, and Privacy for Google Apps Engineering