Operation Aurora and the Path to Google's Zero Trust Model

Way back in 2010, Google disclosed that it had been the target of a highly sophisticated and targeted cyber attack, which later became known as Operation Aurora. The attacks were, in part, aimed at accessing the Gmail accounts of Chinese human rights activists, but the hackers were able to access some of Google’s intellectual property as well.

While the full details of how the attackers gained entry have not been made public, it’s believed they exploited vulnerabilities in Internet Explorer 6 to gain a foothold at Google and establish remote access. From there, they were able to acquire admin credentials and access sensitive systems containing Google’s source code.

For Google, Operation Aurora was a wake-up call about the limitations of traditional castle-and-moat security models. Even though Google had world-class perimeter defenses, the attackers were still able to gain deep access into their environment. In the aftermath of the attack, Google was motivated to completely re-architect their cloud security around the Zero Trust model, which doesn’t trust anything inside or outside the network, and is constantly verifying everything.

Up until last week, my understanding was that Google’s Zero Trust security transformation had been inspired by industry principles like the Jericho Forum commandments and John Kindervag's seminal paper, "No More Chewy Centers.” However, after chatting with Zach Walker from ATX Defense, I learned that the Aurora exploit served as a primary motivator for Google’s adoption of Zero Trust, which is now core to its entire public cloud infrastructure.

Enabling Cloud Compliance Through Zero Trust

Today, despite operating public cloud infrastructure, Google is capable of offering equivalent controls, at a fraction of the cost, as those offered by Microsoft’s GCC High, which is a physically separate cloud reserved for government customers and private companies operating in the defense industrial base seeking to comply with data security regulations like CMMC.

How did Google get here with a public cloud offering? They made substantial engineering investments tailored to support controlled government workloads across its public infrastructure. This includes building custom hardware security modules (HSMs), access controls, encryption models, network isolation mechanisms, and other privacy-enhancing technologies specifically designed for this purpose.

Additionally, Google obtained rigorous independent attestations of its security provisions for sensitive data, including FedRAMP authorization and IL4 authorization from the Department of Defense. These review processes validate that Google's people, processes, policies and technologies satisfy government security and compliance benchmarks for multi-tenant public cloud environments.

CMMC and ITAR Compliance in Google’s Public Cloud

Compliance is where the rubber meets the road: Does Google Cloud support CMMC 2.0, ITAR, and other strict compliance regulations? The answer is yes: With the right advanced security measures, like applying client-side, end-to-end encryption to sensitive data — and managing encryption keys separately from that data — federal government organizations and defense contractors are able to meet and exceed the strict compliance regulations required by CMMC and ITAR.

We’re hearing it time and time again from Virtru’s customers, who use Virtru for Google Workspace and the Virtru Private Keystore to ensure total confidentiality of their data stored and shared in Google Cloud. From federal organizations like the Air Force Research Laboratory to defense industrial base organizations like ATX Defense and Rise8, the need for fast, seamless (and, critically, compliant) collaboration is paramount, which is where Google and Virtru really shine.

What’s Next for Defense Contractors?

By leveraging Zero Trust security principles, compartmentalizing customer data via strong logical isolation, and subjecting its cloud platforms to in-depth third party security assessments, Google Public Cloud can provide equivalent and affordable controls when compared to expensive, government-only, clouds like Microsoft GCC High. As a result, government agencies and defense contractors doing business with the government, can benefit from Google's innovative and cost effective commercial cloud services while ensuring their sensitive workloads remain protected according to government specific rules.

TLDR: don’t believe everything you hear from Microsoft when it comes to GCC High and compliance with CMMC and ITAR. If you take the time to do the homework for yourself, you’ll find affordable and compliance-friendly cloud computing options available from Google and Virtru.

And on January 30th, I’ll be joining Zach Walker from ATX Defense and Trevor Foskett from Virtru for a live webinar, CUI in Context: Clarifying CMMC and ITAR Confusion for Defense Contractors. Zach works on the front lines of data security and compliance in the defense sector, and he offers a refreshingly clear and pragmatic voice on these topics.  Trevor also works on the front lines and has deep experience implementing privacy enhanced cloud computing in the Google Cloud and helping customers comply with CMMC and ITAR regulations. Register now, and bring your questions: We’re going to have a dynamic discussion and audience Q&A.