Google Cloud’s Sullivan Opens Up on Open Source, FedRAMP High, and Security
Director of Federal
Bringing Google Innovation And Expertise To Federal Government
Cloud computing has come a long way in just a few short years. Not long ago, government leaders wrung their hands over the risk of putting agency data in the cloud. Now, many can’t move to the cloud fast enough – they realize the many benefits of working with commercial cloud providers, including better security vs. patchwork legacy systems, and more flexible remote data storage services vs. monolithic data centers. Most critically, agencies today are moving to the cloud to gain access to advanced analytics, artificial intelligence and machine-learning capabilities to help solve their most complex problems and fundamentally improve how they deliver services.
Google Cloud is proud to partner with federal customers to bring best-in-class technology capabilities at every stage of their journeys to the cloud.
“What Google Cloud brings to the game are critical differentiators for our customers in the federal government,” says Shannon Sullivan, director of federal at Google Cloud. “We protect systems, data and users with best-in-class security on one of the largest private networks in the world, with data encryption by default. We have machine learning and artificial intelligence that’s really generations ahead. And with tools like AutoML and BigQuery, government organizations with varying mission sizes and objectives can more easily incorporate intelligence and analytics into the work they’re doing.”
Google recently teamed up with researchers from NASA-FDL to help identify life beyond Earth with machine learning capabilities. Last year, Google Cloud became the first commercial cloud provider to join the National Institutes of Health’s Science and Technology Research Infrastructure for Discovery Experimentation and Sustainability (STRIDES) Initiative, an enterprise agreement supporting all 27 of NIH’s institutes to help researchers accelerate biomedical discoveries in the cloud. And Google is also helping to modernize the Air Force’s modeling and simulation training infrastructure to enable full-spectrum readiness in the field.
Providing Customers With Scale And Choice
Something else the federal government seeks is scale. And while Sullivan acknowledges scale is the price of entry in the cloud market, Google measures scale like no one else can: through several high-profile cloud services, each with more than a billion users (Search, Maps, Play, etc.). That scale means Google can bring unparalleled control to not only delivering seamless services, but also defending against security risks. “Our scale means that we see a huge volume of security threats from around the world, and this is knowledge we use to design preventative strategies to help protect consumer and enterprise customers,” Sullivan says. It also helps that Google has made massive investments in its own infrastructure, supporting an extensive private network that helps protect enterprise customers’ traffic from the risks they might face on the public internet. Google owns fiber between its data centers, lays its own undersea cables and, where it shares fiber, “we actually own the wavelength” on which the data flows. “That means we can better control our network,” Sullivan explains. “We get improved performance and security.”
Perhaps most importantly, Google’s commitment to open source software means less risk and more flexibility. Open source development means more eyes on code to spot potential vulnerabilities, improving security.
“If you don’t have a commitment to open source, then you’re buying into a proprietary solution,” Sullivan says. “At Google, we see it as in our best interest to be open and as a way of delivering the best solutions to meet customers’ real-world needs.”
That approach makes Google nimble. While choosing a single vendor, solution or approach may seem today like a better choice to ensure security, doing so commits the customer to a solution that may not flex to unforeseen developments in the future. “That’s a flawed strategy,” Sullivan argues. “You never want to lose best-of-breed capability. You never want to close the door on competition. Rather, you want to ensure that you have the ability to connect to whatever the best-of-breed solution is when you need it. You want to avoid the risk of lock-in.”
Google’s commitment to open source software and partnerships is a core part of the company’s strategy. Early-market entrants define their solutions and build walls to protect their investment and market share. The next wave to enter a market approaches things differently, knowing they have to offer solutions that connect easily to what’s already there. Google’s partnerships with open source-centric leaders in data management and analytics, including Confluent, DataStax, Elastic, InfluxData, MongoDB, Neo4j and Redis Labs, drive that point home.
“This is all about easing the journey to hybrid and multi-cloud adoption for government customers,” Sullivan explains. “That’s the reality of what’s happening in the world right now: Many organizations are looking for hybrid, because they have to leverage their existing investments.”
To that end, earlier this year Google announced Anthos, a multi-cloud platform designed to make the transition to hybrid seamless and easy. With Anthos, users can run an application anywhere: on existing on-prem hardware, in Google Cloud, or on third-party public cloud platforms, including Amazon Web Services (AWS) and Microsoft Azure. Anthos gives users the freedom to deploy, run and manage applications, without requiring administrators and developers to learn different environments and APIs.
“With Anthos, customers can now choose to deploy and manage their applications where it makes the most sense, whether that be on-premises or across multiple clouds,” says Sullivan.
In a multi-cloud world, giving our customers the flexibility to choose where they run their applications is critical to their long-term success.
“Who can predict where they’re going to be in five or 10 years in this industry?” Sullivan asks. “The way Google has been successful is by creating open platforms that everybody can use, that enable best-of-breed technology and the ability to connect, not by narrowing to a single solution.”
Indeed, Google has become successful in numerous markets not by being first, but by being open: Gmail, Android, and YouTube weren’t first to market. “But the reason they’ve been successful is because they were open platforms that everybody could use,” Sullivan says. “They can interoperate with the competition, and they interoperate with newcomers. That’s the key to Google’s success as a global platform: openness. And we’re bringing that same philosophy to the cloud.”
In almost every technology market, the world has two choices, one proprietary and the other open. There is Microsoft Windows and open-source Linux. Android and Apple’s iOS. Will the same thing happen in the cloud space? Google and Sullivan think so. “There will be a proprietary solution, and then there’s going to be an open-source solution, and that’s where you’re going to find Google,” he says.
Achieving FedRAMP High Security
Google has also taken a unique approach to Federal Risk and Authorization Management Program compliance. Many G-Suite and Google Cloud Platform (GCP) products are certified FedRAMP Moderate, and GCP recently received certification at FedRAMP High for 17 products.
“We have ‘FedRAMPed’ our global commercial infrastructure at the Moderate baseline,” Sullivan says. “So, our full infrastructure – 64 services, 17 cloud regions, compliance with FIPS 140-2, the entire global infrastructure – is certified for FedRAMP.”
FedRAMP High is the highest watermark for civilian agency workloads. Because of these stringent requirements, few have attempted authorization of their commercial cloud, often opting for more limited “gov cloud” offerings that come with higher costs and lagging service offerings. “We are proud to announce that Google has authorized 17 commercial cloud services at FedRAMP High, making them available to our most sensitive government customers. We look forward to adding more services to our FedRAMP High portfolio in the future.”
FedRAMP compliance is beneficial to more than just federal customers, of course. Google has clients in numerous regulated industries, like financial services, banking and healthcare, and they recognize FedRAMP certification as a best-practice stamp of approval. State and local governments managing federal data also rely on FedRAMP standards.
“‘FedRAMPing’ our commercial infrastructure is important for a number of reasons,” Sullivan says. “First of all, you don’t have two divergent offerings to maintain, monitor and patch. Second, you eliminate many of the trade-offs that customers must consider when choosing their cloud service providers, like compliance capability, cost, and functionality. Because we aren’t maintaining divergent infrastructure, we aren’t passing extra costs back to our FedRAMP customers for the innovative features that are available to commercial consumers, even at FedRAMP High. Lastly, authorizing 17 commercial cloud services at FedRAMP High brings much needed choice to the FedRAMP Marketplace. Government customers now have more options when choosing commercial cloud services for their High impact workloads.”
Of course, data residency and protection is always a concern for government agencies. With Google Cloud, if an agency chooses, it can limit where data on Google Cloud Platform is housed, and even specify which data centers it wishes to use.
Google uses several layers of encryption to protect the authenticity, integrity, and privacy of data, both in transit and at rest. Google encrypts and authenticates data in transit when it moves outside Google’s physical boundaries, and additional protections, such as IPsec tunnels, managed SSL certificates and Istio, can be implemented if customers require them.
For data at rest, Google Cloud Platform encrypts customer data by default. Data is split into “chunks,” and each chunk is encrypted separately with a unique data encryption key. Those keys are then “wrapped” with additional encryption keys, which are managed inside Google’s redundant and globally distributed central Key Management Service. Google’s commitment to encryption goes beyond current products to include investments in developing and improving encryption technology, including innovations in Key Transparency and post-quantum cryptography.
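The chunk-and-wrap scheme described above, sketched as an added example (not Google's code and not part of the original article): each chunk is encrypted under its own data encryption key (DEK), and each DEK is wrapped under a key encryption key (KEK) that stands in for one held by a key management service. AES-256-GCM, the blob layout and every function name here are assumptions made for the illustration.

```javascript
const nodeCrypto = require('crypto');

// Illustrative helper: AES-256-GCM with a fresh random nonce.
// Assumed blob layout: nonce (12 bytes) || auth tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}

// Reverses seal(); throws if the key is wrong or any byte of the blob changed.
function unseal(key, blob) {
  if (blob.length < 28) throw new Error('truncated blob');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Split data into chunks; every chunk gets its own 256-bit DEK, and only the
// wrapped (KEK-encrypted) form of that DEK is stored next to the ciphertext.
function encryptChunks(kek, data, chunkSize) {
  if (!Number.isInteger(chunkSize) || chunkSize < 1) throw new Error('bad chunk size');
  const chunks = [];
  for (let off = 0; off < data.length; off += chunkSize) {
    const dek = nodeCrypto.randomBytes(32);
    chunks.push({
      wrappedDek: seal(kek, dek),
      ciphertext: seal(dek, data.subarray(off, off + chunkSize)),
    });
  }
  return chunks;
}

// Reading data back needs the KEK first: unwrap each DEK, then decrypt its chunk.
function decryptChunks(kek, chunks) {
  return Buffer.concat(
    chunks.map((c) => unseal(unseal(kek, c.wrappedDek), c.ciphertext))
  );
}
```

Because every DEK is stored only in wrapped form, possession of the stored chunks alone reveals nothing; access to the data reduces to access to the KEK.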
What does the future hold for government agencies in the cloud? No one vendor will have a lock on anything, while the most flexible, agile vendors will continue to hone their expertise. Scale will matter, as will the ability to connect and transfer data securely and easily across platforms. Agencies and commercial customers will continue to drive the market away from proprietary solutions to ever more flexible ways to share and work with data. Open systems, like Google Cloud’s Anthos, will be the rule. And Google will be in the middle of it all.