From San Francisco, it's theCUBE, covering Google Cloud Next '19. Brought to you by Google Cloud and its ecosystem partners.

Hey, welcome back everyone. We're here, live coverage with theCUBE here in San Francisco for Google Cloud Next 2019. I'm John Furrier, with my co-host Stu Miniman. Got two great guests here from Google: Guemmy Kim, who's a group product manager for Google, Google security and access, and Christiaan Brand, product manager at Google. Talking about the security key, phone is your security key, and security in general. Thanks for joining us.

Thanks for having us.

Thanks for coming on. So obviously security is the hottest topic in cloud, in any world these days, but you guys have innovation and news. So first, let's get the news out of the way. All over Gizmodo, The Verge, all the blogs that picked it up. Security key, Titan, tell us.

Okay, sure. Hi folks, I'm Christiaan. So last year at Next, we introduced the Titan security key, which is the strongest form of multi-factor authentication we offer at Google. This little kind of gizmo protects you against most of the common phishing threats online. We think that's the number one problem these days. About 81% of account breaches last year were a result of phishing or bad passwords. So passwords are really becoming a problem. This augments that, making sure that not only do you enter your password, you also need to present this little thing at the point in time when you're logging in. But it does something more. This also makes sure that you're interacting with the legitimate website at the point in time when you're trying to log in. It's easy for users to fall victim to phishing because the site looks legitimate. You enter your username, your password, bad guy gets all of it. The security key makes sure that you're interacting with the legitimate website, and it will not give away its, so to say, secrets without that assurance that you're not interacting with a phishing website.
News this week though is saying that these things are really cool and we recommend users use them, especially if you're, like, a high-risk individual or maybe an enterprise user with access to, like, sensitive data. Let's think Google Cloud admin. But what we're really doing this week is we're saying, okay, this is cool, but the convenience aspect has been a little bit lacking, right? I have to carry this with me if I want to sign in. This week we're saying this mobile phone now also does the exact same thing as the security key. Gives you that level of assurance, making sure you're not interacting with the phishing website, and the way we do that is by establishing a local Bluetooth link between the device you are signing in on and the mobile phone. It works on any Android N, so Android 7 and later devices this week, and essentially all you need is a Google account and a device with Bluetooth capability to make that work.

All right, so, Guemmy, we come to a show like this and a lot of people, we geek out as like, okay, what are the security pieces that we're going to put in the cloud and all of these environments? I love, we're actually going to talk about something that I think most people understand is, okay, I don't care what policies and software they put in place, but the actual person actually needs to be responsible and they need to think about things. Explain a little bit what you do and the security pieces that individuals need to be thinking about, and how you help them and recommend for them that they can be more secure. In general, yeah.

I think one of the things that we've seen from talking to real users and customers is that people tend to underestimate the risk that they're under, and so we've talked to people, like people in the admin space or even people who are in the political space and other customers of Google Cloud, and they're like, why do I even need to protect my account?
And like, we've actually had to go and do a lot of education to actually show them that they're actually in much higher risk than they think they are. One of the things that we've seen over time is phishing obviously is one of the most effective ways that people's accounts get compromised, and you have over 70% of organizations saying that they've been victims of phishing in the last year. And then the question is, how do we actually then reduce the phishing that's happening? Because at the end of the day, the humans that are in your organization are going to be your weakest link, and over time I think that the phishers do recognize that and they'll employ very sophisticated techniques to try to do that. And so what we try to do on our end is, what can we do from an algorithmic and automatic and machine side to actually catch things that human eye can catch, and security key is definitely one of those things, also employed with a bunch of other, like, anti-phishing, anti-spear-phishing techniques that we will do as well.

This is important because one of the big cloud admin problems has been human misconfiguration. I mean, you've seen that a lot on Amazon S3 buckets, and they've now best practices for that, but this has become just a human problem. Talk about what you guys are doing to help solve that, because if I've got root server access, I can't, I don't want to be sharing passwords. That's kind of a best practice, but what other tech can I put in place? What are you guys offering? Give me some confidence if I'm going to use Google Cloud.

Yeah, well, I think one of the things is, as much as you can educate your workforce to do the right things, like, do they recognize phishing emails? Do they recognize that this email that's coming from somebody who claims as the CEO isn't, and some of these other techniques people are using? Again, like, there's human fallacy.
There's also things that are just impossible for humans to detect, but fortunately, especially with our cloud services, we have very advanced techniques that administrators can actually turn on and enforce for all of the users, and this includes everything from advanced malware and phishing detection techniques to things like enforcing security keys across your organization. And so we're giving the administrators that power to actually say, it's not actually up to individual users. I'm actually going to put on these much stronger controls and make it available to everybody.

And you guys see a lot of data, so you have a lot of collective intelligence across a lot of signals. I mean, spear phishing is the worst. I mean, this is like, phishing is hard to solve.

If you think about it, we have a demo over here, just a couple of steps to the right here, where we take users through kind of what phishing looks like. We say that over 99.9% of kind of those types of attacks will never even make it through, right? The problem here is spear phishing, as you said. When someone is targeting a specific individual at one company, at that point we might not have seen those signals before. That's really where something like a security key kind of comes in, at that very last line of defense, and that's basically what we're targeting here. That 0.1% of use.

Spear phishing is the most effective because it's highly targeted, it's no pattern recognition.

So Christiaan, one of the things I like about where you're talking about here is we need to make it easy for users to stay secure.
You see too often it's like, okay, we have all these policies in place and use the VPN, and it's like, forget it, I'm going to use my second phone or log in over here, bypass it, or let me take my files over here and work on it over here, and like, oh my gosh, I've just bypassed all of the policy we put in place because, you know. So how do you just fundamentally think about, the product needs to be simple and it needs to be what the user needs, not just the corporate security mandate?

Yeah, I mean, that's a great question. At Google we've actually pioneered a completely different way of, like, kind of ingress access to organizational networks. Like, for example, Google kind of deprecated the VPN, right? So for our employees, if I want to access data on the company network, we don't use VPNs anymore. We have something called kind of BeyondCorp, where it's like more of a kind of overarching, like, principle than a specific technology, although we see a lot of companies even at the show this year doing kind of technology and products based on that principle of zero trust or BeyondCorp. That makes it really easy for users to kind of interact with services wherever they are, and it's all based on trust in the endpoint rather than trust in the network, right? What we've been seeing is data breaches and things happen, you know, malicious software crawls into a network and from that vantage point it has access to all of the crown jewels. What we're trying to say is, like, nowhere does, you know, being at a privileged point in the network give you any elevated access. The elevated access is in the context that your device has: the fact that it has a screen lock, the fact that it's maybe issued by your corporation, the fact that it's approved, I don't know, the fact that it has drive encryption turned on, you know, it's coming from a certain, you know, location. Those are all kind of contextual signals that we use to make up this, you know, our instantiation of BeyondCorp.
Just being offered to customers today. Security keys again play a vital part in all of that. You know, there's trust in the endpoint, but there's also trust in authentication, and is the user really who they say they are, and this kind of gives us that elevated level of trust.

I think it's a modern approach. I think it's worth highlighting, because the old days when we had a perimeter, access methods were simple, you know, access servers, authenticate in, you're in. But you nailed, I think, the key point, which is, if you don't trust anything and you just say everything's not trustworthy, you need multi-factor authentication. Now this is a big topic in the industry, because architecture, you got to be set up for it, culturally you got to buy into it, so kind of two dimensions of complexity, plus you're going down a whole new road. So you guys must do a lot more than just two factor, three factor. You got to embed it into the phone, it could be facial recognition, it could be your pattern. So talk about what MFA, multi-factor authentication, how it's evolving, how fast MFA is evolving.

I think the point that you brought up earlier, that it actually has to be usable, and when I look at usability, it has to work for both your end users as well as the IT administrators who are putting these on for the systems, and we look at both. So that's actually why we're very excited about things like, you know, the phone, the built-in security key that's on your phone that we've launched, because it actually is that step to saying, how can you take the phone that you already have, that users are already familiar using, and then put it into this technology that's like super secure and that most users weren't familiar with before? And so it's concepts like that where we try to marry. That being said, we've also developed other kind of second factors specific for enterprises in the last year. Like, for example, we're looking at things like your employee ID, like, how can organizations actually use that where an
outside attacker actually doesn't have access to that kind of information, and it helps to keep you secure. So we're constantly looking at, especially for enterprises, like, how do we actually do more and more things that are tailored for usability, for both support costs for the IT organization as well as the end users themselves.

And maybe just to add to that, I think, you know, the technology, security keys, even in the way that it's being configured today, which is built into your phone, I mean, that's going in the right direction, it's making things easier. But I think we still think that there's a lot that can be done to really bring this technology to the end consumer at some point. So we kind of have our own internal roadmap we're working towards in making it even easier, so hopefully by the time we sit here next year we can share some more innovations on how this has just become part of everyday life for most users without them really even realizing it.

More wearables, brainwaves, whatever.

All sorts of things, yep, yep, yep.

One of the things that really, I think, struck a chord with a lot of people in the keynotes was Google Cloud's policy on privacy. Talked about, you know, you own your data, you know, we don't. You know, some of us look and say, well, I'm familiar with some of the consumer ads and search and things like that, and if I think about the discussion to security, as a corporate employee it's like, oh my gosh, they're going to track everything I'm doing and monitoring everything. I need to have my privacy, but I still want to be secure. How do you strike that balance in the product and working with customers to make sure that they're not living in some authoritarian state where, you know, every second they're monitored?

That's a good question. I don't know, Guemmy, if you want to take that one? I'm happy to do.

Go ahead.

All right, so, I mean, that is a great question, and I think this year we've really tried to emphasize that point and hit it home, right? Google has a big advertising business, as
everyone knows. We're trying to make the point this year to say that these two things are separate, right? If you bring your data to Google Cloud, it's your data. You put that in there. The only way that that data will kind of be, I guess, used is with the terms of service that you signed up for, and those terms of service says it's your data, it'll be accessed the way that you want it to be accessed. And we went one step further with access transparency this year, right? We've announced something where we said, well, even if a Google user or a Googler or, like, a Google employee needs access to that data on your behalf, let's say you have a problem with storage buckets, right, something is corrupted, you call up to support and say, hey, please help me fix this, there will be a near real-time log that you can look at which will tell you every single access. And basically this is the technologies we've had in production for quite some time internally at Google. If someone needs to look at some data, right, exactly right, if I need to look at some, you know, customer's data because they filed the ticket and there's some problem, these things are stringently logged, access is extremely audited, it's not that someone can just go in and look at data of anywhere, right? And the same thing applies to cloud. It has always applied to cloud, but this year we're exposing that to the user in these kind of transparency reports, making sure that a user is absolutely aware of who's accessing their data and for which reason.
And that's a trust issue as well. It's not just using the check and giving them a benefit utility, but it's basically giving them a trust equation, saying, look, there'll be no God handle access. Right, right, right, exactly. There's other stories around the web. Yes. And that's huge for you guys. I mean, internally, just, you guys are hardcore on this, right? Right, hear this all the time, yeah. And separate building some of it? No, not so building, but, you know, and act.

So I've worked in privacy as well for a number of years, and I'm actually very proud. Like, as a company, I feel like we actually have pushed the forefront on how privacy principles actually should be applied to the technology. And, you know, for example, we've been working very collaboratively with regulators around the world to be like, because their interest is in protecting the businesses and the citizens kind of for their various countries, and we definitely have a commitment to make sure that, you know, whether it's organizations or individuals, like, their privacy actually is protected, the data is secure. And certainly the whole process of how we develop products at Google, like, there's definitely, like, privacy checkpoints in place so that we're doing the right thing with that data.
Yeah, I can say, I've been following Google for a long time. You guys sometimes, you get a bad rap because it's easy to attack Google, and you guys do a great job with privacy. You pay attention to it and you get the technology, you don't just kind of talk about it, you actually implement it, and you dog food it, or you eat your own, drink your own champagne. I mean, that's how Borg became, started, became Kubernetes, you know, and Spanner was internal first and it became out here. So this is the trend that Google is. Is it the same trend that you guys are doing with the phones? Are you testing it out internally first, if it works?

Absolutely right. So security keys, they'll start there. Like, we, Krebs published an article last year just before the event saying that, you know, we've had zero incidents of password phishing with Googlers since deploying the technology. So we've had this inside of Google for a long time, and it kind of was born out of necessity, right? We knew that password phishing was a problem. Even Googlers fall for this kind of thing, right? It's impossible to train your users not to fall for those types of scams, it just is, right? We can do education all we want, but in the end, like, we need technology to better protect the user, even your employees. So that's where we started, deployed this technology. Then we said we want to go one step further, we want to kind of implement this on the mobile phone. So we've been testing this technology internally for quite a few months, kind of making sure that, you know, things are shaken out. We've released this to beta this week, so it's not a GA product quite yet. You know, as you know, there's Bluetooth, there's Chrome, there's Android, there's quite a few things involved. Android ecosystem is kind of a little bit fragmented, right? There's many OEMs. We want to make this technology available to everyone, right, everyone who has an Android phone. So we're kind of working on the last little things, but we think that technology is in a pretty good place after
doing this.

It's got to be bulletproof.

So it's got to be bulletproof.

So now on the current news, just get back to the current news: the phone, Android phone as a security key, is available, or is it in beta?

It's available, and on the cloud side, the way that we normally launch products there is we do an alpha, which is kind of a closed, like, selection. The moment that we move into beta, beta is open, anyone can deploy it, but it has certain, like, terms of service limitations and other things which says, hey, don't rely on this as your sole way of accessing an account. For example, if you happen to try and sign in on a device that doesn't have Bluetooth, this technology clearly will not work. So we're saying, please make sure you have a backup, please keep a physical security key around for the time being, but start using this technology. We think on most popular platforms it should be well shaken out, but beta is more of a designation that we kind of reserve for saying we're starting setting expectations.

But also, one thing I want to clarify is, because it's in beta, it doesn't mean it's less secure. The worst thing that will happen is that you can be locked out of your account because, you know, the Bluetooth could fail to communicate or other things like that. So I want to assure people, even though it's beta, like, you can use it, your account is secure.

Yeah, Google has that beta kind of nomenclature, which basically means either take it out to a select group of people or set expectations on terms of service, just to kind of keep an eye on it. But just to clarify, which phones again are available for the Android?
We wanted to make sure that we cover as large a population as possible, so we had to kind of look at the trade-offs, you know, at which point in time, like, we make this available going forward. We wanted to make sure that we cover more than 50% of the Android devices out there today. That level that we wanted to reach kind of coincided with the Android 7. Android Nougat is kind of the line that we've drawn. Anything Android 7 and above, it doesn't have to be a Pixel phone, it doesn't have to be a Nexus phone, it doesn't have to be a Samsung phone, any phone 7 and up should work with the technology. And then there is a little special treat for folks that have a Pixel 3, as you alluded to earlier. We have the Titan M chip that we announced last year in Pixel. There we actually make use of this cryptographic chip, but on other devices you have the same technology and you have the same assurance.

Well, certainly an exciting area, both from the device standpoint, everyone loves to geek out on the new phones, as Google I/O's coming up, I'm sure it'll be a fun time to talk about that. But overall on cloud, security is number one: access, human errors, fixing those, automating, in very important area. So we're going to keep track of what's going on. Thanks for coming on and sharing your insight, appreciate it. Live CUBE coverage here in San Francisco, more after this short break. Here day three of three days of wall to wall coverage. I'm John Furrier, Stu Miniman. Stay with us, we'll be back after this short break.