Christiaan Brand & Guemmy Kim, Google | Google Cloud Next 2019


 

>> Live from San Francisco. It's the Cube. Covering Google Cloud Next '19. Brought to you by Google Cloud and its ecosystem partners.

>> Hey welcome back, everyone, we're your live coverage with the Cube here in San Francisco for Google Cloud Next 2019. I'm John Furrier, my co-host Stu Miniman. I've got two great guests here from Google. Guemmy Kim, who's a group product manager for Google, Google Security Access and Christiaan Brand, Product Manager at Google. Talking about the security key, fallen as your security key and security in general. Thanks for joining us.

>> Of course, thanks for having us.

>> So, actually security's the hottest topic in Cloud and any world these days, but you guys have innovation and news, so first let's get the news out of the way. All the work, giz, mottos, all of the blogs have picked it up.

>> [Christiaan Brand] Right.

>> Security key, Titan, tell us.

>> [Christiaan Brand] Okay, sure. Uh, high votes on Christiaan. So uh, last year at Next we introduced the Titan Security Key which is the strongest form of multifactor certification we offer at Google. Uh, this little kind of gizmo protects you against most of the common phishing threats online. We think that's the number one problem these days. About 81% of account breaches was as a result of phishing or bad passwords. So passwords are really becoming a problem. This old man stat uh making sure that not only do you enter your password, you also need to present this little thing at the point in time when you're logging in. But it does something more, this also makes sure that you're interacting with a legitimate website at the point in time when you're trying to log in. Easy for users to fall victim to phishing, because the site looks legitimate, you enter your username and password, bad guy gets all of it.
Security key makes sure that you're interacting with a legitimate website and it will not give away its secrets, without that assurance that you're not interacting with a phishing website.

>> [Christiaan Brand] News this week though is saying that these things are really cool and we recommend users use them. Uh, especially if you're like a high-risk individual or maybe an enterprise user or access sensitive data you know Google Cloud admin. But what we're really doing this week is we are saying "okay this is cool" but the convenience aspect has been a bit lacking right? Uh, I have to carry this with me if I want to sign in. This week we are saying this mobile phone, now also does the exact same thing as the Security Key. Gives you that level of assurance, making sure you're not interacting with the phishing website and the way we do that is by establishing a local Bluetooth link between the device you're signing in on and the mobile phone. It works on any Android N so Android 7 and later devices this week. Uh and essentially all you need is a Google account and a device with Bluetooth capability to make that work.

>> Alright, so, we come to a show like this and a lot of people we geek out as like okay what are the security places that we are going to button, the cloud, and all of these environments. We are actually going to talk about something that I think most people understand is okay I don't care what policies and software you put in place, but the actual person actually needs to be responsible and did you think about things? Explain a little bit what you do, and the security pieces that you know individuals need to be thinking about and how you help them and recommend for them that they can be more secure.

>> In general, yeah, I think one of the things that we see from talking to real users and customers is that people tend to underestimate the risks that they are under.
And so, we've talked to people like people in the admin space or people who are in the political space and other customers of Google Cloud. And they are like, why do I even need to protect my account? And like, we actually had to go and do a lot of education to actually show them that they're actually in much higher risk than they think they are. One of the things that we've seen over time, is phishing obviously is one of the most effective ways that people's accounts get compromised and you have over 70% of organizations saying that they have been victims of phishing in the last year. Then the question is, how do we actually then reduce the phishing that's happening? Because at the end of the day, the humans that are in your organization are going to be your weakest link. And over time, I think that the phishers do recognize that and they'll employ very sophisticated techniques and to try to do that. And so what we tried to do on our end is what can we do on from an algorithmic and automatic and machine side to actually catch things that human eye can't catch and Security Key is definitely one of those things. Also employed with a bunch of other like anti-phishing, anti-spear phishing type things that we will do as well.

>> This is important because one of the big cloud admin problems has been human misconfiguration.

>> Yeah.

>> And we've seen that a lot on Amazon S3 Buckets, and they now passed practices for that but this has become just a human problem. Talk about what you guys are doing to help solve that because if I got router, server access I can't, I don't want to be sharing passwords, that's kind of a past practices but what other tech can I put in place? What are you guys offering to give me some confidence if I'm going to be using Google Cloud.

>> Yeah well, I think one of the things is that as much as you can educate your workforce to do the right things like do they recognize phishing emails?
Do they recognize that uh, you know this email that is coming from somebody who claims is the CEO, isn't and some of these other techniques people are using. Uh again, like there's human fallacy, there's also things that are just impossible for humans to detect. But fortunately, especially with our Cloud Services, we have very advanced techniques that administrators can actually turn on and enforce for all of the users. And this includes everything from advanced, you know malware and phishing detection techniques to things like enforcing security keys across your organization. And so we're giving administrators that power to actually say, it's not actually up to individual users, I'm actually going to put on these much stronger controls and make it available to everybody at my organization.

>> And you guys see a lot of data so you have a lot of collective intelligence across a lot of signals. I mean spear phishing is the worst, it's like phishing is hard to solve.

>> [Christiaan Brand] If you think about we have a demo over here just a couple of steps to the right here uh, where we take users through kind of what phishing looks like. Uh, we say that over 99.99% of kind of those types of attack will never even make it through right? The problem is spear phishing as you said, when someone is targeting a specific individual at one company. At that point, we might have not seen those signals before uh that's really where something like a Security Key kind of comes in.

>> That's totally right.

>> [Christiaan Brand] At that very last line of defense and that's basically what we are targeting here that .1% of users.

>> Spear phishing is the most effective because it's highly targeted, no pattern recognition.

>> Yeah

>> So question, one of the things I like we are talking about here is we need to make it easier for users to stay secure.
You see, too often, it's like we have all these policies in place and use the VPN and it's like uh forget it, I'm going to use my second phone or log in over here or let me take my files over here and work on them over here and oh my gosh I've just bypassed all of the policy we put in place because you know, how do you just fundamentally think about the product needs to be simple, and it needs to be what the user needs not just the corporate security mandate?

>> Yeah, I mean that's a great question. At Google we actually try a nearly completely different way of like kind of access to organizational networks. Like, for example Google kind of deprecated the VPN. Right? So for our employees if we want to access data uh on the company network, we don't use VPNs anymore we have something called kind of BeyondCorp that's like more of a kind of overarching principle than a specific technology. Although we see a lot of companies, even at the show this year that doing kind of technology and product based on that principle of zero trust or BeyondCorp. That makes it really easy for users to interact with services wherever they are and it's all based on trust on the endpoint rather than trust on the network, right? What we've seen is data breaches and things happen you know? Malicious software crawls into a network and from that point it has access to all of the crown jewels. What we are trying to say is like nowhere in being at a privilege point in the network gives you any elevated access. The elevated access is in the context that your device has, the fact that it has a screen lock, the fact that it's maybe issued by your corporation, the fact that it's approved, I don't know, the fact that it has drive instruction turned on, uh you know it's coming from a certain you know location. Those are all kind of contextual signals that we use to make up this uh, you know, our installation of BeyondCorp.
This is being offered to customers today, Security Keys again, plays a vital part in all of that. Uh, you know there's trust in the endpoint, but there's also trust in authentication. If the user is really who they say they are, uh and this kind of gives us that elevated level of trust.

>> I think this is a modern approach, that I think is worth highlighting because the old days we had a perimeter, access methods were simply, you know, access servers authenticated in and you're in. But you nailed, I think the key point which is: If you don't trust anything and you just say everything is not trustworthy, you need multi-factor authentication. Now, this is the big topic in the industry because architecturally you have to be set up for it, culturally you got to buy into it. So kind of two dimensions of complexity, plus you're going down a whole new road. So you guys must do a lot more than just two factor, three factor, you got to embed it into the phone. It could be facial recognition, it could be your patterns. So talk about what MFA, Multi-factor Authentication, how's it evolving and how fast is MFA evolving?

>> Well, I think the point that you brought up earlier, that it actually has to be usable. And when I look at usability, it has to work for both your end users as well as the IT administrators who are uh putting these on for the systems and we look at both. Uh, so that's actually why we are very excited about things like the built in security key that's on your phone that we launched because it actually is that step to saying how can you take the phone that you already have that users are already familiar using, and then put it into this technology that's like super secure and that most users weren't familiar with before. And so it's concepts like that where we try to marry. Uh, that being said, we've also developed other kind of second factors specific for enterprises in the last year.
For example, we are looking at things like your employee ID, like how can an organization actually use that where an outside attacker doesn't have access to that kind of information and it helps to keep you secure. So we are constantly looking at, especially for enterprises, like how do we actually do more and more things that are tailored for usability for both support costs, for the IT organization, as well as the end users themselves.

>> Maybe just to add to that, I think the technology, security keys, even in the way that it's being configured today which is built into your phone, that's going into the right direction, it's making things easier. But, I think we still think there's a lot that can be done uh to really bring this technology to the end consumer at some point. So, we kind of have our own internal roadmap, we are working towards in making it even easier. So hopefully, by the time we sit here next year, we can share some more innovations on how this has just become part of everyday life for most users, without them really realizing it.

>> More aware of all brain waves, whatever.

>> Full story. Yup, yup, yup.

>> One of the things that really I think struck a chord with a lot of people in the Keynote was Google Cloud's policy on privacy. Talk about, you own your data, we don't uh you know, some might look and say well uh I'm familiar with some of the consumer you know, ads and search and things like that. And if I think about the discussion of security as a corporate employee is oh my gosh they're going to track everything I am doing, and monitoring everything I need to have my privacy but I still want to be secure. How do you strike that balance and product and working with customers to make sure that they're not living in some authoritarian state, where every second they're monitored?

>> That's a good question. Kim if you want to take that, if not I'm happy to do.

>> Go ahead.

>> Alright, so that is a great question.
And I think this year we've really tried to emphasize that point and take it home. Google has a big advertising business as everyone knows. We are trying to make the point this year, to say that these two things are separate. If you bring your data to Google Cloud, it's your data, you put that in there. The only way that data would kind of be I guess used is with the terms of service that you signed up for. And those terms of service state: it's your data, it'll be accessed the way that you want it to be accessed. And we are going one step further with access transparency this year alright. We have known something where we say well even if a Google user or Googler or Google employee needs access to that data on your behalf, let's say you have a problem with storage buckets, right, something is corrupted. You call uh support and say hey please help me fix this. There will be a near real time log that you can look at which will tell you every single access and basically this is the technology uh we've had in production for quite some time internally at Google. If someone needs to look...

>> Look at the data.

>> Right, exactly right if I need to look at some you know customer's data, because they filed the ticket and there's some problem. These things are stringently logged, access is extremely oriented, it's not that someone can just go in and look at data anywhere and the same thing applies to Cloud. It has always applied to Cloud but this year we are exposing that to the user in these kind of transparency reports making sure that the user is absolutely aware of who's accessing their data and for which reason.

>> And that's a trust issue as well, it's not just using the check and giving them the benefit...

>> [Christiaan Brand] Absolutely.

>> But it's basically giving them a trust equation saying look there'll be no God handle access...

>> Right, right, exactly.

>> You heard with Uber and these other stories that are on the web, and that's huge for you guys.
I mean internally just you guys are hardcore on this and you hear this all the time.

>> Yeah uh

>> Separate building, Sunnyvale...

>> No, not separate building. But you know uh, so I've worked in privacy as well for a number of years and I'm actually very proud like as a company I feel like we actually have pushed the forefront on how privacy principles actually should be applied to the technology uh and for examples we have been working very collaboratively with regulators around the world, cause their interest is in protecting the businesses and the citizens kind of for their various countries. And uh we definitely have a commitment to make sure that you know, whether it's organizations or individuals like their privacy actually is protected, the data is secure, and certainly the whole process of how we develop products at Google like there's definitely privacy checkpoints in place so that we're doing the right thing with that data.

>> Yeah, I can say I've been following Google for a long time. You guys sometimes got a bad rep because it's easy to attack Google and you guys do a great job with privacy. You pay attention to it and you have the technology, you don't just kind of talk about it. You actually implement it and you dog food it as to or you eat and drink your own champagne. I mean that's how Borg became, started became Kubernetes you know? And Spanner was internal first and then became out here. This is the trend that Google, the same trend that you guys are doing with the phones, testing it out internally to see if it works.

>> Yeah, yeah.

>> Absolutely right, so Security Keys will start there like we uh Krebs published an article last year, just before the event saying we had zero incidents of possible phishers with Googlers since they deploying the technology. We had this inside Google for a long time, and it was kind of born out of necessity, right. We knew there was positive phishing was a problem, even Googlers fall for this kind of thing.
It's impossible to train your users not to fall for this type of scam, it just is right. We can view any location all we want, but in the end like we need technology to better protect the user, even your employees. So that's where we started deploying this technology, then we said we want to go one step further. We want to kind of implement this on the mobile phone, so we've been testing this technology internally uh for quite a few months. Uh, kind of making sure that things are shaping out. We released this new beta this week uh so it's not a GA product quite yet. Uh, you know as you know there is Bluetooth, there is Chrome, there is Android, there's quite a few things involved. Android Ecosystem is kind of a little bit fragmented, right, there is many OEMs. We want to make this technology available to everyone, everyone who has an Android phone, so we are kind of working on the last little things but we think the technology is in a pretty good place after doing this "drinking of champagne."

>> So it's got to be bulletproof. So now, on the current news just to get back to the current news, the phone, the Android phone that has a security key is available or is it data that is available?

>> [Christiaan Brand] So it's interesting. In on the Cloud side, the way that we normally launch products there is we do an alpha, which is kind of like a closed liked selection. The moment that we move and do beta, beta is open, anyone can deploy it but it has certain like terms of service limitation and other things. Which says hey don't rely on this as your sole way of accessing an account. For example, if you happen to try and sign in on a device that doesn't have Bluetooth the technology clearly will not work. So we're saying please make sure you have a backup, please keep a physical security key for the time being. But start using this technology, we think for the most popular platforms it should be well shaken out.
But beta is more of a designation that we kind of reserve for saying we're starting...

>> You're setting expectations.

>> But also, one thing I want to clarify that just because it's in beta it doesn't mean it's less secure. The worst thing that will happen is that you can be locked out of your account because you know, the Bluetooth could fail to communicate or other things like that. So I want to assure people, even though it's beta you can use it, your account is secure.

>> Google has the beta kind of uh which means you either take it out to a select group of people or set expectations on terms of service.

>> Right.

>> Just to kind of keep an eye on it. But just to clarify, which phones again are available for the Android?

>> [Christiaan Brand] Uh, we wanted to make sure that we cover as large a population as possible, so we kind of have to look at the trade-offs, you know at which point in time we make this available going forward. Uh, we wanted to make sure that we cover more than 50% of the Android devices out there today. That level that we wanted to reach, kind of coincided with the Android 7, Android Nougat, is kind of the line that we've drawn. Anything Android 7 and above, it doesn't have to be a Pixel phone, it doesn't have to be a Nexus phone, it doesn't have to be a Samsung phone, any phone 7 and up should work with the technology. Uh and there's a little special treat for folks that have a Pixel 3 as you alluded to earlier we have the Titan M chip that we announced last year in Pixel. There we actually make use of this cryptographic chip but on other devices you have the same technology and you have the same assurance.

>> Well certainly an exciting area both on from a device standpoint, everybody loves to geek out on the new phones as Google I/O is coming up I'm sure it'll be a fun time to talk about that. But overall, on Cloud security is number one, access, human, errors, fixing those, automating, a very important area.
So we're going to be keeping track of what's going on, thanks for coming on.

>> Thanks.

>> And sharing your insight, I appreciate it.

>> Of course, thanks for having us.

>> Okay, live Cube coverage here in San Francisco. More after this short break. Here Day 3 of 3 days of wall-to-wall coverage. I'm John Furrier and Stu Miniman, stay with us, we'll be back after this short break.

(energetic music)

Published Date : Apr 11 2019
