In today's data-driven world, securely collaborating on sensitive information is more crucial (and challenging) than ever. How can organizations unlock the power of collaborative partnerships and the insights they bring while still maintaining a rigorous privacy, security, and compliance posture?
Collaborating on sensitive data, such as Personally Identifiable Information (PII), Protected Health Information (PHI), or financial data, requires a robust security posture.
Organizations face increasing pressure to unlock insights from their data while adhering to strict privacy regulations (e.g., HIPAA, GDPR, CCPA). When two or more organizations identify a need to work together, sharing data to unlock new insights, knowing how to secure these collaborations becomes tricky. Each organization essentially must trust the other to respect and secure its data.
Trust like this can be so hard to earn that we find many organizations don’t even try - missing out on opportunities to serve their customers better.
Organizations that do get over the hump often adopt architectures that simply aren’t up to par security-wise, and risk catastrophic data loss, legal consequences, or other outcomes that drive their customers away when these collaborations inevitably end badly.
Traditional methods of data collaboration often involve complex security configurations, manual processes, and limited visibility, increasing the risk of data breaches and compliance violations.
There is an inherent tension between innovation and compliance when sensitive data is involved. Organizations need ways to collaborate safely to avoid stifling innovation.
Isolator is a purpose-built, secure collaboration tool, built with Chrome Enterprise Premium, Cloud Identity and a Terraform blueprint, which together enable organizations to work with sensitive data in a controlled environment within Google Cloud.
Isolator helps solve the problem of needing to give your cloud engineers, researchers, product teams, and anyone involved in a multi-party collaboration access to restricted data and tools when they are building solutions that involve sensitive information.
The tool facilitates the design and implementation of customized controls that fit regulated customers' organizational and data security needs. Isolator was built to work in conjunction with our Confidential Computing services, is designed to align with our Trust and Transparency principles, and implements a Zero Trust approach throughout.
Google's Professional Services Organization and its Office of the CISO launched Isolator at Next ‘24 and use it today to secure engagements with customers in many industries, including healthcare, financial services, and public sector. Google Cloud customers also use Isolator to secure their collaborations with others. We’re open sourcing Isolator today to help everyone work together more securely, whatever arrangement they may find themselves in.
Setup and Maintenance: When you open the home folder in the /Isolator project, you will see folders numbered 00-07. Each numbered folder contains code and instructions for setting up a critical component of an Isolator environment, and serves as the pipeline through which changes to that component are committed to the environment over the Isolator’s lifetime. To keep things simple, changes to Isolator must be made via code managed in a git repository and deployed through a pipeline. We designed it this way so that anything that could impact the integrity of an Isolator environment can be known, tracked, and managed - no one can push changes without the other organization(s) reviewing and approving them.
Key Security Features: Isolator is loaded with cloud-first security controls that keep data safe and where you want it. It works just as well in hostile environments as it would in a highly secured cloud organization. Controls include a resource hierarchy that isolates Isolator itself, as well as its security and data projects, from other projects in your organization; VPC Service Controls to constrict network access and prevent data exfiltration; Organization Policies that establish controls and prevent them from being overridden; logging of all activities to separate log sinks kept away from users; and integration with Cloud Identity and Chrome Enterprise Premium so that data protection and activity logging controls extend down to the devices used to access the Isolator project. Built-in alerting notifies administrators in your organization if critical controls change, and automation is provided to change things back (if you want).
Working in Isolator: Organizations simply identify what data they want to collaborate on and move it into a storage service (e.g., Cloud Storage, BigQuery, or something else) located ‘inside’ the main Isolator folder. Other Google Cloud services, like Vertex AI, Google Kubernetes Engine, Dataflow, Cloud SQL, Cloud Run and others, can also be enabled and added to the Isolator project. At the same time, the host organization can set up Cloud Identity, Chrome Enterprise Premium, IAM, Identity-Aware Proxy and Access Context Manager to define strict rules for which users and devices will get access. All of these, and any other activities involving services or data ‘inside’ the Isolator folder, are logged as work goes on. Compliance, Audit, and Security teams can keep track of the work by monitoring logs and consuming notifications that alert them to specific behavior they may be looking for.
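To make the control pattern from the two sections above concrete, here is an added Terraform sketch. It is not Isolator's own blueprint (Isolator's is the numbered 00-07 folders in its repository), and every ID, project name, bucket name, e-mail address and location in it is an assumption to replace for your organization. It shows the four pieces the post names that can be expressed in Terraform: a dedicated folder that keeps the data and security projects apart from the rest of the organization, an Organization Policy pinned at the folder so project owners cannot loosen it, a VPC Service Controls perimeter whose only entry is an access level tied to named users on corporate-owned devices (the device policy is what requires Chrome Enterprise Premium), and a folder-level audit log sink into a locked bucket in the security project, out of reach of the people working in the data project.

```hcl
# Added example, not Isolator's own blueprint. Every ID, name and e-mail is an assumption.
variable "org_id" { default = "123456789012" } # assumed organization ID

# 1. Resource hierarchy: a dedicated folder holds the collaboration's data project
#    and a separate security project, apart from the rest of the organization.
resource "google_folder" "isolator" {
  display_name = "isolator-collab-01"
  parent       = "organizations/${var.org_id}"
}

resource "google_project" "data" {
  name            = "isolator-data"
  project_id      = "isolator-data-01" # assumed; must be globally unique
  folder_id       = google_folder.isolator.name
  billing_account = "000000-AAAAAA-BBBBBB" # assumed
}

resource "google_project" "security" {
  name            = "isolator-security"
  project_id      = "isolator-security-01" # assumed; must be globally unique
  folder_id       = google_folder.isolator.name
  billing_account = "000000-AAAAAA-BBBBBB" # assumed
}

# 2. An Organization Policy set on the folder cannot be loosened by project owners.
resource "google_folder_organization_policy" "no_sa_keys" {
  folder     = google_folder.isolator.name
  constraint = "constraints/iam.disableServiceAccountKeyCreation"
  boolean_policy { enforced = true }
}

# 3. VPC Service Controls: only the listed users, on corporate-owned devices
#    (device policy needs Chrome Enterprise Premium), may reach the restricted
#    APIs, and data in those services cannot leave the perimeter.
resource "google_access_context_manager_access_policy" "policy" {
  parent = "organizations/${var.org_id}"
  title  = "isolator-policy"
}

resource "google_access_context_manager_access_level" "trusted" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.policy.name}/accessLevels/isolator_trusted"
  title  = "isolator_trusted"
  basic {
    conditions {
      members       = ["user:analyst@example.com"] # assumed collaborator
      device_policy { require_corp_owned = true }
    }
  }
}

resource "google_access_context_manager_service_perimeter" "isolator" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.policy.name}/servicePerimeters/isolator"
  title  = "isolator"
  status {
    resources           = ["projects/${google_project.data.number}", "projects/${google_project.security.number}"]
    restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
    access_levels       = [google_access_context_manager_access_level.trusted.name]
  }
}

# 4. Audit logs for everything under the folder are routed to a locked bucket in the
#    security project, where the people working in the data project cannot reach them.
resource "google_storage_bucket" "audit" {
  project                     = google_project.security.project_id
  name                        = "isolator-audit-logs-01" # assumed; must be globally unique
  location                    = "US"
  uniform_bucket_level_access = true
  retention_policy {
    retention_period = 31536000 # one year, in seconds
    is_locked        = true     # irreversible: retention can never be shortened
  }
}

resource "google_logging_folder_sink" "audit" {
  name             = "isolator-audit"
  folder           = google_folder.isolator.name
  include_children = true
  destination      = "storage.googleapis.com/${google_storage_bucket.audit.name}"
  filter           = "logName:\"cloudaudit.googleapis.com\""
}

resource "google_storage_bucket_iam_member" "sink_writer" {
  bucket = google_storage_bucket.audit.name
  role   = "roles/storage.objectCreator"
  member = google_logging_folder_sink.audit.writer_identity
}
```

Two design points are worth noting. The sink's writer identity is granted only object creation on the bucket, and the bucket's retention policy is locked, so the users (and administrators) of the data project can neither delete nor rewrite the audit trail after the fact. The post's alerting on critical control changes can be built with the same primitives: a second folder sink whose filter matches the Organization Policy, IAM and sink-modifying audit methods, routed to a Pub/Sub topic in the security project that notifies administrators; perimeter changes are recorded at the organization level, so those need an organization-level sink rather than a folder one.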
Here’s an outline of the various components of Isolator and how they work together.
Infrastructure used for one-time collaborations, like those commonly found in healthcare, involves buying infrastructure with a useful life much longer than the collaboration is expected to last. The hidden costs of keeping this infrastructure up, running, and secure after the collaboration ends can be significant. Customers tell us they want this class of infrastructure to 'go away' once the work is over - reducing their footprint to save time and cost, and to reduce the security burden of maintaining it. With Isolator, you can turn down this type of infrastructure quickly - simply delete the project, stop being billed, and get excited - all future costs are now $0. No more long-lived infrastructure you don't need.
Healthcare organizations, like hospitals and pharmaceutical companies, no longer need to buy expensive infrastructure and security products to conduct research or collaborative work. Security teams now have an instant clean room to conduct forensic analysis of artifacts alongside their customers and other stakeholders. Banks or consultancies doing sensitive, pre-deal due diligence on a business acquisition or investigation can securely access and share information with full accountability turned on, all the time (for all parties, including the cloud service provider!). Anyone handling or needing to share sensitive information with other parties can do so with confidence that they will know exactly what happened, and with less concern that their most sensitive asset - data - goes for a walk.
You've journeyed with us through the ins and outs of Isolator, and hopefully the wheels are turning: you are picturing all the super-secure collaborations you're about to unleash. Go ahead, dream big! But seriously, don't just dream—do. Head over to github.com, clone the Isolator repository, deploy the code, and start isolating. If you create something amazing, or learn something cool, share it with the community! We're all in this together, building a safer, more collaborative cloud, one isolated project at a time.