Optimize GCP's Security Architecture for Maximum Protection (Cloud Next '19)

Welcome. Today we're going to talk about optimizing GCP security architecture for maximum protection. I just want to share with you the agenda we're going to cover in the next 50 minutes. We're going to talk about key risks and threats from an enterprise perspective, just to give you a perspective of what we feel is facing our clients today. We're going to share with you our view on what we think is a Google Cloud core architecture model, and we'll share with you three dimensions to that. And then we thought it would be interesting to have a fireside chat; we've invited someone from Google to join my colleague and me to go through a fireside chat and try to guess the questions that are in your head today. And then we're going to end on a key takeaway slide, some of the key lessons that we want to bring to today's session.

So with that, today's presenters: my name is Shahed Latif. I'm a partner in PwC's cloud security practice, focused on Google. Joining me today will be Gokul, and Rob from Google. Fun fact about me: I've done an 80-mile backpack in New Mexico, carrying 50 pounds over ten days. Very tough, and I crossed three large mountains. It really tested my stamina. I enjoyed it a lot. But why don't you introduce yourself?

Good afternoon everyone. I'm Gokul. I'm a director in PwC's advisory group, focused on cloud transformation and cloud security. So, fun fact: I always wanted to skydive but never really had the guts to do it, so I thought, why don't I do it in a safe environment, and I picked this one. It turned out really fun. I really want to go back again, but that's something that I wanted to do.

So let's talk about key risks and threats to the cloud. We thought we'd start with a little bit of a privacy and regulatory feel to it. What we've done at PwC is we've analyzed the market. We've looked at almost every single country in the world, and we've identified a number of drivers: environmental drivers, international law, US law, regulations, enforcement and case law, and self-regulation and standards. You can see some of the examples on here, and there are many more. What we find with our clients when we talk to them is they really don't have enough insight, because of the global nature of their business and the complexity of regulation, and sometimes it's important to understand it. So we've developed a point of view in almost all these countries and have it in a repository at our fingertips; we don't need to spend hours and weeks researching it, we have it at our fingertips. We think that's an important attribute to have when you begin the cloud journey, to really understand that, especially when you talk about data localization and where data may physically reside.

So what's the value, though, of understanding all that regulation? What is the impact if you have non-compliance? There are four broad areas of non-compliance risk. The first is regulatory fines and penalties, which I'm sure most of you are aware of, but you might be subject to an FTC order. There have been a number of consumer breaches that have resulted in decade-long, or multiple decades of, orders where you have to do audits for the next 20 years in some cases. Some business operations might be limited, so it could have a big impact from a regulatory perspective. Financial risk: you could have loss of revenue, you could have litigation cost, which is often the case in some breaches, and civil and criminal penalties for data breaches as well. There's also reputational risk, and that's a big discussion. So many breaches have occurred today that some people have become numb to it; share prices don't really get impacted much. But does your reputation get impacted? In some cases it could, especially if you rely heavily on an online presence or heavily depend on technology where security is really paramount. You might lose the confidence of your employees and start to get turnover. And then finally, operational risk: restricted operations, not having the ability to transfer data in an appropriate way, or having an incident response program with remediation obligations that weren't met. So these are some of the non-compliance risks that you have to be careful of.

I want to turn quickly to some key considerations. We tried to summarize this in a page, which is very difficult, but we think these are the main themes that we keep seeing over and over again at our clients. Governance and keeping pace: often cybersecurity doesn't have a seat at the table when it comes to architectural discussions. IT may be at the front, or the business might be at the front; only sometimes do I see cyber with a seat at the table. With Google Cloud adoption you have to be collaborating on that solution together to enhance the enablement of agility through a DevOps environment, and we'll talk later about some thoughts around secure development. It's really important to bring that mentality that cyber is an equal partner in the discussion, and in modernizing the employee skill sets. Time and time again we go to our clients and find there are not enough resources that know this subject, and we get called upon to either augment the team or bring our specialized skill sets to the table. Identity and access management: you probably have attended some of the sessions over the last two days around this topic, but when you're in a multi-cloud environment it's quite complex to deal with, and throw legacy applications on top of that as well. So centralizing identity, both the user and the device, using MFA, and PAM are three really important topics to address. Data protection and compliance: I mentioned earlier all the regulations that are out there. Especially here, since we're all in California today, the CCPA is having a big impact, and a lot of my clients, especially those with a lot of consumer data, are having to understand where the data is, who has access to it, how they use it, and if I have to delete it, how can I delete it. So it's really important to have an effective program around that. Legacy services: what's the path for data migration from legacy apps to a workload that's going into the cloud? How do you deal with data in transit, how do you encrypt it the right way? And then breach response: do you understand the roles and responsibilities of the cloud provider? You might know that up front during early discussions, but as you get into month three, month six, the second year, are you really clear? What happens if there's a breach, who's responsible for what, what are the SLAs around that? It's really important to know.

I want to quickly jump now into something we've created at PwC. It's based on three basic principles. We looked hard, and we have a concept called strategy through execution when we deliver our solutions to a client. So when it came to Google Cloud we said we want to approach it in three dimensions: a technical architecture, which is probably a lot of what you saw in this conference, but we also feel strongly about a process architecture and a controls architecture. All three have to come together and have to be linked, and that's what our view is around bringing it all together into one place. So I'm going to share with you in the next few slides how we've approached this topic.

The first one, controls, was relatively easy. We've adopted NIST 800-53; we think that's the most comprehensive framework out there, especially in the US. It's the most stringent baseline to go after. We've coupled it, obviously, with the CIS Critical Security Controls version 7, because there are a lot of technical hardening standards that you would have. We mapped them both together, created specific controls for GCP, and we've identified which ones are really critical and non-critical. We also identified which ones are really technically possible through automation, which ones are really process- or workflow-oriented, and which will rely on people to follow. We also took it one step further and worked out which ones are really native within GCP and which ones are not. Often our clients want to maximize as much as possible from Google Cloud, and what we've done is try to identify that early on. So having this framework, we have a baseline against which to measure our adoption, so we think this is one important attribute to have defined. You can see the categories below; I won't go through them all, you can see them presented in front of you, but this illustrates the dimensions of controls that you need to address.

I'll spend a few minutes on this slide, because this is our technical architecture. Underneath this we have content that talks about what good looks like from an architectural perspective. We don't want to change too much of what's already there in the on-premise world, but where we've done it, we've translated what it means to be in the cloud.

So let me walk you through how we address this technical architecture. First, we use the NIST CSF domains: identify, protect, detect, respond and recover. We feel that most of our clients, especially at the board level, understand that terminology, so we use that lens to translate at an executive level the different campaigns and programs we're trying to do. Using those domains, how do we measure success? We measure success through that lens. We also want to take into account the technology stack of the cloud environment, so there's compute, network, storage, logging, monitoring, IAM. We look at it from that lens and make sure we address those components. At the top, we also want to be aware of the security risks. These are inputs to each of the technical requirements that we defined: visibility, business awareness, compliance, data security, threat protection, cloud IAM, incident response, vendor landscape, cloud DevOps, vendor-managed applications, API security, and infrastructure security. We think it's important that our model fully addresses those risks.

And they're embedded in our technical architecture. So I'll walk you through them, and then I'm going to ask Gokul to share some client experiences. So, for example, IT asset management: at a high level everyone knows that inventory is important. How do you do that in a cloud when assets don't last more than maybe a few hours or a few weeks? How do I get around that, and if I have to go back and investigate, how do I deal with that? Threat and vulnerability management: clients are struggling sometimes in this space. How do you do a penetration test in GCP, and how do you do this on a regular basis? What tools are available to allow for that? Data protection: how do we make sure that the data that's there in the cloud is protected according to your policies? Logging and monitoring: it's really important to define it. Most of my clients have a multi-cloud environment; what's the single source of truth when it comes to the repository? How do we create a data lake that will give us the visibility that we need, and in a real-time fashion? Incident response: if you ever do have a breach of whatever nature, how do you respond quickly? Business continuity and disaster recovery: how do we make sure that you can recover quickly? We ourselves are actually in the middle of researching some new ways of looking at resiliency, so we're looking to actually leverage some of Google's tech: how do we quickly assess the dependencies on different assets there in the cloud? Governance and compliance: an important part of governance is who owns cloud architecture, who approves cloud architecture. When it comes to service-level approvals, where do you get that defined? And now you get a blurring between operations, security and development; how do you bring all that together in a defined way that doesn't bring down your levels of security controls? Security development lifecycle: you may be surprised to hear that companies are struggling with adopting an SDLC that's applicable to a cloud-like environment. Risk assurance management: how do you assure your customers, your third parties, that you're in a safe environment? Identity and access management I've talked about already, but it's a central theme: how you control access into the cloud. Awareness and training, and finally network security. So I just wanted to spend a little bit of time walking through each one, but I'm going to ask Gokul now just to share some examples of our client experiences as we've used this framework.

Sure, absolutely. So I'm going to take a couple of domains here and then talk about specific customer examples where we've been asked to come in and help, and that's resulted in our developing this kind of framework to help out in future engagements. One of the first things that we typically look at is what the customer has in their cloud environment. We recently were brought in for a client who wanted to do a very quick assessment of their environment and look at the readiness of their environment. The first thing that we asked them is, okay, what are you running on the cloud? What are your assets, what are your resources? A lot of our clients have an inventory available which they can use, but a lot of the time that's not accurate, and in the cloud, with the scalability and the elasticity to it, there are resources going up and down all the time. So how are you going to have a framework and a process in place to be able to measure and track that over a consistent period of time? I think the key on the Google side is that GCP has already provided some native abilities like labeling; they have the Security Command Center that's now integrated with the asset lifecycle, which you can leverage to enable tagging on your resources and identify what resources you have. You build a very simple schematic model which says: here is my resource, here is what it's used for, who's the owner, what is the environment, what is the purpose of it, and you have some level of data classification associated with that. Once you have established that model, that then becomes your baseline, and you start slowly building automation on top of that. Once you have that automation, it's very easy to start building policies on top of it, and you start enforcing those policies. So the first thing that we typically ask customers is, what is your asset inventory, and I would recommend looking at your policies and your resource management lifecycle to set up those labeling policies.

Another example that we commonly run into when we walk into a customer: traditionally you have these engineering teams, the security team, and then the app development team, doing separate roles. As you go into the cloud, with all the automation in place, those lines have started blurring all the more now. So you need a proper methodology and a process in place to be able to say, how am I going to automate my infrastructure, how am I going to provision my infrastructure, how do I embed security as part of my development lifecycle? So somebody is running containers, somebody else has traditional workloads; how do I ensure a consistent process that is baked in as part of my build and release pipeline? That's another thing that we commonly notice, and we recommend coming up with a proper process that works not only in your on-prem environment but also in your cloud environment. Typically, once you have established the process, it can be tailored very quickly to any of the cloud providers that you have. So that's a couple of examples that I had in mind.

So at this point in time I would like to invite Rob from Google to join us for a quick fireside chat.

Thanks Gokul, thanks Shahed. So my name is Rob Sadowski. I work in the product marketing organization here at Google Cloud on security and trust, and my team really develops a lot of the initial message when we engage with customers around security, helping to educate them about the capabilities that are inherent in our platforms, the different control objectives that we can help them meet, and how we can help them with key security processes like security monitoring, like IAM, the core disciplines of any security program. I guess in the spirit of sharing fun facts, one of the things that I like to do is see live music, see concerts. The concert was great last night; hopefully everyone got to catch some of that. I've seen a number of my favorite bands hundreds of times, so that's what I like to do if I'm not doing security. Cool.

So I think, Rob, what we'll do is turn to a fireside chat. We tried to think about questions people in the audience might be thinking of, so why don't you start and we'll see where we go.

Yeah, I mean, I think the interesting thing is that you have gone through these implementations with many different types of clients, and so early on in those engagements, just when they're considering cloud, whether they're considering GCP, I mean, you talked about technology, you talked about controls, you talked about process.

Where are the biggest challenges early on in the engagement, or early on in the process, for people who may be either starting that journey or who are very early on in considering this?

This is actually an interesting question, because often we get the inside look before even Google gets to the door. Some of my largest clients, we get asked all the time, is this the right product, is this the right solution? So before even a cloud provider gets to the table, we're asked, does it meet the security requirements? And often the ROI is quickly addressed; that's not an issue, because why we're at the table is, is this the right transformation process? Absolutely. But the fundamental question that's always the biggest layer is, is it meeting my security policies? And often what we find is that client security policies are written in a way that doesn't translate to a Google-like environment, and so we're having to translate their requirements, and what they're trying to do, to what the platform is going to bring them. In some cases, yes, it might be there, but nine times out of ten there's a translation required. And so what we have been asked to do more often than not is go in and try to understand that complexity and bring simplicity, because that's the other side of the equation: bring the simplicity, and understand what the risks and the vulnerabilities are, but more importantly the strengths that it brings as well.

I mean, you talked about basing your work on frameworks like the NIST framework, whether it's CSF or some of the control matrices. Do you see people basing their own policies around domains like that, or do they tend to be looser?

So it has varied. I can give you a story of a client, Fortune 15; I'll keep it within the top 15 rather than say which one. I showed up three years ago at this client. They had created their policies on input from legal, input from operations, but a proprietary build, which built up their own thinking. They asked me to come in and evaluate not that, but more their posture overall, and we concluded that the most important thing to do was to actually base it on a recognized framework; there we used NIST CSF. And more often than not we're finding NIST being the most common framework to be used. ISO is still relevant, especially from the global side, but NIST is the most relevant one.

Yeah, and I think that's one of the reasons why at Google Cloud we try to get, or we commit to getting, certifications among the most popular international frameworks.

And So if someone is basing, you know their set of controls, and how they how they meet policy, obligations, based on something like ISO 27001. Or and, then how that how that gets translated through there's, often a direct mapping that they can use to help them understand. You. Know within the confines of a shared responsibility model, what we're going to be doing what they're going to be doing and then we can also map out to, two. Other controls, there two of the things that when I mentioned there are the challenges with our clients and the early adoption is do I have the right technical competency, to it, again. A big, percentage of our clients at building those resources out but there they want to retool their current staff to do it which, means they need a leader and a change agent within the ranks to be able to pull it through and more. Often not sometimes they rely on a third party to fill, in that gap sometimes, not. Always but sometimes, but, eventually, they have to find that that director, that leader whoever. It is to really drive it to completion do. You find that that as organizations. Look, to look to do some of this that they are looking to actually, bring. Existing. Control like what you know they have a control objective, what are they trying to bring existing, controls or are they re, looking at what is offered you know in the cloud I think we're gonna talk about some, of this to. Say okay we can replace this. Existing, control that. We have in place you know it, may be based on a particular product of how they meet that obligation with. Something cloud native I think. It's mentioned throughout this conference transformation. They want to automate automation. Is like the key to their success they. Don't want a compliance. Order they don't want controls, they, want to automate which is a lot what we're going to talk about later they, want to automate, the. Process that's involved in managing the environment they. 
Don't want to have hands on they, don't want people involved they want to have, machines really do for them and some, of the companies we're dealing with the size they do they have do they have a choice of the scale and the manager they have to deal with now, it, sounds good is that possible today I think, it is is it is it done right now no everyone's, trying to get to that level right. Okay. So, maybe, I can ask you a question Bob just in return we've heard a lot of exciting. Announcements, throughout the week I've taught about some of the challenges but what, are the some of the things that have taken your fancy, from what you've seen this week there really will help clients out there today well that's. A it's a great segue shade because I think you know you talked about transformation. And modernization. Of security. Controls and capabilities, I mean obviously what we announced. With Antos where there's a lot of security capability. That is built in there whether it's. A its functionality, like What's, in is do you, know so you can, create. And monitor. Micro. Services that you can ensure that you have, encryption. Between those different services that you can automate. Configurations. And you know that was a capability. Like configuration management, where, you, are able to define. Certain. Policies, instantiate. Those policies and make sure those are pushed out at scale and make sure things don't deviate it's, it's critically, I think, important, as.

Part, Of especially, as organizations, begin to scale to make sure that they're adhering to policies, that, they're following good governance and so forth so I think that was one I think the second you know go cool you you mentioned, cloud, security command, center and I think that visibility. Into risk is something. That many organizations, really. Really. Have been focused on as they move into the cloud how do I really understand. The. Risk, profile, of the assets that are there so the fact that now. In this service you, get a full organization. Wide view of all your assets and then can begin to look at the risk profile, of each of those different assets. And kind of what the some of the other capabilities where. We brought on something. Like. Security. Health analytics where we can say for. Those assets are they configured, in such a way that is creating, inordinate. Level of risk like do we have storage. Buckets, with you, know broad permissions, that may be open to the internet do we have overly permissive firewall, rules do we have things that again would put me in a situation where, I would not be able to meet. The objective, of the given policy and I think back to the automation point, you know something we talked about in terms of event threat detection how can we help automate, or at least provide some of the labor in the detection process so, taking, being able to take the logs and I think we're going to talk about logging in and monitoring, here in a minute being able to take that and actually, use. Intelligence. That we've gathered, to give you a sense, of are there particular. Malicious. Events or signs of compromise, that you need to look for and I think the the. The. Final or you know a couple, others I think around identity, you know I think that in terms of good governance and implementing, policies identity, is still one, of the biggest control, points that we have in, cloud, that where we may not be able to implement. 
Some of the controls, that we want we have wanted them to in, terms of the network because services, are moving up the stack that we're looking you know less and less at layer 3 four and more and more at layer seven that how can we. How. Can really you, know get those get, that level of control in the environment, and knowing. Who's in the environment, being, able to manage that access appropriately, throughout its lifecycle, and. Right at the beginning of that it's authentication so, the fact that we introduced, the kind of Android.

Being Able to use the Android phone as a security key. Establishing. That route that, route trusted identity, at the at the beginning I think is really. Really important, so those those are a few that stood out especially within the context, of what we are what, we're doing here in terms of, being. Able to implement strong. Controls, and strong governance across the, platform and really see how effective those are and, one thing that stood out to me in addition to what you've just said it's a training aspect I'm glad, to see there's a security certification, now eventually out because, I think that's absolutely needed, out there yeah I mean if folks. Didn't see that basically, the, week before we talked to we introduced, a specific. Security certification. For GCP and there's a set of course work that you can go and get that specialization. And so I think, and. A lot of that is driven by. Demands. That we have had you know we we want to have more education about, the different security capabilities. And how they might be applied and so that's a really strong I think, start. As you, begin to delve more deeply into these issues, great. So. Going. Back to you shed and and, Gokul you know when. When. You know you've gotten to the part of advisory. Where people have decided to, get into cloud and they are saying okay we have this workload we have this type, of data what. Are that what are they actually looking to get you know in terms of payoff right is it security I mean there's, this there's, this belief I think that has evolved, over time that moving, to the cloud can, actually make you more, potentially. Increase your security posture or allow, you to implement. 
Stronger or better governance, is that, part of it or is it is it still something else so, there are a number of drivers and I think it varies according to industry you're in a quote and also the type of company you are in terms of your style of management but, more often not ROI, is one, of the first drivers, out there and. Often it's a data center rationalization, issue some, of my clients have recognized, maintain, your data center today is really expensive not, to mention I got to make it secure so, that drives them to a conclusion, I got, to move more things into the cloud and then the question becomes what workloads, connect but they're over. The years it's been very, slow but I see now I worked. With a FinTech client just recently they, move the entire production and, all the entire platform, into Google Cloud and and. Went live and so, those. Things are changing, but I still there's some still, a bigger majority of clients than of yet not yet adopted cloud so. I think there's huge growth potential still so. Absolutely. Ry but the, other thing is transformation, they're they're eager to leverage, some of the MI and the artificial, intelligence capability. Within compute, to, really honnest business transformation, that, even more than agility, is driving some of the adoption and those use cases are driving, the transformation, that which driving, our business as well yeah so let. Me push on that on, that point a little bit I mean do you see clients. Who, feel. That moving to the cloud either you. Know enhances, their security, posture, or allows, them to have stronger, more, effective governance, a personal, view rather than a firm view just because I don't want to say too much on the firm half but I personally. Believe that from. My experience and I've been in in security, consulting over 30 years that, going. To a, reputable. Cloud, solution. Such, as Google is actually. More, beneficial than, trying to build it yourself and. When. 
You think about the complexities, of an emerging tech that's about to hit us you, need to be with a provider that can give this you that capability. So. Rob, how does Google, initially, at the beginning when you're adopting, cloud Google. Cloud how, do you help in those initial stages in creating, those business cases and how do you help to meet their internal choirs especially on the first few months when, they're getting off the ground yeah I mean, I think that that's a nice segue right because one of the things that we that we try to do, is is show, that level. Of security enhancement, or security, benefit so tip, you. Know typically what would happen very early on we understand, what, are the different types of sir what, is the workload or what is the what is the application, and from there we understand a little bit more about the business process we understand a little bit more about the type of data and then, what we want to do back to kind of what you were saying and why I was asking about that is understand.

what are the security policies that are around that data, and where it gets challenging in some cases is if the policy isn't particularly well defined, right, or if there aren't stated control objectives, because what we like to then do is be able to give an overview or give a sense of: okay, here's how you can use the features in the platform to protect this, right, here's how you can meet your obligations from an internal policy or also from potentially an external and regulatory perspective, or the ways that we can help, right, and that's where we talk about the relevant certifications or the relevant documentation we have around some of those different things. So we really like to have the security conversation up front, because we know that it becomes harder and harder to drive change if there are questions about risk, if there are questions about being able to meet obligations and guidance and so forth. So I think that that's a big part of it. Another thing that we like to do early on in the engagement is to even go so far as to do workshops, and that may be with partners like yourselves or internally with our folks, where again we look at internal policies, we interview stakeholders, we understand security objectives, we do some assessment of existing controls, because sometimes the as-is environment doesn't match the desired future state, and so we can do a little bit of solutioning and designing ahead of time and then kind of come up with a roadmap as to some of the things that are must-implements and then phase the other pieces. So that's what we try to do early on, but clearly security has to be an integrated part of that design decision. I mean, just like the philosophy of, when we are doing CI/CD, shifting security left, it's shifting
security left in the engagement itself, so we are planning and not saying, oh, now we have this workload, wait, how are we going to meet the obligations that we have? Do you find, who is the most engaged party when you go to a client, which function, security, IT, business, that you feel is closest? I'd say it has to be all of the above, but I mean I think that what we see the most is the security function is seen as the team or the center that is going to sign off on a lot of what happens, so that's where a lot of the gravity is. But again, in doing interviews and understanding that, we have to understand from the business side and from other parts who have influence over it, because everyone needs to be bought in. I don't know how familiar you are with the three-day discovery programs; I just recently found out that you actually spend three days with a client and actually do workshops and educate the mindset. Do you want to talk a little bit about that? Yeah, I mean, again, it's a kind of workshopping process where we can do some education about the controls and contextualize it in

terms of the existing business. Okay. So again, getting more to the specific controls and to the technologies, what are the biggest challenges in terms of the technical side? What specific security controls or pieces of functionality are they looking to implement, and are they challenged to implement? So DLP was one, and that just recently got embedded into the roadmap, but again, when my client was challenged it wasn't available at the time, but now it is. But DLP was one challenge, and that's really important when you deal with privacy matters. SIEM and UEBA. So with insider threat, for detection UEBA is really important, user behavior analytics, and how do you use an existing SIEM platform, using Stackdriver or the Security Command Center, how do I use that with their existing platform that might have... Container security, and obviously Anthos is a great example of bringing a multi-cloud feature to it, but managing your operations around the new technology that brings will be interesting. Endpoint detection and response: that's a challenge for most clients even on-premise; how do you do it in the virtual environment and how do you get real-time indications of what's going on in that space? Firewall rule processes: changes made to firewalls when you're in a developer environment are made very quickly but may not be done right. One of my other clients that I work with, they changed their firewalls really quickly to the point where it created problems, because they're in a dev environment making changes quickly, so how do you create controls around changes? Which sounds obvious, but I'm talking about a live example where that wasn't the case. And then configuration management, that's the other one: with so many configurations and the ability to make so many changes, how do you manage that, can that be scripted, can we control that? Yeah, I mean I think clearly the
rapidity, the ease of making changes, allows it, which is great because it allows you to be responsive, but it also can cause configuration drift and other things like that. So we try to, and that's a technology-side thing and it's also a process-side thing, but it's certainly not something to be underestimated, and I think we see that as well. So maybe, what are the native solutions within GCP that you think can address some of the things I just brought up? Yeah, I mean clearly we have a lot of controls that can address many of those different types of things. You talk about behavioral analysis and things like that; one of the things we talked about this week was our Policy Intelligence tool that we're bringing out, and so one of the things that we're doing there is looking at the set of IAM roles that have been defined and then looking at access that's happening, and being able to say, is there a mismatch? Even if a role is defined correctly, we can say this group of users has not accessed this resource, should we remove this permission? So getting to more effective governance based on user behavior and looking at that over time. As you mentioned container security, there are a number of capabilities; we talked this week about what we are doing around Container Registry vulnerability scanning, so being able to scan for vulnerabilities in the development process and provide attestations of whether particular components or other underlying things have vulnerabilities in them, and then very much related to that is a tool that is now GA called Binary Authorization. So in that process, making sure that code is signed and checked based on a variety of criteria before it actually goes to the deploy state. So this whole idea of giving you tooling to control and
get oversight over your software supply chain is critically important as organizations transform

and modernize some of these dev processes, and those are two capabilities that are kind of built in there. So let's take a pause from it, because Gokul has been quiet on the end and I want to bring him in. So I want to deep dive a little bit more into identity and access management, because I think it's a core capability that needs to be really thought through. Maybe, Gokul, I'm going to share a slide that you can maybe illustrate. Tell us a little bit more about what you need to have to have an effective IAM initiative. So IAM is one of the core tenets: when we go into a customer site and they want to build out their cloud transformation program, IAM is one of the core foundational capabilities that we start with, right. So if you don't get the IAM and the resource hierarchy right, then it causes a bigger challenge as you start scaling up your business. So some of the basic tenets as we look at IAM: how do you organize your resources in Google, what are the different capabilities and services that are available out of the box, what considerations you need to be thinking about as you organize your projects and your folder structure and your resource structure in your Google environment is the first thing that we look at. So what do I mean by that? Google has a resource hierarchy which starts with the organization resource, and then there's folders, and then there's projects, and then there's the underlying resources: compute, your network, all those resources. So typically when we go in, at the root level the organization is the node that customers typically start with, right, and if you have a G Suite account or a Cloud Identity account, that organization resource is available to you. The advantage of that resource is you can now start tying your policies and your controls at the organizational level, right; you don't, in
some cases it's actually beneficial, you don't have to duplicate them across multiple projects. So that's the root level that you get, and typically once you start at that organization level, any projects that you create are then automatically associated to that domain, and then as part of that associated to your organization. So if somebody leaves your organization, you already have that associated to your organization; it follows the organization and not the individual who's actually leaving the organization, right. So from an administrator perspective it's centralized management; it allows you to manage your resources and your controls and the policies in a centralized manner, so that's why having that organizational resource helps you set the precedent. So then we have this concept of folder resources, right. So a lot of times our customers want to segregate their projects by functional units, by departments, by environment, so that's where the concept of folders is very helpful. So I'm going to have a marketing department, I might have another legal department, and I want specific policies associated to that, I want projects which have specific controls, IAM policies related only for that particular department, right. So that's where I use the concept of folders to group similar functional units or similar functions together as part of the folder structure. Then you have the actual project, which derives from the folder, right, and folder is an optional level; you don't need to have that folder structure, but we typically recommend it if you want to bunch or group together similar functional units. At the project level, that's where the real work actually happens; that's when you stand up your resources, you spin up your applications, that's where you deploy everything, right. So the project is the primary control that you have.

Now, once you have set up this organizational structure in place, typically our customers say, so now what is the recommended project structure that I need to have? Do I need to have it by environment? Do I need to have it by department? Again, the typical answer is it depends, right. So if you are an organization, unless you have very specific requirements, so let's say I have an organization and there is another organization which has a completely different set of policies and functions and I want complete isolation, that's when you'll really need two separate organizations; otherwise one organization is the way to go. And then from a project level, that's where you start segregating projects. So I could have projects created for the dev environment, for my QA or my production environment, or I could also slice it in different ways: say I need my project structure to be set up by my functional units, by marketing; you have a certain set of project hierarchy, you have certain users, roles, policies assigned by that functional unit. So that's the way that we typically look at it. So once you get that right, then you start thinking about the concept of identity and roles, right. So really there are two kinds of identity in GCP: one is the user identity, and then there is the service account identity, right. So users are pretty much all your users, the individual users who are going to be using the environment, so that's straightforward. Service accounts are slightly tricky: they are typically used if you want to perform an operation on behalf of another user, on behalf of an application, that's when service accounts are typically used. You
can use it as an identity as well as a resource, right. So what I mean by that is, let's say I want to have some kind of a notification or an automated job that I want to be running in the background; I don't want to be running it as an individual user, that's when the concept of a service account actually applies. So

it's very critical at a high level, before you start moving all your workloads to the cloud or before you set up your workloads on the cloud, to ensure that you have the IAM structure built out, that you have your users, roles, and policies clearly mapped out, and then you start migrating your data and setting up your projects in place. So, Rob, anything specific from an identity perspective that Google is working on? Well, I think you gave a good overview here. I think one thing that I talked about in terms of Policy Intelligence, I talked a little bit about making recommendations; there's also a complementary piece called Access Troubleshooter, so as you set up roles and as you set up permissions, if something isn't able to be accessed, troubleshooter can help you walk through and figure out exactly why, so you don't wind up saying just grant all privileges, right, so you can continue to adhere to those particular things. And then we made a number of other announcements around our own Cloud Identity, where a lot of times we set up those accounts, or the ability to use Active Directory and use that as a managed service. So those were a couple of things, but I think especially in terms of what we're doing around Policy Intelligence, helping you get those permissions and helping you make sure that you are continuing to enforce things like least privilege effectively across multiple things. Users are already set up, but a lot of times they're not even using those roles, so the idea is to have fine-grained roles and policies associated to that. Typically a lot of our clients start with the traditional primitive
roles, which are no longer recommended, right. So then you have the predefined roles, which give you those bunchings of those policies, which is good, but really the custom roles are where you get the full power of Google, right; you will be able to automate exactly what permission set a particular user is required to use, right. With this new implementation that Google has come out with, you already have a way that Google is going to tell you, hey, you have this user, you have assigned these permissions, but it's not required, you're not using them, so start taking it back, right. So that's very helpful. So yeah, I mean I think the other analog, Shahed, is so now we understand and are trying to gain control over those users, but we also have to audit that activity, and so monitoring and logging is something you referred to at the beginning. What are your kind of best practices or thinking around that as you work with clients around monitoring, logging, and being able to provide that documentation? Absolutely. So traditionally all of our customers have some kind of a logging and monitoring solution on-prem, right, and so they want to leverage the same solution as they go to the cloud as well, and a lot of times that will work, right. But by default Google already provides you capabilities like Stackdriver, which will let you look at the logs; the logs are automatically enabled, they are automatically stored in Stackdriver, and you have a way to collect them, export them, and then do some analytics on top of it, right. So at the base infrastructure layer level you already have tools like Stackdriver which will let you do that. Then you'll need to start looking at what kind of application-level logs and monitoring I'll have to manage, and then finally you'll look at it from a business transparency
perspective: what are the business metrics and the logs that I need to be starting to collect, right. So those are the three levels that I would typically start looking at. The other good thing in Google is, and I know you can talk a little bit about the access transparency, but really when we go to a customer, it goes back to how we structure our projects. So typically we would have a security

SecOps engineering team which is focused primarily on looking at the audit events, looking at the security events that are happening. So the way that you structure your projects, again, is very critical: you would have your engineering teams focus on a separate project structure, all your security logging and all those logs will be managed in a separate project, and only your security engineering team gets access to that, right. So there is clear separation of duties; you have a way to monitor who gets access to the logs, and you can report on it if there is unauthorized access to the logs. Again, some of the things that we have seen as best practices: go with fine-grained roles, give absolutely minimum permissions, start with the editor role because editor is required in a lot of cases for you to be able to manage the logs and do some kind of instrumentation from the logs, so start there and then expand from those capabilities. By default also, another question that comes up that our customers ask: I store all these logs, are these logs encrypted, are they stored in a safe manner? By default, when they are stored in your Cloud Storage buckets, they are all encrypted by default, and you have a way to actually use your secret management capabilities to manage access to those logs. So those are some of the high-level best practices that we recommend as we look at logging and monitoring as we work with our clients. Do you want to talk a little bit about... Yeah, I mean I think that just one thing you talked about, separation
of logs by project and being able to get that granularity. I think, if you're not aware, when we think about Cloud Audit Logging there are actually three sets of logs: there are Admin Activity logs, which allow you to see what administrators are doing; there are system event logs, which, if you're starting something on Compute Engine, what are the different things, like if a live migration happens, when did that happen, for example; there are also Data Access logs, so you can see not only from an administrative perspective but also from a user perspective, people who have roles and permissions, when that data has been accessed. So there's a nice real separation between those, so depending on what you're looking for and what you are going to have to provide documentation on, the different types of logs can support that. And then we also augment that, and that's for your own users and your own administrators, but we augment that with Access Transparency logs, so this is an optional feature that you can turn on which allows you to see if Google support engineers or administrators are accessing any of your data, so that helps with the overall understanding of what's

happening in my environment, being able to provide a full log of access of that, and so that kind of complements that piece. And another thing we talked about, that many organizations have existing log management systems and capabilities, things like Splunk or other systems like that; in Cloud Security Command Center we've actually added capabilities in the GA release to support direct connection to that with the Splunk connector, so where you're doing some of the reporting and auditing you can get events from there. So yeah, clearly an area that we've focused on. So maybe to wrap this up, are there specific tools or frameworks or other things that you use specifically with your clients in driving through some of these issues? Sure, I've just summarized them here quickly on the slide to speed up our discussion. So as I mentioned before, and we gave a very high-level representation in the earlier slides, but we created an architectural blueprint. We've actually worked with clients where they've asked us, tell us what good looks like from an architectural perspective, so we already have pre-designed templates around what architecture should look like; we then tailor that to the needs of the client, and that's been a huge success for us in trying to accelerate the program. And again, process, controls, and technology, we look at all three elements. We also make sure that the controls that we, I distinguish between what's available in Google and what's not, and that's really important to know, because we've also developed an understanding of the vendor ecosystem. A lot of our clients say, where is the best tool to use, what's the right thing to use here; we developed a point of view on that, we've developed a selection of criteria against different functions
and then an analysis around that and developed a portfolio. It's hard to keep up because there are a lot of new third-party products on the market, but we've got that as well at our disposal. The other thing we have is we've developed a tool, because often we can put a tool that's already available but it takes time to put that there, so we developed some scripts of our own based again on benchmarks that are available in the industry, the CIS family, and we run our scripts and quickly find out whether things are hardened the right way at the VM level. And then finally best practices: we've created a library, because we've been to a few clients now, we've captured best practices, so we don't have to repeat the best practices. It's hard to keep up with all the changes that are going on with Google, but as we do, we keep updating that as well. So

we're almost done here. Gokul or Shahed, if you had to make a couple of key takeaways or recommendations around architecting, what would they be? I think it's these four or five basic things: understand your regulatory environment and then understand well what that really means for you; assess the key risks; I didn't touch on threat modeling, but threat modeling is essential to understand the new attack surfaces that the cloud can bring to you; once you understand those things you've got the baselines of understanding, start to implement the right architecture, use pre-tested architectural blueprints, don't make it up; and then identify the third-party solutions to augment your security, Google Cloud does provide a lot but doesn't provide everything, so make sure you have that; and then have monitoring and auditing directly addressed. If you address these, you're well on your way to a secure cloud. All right, great, well thank you all for coming and listening to our dialogue, and thank our panelists, and have a good rest of Next, not too much left.

2019-04-20 22:22

