Secure Your Google Cloud Deployments Using Leading Security Partner Solutions (Cloud Next '19)
So I think the first thing that will be useful for the audience would be a quick round of introductions, so they understand and know what your roles are. So Mark, if you could start with your role and what you do at your company.
My name is Mark. I'm involved with information security at Loblaw Companies Limited. We're a company based out of Canada. We're involved with one of the larger, the leaders, for pharmacy and retail in Canada. We have about 200,000 employees across Canada, both full-time and part-time. My role is specifically around assessing security solutions that are going to be used in our different platforms and how we address our very specific threat landscape.
Sure. Hello, my name is Shahar. I'm CIO for Exabeam. Exabeam means making a next-generation SIEM, making our advanced analytics technology available for companies to get more out of their SIEM. I've been with Exabeam for about a year as CIO. Previously I've been with Imperva, you know, heading both infrastructure and CISO for Imperva. At Exabeam, you know, as CIO I'm leading the IT and the InfoSec operations, as well as being in charge of building a cloud product, our cloud SIEM offering, which we recently announced at RSA.
Hi guys, my name is Jason Lau. I'm the vice president of information security for CoreLogic. CoreLogic is another one of those companies that you don't know but you really touch all the time. If you guys have done a mortgage loan, on the back end that probably involved CoreLogic anywhere from 10 to 20 different times, from the credit check process, to the home appraiser, to the mortgage risk data that we provide to the mortgage lending companies. So my job is to protect data. We've been very aggressive in moving all of our applications, sensitive data or otherwise, to Google Cloud, so my focus is really cloud security and cloud automation.
My name is Derek Mauro. I work for eBay, and most of you probably know what eBay is. We are not just a large marketplace, but we also have many other brands that sit under eBay, so we have StubHub and a bunch of other classifieds groups that help users around the world find goods and services in their local communities. So my main responsibility is kind of helping to plan and research and develop what our next-gen services platform looks like, so whether it is an extension of a hybrid cloud environment where we may have data that exists in a public cloud environment, or how we further, you know, enhance our existing security program to protect against next-gen threats.
My name is John Jenga and I work for the Home Depot. I'm a staff security engineer, and my role at the company is focused on looking for tools that provide us with risk assessment, or enhance our ability to do risk assessment, across the enterprise, both in the cloud space and on-premise. And with everything shifting to, you know, cloud workloads, we look at different tools to validate that they can provide the same visibility that we require, so that we can provide our leadership with the required risk assessment profiling for all of the workloads, whether they're in the cloud or in the on-premise space.
Perfect, thank you John. I think one thing that will be useful for the audience would be to understand what kind of workloads you're running on GCP and how you use GCP. So John, if you start from your side, the other way this time. Anything that you can share and that people can relate to in the audience.
So we have different workloads that actually run. Obviously we have different business processes: some that are customer-facing workloads, some that are, you know, used internally. We run a hybrid cloud and on-premise environment.
It's a large environment, so we have different tool sets, we have different requirements. And sometimes, with what the cloud provides with auto scaling, it's very obvious that we also have to, from a security perspective, be able to assess what's happening within those environments in the same way we do it in the on-premise.
Perfect.
I can't really talk about a lot of what we run in Google Cloud, and probably a lot of people in the audience can relate to that. But what my responsibility is, is planning for how some of our brands are planning, you know, what that looks like. So a lot of it has been how do we replicate what
we currently have on-premise within a cloud environment. So our approach has been taking it from the host or the application to egress, or if not, in the reverse. Part of what I'm actually talking about tomorrow in further detail is our test use case of how we were able to test Google's perimeter defense mechanisms with Cloud Armor, integrated with a partner solution called Reblaze. And that was pretty much our use case for how we were able to potentially protect our workloads in Google Cloud.
Super.
CoreLogic, we're relatively new to Google Cloud. We started about a year ago. We're now at about maybe 750 projects and about 7,000 servers, I think, altogether. It's been really interesting, because I think one of the things we see from the security side is that the amount of real estate that we have to protect is really expanding really fast. We've got the on-prem data centers, we've got data centers from mergers and acquisitions, we had an existing footprint of AWS, and we're moving those into GCP. So there's a lot of things in motion, and so there's a lot of things we kind of have to keep our eyes on, especially from the M&A side. We'll acquire anywhere from two to three companies a year, and I think now it's more common to acquire companies that actually have their own cloud presence. So for us it's really about how can we unify and centralize them, and how quickly can we get them out of their cloud environment into our kind of managed GCP environment.
Okay. And Jason, just to kind of add on G Suite, I think you have a unique kind of use case on leveraging pieces of G Suite, so if you could share some thoughts around G Suite as well, how do you use it?
Yeah, certainly. So I think, you know, we, like most companies, started out with Office 365. As
we moved closer to GCP, we found that we were just kind of getting better value out of the G Suite product line. But that came with its own challenges, right? I think that when we looked at traditional content filtering, that kind of gave us this very binary approach: you can allow traffic or you can block traffic. And we needed to bring in partners and solutions like Netskope CASB to kind of really open up those connections, to say, well, we want to do more finesse things. Like maybe we want to have our users access our G Suite instance but not let them access their personal G Suite instance, or we want to kind of pop open the session and really see what people are putting into S3 buckets. And so without more modern solutions like Netskope, we really didn't have the ability to address things at that granularity. So today we're not only thinking about what they're accessing, but we're also thinking about the activities that they're doing, and it gives us the ability to kind of have more finesse rules, like allow people to download from different environments, but we're more focused on preventing what they upload to non-sanctioned environments.
Perfect, thank you. And Shahar, you have a unique kind of role and position, of a security company running a service on GCP, where your reputation and protecting that service is critical to the business. So in that role, share a little bit about what you're running on GCP and what were the key challenges that you've seen.
Yeah, absolutely. So when we came to design our SaaS offering, and we were looking at what's most important to us, and obviously security. A lot of companies say that security is a top priority, but it's really not. And I kind of feel that we really try to do it exactly, and put it at the top of mind, because
this is what we do. We're a security software company, and if our customers cannot trust us, then, you know, we would not have business. So that's why we put it as a top priority, and as we design the product and keep on making progress, this is something that we always take care of, even if it sometimes slows us down. And I think that most people here would recognize that sometimes you have to slow down to get this done right. This is what we're trying to do, and we feel that Google Cloud provides us with a good platform to do that. And maybe one more comment about partners' offerings: I kind of feel that three years ago this wasn't the case, right? You would sit in such a session, and there are maybe a few names on the slideshow, and not all of them have good solutions. And that has changed. I think that for those of you who are considering a move now, the tools are there. Connect with your vendors and
you know, ask them what's available, and you might be surprised that most of them do have now tools that will work in these environments.
Perfect.
Not really sure I can follow that up, but, so, somewhat like Derek, I can't speak specifically to what we have in GCP. But I can say at Loblaws we're a hybrid and poly-cloud environment. We have a couple of different clouds, and we're using a hybrid of on-premise and cloud infrastructure. We're looking to migrate many of our on-prem apps or legacy apps to the cloud. We're also looking to cloud for some of our web-facing applications that we use for customer-facing, as well as some of our data analytics platforms.
Perfect. And Mark, starting with you for the next round: when you were designing the security architecture for Google Cloud, how did you think about partner solutions, what roles would they play, any partners you want to mention that played a key role, and, for the benefit of the audience, what function did they perform? And when folks are thinking about building a security architecture, which are the different pieces they should be thinking about?
Yeah, for sure. So going back to your first slide that some of you may have seen, you have to take a couple of steps back. Google has responsibility for the cloud, but you shouldn't confuse that with they're responsible for everything. Some people have looked at cloud as a mechanism to defer all of the risk or all of your security problems to Google, and then you don't have to worry about anything. The customer's responsible for security for what you put in the cloud, so your workloads, your data, your source code. You have to make sure that you implement solutions, or architect solutions, to address that. That starts with building your threat model and understanding what
specific threats actually can potentially exist with that migration. So some of the steps, some of the things that we've looked at, is network traffic, and looking at a next-generation firewall for insight into what traffic is actually happening and what's going on in your cloud project is very important. Also, with many companies being fairly immature in understanding how the cloud's configured and what you can potentially do, looking at solutions that monitor the configuration and all the different switches that you can potentially configure is very important as well. And then finally, with many organizations looking to move to containerized applications and moving off of traditional infrastructure, you want to make sure that those containers are actually being secured, and that you're doing everything that you can and leveraging the learnings of some of your partners to make sure that you're doing the right thing for security for those migrations.
Perfect, thank you. And Shahar, from your perspective, and feel free to share as much detail as you feel comfortable sharing: from a security company perspective, you've seen all the products, you know all the players. When you had to design your security, what were the different components and pieces you were thinking about? How did partner products help you provide that comprehensive answer?
Yeah, so Mark, you talked about a few, but I wanted to take a slightly different angle. I think that when you start, when you're new to a cloud environment, look at what is your hygiene: what's your IT hygiene, what's your environment hygiene, where you store your stuff. Because you can buy all these products, but if there is, you know, a passwords.txt on your desktop, there's
no product in the world that is going to help you overcome that. So I think that one of our first priorities was to have our environment clean and hygienic, and everything, you know, automated. We use some partner products, like HashiCorp, a good product for cloud, as well as a cloud WAF and DDoS mitigation service, because these are things we felt that we would be able to leverage a partner for. But for those who are just starting their journey, I think number one priority should be: get your environment clean, and then use the partner products to cover other aspects that that hygiene doesn't solve.
Perfect. Jason?
So I think there's really kind of two components when we think about partner products: there's the product, but then there's the partner side of it as well. And I feel like, yes, they have good solutions, but I think that there's a lot to be leveraged from working with good partners as well. I think five years ago I was more the security guy that would go work with a partner and say, here's a blueprint, build this exact thing for me. And now I think I'm more of the security professional that says, here's some problems that I'm trying to solve, can you help me with it? So yes, we're looking at the solution, but I think as we look at the partners we're kind of looking for their expertise in the space, especially what is their expertise with Google Cloud. Is it something that they support kind of ancillary, maybe they mostly support AWS and they have a me-too approach to Google Cloud, or are they truly a Google partner and they've really thought through their approach of implementing their solution in Google Cloud? But
to me it's twofold value. Ideally, yes, we want a good solution, but we really want a good partner who can kind of understand our context, who can kind of grow with us, and we can kind of leverage a lot of the expertise that they've built up over the years.
So for me specifically, it was feature parity. And I don't necessarily mean feature parity from the perspective of, hey, we're looking for exactly what we run on-prem, but also looking at potential deficiencies that you have. If you have this exercise where you can actually build something from scratch and build something new, then what you're looking for is potentially, maybe there's something you didn't look at, or maybe there is a new feature that is now available that your partner might be dealing with. And so then you go through that build-versus-buy mentality. Well, of course we could all probably build it and spend the cycles actually doing that, but if somebody's out there doing it better and doing it well, and has a bit of maturity and longevity in the services they've built, then you've kind of been able to instill a bit of confidence in that vendor and be able to realize that you can partner with them and see how you can work together to kind of, you know, build the service, build this product. So what I'd say is don't be afraid of finding things that might not be running properly or might not be working properly, but if anything you might be able to find that in the partner that you they.
And just double-clicking on the point that you mentioned about using Cloud Armor, how to think about application security, if you could share your thoughts. You have done a lot of groundbreaking work there. Yes, so should companies think about application security generally?
Yeah, so we deal with a lot of bots, bots both being good and being bad, and so we were looking at ways of being able to have this portability aspect of being able to deploy something no matter where, at the same time also understanding that, you
know, potentially there were some things that we might not have been catching. So being able to take advantage of a lot of the behavioral aspects of traffic, that a lot of companies are kind of looking into in the space, and then partnering up with Reblaze and seeing how they've been able to kind of excel at a lot of the visibility that we might not have been able to see, is something that we found pretty intriguing and led us to kind of go through this test scenario.
Perfect, thank you.
Just to follow up on the comments from my panelists: when you look at especially hybrid environments, where you're going from traditionally on-premise environments and trying to secure workloads in the cloud space, most of the time we tend to approach them with the mentality of what we knew about in the on-premise space. However, because the infrastructure and the visibility don't always exist in the same way in the cloud space, you have to be very focused on at least working with vendor products that provide you some sense of visibility for the different workloads that you have. If you're primarily, say,
Compute Engine heavy, then you want to look at products that give you visibility from both the network layers and from the Compute Engine, and how the cloud as a space and all the services running in it are interconnected, because that's the only way you have a really good way of trying to make sure that your baseline policies, from a cad perspective, from a DLP perspective, from a vulnerability management perspective, are covered by the tool sets that you decide to put in place. We work with different vendor products. Some of them were actually listed on the slide previously. Qualys is one of them, plus a couple of others. We are also looking at the ability to have visibility across the cloud space, to see all of the services' connectivity and how that is laid out, then create and come up with strategies around securing all of that in the cloud space.
Mark?
Yes, I think just one comment back, kind of listening to all the responses, is that if you're migrating to the cloud, you might not have an app that's perfect, or you might not have a workload that's really secure, really clean. You've got to think about how the risk and the threats are changing from moving from an on-premise environment into the cloud. And this also gives you the unique opportunity to look at what's working and what's not working. If you're using a partner solution right now that maybe isn't going to migrate to the cloud that well, you have the opportunity to say, well, maybe this isn't going to work out for me and I need to change that. And that's one of the, I'd say, journeys that we had at Loblaws. We had a few partners that maybe just didn't work out so well in the cloud, and we had to say, well, we have to pivot, we have to make sure the working 10% successful, and having that loyalty to one specific partner maybe isn't the right thing to do.
There are a few, you
know, people in the audience who are working for security vendors. What are you expecting your security vendors to do in order for these companies to be successful with you and have a true partnership with you?
That's a really tough question. So specifically, it's about being cloud native and really taking a number of steps back and saying, well, we have to do things differently in the cloud. It's not about traditional infrastructure anymore. So what's different in the cloud? How do we make sure that what we're building is going to take in the principles that we're looking to, the philosophy of cloud and DevOps, and how are we building it for that?
I think this is a great question. Anybody in the audience want to chime in on what would be the right security partner? As folks are evaluating different companies they want to partner with for security, what are the key things that you think are important, in addition to what Mark said? If you're thinking about a partner, what would be the right characteristics of that partner?
So a lot of that, at least from my perspective, is just the portability, so whether it's something that you can run on-prem as well as running it in cloud, and make it very seamless. If anything, I think that's where some vendors might not have focused on one area as opposed to the other, but it's that portability factor that makes it easy to be able to transition. We got really good at being able to migrate workloads, but if we're not able to migrate an appliance or migrate a product, then
we essentially kind of pigeon-holed ourselves into backhauling traffic back to a data center in order to be able to have that same level of protection.
And I think, yeah, so kind of to echo on that, I think we look for partners who can help us in multi-cloud environments. I think our desire and intent is everything in GCP, but our reality is always going to be there's going to be some laggard application that's built specifically to AWS that's going to take us a long time to get out of. So we do need consistent coverage across multiple cloud environments. And then I think the other thing is that today, when we look at any solution, we just won't take any solution unless it has a RESTful API interface, because if that vendor cannot let us integrate and orchestrate with other solutions, we're not even interested in looking at that solution at that point.
Perfect, thank you. Any other comments on this?
What he just stated, especially when you have multi-cloud environments: you want to have that integration, especially at the API level, so that your provision of, say, the reporting, or even integration with existing security tool sets, be they on-premise or be they in the cloud space, is seamless and appears the same. Because when you have people go into different tools, then you end up with the same traditional risks that we have in on-premise environments: multiple tool sets, different data sets and not.
Perfect. So I think the other thing that'll be useful for the audience will be to understand what were the key lessons learned as you went on your journey to Google Cloud, or any other public cloud in general. And I was thinking more in terms of not just the technical lessons learned but, organizationally, how security
should be done in the cloud, how the organization should be set up, how the roles should be defined. If there are any key nuggets that you guys want to share that will be useful for the audience. Mark, if you could start.
Yeah, I think what really helped us out when we started our journey was having a team that we dedicated to cloud migration and adopting cloud principles. Forget about tech, and forget about partners and the workloads. The first thing you need to consider when you want to adopt the cloud is philosophy, and, like, really adopting those cloud principles, adopting DevOps principles, and making sure everybody is on the same page with what you're looking to achieve: what's going to the cloud, what are the actual benefits that your organization is going to be getting from the cloud, and how are you going to implement those. So having that core team that really were the bleeding edge of understanding what those principles were was very advantageous for making it successful right off the bat.
And to what Mark said, I think that my learning is that, sure, a lot of things are easier in cloud, but there are no shortcuts. You have to have processes, you have to have planning in place, and that is my key takeaway from cloud migration and my first advice to people who are kind of starting their journey.
Yeah, so when I first wrote my first cloud security reference model, I totally had it wrong. I basically had the statement that said, I want to make cloud just as secure as on-prem. And the fallacy in that statement was that I was aiming for parity, when really, if we think about it, we go to cloud not to co-locate, but we go to cloud to transform. We transform our applications, we move to infrastructure as code, blue-green
environments. We have to do the same thing from a security perspective, and we really have to transform what we're doing. But more importantly, I think that we can never set our goals too high from a cloud security perspective. We always have to define what is my best-case scenario, even if you have to temporarily take reality and put it to the side, to say I want an environment that is always
doing compliance auditing 24 by 7 in real time, I want scans to be happening as things are spun up. We have to hold those as the ideals. And I think that just as we're seeing cloud transform and security transform, I think what you're hearing here is that as security professionals we're also transforming our approach, and we are moving more towards automation, more towards bot-driven triggers, because we know that in these cloud environments, they're so ephemeral and they move so fast, that's the only real way we're going to keep up.
So my takeaway is don't be afraid to break things. First, start with what Mark alluded to: don't be afraid to break culture. A lot of times it's a mentality that you can only do things a certain way, and by breaking that you can actually technically do things a little better. But don't be afraid to actually break your environments. We were in a fortunate situation where we reached out to our customer engineer and said, hey, we want to DDoS Google. And probably within three seconds he said, yeah, let's do it, it'll be great. He was really, really excited. And when you realize that you have partners that want to see you break things, you want to see these kinds of failures, because that's the only way we learn. These environments, as ephemeral as they are, they're a great learning experience, especially if you're migrating to a public cloud for the first time. But at the same time you're also going to find deficiencies, possibly in your automation process or in your build process. You will find failures that you'll learn from, and you will learn how to make your environments more resilient and better.
In our environment, one of the issues that we run into is orchestration, because we have different business units and
some of them have, even though we are the same company, different approaches, based on what business value the team is adding and how they approach it. So in the cloud space there has to be some kind of strategy created, even for diversity of different business teams, so that you end up with the same mindset in terms of how you approach moving your workloads into the cloud space and also securing them. Orchestration has been a big deal. Like Jason just stated, having those tool sets that allow you to automate would actually enhance your migration in a very secure way, and you'd also be able to monitor what's happening from a security perspective in that cloud space.
Perfect. So I think the last question I wanted to cover was more kind of forward-thinking. Clouds are evolving very quickly, security paradigms are evolving quickly. As security experts in the field, where do you see this headed in six months or twelve months? And with the goal of folks who are building their solution now, how can they future-proof what they're building? So any thoughts you guys want to share on that, containers or service meshes or anything that you guys think is where we are headed, and what impact it would have on security, and how that should be baked into the design that's being built.
So,
you know, just from being in some partner sessions and some council sessions, it's funny how we're changing the way we monitor things. Previously we would log something, it would actually go somewhere, and then we would be analyzing it post-event. Now we're getting more into, like, streamline processing, or inline processing, where we're actually able to leverage things like Cloud Functions, or Lambdas or whatever, in order to be able to do processing in line. So we actually gather more intelligence before the event gets logged, so our response times are eventually going to become a lot quicker. And I think what we're going to do is get away from the traditional aspects of having these huge dashboards where we're constantly looking for something to happen, and more or less become more aware of what actually happened and gather more intelligence from that.
Perfect. Anybody else from the panel?
I can take this one too. So I think that the cloud enables all of us to move faster, and that includes both the heavy users, as some panelists here, as well as the vendors, to evolve their solutions over time. So the next six months are going to be always exciting, because everybody can move faster. So I'm really looking forward to seeing what the vendors introduce into this space and what kind of new ideas they bring to the market.
So I think the one thing I'll add, and those are both great points, is security right now, even with moving to the cloud, there's still certain gates that you look at: you're going to code, test, and you're going to do a QA process. With cloud, and doing development in the cloud moving so fast now, it can't be about gates anymore. Security
solutions just have to be aligned and running along with development, and workload development, and putting up and tearing down workloads. So we have to make sure that as we build our security solutions, and as we build our platforms, that we make sure that security's aligned and moving alongside development.
Perfect.
Yeah, so architecturally, from a security architecture perspective, I always like to think about things in layers. The solutions are never the security program, right? Our security program is never a bucket of vendor solutions that we buy. It's really about what our strategy is. But then architecturally, at the very bottom of that strategy are going to be core things about how we do security incident management, and whether you in-house your SOC or whether you outsource it. We outsource ours to Secureworks, because that gives us the human analog and the runbook processes. Because every solution that we buy is going to generate an event, and then we always have to say, what are you going to do with it? So it's great to buy a lot of things to generate events, but if you don't have the workforce to actually deal with it, that's a problem. So at the very core foundation, we focused on security incident response with Secureworks, we focused on security orchestration with ServiceNow, and then event collection with Splunk. And then every solution that we built kind of interplays with all three of those at the bottom tier. So it's really about what is the foundation architecture that you're going to build that will eventually support all the security controls that you're going to use.