After hearing the NEXT’22 presentation about validating an organization’s security posture, I was intrigued to find out more, specifically about the trends contributing to the growing complexity and real-world examples of solutions to these challenges.
This C2C 2Chat grew out of this interest to find out more about this growing complexity, especially in multicloud environments, and to uncover how Anthos has helped in real-life instances.
Google Cloud Innovator Champions and Fellows Jason Quek and Vincent Ledan joined from Sweden and France respectively to elaborate on this topic. Both are Anthos Fellows and as such are passionate about evangelizing about Google Cloud and Anthos and how the latter can help with security problems, including cloud-native security and platform engineering.
This event was a master class in Anthos and security, exploring factors adding complexity to the security landscape and to the very real concerns of organizations worldwide, including:
- How do I keep my applications running in a highly available manner and protect them against attacks?
- How do I secure environments that span multiple clouds and also live on prem?
- How can I most effectively secure clusters at scale? It’s easy to secure one or two clusters, but with so many options available for configuration, how do I do so most effectively?
Together with my colleague Dimitris connecting from Greece, and our members from Asia Pacific, we were privileged to hear about real-life examples and solutions from our expert panelists from Scandinavia and Central Europe.
I am thrilled to have hosted this chat from my home in Sydney, Australia, and am in awe of the power of a truly global community like C2C to bring members together to learn, but also to drive change that ultimately benefits customers (refer to the example and commentary on the final question).
- 0:00 - 06:45 | Welcome and Introductions
- 07:30 - 12:30 | Challenges modern organizations face contributing to security landscape complexity: Organizations are looking to prevent malicious software supply chains, e.g. rogue containers running in a cluster; ensuring that all development teams use the same level of security; how to create network segregation given a cluster and network policy. We discussed Google’s controls (e.g. Binary Authorization) that allow management of containers in clusters without creating bottlenecks for development teams. Platform Engineering teams are focussed on security at scale across multiple clouds, beyond DevSecOps or even DevOps.
- 12:45 - 14:45 | How is the Anthos ecosystem responding to the challenges: Defense in Depth - creating multiple layers of defense; critical functionality that exists within the Anthos ecosystem, like the Anthos Policy Controller, based on the Open Policy Agent (OPA), ensuring that clusters are always pulling the latest security policies available via a controlled, auditable, and central repository that’s always up to date. On the application side, there’s Anthos Service Mesh, ensuring the right microservices are talking to each other across multi-tenant workspaces. In this sense, a Defense-in-Depth approach with Anthos spans multiple layers of defense, including Binary Authorization, OPA Gatekeeper policies, and the Service Mesh.
- 14:45 - 17:45 | Common mistakes: Without these security mechanisms, organizations create opportunities for exposure, configuration mistakes, and developer mistakes in a cluster that might lead to leakage of private data, or the ability to retrieve logs from commonly shared nodes. It becomes important for developers, and not just Kubernetes administrators, to understand eviction logic, scheduling logic, and mitigation strategies.
- 18:00 - 30:00 | Actionable Tips and Examples, Validate security posture:
- When dealing with a multicloud mesh of clusters, a proven tip is to incorporate, as part of the cluster creation step, pulling the security policies from a Git repository.
- Create landing zones for each of the environments to provide coverage for the intricacies of each cloud. Once these landing zones are set up, Anthos does the rest, resulting in a Kubernetes-compliant cluster.
- Use Anthos Service Mesh.
- Engage support for problem-solving; use the support paths available for Google-supported products.
- Consider the implications of an incubating fast-moving open-source software product like Istio for support and the ability to respond quickly.
- Reduce complexity and leverage the tools available, e.g. IAM security.
- Consider security early on. In this particular example, implementing network security after a few deployments proved very difficult (and costly).
- Greater investment and focus are needed to effectively stress test and pen test clusters.
- 31:00 - 33:00 | Examples of container-aware load balancing and traffic encryption between services.
- 33:00 - 35:00 | Wrap up by Erika
- 35:00 - 44:00 | Q&A
- Question from Ben from Brisbane Australia regarding Gatekeeper policies and book: Answer made reference to a book titled Google Anthos in Action, including a very practical chapter on Security and Policies and real-world use cases. Google Anthos in Action was written by a team of twenty-three Googlers involved with Anthos development and Anthos fellows assisting customers in the field, including our very own speaker Jason Quek, and also Scott Surovich, Google Cloud Fellow and Global Container Engineering Lead at HSBC. Here is the link to look inside the book.
- Discussion regarding much-needed standardization across public cloud providers: Answer made reference to https://www.pulumi.com/ as an example. Thoughts on how to kick off standardization conversations: we need large customers to band together and push for constructive dialogue across the cloud providers seeking a unified interface. There is a real-world precedent that this approach works. For example, in Germany, a number of banks banded together and negotiated with Google to deliver something specific that involved exposing specific processes that wouldn’t have been possible on a 1:1 negotiation.
- 43:00 - 44:30 | Closing and thank you
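As an added illustration, not from the session or the book, the pattern discussed in the Anthos ecosystem segment and the tips above (clusters pulling policies from a central Git repository, and Policy Controller blocking rogue containers) expressed as Config Sync and Policy Controller manifests. The repository URL, project, and registry path are placeholders, and the K8sAllowedRepos template is assumed to be installed from the Policy Controller template library.

```yaml
# Config Sync RootSync: the cluster continuously pulls its policies from a
# central, auditable Git repository (placeholder URL) instead of being hand-edited.
apiVersion: configsync.gke.io/v1beta1
kind: RootSync
metadata:
  name: root-sync
  namespace: config-management-system
spec:
  sourceFormat: unstructured
  git:
    repo: https://github.com/example-org/cluster-policies   # placeholder repo
    branch: main
    dir: policies
    auth: none                                               # public repo for illustration
---
# Policy Controller constraint kept in that repo: only images from the approved
# registry prefix may run, so a rogue container is denied at admission time.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: allowed-image-registries
spec:
  enforcementAction: deny          # use "dryrun" first to audit existing workloads
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system", "config-management-system"]
  parameters:
    repos:
      - "europe-west1-docker.pkg.dev/example-project/approved/"   # placeholder registry
---
# Rejected by the constraint above: the image is pulled from an unapproved registry.
apiVersion: v1
kind: Pod
metadata:
  name: rogue-pod
spec:
  containers:
    - name: app
      image: docker.io/library/nginx:latest
```

Applying the Pod with the constraint active returns an admission error naming the constraint, which is the audit trail a platform team can alert on.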
Watch a full recording of the event here: