In April, C2C hosted its first 2Gather event in the Atlanta, Georgia area, a unique installment of the Let’s Talk Tech series, cohosted with Google Cloud and featuring Google Principal Developer Advocate Kelsey Hightower. Kelsey joined a roster of distinguished speakers including Alex Barnes, Head of Infrastructure at Calendly, Russ Ayres, Senior Vice President of Security Architecture and Engineering at Equifax, and Rae Williams, Director of Customer Engineering at Google, for a full program of conversations tackling some of the biggest issues facing the cloud technology space today. Read on below for a roundup of some of the terms, products, and themes the conversations covered.

Open source: Any software whose source code is freely available to all users for collaborative review. Russ and Alex are both sympathetic to the open source philosophy, and Kelsey is a veteran of the open source community. In his words, “When you go out into the open-source world, you get to define technology for the world.”

Serverless: A cloud computing model that lets customers use resources allocated by providers on demand without having to provision or manage servers, which Kelsey called “the final chapter of a mature compute pattern.”

Platform engineering: Streamlining infrastructure so that tools and services are immediately available to teams for operation and use. According to Alex, platform engineering allows an organization to “present all capabilities as things you can consume programmatically to unlock velocity.”

Configuration management: The process for ensuring that products and systems maintain the same design and perform the same way. Russ contrasted configuration management with policy with the mantra, “If it was appropriately written it would be following the policy.”

Kubernetes

Google’s open-source container orchestration solution for software deployment and scaling has been setting standards and unlocking potential in the cloud space for nearly a decade.
Kelsey’s history with Kubernetes is well known, and Rae made sure to capitalize on the opportunity to press him for his comments in front of a live audience. For context, Kelsey compared Kubernetes to contemporary projects in DevOps, insisting that DevOps engineers too often miss the forest for the trees. “What Kubernetes represents is a ten-year-old pattern for assigning software to servers,” he said. “It’s the system you would build if you had the big picture.”

Calendly

Calendly is a business communication platform offering unique scheduling solutions for organizations looking to maximize efficiency. Head of Infrastructure Alex Barnes joined Aiven Vice President of Product Marketing Amy Krishnamohan (@amy.km) for a fireside chat about the company’s journey on Google Cloud. Calendly was initially built on Ruby on Rails, but later wanted to invest in Kubernetes. Google was an obvious choice for a hosting solution, especially since calendar management is so essential to the company’s offerings. “Google Calendar is a massive part of what we interact with,” Alex explained. “How better to build on that relationship than to build on their platform?”

Alex expanded on these comments via email after the event. “The partnership with Aiven and Google Cloud has allowed us to build a robust cloud data infrastructure that can handle the demands of our users,” he told C2C. “And it has given us the flexibility to scale up quickly, without having to worry about managing the underlying infrastructure.”

AI

Predictably, many members of the audience were excited to ask questions about recent developments in AI. Kelsey was quick to dispel any notion that AI is going to make tech professionals irrelevant or push them out of the market. Instead, he said, AI is providing a new baseline for innovation.
When looking at generative AI solutions like ChatGPT, Kelsey said, users and developers should ask, “What is the dataset, and where is that dataset created?” Tech practitioners can still develop new solutions beyond the limits of the datasets used to train these products. “If ChatGPT can generate the code,” Kelsey told the audience, “it means we need a different interface.”

Security

Security was the main focus of Russ’s comments during the customer panel with Alex and Kelsey. As Senior Vice President of Security Architecture and Engineering at Equifax, Russ is responsible for securing highly sensitive personal data at one of the leading financial services organizations. However, Russ originally came to security as a developer. Coming from that background, Russ believes that “good security is good engineering,” and vice versa. “Most security solutions try to be everything to everyone,” he added. From his point of view, though, teams should aim to build with purpose on the front end so that solutions are designed to run efficiently and at scale with minimal risk.

Hear from more industry leaders on these topics and join the conversation in person at our upcoming 2Gather event in Los Angeles: 2Gather Los Angeles: The Future is Now, Security and AI
A company becomes the victim of ransomware every 11 seconds. Despite billions of dollars spent to thwart ransomware attacks, an astonishing 66% of companies fell victim to these attacks in 2021, according to Sophos's State of Ransomware 2022 report. Organizations must take precautions to stop attacks before they happen, because recovering from ransomware takes a minimum of 30 days.

Ransomware numbers are rising everywhere—by attack volume, ransom demands, and average ransom payments. And as threat sophistication increases, virtually every industry is experiencing growing incident rates. No organization is immune. Although attacks may seem inevitable, defensive measures should always be in place, and they're most effective when paired with a strong ransomware recovery plan.

Google, NetApp, and Workspot are working together to help customers create a ransomware recovery plan. By using a proven storage platform, innovative clean cloud, and global cloud PCs, they're able to restore productivity for thousands of users around the globe within minutes. At a recent 2Chat event, speakers from these companies discussed the impact of ransomware on organizations and how you can improve your storage options by:

Creating an isolated project
Preparing regions for capacity
Provisioning cloud PCs globally
Connecting to NetApp CVS for secure access to files and data

Watch a full recording of the conversation here:
As a result of a partnership between Google and Canonical, the launch of Ubuntu Pro provides critical integration options for Google Cloud. Customers now have access to expanded security coverage, patching, and compliance features for public clouds using open-source software.

The C2C team was pleased to invite Hugo Huang, Product Manager at Canonical and Ubuntu, to give a presentation on Ubuntu Pro and Google Cloud integration options and to sit down afterward for a chat with our community. This session introduced the full product portfolio, including segments on:

Using the latest Ubuntu features to secure the open source software supply chain
A hands-on tutorial for an in-place upgrade from Ubuntu LTS to Ubuntu Pro
A demo creating Ubuntu 22.04 on Google Cloud

Watch the full recording here:
On June 14, C2C hosted an event in Google’s Cambridge office. We believe in-person connections are invaluable to everyone in our community, especially when our members are able to immediately converse with amazing speakers who are sharing their journeys and business outcomes.

The stories from this event—presented on stage by Google Cloud customers, partners, and employees—can all be reviewed below.

Introduction from Google

Yee-chen Tjie (@yeetjie), Google Cloud Life Sciences Head of Customer Engineering, kicked off the program at C2C Connect Live: Cambridge with a few words about how Google is using 10x thinking to make major, unique, and substantial investments in Healthcare and Life Sciences technology. Tjie made a point of mentioning Google’s record of solving problems using AI and ML, particularly with AlphaFold 2, the focus of the presentation Luke Ge of Intel gave later in the afternoon.

After his opening remarks, Tjie hosted a round of Google trivia, inviting everyone in the audience to stand and then sit down every time they answered one of his true-or-false questions incorrectly. After guessing whether Google Suite was initially offered on CD in 2006 (false), whether the first Google Doodle was about Coachella because the founders were going (false: they were going to Burning Man), and whether the English translation of Kubernetes is “cargo ship” (false: it’s “pilot”), Tjie handed the lucky winner a free Google hub device.

CISO Healthcare and Life Sciences Reflections

Before beginning his presentation, Taylor Lehmann (@taylorlehmann1), Director of the Office of the CISO at Google Cloud, thanked the hosts for the opportunity to join and speak, noting that he had just had his “mind blown” talking to fellow presenter Jonathan Sheffi before the event.
Lehmann went on to discuss some of the core principles of invisible security, and his office’s mission to “get to this vision where security is unavoidable.” A big part of this project, he explained, is eliminating the shared responsibility model in favor of what Google calls “shared fate.” Under this model, Google provides blueprints, solutions, and curated patterns to enable customers to manage their own security infrastructures. “If you have a bad day on Google Cloud, it’s a bad day for us too,” he summarized. “If you win on Google Cloud, you win too.”

The History and Future of Human Genomics

Jonathan Sheffi (@sheffi), formerly a Director of Product Strategy at Veeva Systems and Google Cloud, began his presentation by prodding the audience with an enthusiastic “How’s everyone doing?” and then added, “First rule of public speaking, make sure the audience is awake.” The focus of Sheffi’s presentation, the history and future of human genomics, took the audience back to the year 1990, when, in Sheffi’s words, “Nirvana’s Nevermind is a year from coming out, it’s a very exciting time.”

Sheffi went on to cover the advent of next-gen sequencing and of public cloud computing, government and pharmaceutical adoption of genomic sequencing, and recent cost-cutting advancements in genomics. When he opened things up to the audience for questions, Michael Preston of Healthcare Triangle shared his own experience seeking treatment for melanoma to ask how genomic sequencing can be used to predict patient reactions to prescribed medications. Sheffi took the question to heart, and acknowledged the need for sequencing and screening processes that take into account data on patient-reported side effects.

End-to-End Optimization of AlphaFold2 on Intel Architecture

Luke Ge (@Liangwei77ge), an AI Solution Specialist at Intel, opened his presentation by saying, “Yesterday I spent 6 hours on a plane to come to this beautiful city,” prompting a round of applause from the audience.
Then he asked, “How many of you are using AlphaFold 2?” A few hands went up. He followed up with, “How many of you have heard of AlphaFold 2?” Many more hands were raised.

Ge’s presentation explored how analyzing human tissue from DNA to protein structure requires AI to process huge volumes of sequence data. The Google product that handles this processing is AlphaFold 2. Ge explained how Intel’s computing hardware supports AlphaFold 2, including deep learning model inference and the removal of memory bottlenecks in AlphaFold 2’s attention and evoformer modules. At the end of his presentation, Ge demonstrated a model generated using non-optimized versus optimized AlphaFold 2 code. The difference was clear.

Panel Discussion

Tjie moderated the panel discussion with Sheffi and Ge by asking each whether he is a Celtics fan or a Warriors fan. Immediately, the tension in the room rose: Sheffi and Ge are from opposite coasts, making Sheffi a Celtics fan and Ge a Warriors fan. The tension was short-lived, however. When Tjie asked Ge what he considers the best way to choose a compute instance, Sheffi followed up to ask Ge if it’s possible to run multiple sequences on a single instance and maintain performance. Ge said yes.

When Tjie opened questions to the audience, several guests rose to ask Sheffi questions about genomic sequencing, more than one of them focusing on use cases for genomic research for patients and caregivers. After several of these questions in a row, Tjie turned to the crowd and said, “I warned Luke that if he picked the Warriors then he would get less questions from the audience.” After the laughs in the room died down, Tjie asked Ge where he sees HCLS problems being solved with AI. Ge did not have to think long before citing computer vision as a solution for detecting cancerous cells.

Winding Down

Following the presentations, all in attendance broke away to connect during a networking reception.
To read more about it, check out the exclusive onsite report linked below in the Extra Credit section.

Extra Credit
On April 12, 2022, C2C France Team Leads Antoine Castex (@antoine.castex) and Guillaume Blaquiere (@guillaume blaquiere) were excited to welcome Policy Intelligence Product Manager Vandhana Ramadurai to a powerful session for the Google Cloud space in France and beyond. These sessions are intended to bring together a community of cloud experts and customers to connect, learn, and shape the future of cloud. The following points summarize the key takeaways from Ramadurai’s presentation:

Policy Intelligence is a suite of four major tools that simplify security and IAM (identity and access management) at the project, folder, and organization levels.

IAM Recommender analyzes, understands, and proposes new roles after an observation period of 90 days. The feature uses AI to increase recommendation accuracy. The least privilege principle is important, but can be complex to enforce at the project, folder, and organization levels. IAM Recommender helps in that respect, and users can easily apply or roll back a recommendation with a simple click (or API call).

IAM Simulator is a solution for users or organizations who may not trust AI to enforce recommendations. Users can manage IAM policy changes and simulate their potential impact.

User accounts or service accounts may not have the permissions required to execute certain actions. IAM Troubleshooter understands mission roles and permissions and grants those required, without breaking the least privilege principle.

IAM Analyser, the final tool in the Policy Intelligence suite, lists the permissions granted to a user to access a certain resource, the accounts assigned a specific permission or role, or a combination of both. This tool is particularly useful for auditing granted permissions.

The Policy Intelligence tools continue to evolve to include all the developing features in the IAM space (deny policies, for example).
In the future, the flagship product, IAM Recommender, will offer more ability to customize the duration of the observation period.

Despite its 60-minute time limit, this conversation didn’t stop. Policy Intelligence is a hot topic, and it certainly kept everyone’s attention. The group spent time discussing asset inventory, AI and ML modeling, and various topics in IAM including security, least privilege, and trust. Ramadurai also fielded questions from attendees, including Damien Morellet (@dmorellet) of SFEIR, who wanted to know if Policy Intelligence includes a dry run feature (it does!).

Watch the full video of the event below to learn more about this suite of tools and the many features and use cases of each one:

Preview What's Next

These upcoming C2C events will cover other major topics of interest that didn’t make it to the discussion floor this time around:

Extra Credit

Looking for more Google Cloud products, news, and resources? We got you. The following links were shared with attendees and are now available to you!

https://youtu.be/IAhJs3-0RoY
IAM Recommender
IAM Simulator
IAM Troubleshooter
IAM Analyser
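The observe-then-recommend step the takeaways attribute to IAM Recommender, written out as an added example (not from the article and not Google's own algorithm): the 90-day window comes from the page, while the role catalogue, the bindings and the audit records are constructed, simplified stand-ins.

```python
"""Least-privilege review in the spirit of IAM Recommender (added example).

Given a principal's granted role, the role's permission set, and the
permissions the principal actually exercised during the observation
window, report the unused permissions and suggest the narrowest candidate
role that still covers the observed use.  Role catalogue, bindings and
audit records below are constructed for this example.
"""
from datetime import datetime, timedelta

OBSERVATION_DAYS = 90
NOW = datetime(2022, 4, 12)  # constructed "today" for the observation window

# Constructed, deliberately simplified permission sets (not the real roles).
ROLES = {
    "roles/storage.admin": {
        "storage.buckets.create", "storage.buckets.delete",
        "storage.buckets.get", "storage.buckets.list",
        "storage.objects.create", "storage.objects.delete",
        "storage.objects.get", "storage.objects.list",
    },
    "roles/storage.objectAdmin": {
        "storage.objects.create", "storage.objects.delete",
        "storage.objects.get", "storage.objects.list",
    },
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
}

# Constructed bindings: principal -> granted role.
BINDINGS = {
    "sa-reporting@example.iam": "roles/storage.admin",
    "alice@example.com": "roles/storage.objectAdmin",
    "bob@example.com": "roles/storage.objectViewer",
}

# Constructed audit records: (timestamp, principal, permission exercised).
AUDIT_LOG = [
    (NOW - timedelta(days=3), "sa-reporting@example.iam", "storage.objects.get"),
    (NOW - timedelta(days=40), "sa-reporting@example.iam", "storage.objects.list"),
    # Older than the window: must not count as current usage.
    (NOW - timedelta(days=120), "sa-reporting@example.iam", "storage.buckets.delete"),
    (NOW - timedelta(days=1), "alice@example.com", "storage.objects.create"),
    (NOW - timedelta(days=1), "alice@example.com", "storage.objects.get"),
]


def used_permissions(log, principal, now=NOW, days=OBSERVATION_DAYS):
    """Permissions the principal exercised inside the observation window."""
    cutoff = now - timedelta(days=days)
    return {perm for ts, who, perm in log if who == principal and ts >= cutoff}


def recommend(granted_role, used, roles=ROLES):
    """Return (unused_permissions, recommended_role).

    The recommendation is the narrowest role (fewest permissions) whose
    permissions are a subset of the granted role and a superset of what
    was used.  No usage at all yields None, meaning the binding can be
    removed; if nothing narrower fits, the granted role is kept.
    """
    granted = roles[granted_role]
    unused = granted - used
    if not used:
        return unused, None
    candidates = [r for r, perms in roles.items()
                  if used <= perms and perms <= granted]
    if not candidates:  # usage outside the granted role: leave the binding alone
        return unused, granted_role
    return unused, min(candidates, key=lambda r: (len(roles[r]), r))


def review(bindings=BINDINGS, log=AUDIT_LOG):
    """Run the recommendation over every binding: principal -> (unused, role)."""
    return {p: recommend(role, used_permissions(log, p)) for p, role in bindings.items()}


if __name__ == "__main__":
    for principal, (unused, role) in review().items():
        action = "remove binding" if role is None else f"narrow to {role}"
        print(f"{principal}: {len(unused)} unused permission(s); {action}")
```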
Information Week recently invited C2C Global President Josh Berman (@josh.berman) to contribute an article about the shared roles of businesses and cloud service providers in ensuring cloud security. For broader perspective on this critical topic, Berman spoke with Paul Lewis, CTO of Pythian, a C2C Foundational Platinum Partner and Google Cloud Premier Partner, about the nuanced distinction between “Security of the Cloud” and “Security in the Cloud.”

In the article, Berman identifies a series of emerging cybersecurity threats and enumerates a core set of best practices for preventing them—shared responsibility, identity and access management control, security by design, active monitoring, and data protection—ending with a reminder: “Do not stand still.” The considerations Berman offers are many, but all speak to one common essential value: accountability. In Berman’s words, “Cloud security is only effective if businesses and their cloud providers fundamentally agree and share responsibility. They must work in tandem.”

Read the full text of the article at Information Week.

Extra Credit:
Personal development and professional development are among the hottest topics within our community. At C2C, we’re passionate about helping Google Cloud users grow in their careers. This article is part of a larger collection of Google Cloud certification path resources.

The Google Cloud Professional Security Engineer works to verify all controls related to security operations, network security, and compliance within a company’s cloud infrastructure. Exam takers should be prepared to design, develop, configure, and manage secure workloads and data access.

The skills a security professional brings to any team help to protect a business’s assets from malicious attacks by identifying threats and applying security best practices. In a fully secure environment, these configurations also shield the business from misstepping in areas of high legal risk. Worldwide, privacy and data protection are trending in national legislative measures, with approximately two thirds of all countries having passed laws and about a dozen more with drafts prepared. And while GDPR-like laws regulate all sectors, cloud security professionals are especially in demand in the financial services, ecommerce, tech, healthcare, and life sciences industries.

These laws are turning consumer privacy into a hot topic, but consumer privacy is not the only security concern businesses need to keep in check. In the United States, for example, an executive order was passed earlier this year to improve the nation’s cybersecurity measures. Given the ever-evolving landscape of cybersecurity regulations and the continually expanding arsenal of security technologies, security skills are some of the most in-demand skills in cloud technology professions. However, cybersecurity certifications aren’t limited to security engineers. Across the board, these are the most popular cross-certifications among the respondents to Global Knowledge’s IT Skills and Salary Report.
Whether your goal is to specialize in a security role or to boost your credentials and close skill gaps on security-related issues in another cloud technology role, we have answers to the following:

What experience should I have before taking this exam?
What roles and job titles does Google Cloud Professional Security Engineer certification best prepare me for?
Which topics do I need to brush up on before taking the exam?
Where can I find resources and study guides for Google Cloud Professional Data Engineer certification?
Where can I connect with fellow community members to get my questions answered?

View image as a full-scale PDF here.

Extra Credit

Google Cloud’s certification page: Professional Cloud Security Engineer
Example questions
Exam guide
Coursera: Preparing for Google Cloud Certification: Cloud Security Engineer Professional Certification
Pluralsight: Preparing for the Google Cloud Professional Security Engineer Exam
AwesomeGCP Cloud Security Engineer Playlist
Global Knowledge IT Skills and Salary Report 2020

Looking for information about a different Google Cloud certification? Check out the directory in the Google Cloud Certifications Overview.
Cloud security is an emerging technology, and even some of the most seasoned professionals in the cloud community are still learning how it works, or at least thinking about it. If all of your data is stored on the cloud, and all of your apps are running on it, you want to know that those apps and that data are secure, and knowing that the cloud is an open, shared environment might not be an immediate comfort. Luckily, the cloud offers all kinds of security resources you can’t access anywhere else. Understanding how these resources can protect your data and assets is crucial to doing the best work possible in a cloud environment.

Vijeta Pai is a C2C contributor and Google Cloud expert whose website Cloud Demystified provides comics and other educational content that makes cloud security accessible and intelligible to the average Google Cloud user. C2C recently invited Pai to give a presentation and host a discussion on all things cloud security, from threat modeling to shared responsibility arrangements to best practices, drawing on her work with Cloud Demystified as well as the content she’s published on the C2C blog. Watch her full presentation below, and read on for some of the key conversations from her C2C Talks: Cloud Security Demystified.

After providing some background on types of cloud providers (public, private, and hybrid) and the different elements of cloud security (technologies, processes, controls, and policies), Pai broke down the STRIDE threat model. This model classifies the types of cybersecurity attack a cloud security system might be required to prevent. The six types are Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Watch below for Pai’s breakdown of the definition and associated security considerations of each one:

Next, Pai explained the different possible models used to share the responsibility for security between an organization and a cloud provider.
The three models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), and each allocates responsibility for people, data, applications, and the operating system (OS) differently:

Pai kicked off the open discussion portion with a comprehensive review of cloud security best practices, which referred back to a post she wrote for the C2C blog, 10 Best Practices for Cloud Security in Application Development. As she does in the post, Pai went through these strategies one by one, from Identity and Access Management Control to Data Encryption to Firewalls. For anyone in the process of actively implementing their cloud security measures, Pai’s full answer is worth the watch:

A unique opportunity for C2C members is the ability to ask questions directly to the experts, and Pai fielded several questions about specific aspects of the technology of Google Cloud itself. The first question came from C2C member Dickson Victor (@Vick), who was concerned with whether the cloud can support better security than an on-premise system. Pai’s answer spoke to the heart of the issue for most prospective cloud users: the policies, processes, and resources available in an open environment like the cloud versus those available in a locked, private system. Her response was nothing but encouraging:

Pai also took a moment to let C2C community member Lokesh Lakhwani (@llakhwani17) plug the Google Cloud Security Summit, the first-ever tech summit on cloud security:

The discussion wrapped up with a question about cybersecurity insurance and whether it might become an entire industry once cloud security becomes a new standard. Pai wasn’t sure how quickly the industry would explode.
Still, she thinks there is room out there for growth and innovation, precisely because of the extent to which technology has become a necessary part of day-to-day life for so many people living through the COVID-19 pandemic, including Pai’s mother, who lives and works in India. Moreover, the more we live our lives on the cloud, the more we will need cloud security, which, to Pai, means there are plenty of opportunities right now for cybersecurity insurance companies to make their mark:

Do you have questions or concerns about cloud security that Pai didn’t answer in this session? Feel free to share them in the comments and also to connect with Pai directly. You can find her on LinkedIn or join C2C to keep up with her work and get in touch with other tech professionals working in the cloud security field.
There is a lot of buzz around cloud security on Google Cloud Platform, involving terms and jargon that sound intimidating to beginners and experts alike. Security isn’t an abstract concept but something we practice in our day-to-day life, consciously or subconsciously. Applying security best practices and identifying threats on the cloud is possible.

Vijeta Pai (@Vijeta90), technology leader, creator of Cloud Demystified, and regular contributor to C2C, hosted this C2C Talks. The presentation portion from this session includes:

(1:25) Speaker introduction
(3:25) Types of cloud providers
Public cloud and space shared between organizations
Private cloud and space exclusive for one organization
Hybrid cloud using both public and private clouds
(9:05) Cloud security technologies, processes, controls, and policies
(11:45) STRIDE threat model
(17:00) Security as a shared responsibility for IaaS, PaaS, and SaaS
(19:45) Google Cloud risk protection program
(21:10) Overview of Vijeta’s best practices for cloud security in application development

Other resources:
Moving a global manufacturing powerhouse like Southwire to a cloud provider is a significant decision. But with 30 years of experience in IT and manufacturing to pull from, Dan Stuart knew the right questions to ask to drive the right decision for Southwire as it navigated a cyberattack, refreshed its hardware, and pursued growth. As a result, in July 2020, Southwire migrated its SAP environment to Google Cloud Platform, setting a benchmark in the industry for successfully moving an entrenched manufacturing business to the cloud.

“Southwire is building a foundation for growth and innovation with the cloud, beginning with the migration of its core SAP business systems and services to Google Cloud,” said Rob Enslin, President at Google Cloud. “We’re proud that Southwire has selected Google Cloud to power its digital transformation.”

But how was that decision made? Weren’t there concerns about the business, and more importantly, how secure is it? C2C sat down with Stuart, the senior vice president of IT services at Southwire.

“So, I was looking at security, scalability, and modernization of our whole industry, which needed to be fast, flexible, and agile,” Stuart recounted. “But I also wanted to replace our current data centers and move into a more standard Cloud Platform cloud environment, and Google was the right one for us.”

A bright brick backyard offset Stuart’s tall frame and created a perfect yellow hue surrounding him, perhaps the light or his proud disposition; Stuart’s confidence in the decision beamed through the Google Meet window. After all, the decision was tough and occurred at an even more challenging time for Southwire, but it proved to be profoundly beneficial, especially when it came to security. “When it comes to security, and you look at the competition out there, Google surpasses,” Stuart said.
“From the encryption piece of it, right up and down to their security monitoring, they know what they’re doing.”

Google Cloud truly does take security seriously. Its data centers are built with custom-designed servers that run their own operating systems for security and performance. Google also has more than 500 security engineers, some of the best minds focused on thwarting risks and on continuous improvement. “As we all know, security just keeps getting more complicated and complicated, and having a partner like Google that you know will stay on top of their game is exactly what we needed,” Stuart said.

Completing the Migration

To complete the migration, Southwire ran through four major cycles of testing, which occurred over more than ten weeks and involved more than 4,000 scripts. Given the ongoing COVID-19 pandemic, they did the entire operation remotely via conference calls and Microsoft® Teams.

The move to Google Cloud will ensure that Southwire remains up to date on the latest supported systems, improves security protocols, and provides a solid foundation for future upgrades, tools, and services to benefit both the organization and its customers.

“By moving the SAP environment to Google Cloud, this creates a secure, flexible and scalable environment for Southwire to embark on new projects that move the company forward in areas of strategy important to the long-term growth of the company,” Stuart said.

Making the Decision

Beyond Google Cloud Platform’s reputation, there were a handful of critical decisions and lessons learned. Among them, which will be shared in more detail in the upcoming Navigator, Stuart said the ability to have a fast and seamless migration was the most important. As they prepared to migrate, the Google Cloud Platform move wasn’t the only major IT project happening. They updated the enhancement pack and the process orchestrator, and upgraded to BW/4HANA. “We didn’t miss a production beat,” Stuart said with emphasis.
“We kept on track of our outages at our manufacturing shops, and everything went seamless. Google brought the support; they put the people that needed to be there on this team from the beginning, middle, and at the end.”

The 71-year-old manufacturing business just made history. Despite not having any Google experience, they were able to make it happen, and it has proven to be a wise decision. Google provided training, education, and a strong governance program, too. But setting up a governance program earlier in the process is one lesson Stuart can offer others making a lift and shift like this: “Make sure you got the governance in place, make sure you got the right architects helping you build your bill of materials for your deployment of Google and get that training and education upfront for your associates,” Stuart said. “It'll make them more relaxed at knowing what Google's doing, why they're doing it, and what they can expect, and it's helped set the expectations.”

Join Us!

Stuart sits down with Chief Customer Officer Sean Chinkski for a C2C Navigators discussion on May 18. Register below and bring your questions; Stuart will be answering them live.
This blog from Jian Zhen, Product Manager for Google Cloud, discusses the increasing need for securing access to SaaS applications and introduces a new whitepaper resource for Google Cloud customers.

Our new whitepaper, “Secure access to SaaS applications with BeyondCorp Enterprise,” outlines common scenarios for IT leaders to consider, and provides guidance for how they can approach each one. As with any new deployment, there are a number of security factors organizations must consider, such as:

How to govern zero trust access to sanctioned SaaS applications
How to prevent leakage of sensitive data from SaaS applications
How to prevent malware transfers and lateral movements via sanctioned applications
How to prevent visits to phishing URLs embedded in application content

Share your thoughts:

Have you adopted a zero trust model?
What questions do you have about BeyondCorp Enterprise?
How are you securing access to SaaS applications?
With the growing adoption of Google Cloud technologies, knowledge of security has gained paramount importance over the years. It is crucial to understand the technologies, policies, processes, and controls needed to secure Google Cloud Platform applications. Cloud technologies and security go hand in hand, as cybersecurity threats can invade your applications and affect your business’s confidentiality, integrity, and availability. Security is a shared responsibility of the application owner and the cloud provider, and it’s essential to understand how to build a robust security model. We have listed 10 security best practices to help keep your cloud environment secure.

Understand Your Cloud Locations and Services

Understanding your cloud locations and services is a critical best practice to keep your applications secure. Google Cloud services and products are built on top of the core infrastructure, which has built-in security features like access control, segmentation, and data control. However, you need to know how your data is stored, encrypted, and managed to ensure your information is secure. Google Cloud has VPCs, or Virtual Private Clouds, each an on-demand pool of shared resources. VPCs are isolated from each other and can communicate through VPC peering. You can control all network ingress (inbound) and egress (outbound) traffic to any resource via simple firewall rules. When designing a robust security model, the first step is knowing how your applications are hosted and which security services and products Google provides.

Google’s Cloud Data Loss Prevention API helps you discover, classify, and protect your sensitive data. It’s a fully managed service that inspects your structured and unstructured data, helping you gain insight and reduce any risk to your data and applications.

Understand Your External and Internal Security Threats

Understanding and being aware of your internal and external threats can help you stay proactive and keep your applications secure.
Hazards can be present anywhere, and it’s useful to understand the STRIDE threat model to keep on top of the threats your applications can face on Google Cloud. STRIDE stands for spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. The infographic below explains each of these threats.

Google Cloud Armor helps protect your applications against denial of service. Deployed in front of the external HTTP(S) load balancer, it absorbs L3 and L4 volumetric DDoS attacks and adds configurable L7 WAF rules for application-layer attacks. Note that it covers the denial-of-service letter of STRIDE, not the whole model: elevation of privilege is an IAM problem, repudiation is answered by Cloud Audit Logs, and information disclosure by encryption and access control.

Identity and Access Management Control

IAM is a framework of policies and processes defined by the cloud provider to make sure users have appropriate permissions to access resources, applications, and data on the cloud. IAM helps secure the data, prevent unwanted threats, and ensure all users have the right amount of access to get their work done. Google Cloud Platform has many services and products to protect users and applications by understanding, managing, and controlling access.

All resources on Google Cloud are managed hierarchically in four levels: organization, folders, projects, and resources. The organization is the top node, followed by folders, projects, and the service resources inside them. Each resource has exactly one parent, and children inherit the allow policies of their parents, so by default a role granted at the organization node applies to every folder, project, and resource under it. Inheritance is additive: a policy set lower down can only add bindings, never remove one that an ancestor granted. Grant broad roles at the organization or folder level only when you mean them to reach everything below. Resource Manager lets you centrally manage these resources by project, folder, and organization.

A fundamental way to filter out unwanted users is a robust authentication framework that admits only users who can prove their identity. Google accounts give you that out of the box through 2-Step Verification, for example with the Google Authenticator app or a security key, with no extra engineering on your side.
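The inheritance rule described above, modelled in Go as an added example (this is not code from the article or from Google's IAM implementation): a small hierarchy with allow policies at different levels, and a function that computes a member's effective roles as the union of the bindings on the resource and on every ancestor. The organization, folder, project, bucket and member names are made up; IAM deny policies and conditional bindings are not modelled.

```go
package main

import (
	"fmt"
	"sort"
)

// Resource is one node in the Google Cloud resource hierarchy
// (organization -> folder -> project -> service resource). Every node
// has exactly one parent; the organization's parent is nil.
type Resource struct {
	Name     string
	Parent   *Resource
	Bindings map[string]map[string]bool // role -> members, set directly on this node
}

// Grant adds a binding on this node only; ancestors are never modified.
func (r *Resource) Grant(role, member string) {
	if r.Bindings == nil {
		r.Bindings = map[string]map[string]bool{}
	}
	if r.Bindings[role] == nil {
		r.Bindings[role] = map[string]bool{}
	}
	r.Bindings[role][member] = true
}

// EffectiveRoles returns the roles a member holds on a resource: the
// union of the bindings on the resource and on every ancestor up to the
// organization. Nothing a child sets can subtract from that union.
func EffectiveRoles(r *Resource, member string) []string {
	seen := map[string]bool{}
	for n := r; n != nil; n = n.Parent {
		for role, members := range n.Bindings {
			if members[member] {
				seen[role] = true
			}
		}
	}
	roles := make([]string, 0, len(seen))
	for role := range seen {
		roles = append(roles, role)
	}
	sort.Strings(roles)
	return roles
}

// HasRole reports whether member holds role on r, directly or by inheritance.
func HasRole(r *Resource, member, role string) bool {
	for _, got := range EffectiveRoles(r, member) {
		if got == role {
			return true
		}
	}
	return false
}

// BuildSample constructs a hypothetical hierarchy (all names are made up):
// an organization with a "prod" folder holding the payments project and its
// ledger bucket, plus a sibling sandbox project directly under the org.
func BuildSample() map[string]*Resource {
	org := &Resource{Name: "organizations/123456789012"}
	folder := &Resource{Name: "folders/prod", Parent: org}
	project := &Resource{Name: "projects/payments-prod", Parent: folder}
	bucket := &Resource{Name: "buckets/payments-ledger", Parent: project}
	sandbox := &Resource{Name: "projects/dev-sandbox", Parent: org}

	org.Grant("roles/viewer", "group:security-team@example.com") // reaches everything
	folder.Grant("roles/editor", "group:platform@example.com")   // reaches prod only
	bucket.Grant("roles/storage.objectViewer", "serviceAccount:reports@payments-prod.iam.gserviceaccount.com")
	return map[string]*Resource{"org": org, "folder": folder, "project": project, "bucket": bucket, "sandbox": sandbox}
}

func main() {
	h := BuildSample()
	members := []string{
		"group:security-team@example.com",
		"group:platform@example.com",
		"serviceAccount:reports@payments-prod.iam.gserviceaccount.com",
	}
	for _, m := range members {
		fmt.Printf("%s\n  bucket:  %v\n  sandbox: %v\n", m, EffectiveRoles(h["bucket"], m), EffectiveRoles(h["sandbox"], m))
	}
}
```

Running it shows the security team's org-level viewer role on every node, the platform group's folder-level editor role on the payments project and its bucket but not on the sandbox, and the service account's bucket-level role nowhere above the bucket. The thing to internalise is that there is no call you can make on the bucket that would revoke the org-level grant; to narrow access you have to move the binding down the tree.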
Cloud Identity adds further protection for accounts, devices, and the workspace, including advanced protection and password-vaulted applications. You can choose from single sign-on (one-click access to applications), multi-factor authentication (two or more factors to validate identity), and endpoint management.

To guard access to your applications, you can use Identity-Aware Proxy (IAP). IAP verifies who is trying to reach your application and grants or denies access accordingly, which gives you a zero-trust model with centralized access control. IAP can protect applications hosted on Google Cloud, on another cloud, or on-premises. One caveat: IAP is only as strong as the path around it. Make the backend reachable only through the proxy, and have the application verify the signed JWT that IAP places in the x-goog-iap-jwt-assertion header, so a request that bypasses IAP is rejected rather than trusted.

Here are some of the IAM best practices that you can follow to keep the data in your applications secure.

Active Monitoring

Actively monitoring your environment and applications helps you discover intruders who may be lurking around and targeting your data. Knowing who is accessing your data and watching for suspicious activity helps you stay proactive. Google Cloud Monitoring, formerly Stackdriver Monitoring, is a fully managed, scalable service with dashboards, performance indicators, and alerts for monitoring, troubleshooting, and improving your applications on Google Cloud. For the security side of monitoring, pair it with Cloud Audit Logs, which record who did what to which resource (Admin Activity logs are always on; Data Access logs are off by default for most services and must be enabled), and with Security Command Center, which surfaces misconfigurations and threat findings across the organization.

Understand the Shared Responsibility Model

Google Cloud Platform provides services ranging from highly managed (Function as a Service) to highly customizable (Infrastructure as a Service), and each comes with its own division of security responsibility. The following diagram shows Google’s compute offerings, which you can use to run your applications. Knowing these services is the stepping stone to designing around the shared responsibility model.
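Cloud Monitoring dashboards will not tell you that someone just granted Owner to an outside account; that signal lives in Cloud Audit Logs. As an added example for the Active Monitoring section above (not code from the article), here is a small Go detector run over three constructed log entries in the shape of Admin Activity audit entries for IAM policy changes. The principals, projects and timestamps are invented; the field layout follows protoPayload.serviceData.policyDelta.bindingDeltas as exported by Cloud Logging, and the list of high-risk roles and trusted domains is an assumption you would tune for your organization.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sampleLog is constructed test data in the shape of Cloud Audit Log Admin
// Activity entries for IAM policy changes, one JSON object per line.
const sampleLog = `
{"timestamp":"2021-03-01T10:00:00Z","protoPayload":{"methodName":"SetIamPolicy","resourceName":"projects/payments-prod","authenticationInfo":{"principalEmail":"alice@example.com"},"serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/viewer","member":"user:bob@example.com"}]}}}}
{"timestamp":"2021-03-01T10:05:00Z","protoPayload":{"methodName":"SetIamPolicy","resourceName":"projects/payments-prod","authenticationInfo":{"principalEmail":"alice@example.com"},"serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/owner","member":"user:contractor@gmail.com"}]}}}}
{"timestamp":"2021-03-01T10:09:00Z","protoPayload":{"methodName":"storage.setIamPermissions","resourceName":"projects/_/buckets/payments-ledger","authenticationInfo":{"principalEmail":"deploy@payments-prod.iam.gserviceaccount.com"},"serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/storage.objectViewer","member":"allUsers"},{"action":"REMOVE","role":"roles/storage.objectViewer","member":"user:old@example.com"}]}}}}
`

type bindingDelta struct {
	Action string `json:"action"`
	Role   string `json:"role"`
	Member string `json:"member"`
}

// auditEntry maps only the fields the detection needs; other fields are ignored.
type auditEntry struct {
	Timestamp    string `json:"timestamp"`
	ProtoPayload struct {
		ResourceName       string `json:"resourceName"`
		AuthenticationInfo struct {
			PrincipalEmail string `json:"principalEmail"`
		} `json:"authenticationInfo"`
		ServiceData struct {
			PolicyDelta struct {
				BindingDeltas []bindingDelta `json:"bindingDeltas"`
			} `json:"policyDelta"`
		} `json:"serviceData"`
	} `json:"protoPayload"`
}

// Finding is one alert: who granted which role to whom, on what, and why it matters.
type Finding struct {
	Time, Actor, Resource, Role, Member, Reason string
}

// highRiskRoles are grants that should always be reviewed by a human (assumed list).
var highRiskRoles = map[string]bool{
	"roles/owner": true, "roles/editor": true,
	"roles/iam.securityAdmin": true, "roles/iam.serviceAccountTokenCreator": true,
}

// riskyMember flags public principals and identities outside the trusted domains.
func riskyMember(member string, trustedDomains []string) (bool, string) {
	if member == "allUsers" || member == "allAuthenticatedUsers" {
		return true, "public principal"
	}
	for _, d := range trustedDomains {
		if strings.HasSuffix(member, "@"+d) || strings.HasSuffix(member, "."+d) || strings.HasSuffix(member, ":"+d) {
			return false, ""
		}
	}
	return true, "member outside trusted domains"
}

// DetectRiskyGrants scans newline-delimited audit log JSON and returns a Finding
// for every ADD binding delta that grants a high-risk role, or grants anything to
// a public or external member. REMOVE deltas are ignored.
func DetectRiskyGrants(ndjson string, trustedDomains []string) ([]Finding, error) {
	var findings []Finding
	for i, line := range strings.Split(ndjson, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var e auditEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		p := e.ProtoPayload
		for _, d := range p.ServiceData.PolicyDelta.BindingDeltas {
			if d.Action != "ADD" {
				continue
			}
			var reasons []string
			if highRiskRoles[d.Role] {
				reasons = append(reasons, "high-risk role")
			}
			if risky, why := riskyMember(d.Member, trustedDomains); risky {
				reasons = append(reasons, why)
			}
			if len(reasons) > 0 {
				findings = append(findings, Finding{Time: e.Timestamp, Actor: p.AuthenticationInfo.PrincipalEmail,
					Resource: p.ResourceName, Role: d.Role, Member: d.Member, Reason: strings.Join(reasons, "; ")})
			}
		}
	}
	return findings, nil
}

func main() {
	findings, err := DetectRiskyGrants(sampleLog, []string{"example.com", "gserviceaccount.com"})
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s granted %s to %s on %s [%s]\n", f.Time, f.Actor, f.Role, f.Member, f.Resource, f.Reason)
	}
}
```

On the sample data the first entry (a viewer grant to an in-domain user) is silent, the second fires twice over (Owner, and to a gmail.com account), and the third fires because a bucket was made readable by allUsers. In production you would feed this from a Pub/Sub log sink rather than a string, and route findings to whoever owns the project named in Resource.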
With highly managed offerings like Cloud Functions or Firebase, Google takes care of more of the stack (hardware, OS, runtime, patching) than with highly customizable offerings, which give you more flexibility and, with it, more of the security work. The following diagram illustrates the shared security model by type of service offering.

Keep Your Data Encrypted

Encryption converts data into ciphertext so that its meaning is hidden from anyone without the key; it ensures that data is readable only by those allowed to access it. Google Cloud Platform encrypts data at rest by default, with no action required on your part: data is encrypted before the storage system writes it to disk. The scheme is envelope encryption: each chunk of data is encrypted with its own data encryption key (DEK), and the DEKs are in turn wrapped with key encryption keys (KEKs) held in Google’s central key management service. If you need more control over the keys for sensitive data, you can manage them yourself: customer-managed encryption keys (CMEK) are keys you own and rotate in Cloud KMS, while customer-supplied encryption keys (CSEK) are raw keys you send with each request and Google does not store. The image below compares these two options to help you make the right choice.

Thorough Vulnerability and Penetration Testing

Penetration testing means putting on the attacker’s hat and thinking like one: the organization (or a tester it hires) attacks its own infrastructure to find vulnerabilities and fix them before an outsider does. Google Cloud does not require you to ask permission before testing your own projects, but the Acceptable Use Policy still applies and the testing must stay within resources you own. Google Cloud Platform provides Web Security Scanner as part of Security Command Center to detect common web vulnerabilities (such as cross-site scripting, mixed content, and outdated libraries) in applications running on App Engine, Kubernetes Engine, and Compute Engine. Point it at a staging deployment before promoting to production: the scanner follows links and submits forms, so it can change data in the application it crawls.

Establish and Manage Firewalls

A firewall is a barrier in front of a system that keeps intruders from getting inside.
In a VPC, firewall rules are attached to the network and applied to instances (by network tag or service account) to block unauthorized access while allowing the communication you intend. Setting rules on incoming and outgoing traffic establishes a barrier between intruders and the system by filtering traffic and stopping outsiders from reaching your data.

To allow or deny connections to or from a virtual machine (VM), apply firewall rules in your Virtual Private Cloud (VPC). Every rule has a direction (ingress or egress), an action (allow or deny), a priority from 0 to 65535 where the lower number wins, and a match on source or destination ranges, protocols, and ports. Every VPC network also carries two implied rules at the lowest priority: deny all ingress and allow all egress. Because the rules are enforced by the VPC network rather than inside the guest, they protect instances regardless of their configuration and operating system, even before the VM has finished booting or if the host firewall is misconfigured. Check the default network in particular: it ships with rules such as default-allow-ssh that admit SSH from any address, which you should narrow or delete.

Manage and Institute Cloud Security Guidelines

Instituting and managing security best practices and guidelines for the organization is essential to the safety of your applications. It’s necessary to streamline processes so that staff, stakeholders, partners, and leadership are on the same page. Google Cloud has many security partner products you can leverage for your security needs, and several infrastructure, data protection, logging, and compliance partners who can guide your organization in formulating the best guidelines for your applications. To check your infrastructure for non-compliant resources, you can leverage open-source tools like Forseti and Config Validator.

Here’s a snapshot of some of the partners who can guide you in your security needs on Google Cloud. You can view the complete list under the resources section of this article.

Train Your Staff

The last but critical best practice is to keep your staff up to date on security threats and best practices. Any security measure is of no use if the organization does not follow it. It’s of paramount importance that everyone is aware of security threats and follows the best practices the organization has instituted.
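Going back to the Keep Your Data Encrypted section, here is the envelope pattern it describes, written out in Go as an added example. This is not the article's code and not Google's implementation: each object gets its own DEK, the data is sealed under the DEK with AES-256-GCM, and the DEK is sealed under a KEK that in production would live in Cloud KMS (here it is just random bytes held in memory). The object name is bound as associated data, and Rewrap shows why rotating the KEK is cheap. Keys are generated on the fly and the object name and payload are made up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Envelope is what gets stored beside the object. Neither key is stored in the clear.
type Envelope struct {
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, data)
}

// NewKey returns 32 random bytes, usable as an AES-256 KEK or DEK.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and binds aad.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, tampered bytes or a different aad all fail.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// Encrypt applies the envelope pattern: a fresh DEK per object, data sealed under the
// DEK, the DEK sealed under the KEK. The object name is bound as associated data.
func Encrypt(kek, data []byte, objectName string) (*Envelope, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, data, []byte(objectName))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the data with the DEK.
func Decrypt(kek []byte, env *Envelope, objectName string) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(objectName))
}

// Rewrap rotates the KEK: only the small wrapped DEK is re-encrypted; the bulk ciphertext is untouched.
func Rewrap(oldKEK, newKEK []byte, env *Envelope, objectName string) error {
	dek, err := open(oldKEK, env.WrappedDEK, []byte(objectName))
	if err != nil {
		return err
	}
	env.WrappedDEK, err = seal(newKEK, dek, []byte(objectName))
	return err
}

func main() {
	kek, _ := NewKey() // stands in for a key that Cloud KMS would hold
	env, err := Encrypt(kek, []byte("acct 4242 balance 1000.00"), "ledger/2021-03.csv")
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, env, "ledger/2021-03.csv")
	fmt.Printf("%q err=%v\n", pt, err)
}
```

Two properties are worth checking for yourself: decrypting with the wrong KEK, with a tampered ciphertext, or under a different object name fails authentication rather than returning garbage, and after Rewrap the old KEK no longer opens the envelope while the data bytes on disk never changed. With CMEK the seal and open on the DEK are the calls you make to Cloud KMS; with CSEK the KEK step is yours entirely.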
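For the firewall rules described under Establish and Manage Firewalls, an added example (not from the article) that reproduces the evaluation order in Go: rules sorted by priority, first match wins, and the implied deny-all-ingress and allow-all-egress rules as the fallback. The rule set is constructed and uses documentation address ranges; it shows the default network's SSH-from-anywhere rule left in place and how a higher-priority rule overrides it. Matching on target service accounts, source tags and rule logging are left out.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// Rule models a VPC firewall rule. Lower Priority wins (0 highest, 65535 lowest).
// CIDR is the source range for ingress and the destination range for egress.
// Port 0 means all ports; empty Tags means the rule targets every instance.
type Rule struct {
	Name     string
	Priority int
	Ingress  bool
	Allow    bool
	CIDR     string
	Proto    string // "tcp", "udp", "icmp" or "all"
	Port     int
	Tags     []string
}

// Packet is one connection attempt as seen by an instance with the given
// network tags. Remote is the source IP for ingress, destination IP for egress.
type Packet struct {
	Ingress bool
	Remote  net.IP
	Proto   string
	Port    int
	VMTags  []string
}

func (r Rule) matches(p Packet) bool {
	if r.Ingress != p.Ingress || (r.Proto != "all" && r.Proto != p.Proto) || (r.Port != 0 && r.Port != p.Port) {
		return false
	}
	_, network, err := net.ParseCIDR(r.CIDR)
	if err != nil || !network.Contains(p.Remote) {
		return false
	}
	if len(r.Tags) == 0 {
		return true
	}
	for _, t := range r.Tags {
		for _, vt := range p.VMTags {
			if t == vt {
				return true
			}
		}
	}
	return false
}

// Evaluate tries rules in priority order and returns the verdict of the first
// match plus the rule name. With no match the implied rules apply: deny all
// ingress, allow all egress (both sit at the lowest priority, 65535).
func Evaluate(rules []Rule, p Packet) (bool, string) {
	sorted := append([]Rule(nil), rules...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].Priority < sorted[j].Priority })
	for _, r := range sorted {
		if r.matches(p) {
			return r.Allow, r.Name
		}
	}
	if p.Ingress {
		return false, "implied-deny-ingress"
	}
	return true, "implied-allow-egress"
}

// SampleRules is a constructed rule set using documentation address ranges:
// the default network's SSH-from-anywhere rule at 65534, a higher-priority deny
// for SSH from the internet with an allow for the corporate range above it,
// HTTPS open only to instances tagged "web", and egress to a blocklisted range denied.
func SampleRules() []Rule {
	return []Rule{
		{Name: "default-allow-ssh", Priority: 65534, Ingress: true, Allow: true, CIDR: "0.0.0.0/0", Proto: "tcp", Port: 22},
		{Name: "ssh-deny-internet", Priority: 1000, Ingress: true, Allow: false, CIDR: "0.0.0.0/0", Proto: "tcp", Port: 22},
		{Name: "ssh-allow-corp", Priority: 900, Ingress: true, Allow: true, CIDR: "203.0.113.0/24", Proto: "tcp", Port: 22},
		{Name: "web-allow-https", Priority: 1000, Ingress: true, Allow: true, CIDR: "0.0.0.0/0", Proto: "tcp", Port: 443, Tags: []string{"web"}},
		{Name: "egress-deny-blocklist", Priority: 500, Ingress: false, Allow: false, CIDR: "198.51.100.0/24", Proto: "all"},
	}
}

func main() {
	rules := SampleRules()
	for _, p := range []Packet{
		{Ingress: true, Remote: net.ParseIP("198.51.100.7"), Proto: "tcp", Port: 22, VMTags: []string{"web"}},
		{Ingress: true, Remote: net.ParseIP("203.0.113.5"), Proto: "tcp", Port: 22, VMTags: []string{"web"}},
		{Ingress: true, Remote: net.ParseIP("192.0.2.9"), Proto: "tcp", Port: 443, VMTags: []string{"db"}},
		{Ingress: false, Remote: net.ParseIP("8.8.8.8"), Proto: "udp", Port: 53},
	} {
		allowed, by := Evaluate(rules, p)
		fmt.Printf("ingress=%v remote=%s %s/%d tags=%v -> allowed=%v (%s)\n", p.Ingress, p.Remote, p.Proto, p.Port, p.VMTags, allowed, by)
	}
}
```

The point of the SSH trio is that default-allow-ssh at 65534 is still there and still matches; it simply never gets a turn because the deny at 1000 is evaluated first. Deleting the default rule is still the better fix, since a future rule at priority 1000 or lower that allows port 22 would reopen the hole. Egress is the mirror image: with no explicit deny, the implied allow-all-egress lets a compromised instance talk to anything.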
Google Cloud provides training, whitepapers, articles, and support to help you meet industry standards and keep your applications secure.

Visual Learner? Resource for You.

Extra Credit

Here are some resources that you can use to understand cloud security better and design a robust security framework for your applications on the Google Cloud Platform:
- Coursera Professional Certificate on Google Cloud Platform Security
- Google Cloud Platform Security Best Practices Repository
- Google Data Loss Prevention API Documentation
- Google Cloud Virtual Private Cloud (VPC) Documentation
- Forseti and Config Validator
- Google Cloud Platform Documentation
- Google Cloud Platform Security Partners
- Google Cloud Web Security Scanner Documentation
- Google Cloud Monitoring Documentation
- Cloud Identity-Aware Proxy Documentation
- Cloud Identity Documentation
- Resource Manager Documentation
- Google Encryption Documentation
- Google Cloud Armor Documentation
C2C Deep Dives invite members of the community to bring their questions directly to presenters.

Do you have questions about the options for securing communication between serverless compute products on Google Cloud? In this C2C Deep Dive, Guillaume Blaquiere (@guillaume blaquiere), cloud architect at Sfeir, covers OAuth 2 token usage (access tokens versus identity tokens), virtual private cloud (VPC) access and private network access, load balancers, ingress, and egress. Watch the video to learn how you can start taking control of your serverless infrastructure, and see how Guillaume answers the following common security questions:
- What about patch management?
- How do you manage the network?
- How do you ensure HA?
- How do you control access “from” and “to” the service?
- How do you mitigate DDoS?

Download the slides.
Vijeta Pai, a Google Cloud expert and technology leader, demystifies cloud using illustrations, comics, and easy-to-understand explanations. Today, we're bringing you her post about Identity and Access Management (IAM).

What is IAM? Simply put, it's a framework of policies and processes defined by the cloud provider to make sure users have appropriate permissions to access resources, applications, and data on the cloud. This not only secures the data and prevents unwanted threats but also makes sure all users have the right amount of access to get their work done. There are three main parts to IAM in Google Cloud Platform (GCP): members (the identities being granted access), roles (collections of permissions), and policies (the bindings of members to roles on a resource). You can read more about them on Pai's website, Cloud Demystified.

Visual learner? Check out the comic.

Best Practices

On her blog, you'll also find some of the best practices that Google Cloud suggests for IAM, but here is a highlight.

Get Connected

Keep up with her on the C2C community platform (join here!).

Extra Credit
- Google Cloud IAM Documentation
- Cloud IAM on Qwiklabs
- Identity and Access Management (Coursera)
Known as a prominent programmer and entrepreneur in the tech space, Andi Gutmans today serves as General Manager and VP of Engineering for Databases at Google Cloud. He oversees a group whose goal is to support customers on their data journeys and in transforming their businesses.

“It’s a three-step journey,” he said. “We take them through migration, modernization, and then transformation. The best part of what we do is being able to innovate on behalf of our customers.”

Innovating is something Gutmans does well. He co-created PHP, the most widely used language for building dynamic web pages, and he co-founded Zend Technologies, which continues to do much of the work of developing PHP further. Gutmans doesn’t shy away from new challenges; he thrives on finding solutions for them.

“All customers want to eventually get to transformation,” he said. “But it’s not always easy to make the full leap in one step. I’m excited about the opportunity to partner with them on that journey and to really enable that transformation.”

Watch the whole interview below.
This article was originally published on November 20, 2020.

Hailed as one of the “Founding Fathers” of the internet for co-creating PHP, Andi Gutmans is just getting started. To discuss his new role at Google and the future of data, Gutmans joined C2C for the sixth installment of our thought leadership series, where we don’t hold back on either the fun or the challenging questions. A four-citizenship-holding engineering powerhouse, Gutmans brings a global perspective to both tech and coffee.

“I love making espresso and improving my latte art,” he mused. “I always say, if tech doesn’t work out for me, that’s where you’re going to find me.”

But when he isn’t daydreaming about turning it all in to own a coffee shop and become a barista, he leads the operational database group as GM and VP of Engineering for Databases at Google.

“Our goal is building a strategy and vision that is very closely aligned with what our customers need,” he said. “Then, my organization works with customers to define what that road map looks like, deliver that, and then operate the most scalable, reliable, and secure service in the cloud.”

It’s an enormous responsibility, but Gutmans and his team broke the challenge into three steps: migration, modernization, and transformation. They did this even though they have never met in person; Gutmans started at Google during the COVID-19 pandemic.

Driven to support customers through their data journeys as they move to the cloud and transform their business, he digs into the how, the why, and more in the conversation (video above), but these are the five points you should know:

Lift, Shift, Transform

The pandemic has changed the way everyone does business. For some, the change means accelerating the shift to the cloud, but Gutmans said most customers are taking a three-step journey.

“We’re seeing customers embrace this journey into the cloud,” he said.
“They’re taking a three-step journey into the cloud. Migration, which is trying to lift and shift as quickly as possible, getting out of their data center. Then modernizing their workloads, taking more advantage of some of the cloud capabilities, and then completely transforming their business.”

Migrating to the cloud lets customers spend less time managing infrastructure and more time on business problems. To keep the journey frictionless, he and his team work on Cloud SQL, a managed service for MySQL, PostgreSQL, and SQL Server. They also handle the regulatory requirements customers have in various geographies.

“By handling the heavy lifting for customers, they have more bandwidth for innovation,” he said. “So the focus for us is making sure we’re building the most reliable service, the most secure service, and the most scalable service.”

Gutmans described how Autotrader lifted and shifted into Cloud SQL and increased deployment velocity by 140% year-over-year. “So, there is an instant gratification aspect of moving into the cloud.”

Other benefits of the cloud are auto-remediation, backups, and restoration. Still, the challenges are deciding what stays at the edge and what goes into the cloud, and, of course, security. Gutmans said he wants to work with customers to understand their pain points and thought processes better.

Modernizing sometimes requires moving customers off proprietary vendors and onto open-source-based databases, and the Gutmans team has a plan for that. By investing in partners, they can provide customers with assessments of their databases, more flexibility, and a cost reduction.

Finally, when it comes to transformation, the pandemic has redefined the scope.
A virtual-focused world is reshaping how customers do business, so that is where a lot of Google’s cloud-native database investments have gone, such as Cloud Spanner, Cloud, BigQuery, and Firestore.

“It's really exciting to see our customers make that journey,” he said. “Those kinds of transformative examples where we innovate, making scalability seamless, making systems that are reliable, making them globally accessible, we get to help customers, you know, build for [their] future. And seeing those events be completely uneventful from an operational perspective is probably the most gratifying piece of innovating.”

Gutmans adds that transformation isn’t limited to customers with legacy data systems. Cloud-native companies may also need to re-architect, and Google can support those transformations, too.

AI Is Maturing

Gartner stated that by 2022, 75% of all databases would be in the cloud, and that isn’t only because the pandemic is accelerating transformation. AI is maturing, and it lets companies make intelligent, data-driven decisions.

“It has always been an exciting space, but I think today is more exciting than ever,” Gutmans said. “In every industry right now, we’re seeing leaders emerge that have taken a digital-first approach, so it’s caused the rest of the industries to rethink their businesses.”

Data Is Only Trustworthy if It’s Secure

Data is quickly becoming the most valuable asset organizations have. It can help make better business decisions and help you better understand your customers and what’s happening in your supply chain. Analyzing your data and leveraging historicals can also improve forecasting to better target specific audiences.

But with all the tools improving data accessibility and portability, security is always a huge concern.
Gutmans’ team keeps security at the fore.

“We put a lot of emphasis on security—we make sure our customer’s data is always encrypted by default,” he said.

Encryption by default is only part of it; the team also wants the data to stay portable.

“We want to make sure that not only can the data come up, [but] we also want to make it easy for customers to take the data wherever they need it,” Gutmans said.

Even with the tools Gutmans’ team provides, the customer is central and retains control.

“We do everything we can to ensure that only customers can govern their data in the best possible way; we also make sure to give customers tight control,” he said.

As security measures mature, new data applications are emerging, including fraud detection and the convergence of operational data and analytical systems. This intersection creates powerful marketing applications, leading to improved customer experience.

“There are a lot of ways you can use data to create new capabilities in your business that can help drive opportunity and reduce risk,” Gutmans said.

Leverage APIs Without Adding Complexity

There are two kinds of APIs, as Gutmans sees it: administration APIs and APIs for building applications. On the provisioning side, customers can adopt a DevOps culture and automate their test, staging, and production environments by treating infrastructure as code.
He points to resources available here and here for background on how to do this. But when it comes to applications, his answer is more concise: “if the API doesn’t reduce complexity, then don’t use them.”

“I don’t subscribe to the philosophy where, like, everything has to be an API, and if not...you’re making a mistake,” he added.

He recommends focusing on where you can gain the most significant agility benefit to help your business get the job done.

Final Words of Wisdom

Gutmans paused, went back to the importance of teamwork and collaboration, and offered this piece of advice:

“Don’t treat people the way you want to be treated; treat people the way they want to be treated.”

He also added that the journey is different for each customer. Just remember to “get your data strategy right.”