As much as you’ve been asked “what is cloud-native?”, I’ve been asked “how do I secure it?”. Google deploys billions of containers a week, and does so securely /2
BeyondProd is not a particular tool, but a model. It’s a realization, like in BeyondCorp, that corp security doesn’t end at the perimeter /3
Service trust should depend on code provenance and service identity, not the location in the production network, like IP address /4
The first big difference when using containers is due to scheduling. You can’t rely on IP addresses or host names for security. You need service identity /5
Since containers are meant to be redeployed when a change occurs, you need an easy way to manage rollouts - and this also gives you a choke point /6
You can actually verify and enforce what ends up in your environment, at deployment time. That’s kind of awesome /7
btw, there’s another whitepaper on this that came out today: Binary Authorization for Borg https://cloud.google.com/security/binary-authorization-for-borg/ … /8
Once you know what’s running in your environment, you can restrict how services communicate and interact, based on the service identity, and more strongly isolate workloads /9
Google published a paper about two years ago on interservice communication: ALTS https://cloud.google.com/security/encryption-in-transit/application-layer-transport-security/ … /10
For developers, the best part is that these security controls are built directly into the tools they use - basically, it’s DevSecOps. You can address security issues earlier, when it’s less costly, and do so in a standardized and consistent way /11
You can’t make a change to cloud-native (containers, microservices) in your infrastructure, without also changing your dev practices. (You’re missing the point, and missing out on the security benefits.) /12
TL;DR: Moving to a cloud-native infrastructure let Google meet stronger security principles. BeyondProd assumes no trust between services, isolation between workloads, verified deployments, and centralized policy management /13
If you want to do something similar yourself, there’s a list of OSS and Google technologies in this blog post to guide you: https://cloud.google.com/blog/products/identity-security/beyondprod-whitepaper-discusses-cloud-native-security-at-google … /15
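The deployment-time verification the thread describes (rollouts as a choke point, enforcing what ends up in the environment, /6 through /8), as an added example that is not part of the original thread and is not Google's Binary Authorization for Borg code. It assumes a hypothetical admission check, `admit`, that refuses a manifest unless every image is pinned by an immutable sha256 digest, is pulled from an allowed repo, and carries a valid attestation from each required attestor (here a build system and a vulnerability scanner). The attestor names, registry, manifests and keys are constructed for the example; real attestations are asymmetric signatures (the attestor holds the private key, admission control holds only public keys), and a shared HMAC key stands in so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json
import re
from dataclasses import dataclass

# Image references must be pinned by digest: "repo@sha256:<64 hex>".
# A tag such as ":latest" is mutable and can be re-pointed after review.
DIGEST_RE = re.compile(r"^(?P<repo>[a-z0-9][a-z0-9./_-]*)@sha256:(?P<digest>[0-9a-f]{64})$")


@dataclass(frozen=True)
class Policy:
    allowed_repo_prefixes: tuple   # repos a workload may be pulled from
    required_attestors: frozenset  # every one of these must have attested the digest


# Hypothetical attestor keys, constructed for the example. A real system uses
# asymmetric keys; a shared HMAC key stands in here so this runs on stdlib only.
ATTESTOR_KEYS = {
    "build-system": b"build-key-constructed-for-example",
    "vuln-scanner": b"scanner-key-constructed-for-example",
}


def _payload(attestor, digest):
    # Canonical JSON so signer and verifier hash identical bytes.
    return json.dumps({"attestor": attestor, "digest": digest}, sort_keys=True).encode()


def attest(attestor, image_ref):
    """An attestor vouches for one immutable digest (built from reviewed source, scan passed, ...)."""
    m = DIGEST_RE.fullmatch(image_ref)
    if m is None:
        raise ValueError(f"attestations are issued for digests only, not {image_ref!r}")
    payload = _payload(attestor, m["digest"])
    sig = hmac.new(ATTESTOR_KEYS[attestor], payload, hashlib.sha256).hexdigest()
    return {"attestor": attestor, "payload": payload.decode(), "signature": sig}


def attestation_is_valid(att, digest):
    """True only if the signature verifies under the named attestor's key AND the signed digest matches."""
    key = ATTESTOR_KEYS.get(att.get("attestor"))
    if key is None:
        return False  # unknown attestor: its opinion carries no weight
    expected = hmac.new(key, att["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, att["signature"]):
        return False
    claims = json.loads(att["payload"])
    return claims.get("attestor") == att["attestor"] and claims.get("digest") == digest


def admit(manifest, attestations, policy):
    """Deployment-time check: returns (admitted, reasons). Any reason blocks the whole manifest."""
    reasons = []
    for c in manifest["containers"]:
        ref = c["image"]
        m = DIGEST_RE.fullmatch(ref)
        if m is None:
            reasons.append(f"{c['name']}: image must be pinned by sha256 digest, got {ref!r}")
            continue
        if not any(m["repo"].startswith(p) for p in policy.allowed_repo_prefixes):
            reasons.append(f"{c['name']}: repo {m['repo']!r} is not an allowed source")
        for attestor in sorted(policy.required_attestors):
            ok = any(a.get("attestor") == attestor and attestation_is_valid(a, m["digest"])
                     for a in attestations)
            if not ok:
                reasons.append(f"{c['name']}: missing or invalid attestation from {attestor!r}")
    return (not reasons, reasons)


POLICY = Policy(allowed_repo_prefixes=("registry.example.internal/",),
                required_attestors=frozenset({"build-system", "vuln-scanner"}))

# Constructed sample data: one image that was built and scanned, one that was only built.
REVIEWED = "registry.example.internal/payments/api@sha256:" + "a" * 64
UNSCANNED = "registry.example.internal/payments/worker@sha256:" + "b" * 64
SAMPLE_ATTESTATIONS = [
    attest("build-system", REVIEWED),
    attest("vuln-scanner", REVIEWED),
    attest("build-system", UNSCANNED),
]
GOOD_MANIFEST = {"containers": [{"name": "api", "image": REVIEWED}]}
BAD_MANIFEST = {"containers": [
    {"name": "api", "image": "registry.example.internal/payments/api:latest"},    # mutable tag
    {"name": "worker", "image": UNSCANNED},                                       # scanner never signed off
    {"name": "sidecar", "image": "docker.io/library/busybox@sha256:" + "c" * 64},  # wrong source, no attestations
]}

if __name__ == "__main__":
    print(admit(GOOD_MANIFEST, SAMPLE_ATTESTATIONS, POLICY))
    for reason in admit(BAD_MANIFEST, SAMPLE_ATTESTATIONS, POLICY)[1]:
        print("DENY:", reason)
```

Because the attestation is bound to the digest rather than to a tag, re-pointing a tag, or copying a scanner's attestation onto a different image, fails verification; the admission check is the choke point where that is enforced, independent of which host or IP the workload is scheduled onto.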
BeyondProd