securing content in the cloud
TRANSCRIPT
Proprietary + Confidential
#NABShow
Securing Content in the Cloud
Adrian Graham, Cloud Solutions Architect
March 20, 2017
Why security?
Overview
On-premises infrastructure
Cloud infrastructure
Connecting to cloud
Hybrid infrastructure
Secure all the things!
Further reading
On-premises infrastructure

[Diagram, built up over several slides: Local Workstations, Render Farm Nodes (Render Workers), File Server, License Server, Queue Manager, Asset Mgmt]
Cloud infrastructure

[Diagram, built up over several slides: Rendering VMs (Compute Engine), Assets (Cloud Storage), NFS File Server, Read-through Cache, Cloud-based License Server, Users (Cloud IAM), Stackdriver Logging; arrows for data ingress, data ingress/egress, on-prem licenses and LDAP sync]
Connecting to cloud

[Diagram, built up over several slides: on-premises Render Farm Nodes (Render Workers) connected to the cloud via Cloud VPN (VPN Gateway), Cloud Router and Cloud Interconnect]
Hybrid infrastructure (better put on your glasses for this next slide…)

[Diagram, built up over several slides. On-premises: Asset Mgmt dB, Render Farm Nodes, File Server, Local Workstations, Queue Manager, Physical Cache, License Server, Users & Admins. Cloud: Rendering VMs (Compute Engine), Assets (Cloud Storage), Users (Cloud IAM), NFS File Server, Read-through Cache, Cloud-based License Server, Stackdriver Logging, Users & Admins. Links: Cloud Interconnect, Cloud VPN (VPN Gateway, Cloud Router), Cloud Directory Sync, APIs (gcloud, gsutil, ssh, rsync, etc.), Accelerated UDP Transfer. Traffic: project data I/O, license requests, Queue Manager dispatching, project database communication]
How do we secure all the things?
Cloud Platform resource hierarchy
Projects and access
Granting access: Manage your organization's identities with G Suite. Implement Google Cloud Directory Sync.
gcloud SDK, Compute Engine API: Authentication is performed by the SDK itself. Credentials are picked up by the API client libraries.
Automating security checks: Implement Forseti Security to run periodic checks for policy compliance. https://github.com/GoogleCloudPlatform/forseti-security
Topics: Projects and access; Controlling user access; Encryption key mgmt; Network security; Disk images; Connectivity; File systems; Encryption; Transferring data; Logging; Other
Controlling user access
Cloud IAM: Create and manage permissions at multiple levels.
Service accounts: Access Google services and resources programmatically.
Access scopes: Set permissions at the resource level.
Identity & Access Management
Who (principal): user, service account, group, domain
Can do what: roles (collections of permissions), authorization tokens
On which resource: folder, project, resource (VM, bucket…)
Cloud IAM unifies access control under a single system.
Create and manage permissions at the organization, project and resource levels.
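Added example, not from the slides or any Google library: a small model of the who / can-do-what / on-which-resource triple above, evaluating a permission by walking the resource hierarchy so that a binding made at folder or project level is inherited by the VMs and buckets below it. The role contents, hierarchy and member identities are constructed for the example.

```python
from dataclasses import dataclass, field

# Roles are collections of permissions. Constructed subset for this example;
# Google's predefined roles carry far more permissions than shown here.
ROLES = {
    "roles/compute.viewer": {"compute.instances.get", "compute.instances.list"},
    "roles/compute.instanceAdmin.v1": {"compute.instances.get", "compute.instances.list",
                                       "compute.instances.create", "compute.instances.delete"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
}

@dataclass
class Resource:
    """A node in the hierarchy: organization, folder, project, or a VM/bucket."""
    name: str
    parent: "Resource | None" = None
    bindings: dict = field(default_factory=dict)  # role -> set of member strings

def member_matches(member: str, principal: str, groups) -> bool:
    """Match one IAM member string (user:, serviceAccount:, group:, domain:) to a principal."""
    kind, _, ident = member.partition(":")
    if kind in ("user", "serviceAccount"):
        return ident == principal
    if kind == "group":
        return ident in groups
    if kind == "domain":
        return principal.endswith("@" + ident)
    return False  # unknown member kinds never grant access

def has_permission(principal: str, permission: str, resource: Resource, groups=frozenset()) -> bool:
    """A role bound at any ancestor is inherited, so a project grant covers its VMs."""
    node = resource
    while node is not None:
        for role, members in node.bindings.items():
            if permission in ROLES.get(role, set()) and \
               any(member_matches(m, principal, groups) for m in members):
                return True
        node = node.parent
    return False

def build_demo_hierarchy() -> dict:
    """Constructed studio layout: organization -> folder -> project -> VM and bucket."""
    org = Resource("organizations/example")
    folder = Resource("folders/rendering", org,
                      {"roles/compute.viewer": {"group:artists@example.com"}})
    project = Resource("projects/render-prod", folder, {"roles/compute.instanceAdmin.v1":
                       {"serviceAccount:queue-mgr@render-prod.iam.gserviceaccount.com"}})
    vm = Resource("instances/render-worker-01", project)
    bucket = Resource("buckets/studio-assets", project,
                      {"roles/storage.objectViewer": {"domain:example.com"}})
    return {"vm": vm, "bucket": bucket}
```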
Encryption key management
Cloud Storage: All data is encrypted at rest using either AES128 or AES256 encryption. Data is always encrypted before it's written to disk.
Cloud KMS: Store encryption keys centrally in the cloud, for use by cloud services. Let Google manage your keys, or manage keys yourself.
Network security
Networks and subnetworks: Isolate resources on separate networks to add an extra level of security. Subnetworks are created automatically, one for each compute zone.
Firewall rules: Rules apply to the entire network. To allow incoming traffic, you must create 'allow' firewall rules.
External IP addresses: The assignment of an external IP can be disabled on instance creation. The instance will then only be reachable over VPN, or from within the network.
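Added example, not from the slides and not Forseti's own code: a periodic compliance check of the kind the "Automating security checks" point calls for, run over a constructed inventory shaped like Compute Engine instance and firewall resources. It flags instances that were created with an external IP, and sensitive ports that an ingress 'allow' rule opens to every source address; the instance names, network name and addresses are invented.

```python
import ipaddress
# Constructed inventory in the shape of Compute Engine API resources
# (instances.list / firewalls.list); names and addresses are invented.
INSTANCES = [
    {"name": "render-worker-01", "networkInterfaces": [{"network": "vpc-render", "accessConfigs": []}]},
    {"name": "nfs-server", "networkInterfaces": [{"network": "vpc-render",
     "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}]},
]
FIREWALLS = [
    {"name": "allow-nfs-from-vpn", "network": "vpc-render", "direction": "INGRESS",
     "sourceRanges": ["10.20.0.0/16"], "allowed": [{"IPProtocol": "tcp", "ports": ["2049"]}]},
    {"name": "allow-ssh-any", "network": "vpc-render", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]
SENSITIVE_PORTS = {22, 2049, 3389}  # ssh, NFS, RDP

def port_in_spec(port: int, spec: str) -> bool:
    """Match a port against a Compute Engine port spec such as "22" or "1-65535"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def open_to_internet(rule: dict) -> bool:
    """True for an ingress 'allow' rule whose source range covers every address."""
    ingress_allow = rule.get("direction", "INGRESS") == "INGRESS" and "allowed" in rule
    return ingress_allow and any(ipaddress.ip_network(r).prefixlen == 0 for r in rule.get("sourceRanges", []))

def exposed_sensitive_ports(rule: dict) -> set:
    """Sensitive TCP ports an allow rule opens; no 'ports' key means all ports."""
    ports = set()
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") in ("tcp", "all"):
            specs = entry.get("ports") or ["0-65535"]
            ports |= {p for p in SENSITIVE_PORTS if any(port_in_spec(p, s) for s in specs)}
    return ports

def check_inventory(instances: list, firewalls: list) -> list:
    """Return (instance, finding) pairs for external IPs and internet-open ports."""
    open_ports = {}  # network -> sensitive ports reachable from 0.0.0.0/0
    for rule in firewalls:
        if open_to_internet(rule):
            open_ports.setdefault(rule["network"], set()).update(exposed_sensitive_ports(rule))
    findings = []
    for inst in instances:
        for nic in inst["networkInterfaces"]:
            nat_ips = [ac["natIP"] for ac in nic.get("accessConfigs", []) if ac.get("natIP")]
            if not nat_ips:
                continue  # no external IP: reachable only over VPN or from within the network
            findings.append((inst["name"], "external IP assigned: " + ", ".join(nat_ips)))
            for port in sorted(open_ports.get(nic["network"], ())):
                findings.append((inst["name"], f"port {port} reachable from 0.0.0.0/0"))
    return findings
```

An instance with no external IP produces no finding even when the network has a rule open to 0.0.0.0/0, which is why the two controls on this slide belong together.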
Disk images
Public: Compute Engine offers many preconfigured public images. Each OS image has been configured to work closely with Google Cloud Platform services and resources.
Custom: Use your own custom image, but ensure you comply with security best practices.
Connectivity
Google Cloud VPN: Regardless of how you're connected to Google, you must secure your connection with a Virtual Private Network (VPN).
Direct peering: Connect directly to a Google PoP. This is typically the fastest option.
Cloud Interconnect: Connect to Google using a service provider.
File systems
Object-based: Encrypted, localized, available worldwide. There are pipeline implications, however.
POSIX-compliant: Known as Persistent Disk (PD) on GCP. The security features of object-based storage, available as an NFS server.
Other filesystems: Clustered or caching filesystems are also available; however, they are not under the management of IAM or other Google security mechanisms.
Encryption
Storage security: Security features are consistent across storage classes. By default, Google manages encryption keys.
When is data encrypted? Both at rest and in transit. If using VPN (which you should), data is encrypted before leaving on-prem.
Transferring data
SDK and API: gsutil, gcloud, rsync and ssh can be used, but we recommend gsutil for anything less than 10Gb in size.
UDP-based: Aspera, Tervela Cloud FastPath, BitSpeed Velocity or FDT are all options; however, they're all third-party services and are not managed by Google.
Logging
Stackdriver: Can be used as a secure logging server for a variety of pipelines. Able to ingest thousands of concurrent log streams.
Audit logging: Monitor project-based admin activity.
Other considerations
Queue management: Use the gcloud command to communicate with Google Cloud, rather than via ssh. Consider running your queue system entirely on Google Cloud Platform.
Custom software: There are a number of client libraries available for use by third-party software APIs. Each library provides methods for OAuth 2.0 authorization.
Licensing: Use your own on-prem license server across a VPN, or run a license server in the cloud.
Further reading
Best Practices for Enterprise Organizations
Google Infrastructure Security Design Overview
Encryption at Rest in Google Cloud Platform
Securely Connecting to VM Instances
Google Security Whitepaper
Using IAM Securely
Configuring Imported Images
Questions?
THANK YOU