securing content in the cloud

Proprietary + Confidential

#NABShow

Securing Content in the CloudAdrian GrahamCloud Solutions ArchitectMarch 20, 2017

Proprietary + ConfidentialProprietary + Confidential


Why security?



Overview

On-premises infrastructure

Cloud infrastructure

Connecting to cloud

Hybrid infrastructure

Secure all the things!

Further reading



On-premises infrastructure

Source: Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis non erat sem


#NABShow

On-premise infrastructure

Render Farm Nodes

Local Workstations




#NABShow


Render Farm Nodes

File Server

Local Workstations




#NABShow


Render Farm Nodes

File Server

Local Workstations License Server




#NABShow


Render Farm Nodes

File Server

Local Workstations License Server

Render Workers

Render Workers

Render Workers




#NABShow


Render Farm Nodes

File Server

Local Workstations

Queue Manager

License Server

Render Workers

Render Workers

Render Workers




#NABShow


Asset Mgmt Render Farm Nodes

File Server

Local Workstations

Queue Manager

License Server

Render Workers

Render Workers

Render Workers




#NABShow


Rendering VMsCompute Engine

Data ingress/egress

https://docs.google.com/presentation/d/1fAZ8Cr-UDNFUzDV4Mw_o7MKGqGIJKf9xCNlDeqyU4-E/edit#slide=id.g1ef6d86f63_0_2608














#NABShow



AssetsCloud Storage

Data ingress

Data ingress/egress



#NABShow



AssetsCloud Storage

NFS File Server

Data ingress

Data ingress/egress



#NABShow



AssetsCloud Storage

Read-through Cache

NFS File Server

Data ingress

Data ingress/egress



#NABShow



AssetsCloud Storage

NFS File Server

Cloud-based License Server

Data ingress

Data ingress/egress

On-prem licenses

Read-through Cache



#NABShow



AssetsCloud Storage

Read-through Cache

UsersCloud IAM

NFS File Server


Data ingress

Data ingress/egress

On-prem licenses

LDAP sync



#NABShow



AssetsCloud Storage

Read-through Cache

UsersCloud IAM

NFS File Server


StackdriverLoggingData ingress

Data ingress/egress

On-prem licenses

LDAP sync



Connecting to cloud



#NABShow

Connecting to cloud

Render Farm Nodes

Render Workers

Render Workers




#NABShow

Connecting to cloud

Render Farm Nodes

Render Workers

Render Workers


CloudVPN

VPNGateway



#NABShow

Connecting to cloud

Render Farm Nodes

Render Workers

Render Workers


CloudVPN

VPNGateway

Cloud Router



#NABShow

Connecting to cloud

Render Farm Nodes

Render Workers

Render Workers


CloudInterconnect

CloudVPN

VPNGateway

Cloud Router



Hybrid infrastructure(better put on your glasses for this next slide…)



#NABShow

Hybrid infrastructureOn-premise infrastructure

Asset Mgmt dB Render Farm Nodes

File Server

Local Workstations

Queue Manager

Physical Cache

License Server

CloudInterconnect

CloudVPN

Read-through Cache


AssetsCloud Storage

UsersCloud IAM

NFS File Server

VPNGateway

Cloud Router


StackdriverLogging



#NABShow



File Server

Local Workstations

Queue Manager

Physical Cache

License Server

CloudInterconnect

CloudVPN

Read-through Cache


AssetsCloud Storage

UsersCloud IAM

NFS File Server

Users & Admins

Users & Admins

Cloud Directory Sync

VPNGateway

Cloud Router


StackdriverLogging



#NABShow



APIs: gcloud, gsutil, ssh, rsync, etc

File Server

Local Workstations

Queue Manager

Physical Cache

License Server

Accelerated UDP Transfer

CloudInterconnect

CloudVPN

Read-through Cache


AssetsCloud Storage

UsersCloud IAM

NFS File Server

Users & Admins

Users & Admins

Cloud Directory SyncProject data I/O

License requests

Queue Manager dispatching

Project database communication

VPNGateway

Cloud Router


StackdriverLogging



How do we secure all the things?



#NABShow

Cloud Platform resource hierarchy



#NABShow

Projects and access

Granting access Manage your organization's identities with G Suite.Implement Google Cloud Directory Sync.

gcloud SDK, Compute Engine API

Authentication is performed by the SDK itself. Credentials are picked up by the API client libraries.

Automating security checks

Implement Forseti Security to run periodic checks for policy compliance.https://github.com/GoogleCloudPlatform/forseti-security

Projects and access

Controlling user access

Encryption key mgmt

Network security Disk images Connectivity File systems Encryption Transferring

data Logging Other



#NABShow


Cloud IAM Create and manage permissions at multiple levels.

Service accounts Access Google services and resources programmatically.

Access scopes Set permissions at the resource level.

Projects and access


Encryption key mgmt


data Logging Other


#NABShow

Identity & Access Management

Who (principal)

User Service Accounts

Group Domain

Can do what

Roles: collection of permissions

Authorization Tokens

On which resource

Project VM, bucket…

Resource folder

Cloud IAM unifies access control under a single system.

Create and manage permissions at the organization, project and resource levels.

Projects and access


Encryption key mgmt


data Logging Other



#NABShow

Encryption key management

Cloud storage All data is encrypted at rest using either AES128 or AES256 encryption.Data is always encrypted before it's written to disk.

Cloud KMS Store encryption keys centrally in the cloud, for use by cloud services.Let Google manage your keys, or manage keys yourself.

Projects and access


Encryption key mgmt


data Logging Other



#NABShow

Network security

Networks and subnetworks

Isolate resources on separate networks to add an extra level of security.Subnetworks are created automatically, one for each compute zone.

Firewall rules Rules apply to the entire network. To allow incoming traffic, you must create 'allow' firewall rules.

External IP addresses

Ability to disable the assignment of an external IP on instance creation.The instance will then only be visible over VPN, or from within the network.

Projects and access


Encryption key mgmt


data Logging Other



#NABShow

Disk images

Public Compute Engine offers many preconfigured public images.Each OS image has been configured to work closely with Google Cloud Platform services and resources.

Custom Use your own custom image, but ensure you comply with security best practices.

Projects and access


Encryption key mgmt


data Logging Other



#NABShow

Connectivity

Google Cloud VPN

Regardless of how you're connected to Google, you must secure your connection with a Virtual Private Network (VPN).

Direct peering Connect directly to a Google PoP. This is typically the fastest option.

Cloud interconnect

Connect to Google using a service provider.

Projects and access


Encryption key mgmt


data Logging Other



#NABShow

File systems

Object-based Encrypted, localized, available worldwide.Pipeline implications, however.

POSIX-compliant Known as Persistent Disk (PD) on GCP.The security features of object-based storage, available as an NFS server.

Other filesystems Clustered or caching filesystems are also available, however they are not under the management of IAM or other Google security mechanisms.

Projects and access


Encryption key mgmt


data Logging Other



#NABShow

Encryption

Storage security Security features are consistent across storage classes.By default, Google manages encryption keys.

When is data encrypted?

Both at rest and in-transit.If using VPN (which you should), data is encrypted before leaving on-prem.

Projects and access


Encryption key mgmt


data Logging Other



#NABShow

Transferring data

SDK and API gsutil, gcloud, rsync, ssh can be used, but we recommend gsutil for anything less than 10Gb in size.

UDP-based Aspera, Tervela Cloud FastPath, BitSpeed Velocity or FDT are all options,however they're all third-party services and are not managed by Google.

Projects and access


Encryption key mgmt


data Logging Other



#NABShow

Logging

Stackdriver Can be used as a secure logging server for a variety of pipelines.Able to ingest thousands of concurrent log streams.

Audit logging Monitor project-based admin activity.

Projects and access


Encryption key mgmt


data Logging Other



#NABShow

Other considerations

Queue management

Use the gcloud command to communicate with Google Cloud, rather than via ssh.Consider running your queue system entirely on Google Cloud Platform.

Custom software There are a number of client libraries available for use by third-party software API.Each library provides methods for OAuth2.0 authorization.

Licensing Use your own on-prem license server across a VPN.Running a license server in the cloud.

Projects and access


Encryption key mgmt


data Logging Other


#NABShow

Best Practices for Enterprise OrganizationsGoogle Infrastructure Security Design OverviewEncryption at Rest in Google Cloud PlatformSecurely Connecting to VM InstancesGoogle Security WhitepaperUsing IAM SecurelyConfiguring Imported Images

Further reading

https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations

https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations

https://cloud.google.com/security/security-design/

https://cloud.google.com/security/security-design/

https://cloud.google.com/security/encryption-at-rest/

https://cloud.google.com/security/encryption-at-rest/

https://cloud.google.com/solutions/connecting-securely

https://cloud.google.com/solutions/connecting-securely

https://cloud.google.com/security/whitepaper

https://cloud.google.com/security/whitepaper

https://cloud.google.com/iam/docs/using-iam-securely

https://cloud.google.com/iam/docs/using-iam-securely

https://cloud.google.com/compute/docs/images/configuring-imported-images

https://cloud.google.com/compute/docs/images/configuring-imported-images



#NABShow

Questions?

THANK YOU

securing content in the cloud

Technology