Google Cloud Apparently Has A Security Issue Even Firewalls Can't Stop

Today on Day 2 Cloud, we talk about new ways of thinking about security for cloud. As organizations adopt cloud services, they're applying on-prem security designs to cloud. Our guest is here to argue that this doesn't work, and that you need a different approach.

Our guest is Adeel Ahmad, Implementation Services Lead at HashiCorp. This is not a sponsored show, and Adeel is speaking for himself.

We discuss:

  • The mistaken assumption that cloud security operates the same as on-prem
  • Why identity controls are essential to get right
  • Focusing on risk
  • Compliance complications
  • Hybrid and multi-cloud security challenges
  • More


  1. Aim for architectural simplicity of the platform (allows for scale).
  2. Aim to reduce operational complexity (or avoid operational hazards) – (allows for distributed self-service cloud provisioning).
  3. Understand the principle (business or compliance) risk and question whether stipulated controls add any value.

Sponsor: Aviatrix

Check out Aviatrix's Flight Training to learn about multi-cloud networking and security. It's worth your time if you're defining your company's multi-cloud strategy or want to nail down your Aviatrix Certified Engineer certification. Get details and register at

Show Links:

– Adeel Ahmad on Twitter

– Adeel Ahmad on LinkedIn


[00:00:00.190] – Ethan
Check out sponsor Aviatrix's Flight Training to learn about multicloud networking and security from the Aviatrix perspective, aviatrix dot com slash flight-training, worth your time if you're defining your company's multicloud strategy or want to nail down your Aviatrix Certified Engineer cert. Aviatrix dot com slash flight-training.

[00:00:25.950] – Ethan
Welcome to Day Two Cloud. Strap in, everybody. This show is basically getting on the back of a rocket ship and going for a ride. Our guest today is the deal, Adeel Ahmad, and we are talking about new security thinking for Cloud. And the big idea here is a lot of folks are trying to take the security designs that they had built for an on Prem environment and apply them to Cloud, and Adeel's arguing, very well I might add, that that doesn't work, and that's a dumb idea, and that can actually lead to issues.

[00:00:53.630] – Ethan
And we need to rethink how we do security in Cloud, and the rocket ship part is Adeel's brain because the man is full throttle all the way. Wouldn't you agree, Ned?

[00:01:02.640] – Ned
I would. And I don't want to belabor the point. I don't want to ramble on my own because Adeel has got so much to say. All I want to say is he asks two critical questions that everybody should be asking: the why and the so what? And if you're not sure what that means, you will find out in this episode.

[00:01:19.550] – Ethan
Enjoy this episode with Adeel Ahmad, Implementation Services Lead at HashiCorp. Adeel Ahmad, welcome to the Day Two Cloud podcast. It's fun to talk to you, man. I got to say, because I've listened to a couple hours of you on the HashiCast where you were talking about a lot of these security ideas. Ned's listened to them as well. So we're both pretty keen to dive into some of these concepts some more. But before we do that, you got to tell us, who are you? What do you do?

[00:01:49.870] – Adeel
Hi, Ethan. My name is Adeel. I'm from the UK. London. I work for HashiCorp. I've been there for the last eleven months now. By the way, me working for HashiCorp, and whatever I'm about to say is not representative of HashiCorp. They're all my personal opinions, from my experiences that I've picked up from in this role as well as, really significantly, my last role. I've worked for a Tier one investment bank, working on Google Cloud and working very closely with the UK regulations.

[00:02:22.240] – Ned
Okay, man.

[00:02:23.460] – Ethan
Got you. Okay, so we're very clear on this. Everyone listening. Yeah, Adeel works for HashiCorp. This is not him speaking on behalf of HashiCorp. This is Adeel speaking on behalf of Adeel and all of his real world hands-on experience with the security craziness, the crazy ideas you're going to bring to us, Adeel. We should start there to set the show up for everybody in a sentence. Or maybe two. Explain what SecOps folks are getting wrong about practical security in the Cloud. Maybe you could cite a few examples to help us get our heads around it.

[00:02:55.190] – Adeel
Yeah, sure. This is from my observation and my experiences working in the cloud very closely with security, is that there is a common misunderstanding that the components in the cloud, the constructs in the cloud, are very much the same as the constructs on Prem, such as a VM or networking. With that in mind, there is this tendency of applying the very same controls that you would apply on Prem and applying that in the cloud, more so especially around defense in-depth, and how some of these multiple layers are not necessarily applicable in the cloud.

[00:03:41.950] – Adeel
Definitely. Especially when it comes to understanding the impact of some of these perceived risks.

[00:03:48.980] – Ned
Right. One thing that I've seen a lot of security professionals and even IT Ops folks do is they kind of treat the cloud as just another data center, and there's so many more services and constructs in the cloud that they could be using and they totally missed the boat. I think you have a couple of examples of cases where a security professional is treating the cloud like just another data center. Could you jump into one or two of those?

[00:04:12.720] – Adeel
Yes. I think one of the biggest examples actually is in my previous role, I actually had to work hard working with both the networking team and the security team in convincing them that there's no need to carry out multiple micro network segmentation in the cloud, especially when it comes to around VPCs. And if I use Google Cloud, for instance, where they have this concept of a shared VPC, I believe AWS has recently started rolling this out, where you can have multiple billing accounts or GCP projects attached to this shared VPC.

[00:04:50.180] – Adeel
Therefore, all of these different multi tenants are actually using the same VPC. As far as saying, actually, this is what I really pushed hard with both InfoSec and our security team. Having the backing of Google is that I went as far as even pushing for having a Dev environment and a Prod environment in what we would seem to be a single subnet in Google Cloud. What we must understand, two things, right, is that we know most of us who are working in the cloud.

[00:05:25.620] – Adeel
Know and understand that there is no broadcast domain. Therefore, when you think about a slash 24 subnet, for example, if there is no broadcast domain, then intrinsically two IP addresses within that range shouldn't be able to talk to each other because there is no ARP, they'll be unable to discover each other in GCP. However, in reality that slash 24, in reality, each IP address is a slash 32. Therefore, it's its own broadcast domain and they actually route to each other providing there is a firewall rule that allows them to talk to each other.

[00:05:58.760] – Ethan
So Adeel, let's just park right there for a second and recap that. In other words, the way routing from host to host happens in the cloud is not the same as we would think of it if we were building a traditional networking VLAN. There's no broadcast domain, as you're talking about, so no ways to discover. And in fact, they're not even in the same what we would call layer two address space. They're not in the same VLAN, so to speak, they have similar address space. They're in a common block of IP addresses.

[00:06:28.930] – Ethan
But that doesn't mean it's functioning in the GCP cloud, in this example, like it would function on a switch on your on Prem network. So instead you're saying what's really happening is every host is its own standalone little domain. In order for each of those hosts to talk to one another, there's got to be a firewall rule that permits that. So if that's the case, we can rethink then what the security looks like so that the hosts are protected one from another. Just doing the same old thing we did on Prem and applying it to this construct in GCP would make no sense.

[00:07:03.550] – Adeel
Exactly. That's the point. Networking in the cloud is not networking. The constructs are not the same. I mean, they are just a facade. This is my opinion. Again, I believe that they're just a facade to ease the transition for the consumer of the cloud from moving away from this on Prem onto the cloud. Especially because if we understand these networking constructs or subnets, let's just call Subnets and Microsoft Vnets or VPCs, they all have API endpoints. Right? So if you have an API endpoint, it's a programmable object.

[00:07:39.220] – Adeel
When you understand that, you realize how you would manage that differently. In Google Cloud, for instance, you have IAM permissions against subnet. How do you have IAM permissions against subnet? It makes sense to have IAM permissions against programmable objects. So when you understand and realize actually in reality they're not subnets, it's just a contiguous block. And inherently, unless there is some kind of default allow all internal firewall rule in place. Once you understand that you realize actually forget having multiple VPCs, why do I even need to have multiple subnets?

[00:08:16.450] – Adeel
Why do I even need to go down the whole static IP addressing? Why do I even need to do any subnet planning? Why do I need IPAM?

[00:08:23.320] – Ethan
Because your boundaries are different now. So again, on Prem, the traditional way you would design a network would be you build a block of addresses. They can probably talk to one another. If you need to firewall between a group of addresses, you have some kind of a layer three point that traffic has to route between and then there's firewall rules applied at that point. Access list rules, some kind of a control there. But since the paradigm has completely changed up, in again in your GCP case here, why would you build it that way?

[00:08:53.800] – Ethan
It doesn't make sense where your checkpoints are in different places now. So it does actually change your network design, and again, just underscoring your point. Doing design and applying a security paradigm exactly like you did on Prem up in the cloud doesn't make sense. It isn't the right thing. And I guess to your point Adeel, it's making things worse or needlessly complex.

[00:09:18.120] – Adeel
100%. And that's the crux of it. When you read these security reports out there, the cloud security reports and the DevOps reports are out there. Most of them there's a trend about how a lot of these vulnerabilities or security incidents are related to these misconfigurations. I 100% believe the misconfiguration is related to the extreme complexity that we produce as consumers within the cloud. It's important we understand. And I believe from my experience, there is this piece of education that as consumers, we have a responsibility to take on ourselves, but also how our cloud providers would also need to really push on the fact of how there is a paradigm shift and how that has shifted and how we should be expected to consume the cloud.

[00:10:06.350] – Adeel
I think there is some of that also missing. I mean, you have docs, public docs out there explaining that, but to be a general enterprise, these are key pieces that really need to be in place that would help security and regulations really understand where the risk is and where the attack surfaces are and therefore what the attack vector is.

[00:10:28.740] – Ned
Right, I'm wondering if the cloud providers to a certain degree. You kind of said they wanted to present these familiar constructs to the people consuming the cloud. So they called it a subnet, but that's not really a subnet. And they called it a VPC, a virtual private cloud. But it's not an accurate descriptor. So maybe they shot themselves in the foot a little bit by going with this familiar terminology that doesn't really map to the construct that it's applied to. I guess another question that I would have is because there's all these new features and solutions in the cloud.

[00:11:07.390] – Ned
Is there stuff that SecOps is missing out on by being so focused on the traditional way of approaching security?

[00:11:17.170] – Adeel
Let's take this example, because we focus on these multiple, lower levels, lower layers. Essentially, if you look at the shared responsibility model, the clouds are very clear, to say from the host below, everything is inside the cloud responsibility, and they literally meant that, networking is your responsibility. But the networking on our layer is our responsibility. Well, it's not networking, is it, anything above that is just applications. And this is what we need to understand. Once we understand, we realize that why don't we start backwards? Let's start with, or sort of top down?

[00:11:57.870] – Adeel
Rather, let's just say right. Let's start with security application and work our way down. In essence, there's a lot of focus, especially in my experience, when enterprises are going into the cloud, the very first thing they want to do is work on the network, and they're asked to work on the perimeter, before that no one's allowed to go in. So the perimeter needs to be secured. Right. But there is no perimeter. Even though clouds have been saying there is no perimeter, why do we still focus the perimeter?

[00:12:28.380] – Adeel
Because the penny has to drop for us to understand that a perimeter would mean that there is a broadcast domain and that you're limiting this broadcast domain around the perimeter, which then you think is okay. Even if the data is open somewhat, we have a secondary protection here that they can't get out of. But it's not true, right? For instance, if you were to create, say, a GKE and you've put it inside the VPC and you've now added a perimeter around VPC, anything that goes out, in and out of, must go through some virtual network appliance.


[00:13:01.860] – Adeel
But the moment you turned on public IP address to reach GKE, it's not using your Palo Alto or F5 or whatever it is that you've got virtual appliance. It's now going through the back end of GCP's underlay and thereafter from there is going out to the Internet. So there is no perimeter.

[00:13:23.470] – Ned
It's something we've brought up multiple times, particularly in the context of networking is traditionally your data center. There's only a couple of ways out, and those ways out are guarded by metal boxes sitting there being the Sentinel for you, whether or not those were ever configured properly and usually just the tangle of firewall rules that no one can actually comprehend. But those physical boxes were there when you moved to a cloud construct. You don't have that physical box sitting there. And any developer who has sufficient permissions can just say, oh, I want a public IP address assigned to my instance, and they got it.

[00:13:59.790] – Ned
And all of a sudden you have another entry point into the network. So what's the answer? Instead of trying to set up this false perimeter, I think you sort of alluded to it with the idea of identity being a big component, and service accounts inside GCP would be an example of that.

[00:14:18.850] – Adeel
It does all come down to identity. I was a previous network engineer, and we all are familiar with the concepts of, we've seen the concept of segregation around it, but we've never called it identity. But now when we're exposed to these ideas, we understand that we were treating IP addresses as identity, right?

[00:14:42.590] – Ethan
In fairness to the industry, there's been some attempts at identity, but there's never been any one consistent theme beyond typically five tuple that ever became identity consistently across vendors. You did see some vendors doing some fancy stuff and adding a lot more metadata to give you a more intelligent identity of what that flow was and user context and so on. But it's been not industry standard, shall we say Adeel. So just to get back to your point, yeah. IP address kind of has ended up being the default identity for all of its shortcomings.

[00:15:17.730] – Adeel
100%. And what we need to understand is right is that the paradigm has changed, as in that the identity is no longer the IP address, or one must accept that the identity is now operating at a different layer. To the extent even network. In my opinion, networking professionals need to be aware or application aware and understand that the application itself has now become the identity. And if you have, for example, two applications, you're able to identify and allow or deny access, even from a networking perspective, let's put this in a networking perspective.

[00:15:52.810] – Adeel
When we have Firewalls, we would allow a contiguous block that's assigned to a set of applications to then talk to another contiguous block which is assigned to another set of applications. At this point, what we're saying is actually app A from this set of applications is only allowed to talk to app C from that set of applications, which is far more secure than allowing a big contiguous block to talk to each other because you don't have any control. For example, if there's a three tier application, you have your web tier, app tier, and DB tier.

[00:16:24.580] – Adeel
Well, you'll only allow the app tier to talk to the DB tier in another application or in another project. You can't do that with networking unless you start assigning, as you say, making those subnets even smaller.

[00:16:36.810] – Ethan
Okay, so it sounds like you're talking about different groups of applications that are classified by some kind of metadata. Things like IP addresses are ephemeral, so you can't bank on them as new nodes come up in an app pool. Let's say, because we're doing auto scaling, the IP address is going to be whatever it is, it really doesn't matter. You still need to be able to enforce a security policy no matter what IP was assigned. So you're talking about identity again, higher up the stack, where that identity is determined what that flow is.

[00:17:05.020] – Ethan
But what I'm not clear on from this perspective, where are you talking about enforcement happening? Is it still there's a control layer in there that is mapping whatever that IP address, ephemeral though it just happens to be, and doing an IP drop, or are we talking about drops and blocks happening somewhere else? Not at the IP layer at all.

[00:17:25.110] – Adeel
The point is, if we accept that IP address is no longer an accepted identity, then all of these controls that we talk about, particularly flow controls, are only around identity. And if the only accepted identity at that point, say, example, in Google Cloud is Google Cloud identity, then why would you add these other controls that are not attached to an identity or that you're forming as your own identity? But they're not identities. Like, for example, if we say the two applications, a service account is allowed to access GCS bucket, for example, right.

[00:17:56.120] – Adeel
How do you network layer to that and how do you identify that?

[00:18:03.330] – Ethan
So you're moving enforcement way up the stack to, I mean, are we saying firewalls don't matter anymore because of things like IAM controls?

[00:18:13.590] – Adeel
What I'm saying is firewalls. IAM is the new firewall, even the Firewall as a concept. Let's go back to GCP Firewall rules. GCP firewalls, although they're managed centrally, they're actually enforced at the host level, it's actually a host-based firewall. It's distributed. Right. We have the traditional concept of the firewall. It's a centralized device that we expected all the traffic to come through here. And at that point the firewalls then decide which way it goes to. Right. But the moment we start going a more decentralized enforcement approach.

[00:18:49.750] – Adeel
The concept of firewalls is not applicable here unless we say distributed host based firewall. Again, if we say hosts are ephemeral, then the firewalling is now taking place at the application. An example would be envoy proxy. Let's say is that enforcement and then you have a central control plane like Istio Service mesh basically essentially do. As an example. Let's go back to say Google Cloud or AWS. Their control plane is IAM. And the identity or the enforcement essentially, is happening at the underlying the API endpoint. If you're calling GCS Bucket or if you're calling a VM, that API endpoint is protected around an IAM and an entity or principal that's allowing a call to the endpoints.

[00:19:37.470] – Ned
Right. Because we're not just talking about virtual machines anymore with IP addresses. We're talking about all the other cloud services that exist inside a public cloud, and those don't have nice tidy IP addresses or ranges that you can necessarily assign. So we need that extra metadata to control access to those. The pushback I would have on this is the Firewall doesn't just do allow deny lists based off of Tuples, right. Some firewalls also do packet inspection and maybe even looking for suspicious traffic or malformed packets or requests that aren't expected, and they're filtering out that sort of stuff, too.

[00:20:16.580] – Ned
And if someone has managed to compromise, say, your application servers somehow and now they're trying to land and expand. I don't see the identity piece working to filter out what could potentially be a lateral attack. So how do you guard against that vector without a firewall doing that inspection?

[00:20:35.010] – Adeel
I'll disagree. Right. Because the assumption here is if you're already taking a single layer control, which is the identity based approach, at which point the assumption should be that you're already applying the principle of least privilege access. Essentially, an application would only have access to what it needs to. So if there was to be some vulnerability or some rogue activity within that application, your firewall will not prevent them from accessing what they already have access to. Right. Whatever they all have access to. Well, the firewall hasn't really added any value for those applications that they never had access to in the first place.

[00:21:16.350] – Ethan
Well, okay, I'm going to push back, as well, because Ned's statement is the Firewall is going to see certain packets that trip a signature, that fail some sort of a deep packet inspection, and discard them before they ever get to the application.

[00:21:30.750] – Adeel
What's the problem? We go to the application.

[00:21:34.170] – Ethan
Let's say the application is not patched to current vulnerability standards. Whatever's come through, that payload can take advantage of that vulnerability.

[00:21:44.530] – Adeel
Well, there's two things, right. Okay. I accept that that's a scenario that can happen, at which point we're now trying to cover or mitigate a different risk here. Right. And the risk of trying to mitigate here is this unpatched vulnerability. So this unpatched vulnerability, how is the risk here because of the human error? They forgot to patch it. We need to understand this scenario here for you to think there is a potential risk. The only way we can think of that is to understand the context is that actually we do have a human intervene process in place.

[00:22:25.920] – Adeel
Therefore, there is this risk of the inevitable human error, and at which point we think the control to mitigate that human error is this firewall. Do we not think that it's the wrong control that's been applied here? If the risk here is human error, if the risk is human error, then surely the control that we need to be applied to the human error should be removing the human altogether.

[00:22:47.530] – Ned
Well, I think a good example of this would be a SQL injection attack, right. I have an application server. It should be talking to the SQL server through whatever interface, but somehow it's been developed incorrectly. And there is this SQL injection vulnerability. If you have something in the path, say something like a WAF or something along those lines that's looking at that layer 7 and going, oh, that looks like a SQL injection attack. So I'm just going to reject that. I think there still could be value putting a device between the two different things.

[00:23:19.860] – Ned
Maybe not doing that through a traditional firewall, but still some type of filtering.

[00:23:26.890] – Adeel
I agree. Right. In principle, as in there needs to be a function that is able to detect and prevent that from taking place. I agree with that. Right.

[00:23:34.550] – Adeel
Whether that's the firewall or not, that's debatable, where I think in my view, that would take place or should take place, as in this detection and control would be something. This is an example. I don't think this exists today where if we went back to this whole distributed envoy proxy scenario at this point in time, when we apply these kind of service controls, service A can talk to Service B, that enforcement takes place on the ingress of the Envoy proxy. However, if we were able to apply those like controls again, say around SQL injection attack, and also the ability to detect or even say, don't allow anything outside of XYZ and also apply that on the egress of an envoy proxy, then you have a more distributed way of managing that instead of actually trying to centralize everything. I would have at this point, I don't know whether this exists or not, but the point is that if we were to push for that today we may be able to develop something like that, but what it is, our problem is that we try to rely on the current technology and apply that into the cloud, especially when.

[00:24:53.210] – Ethan
The part of this, I think, is driven by compliance stuff. So I've had highlighted here in the notes that I definitely want to hit this compliance thing. I've supported PCI, SOX and HIPAA environments in the US, for example. And the way some of those regulations are written there, they can be fairly prescriptive with you need to have a firewall here to separate these things. So on are those regulatory bodies of those regulations and compliance regulations keeping up with public cloud and the fact that the paradigm is changing and you can have the same security that they intend for you to have, just in an updated, in a modern way, not just replicating what we've done on Prem.

[00:25:31.550] – Adeel
Yeah. So I accept that there is that right. The regulatory that can be prescriptive and actually go to the Nth degree to dictate or describe how to isolate data from unauthorized access. In the UK, I know that FCA who take their guidelines from NCSC, is a financial conduct authority. They take the guidelines from NCSC, which is the National Cyber Security Centre, and they actually very up to date and recently have published as guidelines around zero trust architecture in the cloud. Their guidelines are more high level and more of a recommendation.

[00:26:15.480] – Adeel
So the guidelines will be around ensure that the emphasis here is the data and ensuring that the data is isolated from unwanted access, and then they start providing recommended guidelines around. Okay, well, this can be done for say, IAM. This can be done through mutual TLS. But actually the funny thing is they say that if the network is too large, such as an enterprise, they should be treated as if it was a public internet, therefore don't trust the network. I appreciate and agree this will vary from country to country, but I believe and I strongly believe and I think one of the reasons why I joined the team of HashiCorp is that I think there needs to be a push from these vendors as well as enterprise consumers.

[00:27:05.700] – Adeel
When I was working in my last role, for example, we did come across these roadblocks and we did start talking to FCA and we got clarity there. So in our case, really it was more of a, the guidelines were not so clear. Once we had directly engaged with them, we realized that we got clarity. But I do believe there's a massive effort that there's a massive gap here, especially in the effort of building more clarity or, let's just say, working together with the likes of FCA or PCI to understand or educate the nature of cloud and how it works and therefore actually to be less prescriptive, but also even for the cloud providers as well as for the cloud based vendors to understand how do their products or how do solutions within their platform, how should they be built to be PCI compliant or how can they be built to be HIPAA compliant?


[00:28:x.150] – Adeel
Now, these are efforts that I 100% believe needs to take identify, specially given that they take they build the platform with their opinion on how it should be. Therefore, I also believe it’s their responsibility to too and so reach out to these regulations to help educate them and so aid rewrite guidelines that can be like shooting fish in a barrel to consume.

[00:28:32.250] – Ned
Got yous. And so I will say that equally far as my knowledge, I don’t know nigh GCP, but both Azure and AWS exercise have guidance docs architecture docs that recommend an compages for PCI or HIPAA. Now, assuming you follow that, they don’t guarantee you’re going to pass considering they don’t want that legal responsibility. But they do have at least the guidance on that. That takes advantage of some of this stuff. But I think it’s really an education component, partly for the deject engineers. They need to brainwash themselves on unlike options out at that place.

[00:29:03.010] – Ned
Simply Additionally, those deject engineers also need to bring the compliance security folks into the conversation and permit them know, hey, these are your options. And this is a compensating control for this. You no longer have to become with the traditional approach. In that location is another approach that meets the same ultimate goal.

[00:29:23.610] – Adeel
Yeah, there’s two things there, right? I mean, you’re right. There needs to be more of those kinds of guidelines out there to say, hey, these are compliant, and I am certain here that they probably read the guidelines, based on the guidelines, this is the solution that they built, and they believe it to be compliant. They’re not saying certified because the regulations haven’t certified it. But more so, though, I think, is that even though I’ve read those guidelines, right, and when I read those solutions architects’ or recommended reference architectures or recommended patterns, when I read them, I realized that they haven’t gone to the regulations and spoken to say, hey, you need to change how you prescribe your guidelines because look how I found it.

[00:30:06.080] – Adeel
Rather, what they’ve done is pulled off the public docs. And based on that, they build out the solution architecture, because if you look at it, for example, the PCI compliant ones, they’re still recommending network segregation. They’re still recommending a separate VPC. So even though, and this is, I’m talking about Google Cloud as well, right. Even though there are constructs where they know that the isolation is already achieved, they still recommend a separate VPC because maybe they want to get something quickly. It is easily consumable. People just signed off or something and they continue with it rather than really going back to the regulations to say, hey, this network segregation that you’re talking about, it’s unfair because we want to achieve.

[00:30:46.780] – Adeel
What is it that you ultimately want to achieve here? Is that the application isolation? Is it the network isolation? If so, we’ve already achieved that. Why are you prescribing network segmentation as an example? This is the education that needs to happen. But when you look at your guidelines, they don’t reflect that.

[00:31:01.410] – Ethan
[Advert] I’m rudely cutting into this conversation to ask you where you’re at with your multi cloud networking strategy. Because a few different multi cloud networking vendors.

[00:31:08.170] – Ethan
They’ve come on as podcasts and they’ve shared their approach here on the Packet Pushers Podcast Network. One of those vendors is today’s sponsor Aviatrix. And in fact, you heard from Aviatrix engineers and a customer as Ned and I nerded out with them on the Day 2 Cloud podcast, episode number 113. We covered their data plane that’s common across all the different clouds, giving you consistent network operations. Now, if Aviatrix isn’t a company name you know very well, don’t just blow them off.

[00:31:35.470] – Ethan
I challenge you to consider all vendors that might solve your problems. And Aviatrix is going out of their way to make it easy for you to include them in your upcoming multi cloud networking bake off. First, they are well funded. So they’re going to be around for a long time.

[00:31:49.390] – Ethan
Tell your boss, Aviatrix just closed a $200 million Series E funding round if you get asked. Second, Aviatrix is also offering nerdy deep dives for you, the engineer, so that you can make an informed, nuanced decision about whether Aviatrix is the right multi cloud networking strategy for your organization. They call it flight training, and you can go for a 90 minute hands on lab.

[00:32:10.840] – Ethan
A five hour deeper instructor led hands on experience and even prep for the Aviatrix Certified Engineer certification. So give Day 2 Cloud episode 113 a listen and then visit Aviatrix dot com slash flight-training to find out more. I’m hoping to take the five hour flight school training sometime myself soon if they can find room for me. Again, that is Aviatrix dot com slash flight-training and let them know you heard about it on the Packet Pushers Podcast network. And now back to today’s episode. [/Advert]

[00:32:44.490] – Ethan
Well, the joke about these regulations, too, is being compliant with the regulations does not necessarily mean that you’re secure as well. Something else. They’re a guideline. They’re a good place. You can go an awful long way with it, but just being compliant with a particular regulation does not guarantee a secure environment, and you’re coming at it from a different way. Saying, hey, we can be compliant and not meet the regulation, or we can be secure and not meet the regulation and not be compliant, Adeel.

[00:33:16.030] – Adeel
There’s a good example of that. I can give you a good example, actually. So in my previous role, for instance, they tried to anchor on the fact that we must encrypt sensitive information or confidential information with our own keys, especially PII data, and it has to be with our own keys, and we must demonstrate control and rotation, etc, etc. And then I started looking deep into the guidelines or the regulations and the prescriptions. There, what they say is, should you encrypt with your own keys? First of all, they say that it’s actually enough for you to receive an SLA from your cloud service provider.

[00:34:00.310] – Adeel
This is, again, I’m talking about the UK here, as part of the shared responsibility model. It’s enough for you to get an SLA from your platform as far as they have encrypted it. And they are managing and they are able to provide an auditing report. They demonstrate the whole rotation and management of those keys and auditing capabilities around those. Right. So their reports or annual reports are enough for the likes of the FCA to apply and accept as compliant. That’s the first thing. Second thing, though, is okay. Let’s go with the scenario where, okay, we must demonstrate the ability to rotate and own those keys, et cetera.

[00:34:42.320] – Adeel
So in Google, they have something called CMEK, the customer managed encryption key, where you would use Google Cloud KMS to generate a KMS key, and then you would encrypt a GCS bucket or a hard drive with this KMS key, and security professionals are believing that.

[00:34:58.590] – Adeel
Okay, this is how we are demonstrating the whole management of rotation of the key. And technically, we own the key because it’s under the ownership of the account of the banks. The truth, though, is that CMEK enabled the GCS bucket. Well, what they mean there is that, first of all, the KMS key is not what’s encrypting the data. That’s a KEK. Right. The key encryption key, which is encrypting the GCP owned DEK, the data encryption key. So all you’ve done is demonstrated the rotation and management of a key that’s encrypting the key and not the data.

[00:35:38.900] – Adeel
So actually, you’re not compliant, but you’ve got a false sense of control, and all you’ve done is actually added an operational hazard and increased operational complexity. Because with KMS keys, there’s that danger where if you delete that KMS key, you’ve lost that data forever.

[00:35:59.050] – Ned
Right. I think that’s an important thing to really draw out a little bit. And what you’re talking about is we have this idea in security of defense in depth, that I need multiple layers of security and more layers is probably better. Right?

[00:36:13.320] – Ned
Because if they go through one layer, oh, there’s another layer. Now you can’t go through that one. But each of those layers, like managing your own key, that is another layer of administrative burden, complication and a possible failure too. Because like I said, you mishandled the key, you lose the device that has the original key on it. You’re kind of up the creek without a paddle, as it were, there.

[00:36:39.410] – Adeel
100%. There is that piece. Right. But again, you might have some security professionals that will show no empathy towards that. Right. They’re showing the empathy towards the operational complication or any workflows around that, but just for the mandate. You must have it. How you do it? That’s up to you. Okay, fine. Fair enough. You’re security. Let’s go with the security perspective. Right. Have you considered that each of these layers is an additional attack surface? Therefore, there’s an attack vector here. I’ll give you one example in my last role again, when I was rolling out HashiCorp Vault, I ensured that everyone has access to Vault.

[00:37:18.040] – Adeel
There is no networking restriction on who can access Vault. Every client is essentially a Vault client, everybody is a Vault client, and we will control the RBAC through Vault policies. And the security team then were going to respond to it, and we should have a broker. We should also have multiple layers of load balancers or firewalls. Actually, two layers of firewalls. And then obviously having a broker in between all of this stuff. Right. To prevent from, what are you trying to prevent? What are you trying to mitigate here? A DDoS attack.

[00:37:53.410] – Adeel
I said, if they do a DDoS to the firewall, your Vault services are unavailable. Right. Let’s consider that. I think all these other layers, if those layers were then compromised. When I say compromised, at this point, they had a DDoS attack and therefore normal traffic can’t go through, so your Vault service is unavailable. So the impact is just as much as if you had your Vault service open to all the other clients. So really the problem hasn’t gone, right?

[00:38:24.470] – Ethan
You’re arguing the difference between designing a holistic security system where every step is designed to work as an integrated whole versus I on this team am responsible for this piece. And so therefore, I have to have that piece in place so that when things go sideways, I don’t get blamed, which sadly, is what frequently happens.

[00:38:42.030] – Adeel
The truth. But the truth of the matter is, let’s take it back to you, on a business level. Why is an enterprise going to the cloud? And the bottom line is they want to save money. They’ve been promised. They’ve been given an ROI to say if you get into the cloud, the X number of VMs that you had on prem moved to the cloud, you’re saving XYZ money. But what’s not apparent there is that if you were to design and consume the power consumption model this way, then you will save this money.

[00:39:11.780] – Adeel
Right. Which means that actually those silos that you’ve created, those you have on prem rather, and those human intervention change review processes, human review processes you have, if you want to apply that into the cloud, you’re actually more expensive. And what happens, and you’ll see in my experience, what’s happened is that third year into the program, the plug is pulled because it’s too expensive. We don’t see the returns and actually come back to on prem again. This is what you see because the exec team don’t understand why they’re not saving the money that they’ve been promised.

[00:39:45.590] – Adeel
The point I’m trying to make here is that security or governance and all of these silo things probably don’t have, deliberately don’t have the business context. And they should. For example, let’s talk about some of the securities and the impact of such if, for example, there is a risk, I don’t know. Let’s come back to the case of lateral movement and networking. So we have full confidence that all applications are secure at the top layer. Yet, security professionals are demanding and mandating that we should start specifying which ports to be open in each of these hosts, which are host based firewalls.

[00:40:31.030] – Adeel
And in addition to that. But let’s just add all of this stuff. Right. What’s the risk here? We say it’s just best practice. The thing is, we need to understand here is that if there are no risks, well, let’s just say we did get a rogue attack, or rather unauthorized access into the network. My response will be, so what? Right? If there is no impact, why are you investing up front? Again, I’m not dismissing that these controls be applied, but I think if you take the business impact into consideration, it helps you prioritize those controls.

[00:41:10.540] – Ethan
Yeah. You’re arguing for risk assessment. What is the risk? And if the risk is tolerable enough, why are we killing ourselves with all of this complexity, either in the design or the cost to put this control point in? If the risk is tolerable, we can handle it. If we get hit with that thing, it’s fine.

[00:41:28.070] – Adeel
Yes. Especially what you need to understand is if you think, what’s the harm in doing that, is it not better to have multiple layers anyways, have you not considered the unintended consequences that have come about because of those? Right. Let’s understand that. And start weighing up the pros and cons. And this is what we’re not doing, because again, the silos haven’t gone. We’re so isolated with really not having contextual architecture. And this is extremely important, especially even with this KMS piece. Right? If the data, given that it’s not storage, one of the things one security professional I was having a long debate about is, let’s use the example of the VM image, and security professionals were mandating that those VM images must be encrypted.

[00:42:18.230] – Adeel
With the KMS key. I asked them the hard question. Why?

[00:42:26.690] – Adeel
Because someone might pull the image down from GCS market and then fire it up on a VMware VirtualBox. This is where we need to understand a VM image in the cloud is not the same as a VMDK, as an example, right? It’s not files. It’s an object that is represented as a file to us. But in reality, they’re sharded pieces of multiple streams that come together to represent this VM image to us. When you understand that the underlay engine, the storage engine, for example, the image engine, right, they’re built up of multiple components, Google Cloud has published.

[00:43:04.550] – Adeel
I know I’m always referencing back to Google Cloud only because that’s where the majority of my cloud experiences are. They will publish all these white papers to explain how Andromeda works, how Colossus works. It will tell you how all of these images, in reality, in the back, they’re just sharded different types of objects. And even if you did, for example, happen to bring them all together, you can’t spin them up with VirtualBox as a VMDK. So that’s the first piece of understanding. Right? But let’s just say you can.

[00:43:34.740] – Adeel
And then what? My next, I will ask the question again. Then what? Okay, so someone managed to download a VM that was based by the bank. Okay, why are you basing a base golden image with sensitive information, and all might have sensitive information? A base image should just have a manifest of what the bank presumes to be your secure image. For example, it should have the Splunk agent installed in it, it should have different monitoring, but any sensitive information or, like, a password back to home for connectivity.

[00:44:18.990] – Adeel
Again, I know I’m contextual here, right? But in a scenario where you have a secrets manager or you have something like Vault, then essentially, you would spin up Vault agent, and that would pull up all these secrets at runtime once booted up, all the secrets or credentials, place them in the necessary ini file, and then those agents, other agents will operate based on that. In our scenario, we did that right now, we did have our base images that way. So I don’t understand what the problem is. If someone did, say, manage to find, first of all, the way the nature of the cloud, even an internal, say, Google employee can’t actually steal a disk and find anything in there.

[00:45:01.340] – Adeel
Secondly, the bucket that it is stored in, again, that bucket is a back endpoint which no one else has access to. Let’s just say forget all of that. Right? Forget all these other controls. Even if it’s just that it was properly bare and it’s open. What’s the problem? And I think that should be the first question we should ask before we start creating all these controls to a nonexistent risk.

[00:45:24.000] – Ethan
I love the Adeel school of security. So what? So what if it happens? Is that so bad? It’s actually an important question.

[00:45:32.620] – Ned
I like the two things that you keep coming back to, is so what? And why? When someone comes to you with the control they want you to put in place, what’s the actual risk that you’re trying to mitigate against? And why is that a problem? The thing that I keep coming back to is you’re talking about all these additional services and options and features that exist in the cloud that allow you to approach a security issue from a totally different light, like having a secrets manager where you can store all of that sensitive data, you don’t have to bake it into the gold image.

[00:46:06.940] – Ned
You can just have it dynamically pull at boot up, and you can configure that secrets manager to only accept requests from a validated identity, which gets back to our identity conversation. That VM has an identity on any of the clouds. They all have some version of that. And if it can’t verify the identity, the secrets manager goes no, you can’t talk to me and get that information. So that completely makes sense to me. One last thing I want to bring up, and this is because we’ve really been focusing on GCP, and obviously there’s at least three big clouds out there and then other clouds as well.

[00:46:45.980] – Ned
Alternative public clouds, I’ve heard them called. How does your concepts, how do your concepts map to a multi cloud world where an organization isn’t just dealing with GCP, but they’re also dealing with Azure and AWS? Let’s say.

[00:47:06.190] – Adeel
That’s a gap. The reason why I say this is because if you were to consume AWS or Azure or GCP, it just goes that cloud alone. You’re taking advantage of their native cloud identity system to be able to manage that. Right. The moment you start going to multi platform, given that we don’t really have a good story around a vendor neutral, solid accepted identity system, it becomes quite difficult to do. From a user base. Let’s take it back to our user base. Right.

[00:47:41.960] – Adeel
We have multiple identity providers now, like Okta, like Centrify, all of these different ones for a human. And they’ve got a good story now where they try to add all these different factors to identify you properly. For example, the location, what device you’re coming from, what kind of plans on your phone, as in the usual business hours for you. Other factors. Right. And all of these build this kind of trust to say, okay, actually, you’re authorized to access XYZ, or like, for example, if you’re not coming from a trusted device, then you do have access to your emails, but you won’t have access to Git.

[00:48:22.290] – Adeel
There’s a good story there, but there needs to be a good story for machine authentication, because what I’m suggesting here is essentially, I’ve already assumed that the human element is now removed away from the process. For you to remove the human element, that means that we have a good story around human authentication. I’m sorry. Machine authentication and machine identity. I mean, you could possibly, for example, Vault, HashiCorp Vault. I know, referring back to Vault as well, but because I’m quite passionate about it and I’ve been using it a lot.

[00:48:57.880] – Adeel
For example, you can create multiple authentication methods like AWS, so that Vault then recognizes AWS machine identity because you just plug into the AWS platform. And this by the same virtue for Google Cloud and Azure. Right. So there is a potential where actually, I can perhaps, for example, have Azure VMs be able to consume content from a GCS bucket. And how we would do that would be we would have to first speak to Vault. Vault will then provide dynamically generated credentials after that, to the actual VM, and then the actual VM would use that to consume GCS, so it’s possible.

[00:49:39.090] – Adeel
But there is also the element of passing credentials around. One of the things I discussed in our HashiCast with Rob was that ideally, right, we need to move away from secret zero. And with Vault essentially, even though I don’t like to call it secrets management because I don’t think it does justify that. Rather, I think it’s dynamic access management. But the only problem is how does it provide access? It provides access by providing or generating credentials. Right. But what we really need to do is move away from credentials in the first place.

[00:50:11.830] – Adeel
Just like how Azure, AWS and Google have a good story when they do the whole IAM control, when you can say actually, this GCS bucket can only be, this VM has read access to this GCS bucket. There are no credentials that they pass around to make that happen. So today for a multi cloud scenario, you need to have some kind of central, say multi platform accessible function like Vault or, say, Consul as another example, a federated service mesh. Actually forget Consul, just a federated service mesh right across multiple platforms that can also unify those kinds of resource identity, and Vault again can also kind of facilitate that as well.

[00:51:01.330] – Adeel
From the point where if you were to integrate with every process or every communication process, so have you talking to another VM or talking to, say, BigQuery or RDS, must go to Vault and generate a credential on the fly and give that to you. We can do that today. But in an ideal world, really, we should be moving towards something that is more credential-less. But it does mean that the identity will be central, has centralized. Rather, it will be ubiquitous, an identity that will be accepted across multiple platforms.

[00:51:33.420] – Adeel
I think that’s a future state, right?

[00:51:35.990] – Ethan
Yeah. It is a future state, and it feels like actually kind of a natural place for us to end up this conversation today, Adeel. Man, I think you have fit in twice as many words as any of our other guests ever. You talk so fast.

[00:51:48.170] – Adeel
Sorry. Especially when I get passionate. I got so much in my mind, I feel like I need to unload and I have all this context out of my head. Everyone already knows what I’m talking about.

[00:52:02.930] – Ethan
No, it’s great. But compartmentalize three big things. Three takeaways from this episode, things you want to leave the listener with. But keep them tight. Some bullet points that folks can walk away with from today.

[00:52:14.930] – Adeel
Yes. Okay. There are three ways I’ll be succinct, right? Is that first of all, security is everybody’s job. It’s about the awareness that really every different function should have. So it shouldn’t be centralized back to the security professional. Second is understanding the business risk and actually not just that, is to don’t be afraid to go ahead and really carry out a streamlined validation process, even though these risks seem to be the same risk that you may seemingly seem to be appearing on prem. Don’t be afraid to go ahead and run a validation process.

[00:52:51.800] – Adeel
That’s the second one and the third is understanding the identity piece and understanding how the identity being the master layer. And what does that look like for each different cloud provider? Those are the three things I think are key going to the cloud.

[00:53:13.560] – Ethan
The identity thing is particularly big to me. The more I thought about some of your ideas when I was listening to the HashiCast that you were on earlier and so on. That’s the point I keep coming back to. Identity changes the game, how we think about securing application workloads and flows and so on. Adeel, how can folks follow you on the Internet?

[00:53:33.470] – Adeel
I’m on Twitter. My Twitter handle is DevOps underscore Adeel. That’s the one I’m most active on, and I’m keen on getting lots of feedback from everyone. I may be wrong. These are all personal ideas I have. So I’d love to share this with everyone. And really, the more people can come together, maybe there’s some mature story that comes out of this.

[00:53:54.490] – Ethan
Yeah. And Adeel really does want to have more conversations with you. This whole show began because he pinged me on Twitter just to have a chat about some of the things he was talking about on a couple of HashiCast podcasts. And we had some back and forth and some dialogue, and it turned into this show. And so, yeah, at DevOps underscore Adeel, hit him up with your thoughts and ideas and questions and let’s get a conversation going as a group of people that listen to Day 2 Cloud, that would be fantastic.

[00:54:19.670] – Ethan
So, Adeel, thanks to you again for appearing on Day 2 Cloud. And if you’re still listening out there, virtual high fives to you, you made it, amazing. If you have suggestions for future shows, Ned and I want to hear them. We monitor at Day 2 Cloud show on Twitter. So tweet us your ideas. And if you’re not a Twitter person, that’s cool, go to Ned’s fancy website ned in the cloud dot com. He’s got a form there and you can submit your ideas there. A little bit of housekeeping now.

[00:54:43.280] – Ethan
Did you know that you don’t have to scream into the engineering void alone? You’re not alone out there because the Packet Pushers Podcast network has a free Slack group that’s open to everybody. Visit Packet Pushers dot net slash Slack and join. It’s a marketing free zone for engineers to chat, compare notes, tell war stories, and solve problems together. Packet Pushers dot net slash slack and we’ll see you in there. And until then, just remember, Cloud is what happens while IT is making other plans.
