Talk round-up from 'Securing The Cloud: DevOps Best Practices for Secure Operations'
Greg Smith, Principal Product Security Engineer @ GoCardless
***
Is your move to the Cloud making you feel like a fish out of water? 🎣 In our Cloud Security meetup, Principal Product Security Engineer Greg Smith cast his line and hooked the audience with his imaginative fish-themed approach to making a successful transition to the cloud, and to the importance of adopting a secure mindset. Read below for a round-up of the full talk. 🐠
Keeping your fish alive
As you move into the cloud, you need to change the way you think about looking after your workloads. You’ve got to keep your fish alive, so you need to think about the body of water they’re surviving in. Are all your pumps working? In other words, think about your data centres or workloads: you’ve got a lot more responsibility, and you need to care about every single one of your poor carp. You’ll need to protect them from predators, make sure the power’s there, and make sure they don’t get ill.
But if one of them were to get ill, what do you do? They’re all in the same pond, so it will affect the other fish; what happens to the rest of your fish when some of them are dying? That’s how you need to think about your workloads and how you’re protecting them: after all, they’re all in the same pond.
The benefits of the cloud
Security: Take advantage of the benefits of the cloud to build more secure services
Focus on business value: Build the apps and services for your customers
Simplicity: How you build in a scalable way
Automation: Faster time to value and reduced toil
With on-prem and data centre services, by contrast, you own and manage everything, and there’s a lot to manage before you add any business value.
Use the oceans! (AWS, GCP, Azure etc.)
By moving into the cloud you get the scalability and visibility you need from your services, so it’s much easier to maintain them if you do it the right way. If you can convince your organisation to move into the cloud in a sensible way, you can start to do away with some of the shadow IT you might have, which ultimately gives teams the freedom to build in an agile environment with a much better understanding of what’s there.
If you just move straight to the cloud it might cost you a lot of money at first, but you can start to see where your services are: the asset information you get from billing data and asset inventories helps you understand what’s in your cloud from a security standpoint, and if you don’t know what you’ve got, you can’t protect it.
Billing information is a source of truth, and it’s really helpful!
Don’t lift and shift!
Greg warns against simply "lifting and shifting" legacy applications to the cloud without taking into account the benefits and specific needs of the cloud. Migrating workloads and applications can be a good first step, but the real challenge is operating them in the cloud in a scalable, cost-effective, and secure manner. To achieve this, he suggests connecting services using VPC rules, taking advantage of the cloud providers’ load balancing and WAFs, and reskilling the workforce to think and operate in the cloud. To reduce complexity, Greg suggests deploying services frequently, using self-paced learning resources like A Cloud Guru or Google Cloud Skills Boost, and practising with interactive labs.
GCP Security and IAM
Here Greg discussed Identity and Access Management (IAM) in Google Cloud Platform (GCP). He suggested organising resources into a hierarchy, with the organisation at the top, followed by folders, projects, and resources. IAM permissions granted at a higher level are inherited by everything beneath it, so grant permissions at the lowest level that needs them and keep the permissions on each resource to the minimum required, to limit the blast radius when something goes wrong. GCP has basic roles (Owner, Editor and Viewer), but for production workloads it’s better to use the more granular predefined or custom roles. Using infrastructure-as-code tools like Terraform, Cloud Deployment Manager, or AWS CloudFormation can improve confidence in deploying services, because the permissions are declared in code rather than clicked together. Greg also emphasised the importance of managing identities and access to cloud services, suggesting that identities be federated from an existing provider such as Google Workspace (formerly G Suite), Active Directory, or Okta. When someone changes role, their old permissions should be dropped and the new ones assigned, rather than letting access accumulate.
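Two of the IAM points above can be checked mechanically against a project’s policy: basic roles on production projects, and old permissions left behind after a role change. The script below is an added example, not code from the talk or from GoCardless. `PROD_POLICY` is a hand-constructed policy in the shape `gcloud projects get-iam-policy <project> --format=json` returns; the principals, project and roles are illustrative assumptions, not real data.

```python
"""Audit a GCP IAM policy for two of the problems discussed above: basic roles
(Owner/Editor/Viewer) granted on a production project, and stale bindings
left behind when a person changes role.

Added example, not the speaker's or GoCardless's code. PROD_POLICY is a
hand-constructed policy in the shape returned by
`gcloud projects get-iam-policy <project> --format=json`; the principals and
roles are illustrative assumptions, not real data.
"""
from typing import Dict, List, Set, Tuple

# GCP's three basic roles. They are project-wide and far broader than any
# single workload needs, so they should not appear on production projects.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy (assumption: a hypothetical production project).
PROD_POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci@example.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["group:oncall@example.com"]},
        {"role": "roles/cloudsql.client",
         "members": ["serviceAccount:api@example.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:alice@example.com"]},
    ]
}


def roles_by_member(policy: dict) -> Dict[str, Set[str]]:
    """Invert the binding list into member -> set of roles."""
    out: Dict[str, Set[str]] = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def find_basic_role_grants(policy: dict) -> List[Tuple[str, str]]:
    """(member, role) pairs that use a basic role; each is a candidate for
    replacement with a granular predefined or custom role."""
    hits = []
    for binding in policy.get("bindings", []):
        if binding["role"] in BASIC_ROLES:
            for member in binding.get("members", []):
                hits.append((member, binding["role"]))
    return sorted(hits)


def stale_roles_after_role_change(policy: dict, member: str,
                                  roles_for_new_job: Set[str]) -> Set[str]:
    """Roles the member still holds that the new job does not need.
    These are what should be dropped on a role change instead of accumulating."""
    return roles_by_member(policy).get(member, set()) - set(roles_for_new_job)


def drop_roles(policy: dict, member: str, roles: Set[str]) -> dict:
    """Return a new policy with `member` removed from the given roles.
    Bindings with no members left are omitted rather than written back empty."""
    new_bindings = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", [])
                   if not (m == member and binding["role"] in roles)]
        if members:
            new_bindings.append({**binding, "members": members})
    return {**policy, "bindings": new_bindings}


if __name__ == "__main__":
    for member, role in find_basic_role_grants(PROD_POLICY):
        print(f"basic role on prod: {member} has {role}")
    # alice moves to a job that only needs read access to one bucket.
    stale = stale_roles_after_role_change(
        PROD_POLICY, "user:alice@example.com", {"roles/storage.objectViewer"})
    print("drop on role change:", sorted(stale))
    cleaned = drop_roles(PROD_POLICY, "user:alice@example.com", stale)
    print("alice now has:", roles_by_member(cleaned)["user:alice@example.com"])
```

In practice the cleaned policy would be fed back through `gcloud projects set-iam-policy` (or, better, through the Terraform that owns the bindings), and the same audit is worth running at folder and organisation level, where inherited grants are easiest to forget.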
Design for scale
If you’re going to design for scale, think about how you can use private VPCs: the data never traverses the internet, because it stays within the cloud environment you’re using. Use tags and labels to scale services up and down at a group level rather than managing each individual resource; this also simplifies how you find your services and lets you logically separate out your layers.
Think about dolphins: they fight off whales and sharks by grouping together to defend themselves. If you think of this as a DDoS-type scenario, they’re all working together to absorb that load and make sure you stay up and stay resilient.
To defend against attacks, GCP gives you cloud endpoints with built-in WAF functionality and Security Health Analytics, so make use of the capabilities in the ocean. Think of all the little clownfish, or our good friend Nemo: he hides away in a sea anemone for protection, and the sea anemone gives him visibility and an understanding of what’s going on around him. We’re protecting him from the predators while, of course, applying the principle of least privilege.
Secrets and builds
Greg’s talk then went on to discuss the challenges of secrets management in cloud computing. He suggests using the native tools provided by cloud providers, such as AWS SSM and GCP Secret Manager, as well as third-party tools like HashiCorp Vault. Greg also highlights the importance of authentication and access control in build pipelines, and of using platform features like Kubernetes Secrets to manage secrets rather than baking them into images or configuration. He recommends thinking about how services are built in a scalable way and adding security controls to the pipeline to ensure containers are free of known vulnerabilities.
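One concrete place to put those pipeline controls is a pre-deploy gate over the Kubernetes manifests. The script below is an added example, not code from the talk or from GoCardless. It rejects manifests whose sensitive-looking environment variables carry a literal value instead of a `valueFrom.secretKeyRef`, and, going one step beyond what the talk spells out, rejects images that are not pinned by digest, so that the image the vulnerability scanner saw is the image that actually runs. The manifests are hand-constructed Deployment specs; the container names, images, variable names and values are assumptions.

```python
"""Pipeline gate for two of the secrets-and-builds controls mentioned above:
reject Kubernetes manifests that carry secret values inline instead of
referencing a Kubernetes Secret, and reject images that are not pinned by
digest, so the image that was vulnerability-scanned is the one that runs.

Added example, not the speaker's or GoCardless's code. The manifests are
hand-constructed Deployment specs; names, images and values are assumptions.
"""
import re
from typing import Iterator, List, Tuple

# Env var names that should only ever come from a Secret (assumption: tune per org).
SENSITIVE_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
# An image reference pinned by content digest ends in @sha256:<64 hex chars>.
DIGEST_PINNED = re.compile(r"@sha256:[0-9a-f]{64}$")


def iter_containers(manifest: dict) -> Iterator[dict]:
    """Yield init and app containers from a Deployment (or a bare Pod) spec."""
    spec = manifest.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    for key in ("initContainers", "containers"):
        for container in pod_spec.get(key, []):
            yield container


def find_inline_secrets(manifest: dict) -> List[Tuple[str, str]]:
    """(container, env name) pairs where a sensitive-looking variable has a
    literal `value` instead of `valueFrom.secretKeyRef`."""
    findings = []
    for c in iter_containers(manifest):
        for env in c.get("env", []):
            if "value" in env and SENSITIVE_NAME.search(env.get("name", "")):
                findings.append((c["name"], env["name"]))
    return findings


def find_unpinned_images(manifest: dict) -> List[Tuple[str, str]]:
    """(container, image) pairs whose image is referenced by tag, not digest."""
    return [(c["name"], c.get("image", "")) for c in iter_containers(manifest)
            if not DIGEST_PINNED.search(c.get("image", ""))]


def gate(manifest: dict) -> List[str]:
    """Human-readable findings; an empty list means the manifest passes."""
    problems = [f"{c}: env {name} has an inline value; use a secretKeyRef"
                for c, name in find_inline_secrets(manifest)]
    problems += [f"{c}: image {img!r} is not pinned by digest"
                 for c, img in find_unpinned_images(manifest)]
    return problems


# Constructed manifests (not real workloads). The first would fail the gate.
BAD_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        "image": "example.com/api:latest",
        "env": [{"name": "DB_PASSWORD", "value": "hunter2"},
                {"name": "LOG_LEVEL", "value": "info"}],
    }]}}},
}

GOOD_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        "image": "example.com/api@sha256:" + "a" * 64,
        "env": [{"name": "DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "api-db", "key": "password"}}},
                {"name": "LOG_LEVEL", "value": "info"}],
    }]}}},
}

if __name__ == "__main__":
    for label, manifest in (("bad", BAD_DEPLOYMENT), ("good", GOOD_DEPLOYMENT)):
        print(label, gate(manifest) or ["ok"])
```

The name-based heuristic is deliberately simple and will want tuning (it flags anything containing `TOKEN`, for instance); the point is that the check runs in CI before anything reaches the cluster, so a secret pasted into a manifest fails the build instead of landing in git history and the image registry.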
I’d like to thank Greg for doing a brilliant job, not only for including so many different types of marine life in a talk about Cloud Security, but also for providing insightful and highly helpful information on the topic to everyone who came. It’s clear, after our recent CTO survey was released, that Cloud Security is a priority for lots of the CTOs in our network, so I’m sure they found this talk to be of great benefit!