App Engine A Practical Approach To Cyber Security WCA - 2019
1 BILLION users
Let’s level set with some definitions and examples
Cyber security: protecting digital data and assets (a subset of information security)
Goals: 1. Confidentiality 2. Integrity 3. Availability
Adversaries: 1. Activists 2. Profiteers 3. Nation States
Threats: 1. Data Exfiltration 2. Ransomware 3. Advanced Persistent Threats
Typical View of Security
Traditional Security
As you conduct periodic assessments of risk, here are Five Things to Consider
1. Use Policy to Limit Access
● Least privilege access is imperative
● Focus on central administration and monitoring
● Regularly audit your accounts and review access privileges
2. Protect the Logs
● Compromise of logs can lead to a complete systems compromise
● Know where your logs are being stored and who can access them
● Consolidate and retain your logs for as long as possible
3. Understand Your Network Boundaries
● Connections to the cloud open new attack vectors for your network
● Define a connectivity strategy to the cloud from on-premises
● Options: Trusted Internet Connections, Virtual Private Cloud, etc.
4. Inventory Your Endpoints
● Build and maintain an inventory of your endpoints
● Understand your endpoint statuses (patched, virus scanned, etc.)
● Employ a rules engine that grants access based on status
5. Patch, Patch, Patch
● Patch your systems as soon as patches are available
● Make sure your providers are patching their services
● Get out of the patching business where able
A view of Google’s cyber security landscape, from concrete to customer
Google Cloud Platform: Our global infrastructure (map slide). Shows current regions and number of zones, future regions and number of zones, edge points of presence, CDN nodes, network, dedicated interconnect, and subsea cables (Unity 2010, SJC 2013, Faster 2016, Monet 2017, Junior 2018, Tannat 2018, Havfrue 2019, PLCN 2019, Curie 2019, JGA 2019, HK-G 2019, Indigo 2019, Dunant 2020).
Defense in depth at scale, layered from the bottom up: Hardware → Boot → OS + IPC → Storage → Network → Application → Deployment → Operations → Usage
Infrastructure defense against key attack vectors, by layer:
Usage: Security Key Enforcement; Usage Log Auditing; Safe Browsing API; BeyondCorp
Operations: Compliance & Certifications; Live Migration, maintenance & patching; Infra Threat analysis and intelligence; Open Source Forensics tools; Anomaly Detection (Infrastructure); Incident Response (Infrastructure)
Deployment: Google Services TLS encryption with perfect forward secrecy; Certificate Authority; Free and automatic certificates (PaaS & SaaS); DDoS Mitigation
Application: Peer code review & Static Analysis (Infrastructure SDLC); Source code/Image provenance (Infrastructure); Binary authorization (Infrastructure code); WAF (PaaS & SaaS use cases); IDS/IPS (PaaS & SaaS use cases); Web Application Scanner (Google Services)
Network: Infrastructure RPC encryption in transit; Andromeda SDN Network Controller; Jupiter Datacenter Network; Global Private Network between data centres; B4 SDN Network
Storage: Identity and Access Management; Global at-scale Key Management Service; Encryption at rest; Logging
OS + IPC: Encryption of Interservice Communications; Hardened KVM Hypervisor; Authentication for each host and each job; Curated Host Images
Boot: Cryptographic Credentials; Trusted Boot
Hardware: Purpose-built Chips; Purpose-built Servers; Purpose-built Storage; Purpose-built Network; Purpose-built Data Centers
Thanks!