If you want to learn what's up and coming for Google Cloud and make some great connections, Google Cloud NEXT is an informative, lively event to prioritize on your conference calendar. Coalfire attended the recent Google Cloud NEXT '18 conference in San Francisco (July 24-27) and found it to be a good venue to meet existing customers, make new contacts, and attend informative technical sessions. This is the second year for Google Cloud's conference, and it proved to be a platform for many product and feature announcements while conveying a strong security theme. In addition to the many technical talks on security topics, Google Cloud made several important service announcements related to security; this blog post will review a few of the more noteworthy topics.
In addition to security, Kubernetes was also a hot topic at the conference. Kubernetes orchestrates containers, but securing it brings its own challenges, notably hardening the cluster and micro-segmenting traffic between workloads. It is important to understand that the managed-service approach, using Google Kubernetes Engine (GKE) rather than running Kubernetes yourself, should not be seen as "turnkey" for security: Google operates the control plane, but node, workload, RBAC and network configuration remain the customer's responsibility. High-level takeaways include the importance of configuration management (replacing permissive defaults with explicit settings; for example, until a NetworkPolicy says otherwise, every pod in a cluster can reach every other pod) and partitioning traffic for different workloads.
Google offered multiple sessions on how to configure and manage Kubernetes security, both for on-premises Kubernetes and GKE customers. Google publishes all sessions from the conference, so folks who weren't lucky enough to attend can still learn from them. Two notable sessions to view are GKE Multi-tenancy Best Practices and Kubernetes Enterprise Security. Google also provided details on the many security integrations now available to GKE customers.
Coalfire often receives questions from customers on how to secure containers (read: microservices). Containers can pose challenges for customers with regulatory requirements to secure the perimeter of their in-scope environment, because containers were conceived as lightweight environments for running code, not as security boundaries: they share the host kernel, and by default they all share a flat network. Reproducing firewall-like traffic control between them therefore takes additional effort to isolate and secure clusters, even before other operational considerations, such as visibility and auditability, are layered on.
To aid customers with these requirements, GKE now offers integrations with multiple industry tools for container security management. Each has a specific focus, but all add visibility into security posture. Istio provides a service mesh in which every service receives a cryptographic identity and traffic between services can be mutually authenticated and encrypted, a useful foundation for logical access design. Aqua Security and Twistlock offer options to better manage container perimeters. Capsule8, Sysdig Secure, and StackRox offer advanced threat detection and protection capabilities. All integrate with Cloud SCC, Google Cloud's Security Command Center.
For container workloads that should be sandboxed, Google has open sourced gVisor, a lightweight sandbox for untrusted code that ships as an OCI-compatible container runtime (runsc). Rather than letting the container issue system calls directly to the host kernel, gVisor intercepts them and services them from a kernel implemented in user space, so an escape must first get through that layer. gVisor grew out of the sandboxing Google uses for customer code in services such as Google App Engine.
There were also a number of interesting announcements around logical access at the show; we'd like to highlight two that matter both to Google Cloud customers and to a broader audience. Google's BeyondCorp context-aware approach to securing its own workforce has been a documented success story, and two elements of that design are now available to Google Cloud customers: VPC-level policy controls (VPC Service Controls), which draw a service perimeter around Google Cloud resources so that their APIs and data cannot be reached from outside it, and Cloud Identity-Aware Proxy (IAP), which authenticates and authorizes each user before a request reaches the application. One caveat for IAP adopters: the proxy protects only requests that pass through it, so the application must verify the signed header IAP adds to each request (x-goog-iap-jwt-assertion) and must not be reachable except through the proxy; otherwise anyone who can reach the backend directly simply bypasses the check.
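Cloud IAP passes the authenticated user to the backend in a signed JWT carried in the x-goog-iap-jwt-assertion header, and the backend has to validate that token itself. The following Go program is an added example, not code from the original post or from Google, of that validation: it pins the algorithm to ES256, verifies the signature over the JWT signing input, then checks issuer, audience and expiry. The audience string, the signing keys, the clock and the claims are constructed placeholders, and the signer that mints tokens here is a stand-in for IAP so the program runs offline; Google's real verification keys are published at the URL named in the comment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Values the backend pins. The audience is a placeholder; real ones look like
// /projects/PROJECT_NUMBER/apps/PROJECT_ID or /projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID.
const (
	iapIssuer   = "https://cloud.google.com/iap"
	expectedAud = "/projects/123456789/apps/example-project"
)

// IAPClaims is the subset of the assertion payload the backend acts on.
type IAPClaims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// VerifyIAPAssertion validates one x-goog-iap-jwt-assertion header value against an IAP signing key.
// Production code picks the key by the header's "kid" from https://www.gstatic.com/iap/verify/public_key,
// which rotates, so cache and refresh that set.
func VerifyIAPAssertion(token string, pub *ecdsa.PublicKey, now time.Time) (*IAPClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed assertion")
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	var header struct{ Alg string `json:"alg"` }
	// Pin the algorithm: the token must never choose it (rejects "none" and key-confusion tricks).
	if err != nil || json.Unmarshal(headerJSON, &header) != nil || header.Alg != "ES256" {
		return nil, fmt.Errorf("bad header or alg %q is not ES256", header.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // ES256 signatures are raw r||s, 32 bytes each
		return nil, fmt.Errorf("bad signature encoding")
	}
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, fmt.Errorf("signature does not verify")
	}
	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims IAPClaims
	if err != nil || json.Unmarshal(payloadJSON, &claims) != nil {
		return nil, fmt.Errorf("bad payload")
	}
	// A genuine IAP token minted for another project or backend is still a forgery here.
	if claims.Iss != iapIssuer || claims.Aud != expectedAud || !now.Before(time.Unix(claims.Exp, 0)) {
		return nil, fmt.Errorf("rejected: iss=%q aud=%q exp=%d", claims.Iss, claims.Aud, claims.Exp)
	}
	return &claims, nil
}

// MintAssertion is a constructed stand-in for IAP's signer so the example runs offline.
func MintAssertion(priv *ecdsa.PrivateKey, claims IAPClaims) (string, error) {
	headerJSON, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	payloadJSON, _ := json.Marshal(claims)
	signingInput := b64(headerJSON) + "." + b64(payloadJSON)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return signingInput + "." + b64(sig), nil
}

// Scenario sends three assertions through the verifier: a genuine one, one signed with a key IAP does
// not use (what a caller reaching the backend directly could forge), and a genuine one for another
// audience. Keys, clock and claims are constructed for the example.
func Scenario() (genuineOK, forgedRejected, wrongAudRejected bool, err error) {
	iapKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	attackerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Unix(1532500000, 0) // fixed clock so the result is deterministic
	claims := IAPClaims{Iss: iapIssuer, Aud: expectedAud, Exp: now.Add(10 * time.Minute).Unix()}
	other := IAPClaims{Iss: iapIssuer, Aud: "/projects/123456789/apps/other-project", Exp: claims.Exp}
	genuine, _ := MintAssertion(iapKey, claims)
	forged, _ := MintAssertion(attackerKey, claims)
	wrongAud, _ := MintAssertion(iapKey, other)
	_, e1 := VerifyIAPAssertion(genuine, &iapKey.PublicKey, now)
	_, e2 := VerifyIAPAssertion(forged, &iapKey.PublicKey, now)
	_, e3 := VerifyIAPAssertion(wrongAud, &iapKey.PublicKey, now)
	return e1 == nil, e2 != nil, e3 != nil, nil
}

func main() { fmt.Println(Scenario()) }
```

Running it prints `true true true <nil>`: the genuine token is accepted, the token signed with a key IAP does not use is rejected, and so is a genuine token for a different audience. The audience check is the one most often skipped; without it, a token IAP legitimately issued for any other project or backend would be accepted here.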
Google uses U2F security keys internally for employee multi-factor authentication and has now released its own design, the Titan Security Key, as a widely available product compatible with the FIDO U2F standard; it incorporates a Google-developed cryptographic module. Why use a U2F security key? U2F keys provide protection from phishing, a continued and growing threat to the enterprise. Using multiple factors for authentication is an industry best practice, but it can be implemented in several different ways. As recent events have reinforced, second factors delivered by SMS can be intercepted or redirected, for example through SIM swapping. Mobile applications that generate one-time codes avoid the SMS issues, but a code is still just a string: a lookalike site can ask the user to type it in and relay it to the real site before it expires, or it can be talked out of the user by social engineering. A U2F key never emits a code for the user to handle. It holds a private key and signs the server's challenge together with the origin that the browser observed for the page making the request; the browser, not the page, supplies that origin, so a signature obtained on a lookalike domain does not verify at the real site, and the response travels from the key to the browser directly, with no step the user can be tricked into performing. A touch on the key also proves a human is present for each signature.
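The origin binding described above, as an added example that is not part of the original post and does not reproduce any vendor's implementation. It models one U2F registration with Go's standard library: the device signs SHA-256 of the appId the browser supplied, a user-presence byte, its counter, and SHA-256 of the client data carrying the challenge and origin; the relying party rebuilds that byte string with its own appId before verifying. The appId, the phishing origin and the challenge are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// rpAppID is the RP's own U2F appId (placeholder); a browser only lets a page request assertions for an appId matching its own origin.
const rpAppID = "https://accounts.example.com"

// Key models one registration on a U2F security key: a P-256 key pair plus its signature counter.
type Key struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// signedBytes builds the U2F authentication signature input: SHA-256(appId) || user-presence byte || 4-byte big-endian counter || SHA-256(clientData).
func signedBytes(appID string, counter uint32, cdJSON []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(cdJSON)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	out := append(app[:], 0x01) // 0x01: the user touched the key
	out = append(out, ctr[:]...)
	return append(out, cd[:]...)
}

// Sign is the device's half. The browser, not the page, supplies appID, derived from the origin of
// the page that asked; a page cannot have the device sign for someone else's origin.
func (k *Key) Sign(appID string, cdJSON []byte) (uint32, []byte, error) {
	k.counter++
	digest := sha256.Sum256(signedBytes(appID, k.counter, cdJSON))
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, digest[:])
	return k.counter, sig, err
}

// clientData is what the browser assembles: the server's challenge plus the origin it observed.
func clientData(challenge, origin string) []byte {
	return []byte(fmt.Sprintf(`{"typ":"navigator.id.getAssertion","challenge":%q,"origin":%q}`, challenge, origin))
}

// Verify is the relying party's half. It checks that the client data names its own challenge and origin, then
// rebuilds the signed bytes with its OWN appId, so a signature made under another origin cannot match. lastCounter is the highest counter accepted before for this key.
func Verify(pub *ecdsa.PublicKey, challenge string, counter, lastCounter uint32, cd, sig []byte) (bool, string) {
	var parsed struct {
		Challenge string `json:"challenge"`
		Origin    string `json:"origin"`
	}
	if err := json.Unmarshal(cd, &parsed); err != nil {
		return false, "unparseable client data"
	}
	if parsed.Challenge != challenge {
		return false, "challenge mismatch (replay?)"
	}
	if parsed.Origin != rpAppID {
		return false, "origin mismatch: " + parsed.Origin
	}
	if counter <= lastCounter {
		return false, "counter did not advance (cloned key?)"
	}
	digest := sha256.Sum256(signedBytes(rpAppID, counter, cd))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return false, "signature does not verify for our appId"
	}
	return true, "ok"
}

// Scenario plays one genuine login and two phishing attempts against the same registered key.
// The challenge is a constructed constant; a real RP draws fresh random bytes per login.
func Scenario() (genuineOK, relayRejected, rewriteRejected bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // enrollment
	if err != nil {
		return
	}
	key, pub := &Key{priv: priv}, &priv.PublicKey
	const challenge = "Yjc2ZTU0OTgtZXhhbXBsZS1jaGFsbGVuZ2U"
	// 1. Genuine: the user is on accounts.example.com, so the browser hands rpAppID to the device.
	cd := clientData(challenge, rpAppID)
	n, sig, err := key.Sign(rpAppID, cd)
	if err != nil {
		return
	}
	genuineOK, _ = Verify(pub, challenge, n, 0, cd, sig)
	// 2. Relay phish: evil.example fetched the real challenge and shows a lookalike page; the browser tags the request with the phishing origin, so the device signs for that appId.
	phishCD := clientData(challenge, "https://evil.example")
	n2, sig2, err := key.Sign("https://evil.example", phishCD)
	ok, _ := Verify(pub, challenge, n2, n, phishCD, sig2)
	relayRejected = !ok
	// 3. The attacker rewrites the client data to claim the real origin; now the signature fails.
	ok, _ = Verify(pub, challenge, n2, n, cd, sig2)
	rewriteRejected = !ok
	return
}

func main() { fmt.Println(Scenario()) }
```

Running it prints `true true true <nil>`. The relay attempt fails because the client data says the user was on evil.example; the rewrite attempt fails because the device hashed the phishing appId into what it signed, and the relying party reconstructs that input with its own appId. Neither check depends on the user noticing anything, which is the property a one-time code cannot offer.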
Overall, Google Cloud NEXT '18 was a valuable glimpse into future product advancements, immersion in current relevant topics, and a good networking opportunity.