
Securing Content in the Cloud


The last 3 years have seen a major shift in how Hollywood film studios view public cloud usage. With increased awareness and general acceptance of the security and scalability these clouds offer to the VFX and animation vendors creating pre-release content, the focus has now shifted to ensuring best-practice implementation.
Speaker: Adrian Graham, Google



  1. Securing Content in the Cloud. Adrian Graham, Cloud Solutions Architect. March 20, 2017 (#NABShow)
  2. Why security?
  3. Overview: On-premises infrastructure; Cloud infrastructure; Connecting to cloud; Hybrid infrastructure; Secure all the things!; Further reading
  4. On-premises infrastructure
  5. On-premise infrastructure (diagram): Render Farm Nodes, Local Workstations
  6. On-premise infrastructure (diagram): adds File Server
  7. On-premise infrastructure (diagram): adds License Server
  8. On-premise infrastructure (diagram): adds Render Workers
  9. On-premise infrastructure (diagram): adds Queue Manager
  10. On-premise infrastructure (diagram): adds Asset Mgmt
  11. Cloud infrastructure
  12. Cloud infrastructure (diagram): Rendering VMs (Compute Engine); Data ingress/egress
  13. Cloud infrastructure (diagram): adds Assets (Cloud Storage), Data ingress
  14. Cloud infrastructure (diagram): adds NFS File Server
  15. Cloud infrastructure (diagram): adds Read-through Cache
  16. Cloud infrastructure (diagram): adds Cloud-based License Server, fed from on-prem licenses
  17. Cloud infrastructure (diagram): adds Users (Cloud IAM), LDAP sync
  18. Cloud infrastructure (diagram): adds Stackdriver Logging
  19. Connecting to cloud
  20. Connecting to cloud (diagram): On-premise infrastructure with Render Farm Nodes and Render Workers
  21. Connecting to cloud (diagram): adds Cloud VPN, VPN Gateway
  22. Connecting to cloud (diagram): adds Cloud Router
  23. Connecting to cloud (diagram): adds Cloud Interconnect
  24. Hybrid infrastructure (better put on your glasses for this next slide…)
  25. Hybrid infrastructure (diagram). On-premise: Asset Mgmt dB, Render Farm Nodes, File Server, Local Workstations, Queue Manager, Physical Cache, License Server. Connectivity: Cloud Interconnect, Cloud VPN, VPN Gateway, Cloud Router. Cloud: Read-through Cache, Rendering VMs (Compute Engine), Assets (Cloud Storage), Users (Cloud IAM), NFS File Server, Cloud-based License Server, Stackdriver Logging
  26. Hybrid infrastructure (diagram): adds Users & Admins on both sides, linked by Cloud Directory Sync
  27. Hybrid infrastructure (diagram): adds the traffic flows: APIs (gcloud, gsutil, ssh, rsync, etc.), Accelerated UDP Transfer, Project data I/O, License requests, Queue Manager dispatching, Project database communication
  28. How do we secure all the things?
  29. Cloud Platform resource hierarchy
  30. Projects and access. Granting access: Manage your organization's identities with G Suite. Implement Google Cloud Directory Sync. gcloud SDK, Compute Engine API: Authentication is performed by the SDK itself. Credentials are picked up by the API client libraries. Automating security checks: Implement Forseti Security to run periodic checks for policy compliance. https://github.com/GoogleCloudPlatform/forseti-security (Sidebar topics for slides 30 to 41: Projects and access, Controlling user access, Encryption key mgmt, Network security, Disk images, Connectivity, File systems, Encryption, Transferring data, Logging, Other)
  31. Controlling user access. Cloud IAM: Create and manage permissions at multiple levels. Service accounts: Access Google services and resources programmatically. Access scopes: Set permissions at the resource level.
  32. Identity & Access Management. Who (principal): User, Service Accounts, Group, Domain. Can do what: Roles (a collection of permissions), Authorization Tokens. On which resource: Project, VM, bucket…, Resource folder. Cloud IAM unifies access control under a single system. Create and manage permissions at the organization, project and resource levels.
  33. Encryption key management. Cloud storage: All data is encrypted at rest using either AES128 or AES256 encryption. Data is always encrypted before it's written to disk. Cloud KMS: Store encryption keys centrally in the cloud, for use by cloud services. Let Google manage your keys, or manage keys yourself.
  34. Network security. Networks and subnetworks: Isolate resources on separate networks to add an extra level of security. Subnetworks are created automatically, one for each compute zone. Firewall rules: Rules apply to the entire network. To allow incoming traffic, you must create 'allow' firewall rules. External IP addresses: Ability to disable the assignment of an external IP on instance creation. The instance will then only be visible over VPN, or from within the network.
  35. Disk images. Public: Compute Engine offers many preconfigured public images. Each OS image has been configured to work closely with Google Cloud Platform services and resources. Custom: Use your own custom image, but ensure you comply with security best practices.
  36. Connectivity. Google Cloud VPN: Regardless of how you're connected to Google, you must secure your connection with a Virtual Private Network (VPN). Direct peering: Connect directly to a Google PoP. This is typically the fastest option. Cloud interconnect: Connect to Google using a service provider.
  37. File systems. Object-based: Encrypted, localized, available worldwide. Pipeline implications, however. POSIX-compliant: Known as Persistent Disk (PD) on GCP. The security features of object-based storage, available as an NFS server. Other filesystems: Clustered or caching filesystems are also available, however they are not under the management of IAM or other Google security mechanisms.
  38. Encryption. Storage security: Security features are consistent across storage classes. By default, Google manages encryption keys. When is data encrypted? Both at rest and in-transit. If using VPN (which you should), data is encrypted before leaving on-prem.
  39. Transferring data. SDK and API: gsutil, gcloud, rsync, ssh can be used, but we recommend gsutil for anything less than 10Gb in size. UDP-based: Aspera, Tervela Cloud FastPath, BitSpeed Velocity or FDT are all options, however they're all third-party services and are not managed by Google.
  40. Logging. Stackdriver: Can be used as a secure logging server for a variety of pipelines. Able to ingest thousands of concurrent log streams. Audit logging: Monitor project-based admin activity.
  41. Other considerations. Queue management: Use the gcloud command to communicate with Google Cloud, rather than via ssh. Consider running your queue system entirely on Google Cloud Platform. Custom software: There are a number of client libraries available for use by third-party software APIs. Each library provides methods for OAuth 2.0 authorization. Licensing: Use your own on-prem license server across a VPN, or run a license server in the cloud.
  42. Further reading: Best Practices for Enterprise Organizations; Google Infrastructure Security Design Overview; Encryption at Rest in Google Cloud Platform; Securely Connecting to VM Instances; Google Security Whitepaper; Using IAM Securely; Configuring Imported Images
  43. Questions?
  44. THANK YOU
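A small policy check in the spirit of slide 30 (automate compliance checks) and slide 34 (explicit 'allow' firewall rules, no external IPs on render instances), added here as an illustration; it is not code from the deck or from Forseti Security. It assumes an inventory shaped like Compute Engine instance and firewall resources (`networkInterfaces[].accessConfigs[].natIP`, `sourceRanges`, `allowed`), and the inventory itself is constructed.

```python
"""Added example: flag instances with external IPs and over-broad ingress
'allow' rules. Not Forseti's code; the inventory below is constructed and
only mirrors the shape of Compute Engine instance and firewall resources."""
import ipaddress

# Constructed sample inventory (not real resources or addresses).
INSTANCES = [
    {"name": "render-worker-01",
     "networkInterfaces": [{"network": "render-net", "accessConfigs": []}]},
    {"name": "license-server",
     "networkInterfaces": [{"network": "render-net",
                            "accessConfigs": [{"natIP": "203.0.113.10"}]}]},
]
FIREWALLS = [
    {"name": "allow-ssh-anywhere", "network": "render-net", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-nfs-internal", "network": "render-net", "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["2049"]}]},
]


def instances_with_external_ip(instances):
    """Names of instances that carry a NAT (external) IP on any interface."""
    return [i["name"] for i in instances
            if any(ac.get("natIP")
                   for nic in i.get("networkInterfaces", [])
                   for ac in nic.get("accessConfigs", []))]


def open_ingress_rules(firewalls, min_prefix=8):
    """(rule name, range) for ingress 'allow' rules whose source range is
    wider than /min_prefix; 0.0.0.0/0 always qualifies. Deny rules are skipped."""
    findings = []
    for fw in firewalls:
        if fw.get("direction", "INGRESS") != "INGRESS" or not fw.get("allowed"):
            continue
        for rng in fw.get("sourceRanges", []):
            if ipaddress.ip_network(rng).prefixlen < min_prefix:
                findings.append((fw["name"], rng))
    return findings


def audit(instances, firewalls):
    """Combine both checks into one report keyed by finding type."""
    return {"external_ip": instances_with_external_ip(instances),
            "open_ingress": open_ingress_rules(firewalls)}


if __name__ == "__main__":
    for kind, items in audit(INSTANCES, FIREWALLS).items():
        print(kind, items)
```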
