Greg Castle, Google Cloud
Samrat Ray, Google Cloud
SEC230
Anthos Security: Modernize Your Security Posture for Cloud-Native Applications

Greg Castle, Anthos/GKE Security Tech Lead, Google Cloud (@mrgcastle)
Samrat Ray, Anthos Security Product Manager, Google Cloud (@samratray)
● How Anthos improves security across a hybrid production environment
● Which security features are available today across each environment
● A 4-step workflow to configure Anthos security
● Takeaways
Names used in this presentation:
● GKE = Anthos on Google Cloud
● On-Prem = Anthos On-Prem
● AWS = Anthos on AWS
We are seeing a confluence of technology trends: service-based architectures, Kubernetes and containers, and hybrid and multi-cloud.
Anthos: security for the modern hybrid cloud
Environments: Google Cloud, other clouds, on-prem, edge
Layers: infra management, service/app security, policy enforcement, monitoring and detection
4 steps to securing applications with Anthos
1. Harden infrastructure
2. Establish guardrails
3. Secure workloads
4. Monitor and detect
Across all your environments: GKE, On-Prem, AWS, and more
Harden Infrastructure
Security patching and hardening covers every layer of the node stack:
● Application containers (base image, dependencies and application code)
● GKE/K8s system containers (logging, DNS etc.)
● Kubernetes (node and control plane)
● Container runtime
● OS userspace
● Linux kernel
● Firmware/bootloader
● Virtualization, network fabric
● Hardware
Shared responsibility model, as laid out on the slide (see https://bit.ly/2YkdjBd and https://cloud.google.com/anthos/gke/docs/on-prem/getting-support#shared_responsibility_model):
● GKE: the application containers are customer responsibility; the managed layers beneath them are GKE responsibility (automated with node auto-upgrade, excluding any customer modifications or additional software).
● Anthos (non-GKE): the application containers are customer responsibility; the Kubernetes and node software layers are Anthos responsibility (customers perform upgrades, excluding any customer modifications or additional software); the underlying firmware, virtualization and hardware are customer responsibility.
Anthos on GCP (GKE): we do even more
We manage infrastructure best practices:
● Shielded VMs and nodes (vTPM)
● Customer Managed Encryption Keys (CMEK) for disk encryption
● Application-layer secrets encryption
● Control plane and node auto-upgrades on by default
● Release channels: Rapid, Regular, Stable
Hardened by default, following industry benchmarks and standards
● Publish full Kubernetes CIS benchmark results (GKE, On-Prem)
● GKE-specific CIS security benchmark (GKE)
● Compliance coverage includes: ISO 27001, ISO 27017, ISO 27108, HIPAA, and PCI-DSS (GKE)
● Solution guide for PCI applications (GKE)
https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks
https://cloud.google.com/anthos/gke/docs/on-prem/concepts/cis-benchmarks
https://cloud.google.com/security/compliance
https://cloud.google.com/solutions/pci-dss-and-gke-guide
Harden Infrastructure
● Anthos does most of the work for you (GKE, On-Prem, AWS)
● Follow our guidelines for multitenancy org setup (GKE)
● Follow our hardening guides when creating clusters (GKE, On-Prem)
● Follow our solution guides for compliant applications (GKE)
https://cloud.google.com/kubernetes-engine/docs/best-practices/enterprise-multitenancy
https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster
https://cloud.google.com/anthos/gke/docs/on-prem/how-to/hardening-your-cluster
https://cloud.google.com/solutions/pci-dss-and-gke-guide
Establish Guardrails
Anthos Config Management: manage cross-cluster / cross-cloud
● Infrastructure: Terraform
● Kubernetes: ACM Config Sync for namespaces, RBAC and service accounts (GKE GA, GKE On-prem GA, GKE on AWS GA)
● Application resources: GCP Config Connector for Cloud Pub/Sub, BigQuery, cluster, VPC and project resources (GKE GA, GKE On-prem GA)
https://cloud.google.com/config-connector/docs/overview
https://cloud.google.com/anthos/config-management
https://www.terraform.io/docs/providers/google/index.html
Anthos Policy Controller (GKE GA, On-prem GA, AWS GA)
● Based on Open Policy Agent's Gatekeeper
● We supply a policy library, e.g. no containers may run as root
https://cloud.google.com/anthos-config-management/docs/concepts/policy-controller
Example constraint from the policy library. The slide shows only the fragment from metadata down and drops the colon after ranges; apiVersion and kind are taken from the Gatekeeper library's K8sPSPAllowedUsers template so the object is valid as written:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    runAsUser:
      rule: MustRunAs   # every container must run with a UID inside the ranges
      ranges:
        - min: 100
          max: 200
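The following is an added example, not code from the slides or from the Gatekeeper library: a stand-alone check that mirrors what the psp-pods-allowed-user-ranges constraint above enforces, so a Pod manifest can be vetted before Policy Controller rejects it. It goes beyond the slide by also handling the MustRunAsNonRoot and RunAsAny rule values; the assumptions (container-level runAsUser overrides the Pod-level one, and an unset UID violates MustRunAs) are stated in the comments.

```python
# Added example, not from the slides or the Gatekeeper library: a stand-alone
# check that mirrors what the psp-pods-allowed-user-ranges constraint above
# enforces, so you can see which Pod manifests Policy Controller would reject
# before applying the constraint. Assumptions (not stated on the slide):
# container-level securityContext.runAsUser overrides the Pod-level value, as in
# Kubernetes; under MustRunAs a container with no effective runAsUser violates
# the rule, because the UID then comes from the image and may be 0 (root).
from typing import Any, Dict, List, Optional

# Parameters copied from the slide's constraint: MustRunAs, UIDs 100-200.
RUN_AS_USER_PARAMS: Dict[str, Any] = {
    "rule": "MustRunAs",
    "ranges": [{"min": 100, "max": 200}],
}


def effective_run_as_user(pod: Dict[str, Any], container: Dict[str, Any]) -> Optional[int]:
    """Container-level runAsUser wins; otherwise fall back to the Pod-level value."""
    c_ctx = container.get("securityContext") or {}
    if c_ctx.get("runAsUser") is not None:
        return c_ctx["runAsUser"]
    p_ctx = pod.get("spec", {}).get("securityContext") or {}
    return p_ctx.get("runAsUser")


def uid_allowed(uid: Optional[int], params: Dict[str, Any]) -> bool:
    """Apply one of the three rule values the library's template accepts:
    RunAsAny, MustRunAsNonRoot, or MustRunAs with explicit ranges."""
    rule = params["rule"]
    if rule == "RunAsAny":
        return True
    if uid is None:  # nothing provable about the UID
        return False
    if rule == "MustRunAsNonRoot":
        return uid != 0
    return any(r["min"] <= uid <= r["max"] for r in params["ranges"])


def run_as_user_violations(pod: Dict[str, Any],
                           params: Dict[str, Any] = RUN_AS_USER_PARAMS) -> List[str]:
    """One message per container (init containers included) that breaks the rule."""
    spec = pod.get("spec", {})
    violations = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        uid = effective_run_as_user(pod, c)
        if not uid_allowed(uid, params):
            shown = "unset" if uid is None else str(uid)
            violations.append(f"{c['name']}: runAsUser {shown} not allowed by {params['rule']}")
    return violations


# Constructed sample manifests for illustration, not real workloads.
POD_IN_RANGE = {"spec": {"securityContext": {"runAsUser": 150},
                         "containers": [{"name": "app", "image": "example/app"}]}}
POD_ROOT_SIDECAR = {"spec": {"securityContext": {"runAsUser": 150},
                             "containers": [{"name": "app", "image": "example/app"},
                                            {"name": "sidecar", "image": "example/sc",
                                             "securityContext": {"runAsUser": 0}}]}}
POD_UNSET = {"spec": {"containers": [{"name": "app", "image": "example/app"}]}}

if __name__ == "__main__":
    for label, pod in [("in-range", POD_IN_RANGE), ("root-sidecar", POD_ROOT_SIDECAR),
                       ("unset", POD_UNSET)]:
        print(label, run_as_user_violations(pod) or "OK")
```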
Constrain configuration: GCP Org Policies (GKE GA)
● Restrict regions for resources
● Restrict services exposed to the Internet (BETA)
https://cloud.google.com/resource-manager/docs/organization-policy/defining-locations
https://cloud.google.com/load-balancing/docs/org-policy-constraints
https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
(Diagram: an admin sets org policies; service developers create VMs and GKE clusters inside the Google Cloud VPC; what may be exposed to the Internet is constrained by policy.)

Protect GCP cloud data: VPC Service Controls (GKE GA)
● Reduce risk of data exfiltration
● Isolate production VPC and GCP resources
● Private GKE clusters inside perimeter
● Isolate images in Container Registry
● Hybrid support via Interconnect or VPN
https://cloud.google.com/vpc-service-controls
https://cloud.google.com/kubernetes-engine/docs/concepts/private-cluster-concept
(Diagram: a service perimeter (+ VPC network) around the production project's Compute and Cloud Storage resources; the Internet and an unauthorized project's Cloud Storage, BigQuery and Compute sit outside it.)
Establish Guardrails
● Enforce policies with ACM Config Sync and Policy Controller (GKE, On-Prem, AWS)
● Enforce locality restrictions (GKE)
● Restrict Internet-exposed services (GKE)
● Establish a VPC-SC perimeter (GKE)
https://cloud.google.com/architecture/blueprints/anthos-enforcing-policies-blueprint
https://cloud.google.com/architecture/blueprints/anthos-enforcing-locality-restrictions-blueprint
https://cloud.google.com/load-balancing/docs/org-policy-constraints
https://cloud.google.com/vpc-service-controls/docs/how-to
Secure Workloads
● Trusted build and deployment
● Isolate applications within a cluster
● Isolate pods on the node
● Protect internet-exposed services

Anthos: zero trust production workload security
● Only trusted code and configuration can be deployed to production.
● Trust is associated with workload and user, not just network location.
● All service access is granted under the right peer and request context.
(Diagram, Anthos workload lifecycle. Build and deploy: code goes through Cloud Build, GCR vulnerability scanning and Binary Authorization to produce trusted images, and a trusted workload assumes the right production identity, e.g. Workload 1 ID = (td1, ns1, sa1), Workload 2 ID = (td1, ns2, sa2). Production runtime: Anthos Service Mesh enforces mTLS authn/z, so access between workloads and to external services is based on trusted identities.)
Trusted code pipeline: Binary Authorization (GKE GA, On-prem PREVIEW, AWS IN PROGRESS)
Pipeline stages: Code, Build, Test, Scan, Deploy, Run
● CI tools: a centralized, locked-down CI/CD pipeline/process
● Secure base images, Container Registry vulnerability scanning and image metadata: a structured, centralized image knowledge base
● Binary authorization in front of Kubernetes Engine: a deploy-time policy chokepoint
(Diagram: application isolation in Anthos. On each node, pods are isolated with GKE Sandbox / AppArmor; Kubernetes Network Policy and Anthos Service Mesh isolate services within and across clusters; Cloud Armor and Identity-Aware Proxy sit between the Internet / corp network and the services, and an egress firewall policy governs outbound traffic.)
Isolate multi-tenant clusters using Kubernetes Network Policy (GKE GA, On-prem GA, AWS GA)
● Multi-tenant: one namespace per team
● Write ingress and egress policy using IP CIDRs or K8s namespaces and labels
● GKE Network Policy logging (BETA) to debug/verify
Example policy. The slide shows only the spec fragment; apiVersion, kind, metadata and policyTypes are added here so the object is valid, and the egress rules, which are cut off on the slide, are left as an empty list:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: pii-database-ingress   # name not on the slide; choose your own
spec:
  podSelector:
    matchLabels:
      service: pii-database    # the policy applies to these pods
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              service: acct-summary   # only these pods (same namespace) may connect
  egress: []   # the slide's egress rules end here; an empty list denies all egress,
               # including DNS, so add the rules your application needs
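The following is an added example, not code from the slides: a small evaluator for the ingress side of Kubernetes NetworkPolicy, run against the policy above (pii-database pods accept traffic only from acct-summary pods), so you can check what a policy admits before relying on it. It goes beyond the slide's case by also handling namespaceSelector and ipBlock peers and the "not selected means not isolated" default; the pods, the "payments" namespace and the policy name are constructed, only matchLabels selectors are supported, and ports are ignored.

```python
# Added example, not from the slides: evaluates whether a pod-to-pod flow is
# admitted by the ingress rules of Kubernetes NetworkPolicy objects, using the
# policy on this slide as the sample. Assumptions: pods and policies are plain
# dicts mirroring the Kubernetes objects, only matchLabels selectors are used,
# ports are ignored, and namespace labels are supplied separately.
import ipaddress
from typing import Any, Dict, List, Optional

Pod = Dict[str, Any]     # {"name", "namespace", "labels", "ip"}
NsLabels = Dict[str, Dict[str, str]]  # namespace name -> that namespace's labels


def labels_match(selector: Optional[Dict[str, Any]], labels: Dict[str, str]) -> bool:
    """An empty selector matches everything; otherwise every matchLabels pair must match."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer: Dict[str, Any], src: Pod, policy_ns: str, ns_labels: NsLabels) -> bool:
    """Does one entry of an ingress rule's 'from' list match the source pod?"""
    if "ipBlock" in peer:
        ip, block = ipaddress.ip_address(src["ip"]), peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(e) for e in block.get("except", []))
    # namespaceSelector and podSelector in one peer are ANDed; a podSelector on
    # its own only matches pods in the policy's own namespace.
    if "namespaceSelector" in peer:
        if not labels_match(peer["namespaceSelector"], ns_labels.get(src["namespace"], {})):
            return False
    elif src["namespace"] != policy_ns:
        return False
    return labels_match(peer["podSelector"], src["labels"]) if "podSelector" in peer else True


def ingress_allowed(src: Pod, dst: Pod, policies: List[Dict[str, Any]],
                    ns_labels: Optional[NsLabels] = None) -> bool:
    """True if src -> dst is admitted by the ingress rules of the policies selecting dst."""
    ns_labels = ns_labels or {}
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst["namespace"]
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and labels_match(p["spec"].get("podSelector"), dst["labels"])]
    if not selecting:
        return True  # no policy selects dst, so it is not isolated and everything is allowed
    for p in selecting:
        for rule in p["spec"].get("ingress") or []:
            peers = rule.get("from") or []  # an empty 'from' admits every source
            if not peers or any(peer_matches(q, src, dst["namespace"], ns_labels) for q in peers):
                return True
    return False


# Constructed sample data: the slide's policy placed in a namespace called "payments".
PII_DB_POLICY = {
    "metadata": {"name": "pii-database-ingress", "namespace": "payments"},
    "spec": {"podSelector": {"matchLabels": {"service": "pii-database"}},
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"service": "acct-summary"}}}]}]},
}
PII_DB: Pod = {"name": "pii-db-0", "namespace": "payments", "labels": {"service": "pii-database"}, "ip": "10.8.1.10"}
ACCT: Pod = {"name": "acct-summary-1", "namespace": "payments", "labels": {"service": "acct-summary"}, "ip": "10.8.1.20"}
WEB: Pod = {"name": "web-1", "namespace": "payments", "labels": {"service": "web"}, "ip": "10.8.1.30"}
DEV_ACCT: Pod = {"name": "acct-summary-x", "namespace": "dev", "labels": {"service": "acct-summary"}, "ip": "10.8.2.5"}
```

Running ingress_allowed(WEB, PII_DB, [PII_DB_POLICY]) returns False while the same call with ACCT as the source returns True, and DEV_ACCT is refused because a bare podSelector never reaches across namespaces.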
Service isolation with Anthos Service Mesh: network + access
● Encryption in transit
● Certificate-based credentials that are not replayable
● Context-aware access control: peer identity, source IP range, request claims, app method
● IAP enables user authentication based on BeyondCorp principles
● No code changes required
(Diagram: a user request enters through Identity-Aware Proxy (BeyondCorp); the Credit Card FE and Credit Card BE proxies talk over mTLS, which establishes peer identity; the user (request) identity is carried as a token validated with its issuer.)
Isolate pods on nodes
GKE Sandbox (GKE GA)
● Run trusted and untrusted workloads with gVisor on the same VM
● General-purpose solution that doesn't need to be customized for most applications
AppArmor (GKE, On-prem, AWS BETA)
● Kubernetes beta feature
● Reduce privileges accessible by application
● Application-specific profiles required
(Diagram: container A and container B each run on their own gVisor instance inside the virtual machine; their syscalls go to gVisor, which issues only a limited set of syscalls to the host kernel.)
Secure Workloads
● Trusted workload deployment:
  ○ Enable Binary Authorization (GKE, On-Prem)
● Isolate applications on the network (GKE, On-Prem, AWS):
  ○ Network policy in cluster
  ○ Anthos Service Mesh for in-cluster / cross-cluster
● Isolate pods:
  ○ GKE Sandbox (GKE)
  ○ AppArmor (GKE, On-Prem, AWS)
● Protect Internet-exposed services:
  ○ Use Cloud Armor (GKE); or
  ○ An existing WAF (On-Prem, AWS)
https://cloud.google.com/binary-authorization
https://cloud.google.com/service-mesh/docs/overview
https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy
https://cloud.google.com/kubernetes-engine/sandbox
https://kubernetes.io/docs/tutorials/clusters/apparmor/
Monitor and Detect
Monitor posture and threats
● Visibility: Security Command Center, Cloud Asset Inventory, Operations Logging and Monitoring
● Threat detection: Container Threat Detection, Event Threat Detection, Access Transparency
● Threat prevention: Security Health Analytics, Web Security Scanner
● Pub/Sub export of logs and events

Security Health Analytics (GKE GA)
● Checks for common GCP misconfigurations
● Aligned with recommendations in the GKE hardening guide
● Results shown in Security Command Center
https://cloud.google.com/security-command-center/docs/quickstart-security-health-analytics

Container Threat Detection (GKE BETA, On-prem IN PROGRESS, AWS IN PROGRESS)
Container Threat Detection offers detection capabilities that cover the most common threats:
● Pre-built detectors for the top attacks:
  ○ Added Binary Executed
  ○ New Library Linked
  ○ Reverse Shell
● Security findings in Security Command Center
https://cloud.google.com/security-command-center/docs/concepts-container-threat-detection-overview

Monitor and Detect
● Operations logging and monitoring enabled by default (GKE, On-Prem)
● For GKE, enable Security Command Center, Container Threat Detection, Event Threat Detection, Access Transparency, Security Health Analytics and Web Security Scanner
● View alerts in Security Command Center
Anthos: Automate Policy and Security @Scale
● Harden infrastructure: compliant, hardened infrastructure for all environments. You can focus on your apps.
● Establish guardrails: separate trust and access by regions, clusters, services and pods. Manage RBAC, namespaces, and security policy across many clusters.
● Secure workloads: only run what you built and trust. Fine-grained control of access to workloads.
● Monitor and detect: one place for misconfigurations, threats, real-time security alerts. Pub/Sub APIs to export to your own systems.
Across all your environments: GKE, On-Prem, AWS, and more
Thank you