Securing Content in the Cloud

Proprietary + Confidential
#NABShow
Securing Content in the Cloud
Adrian Graham
Cloud Solutions Architect
March 20, 2017

Proprietary + ConfidentialProprietary + Confidential
Why security?

Overview
On-premises infrastructure
Cloud infrastructure
Connecting to cloud
Hybrid infrastructure
Secure all the things!
Further reading

On-premises infrastructure

Source: Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis non erat sem
#NABShow
On-premise infrastructure
Render Farm
Nodes
Local
Workstations

#NABShow
Render Farm
Nodes
File Server
Local
Workstations

#NABShow
Render Farm
Nodes
File Server
Local
Workstations
License Server

#NABShow
Render Farm
Nodes
File Server
Local
Workstations
License Server
Render
Workers
Render
Workers
Render
Workers

#NABShow
Render Farm
Nodes
File Server
Local
Workstations
Queue
Manager
License Server
Render
Workers
Render
Workers
Render
Workers

#NABShow
Asset Mgmt Render Farm
Nodes
File Server
Local
Workstations
Queue
Manager
License Server
Render
Workers
Render
Workers
Render
Workers

#NABShow
Rendering VMs
Compute Engine
Data ingress/egress

#NABShow
Rendering VMs
Compute Engine
Assets
Cloud Storage
Data ingress
Data ingress/egress

#NABShow
Rendering VMs
Compute Engine
Assets
Cloud Storage
NFS File
Server
Data ingress
Data ingress/egress

#NABShow
Rendering VMs
Compute Engine
Assets
Cloud Storage
Read-through
Cache
NFS File
Server
Data ingress
Data ingress/egress

#NABShow
Rendering VMs
Compute Engine
Assets
Cloud Storage
NFS File
Server
Cloud-based
License Server
Data ingress
Data ingress/egress
On-prem licenses
Read-through
Cache

#NABShow
Rendering VMs
Compute Engine
Assets
Cloud Storage
Read-through
Cache
Users
Cloud IAM
NFS File
Server
Cloud-based
License Server
Data ingress
Data ingress/egress
On-prem licenses
LDAP sync

#NABShow
Rendering VMs
Compute Engine
Assets
Cloud Storage
Read-through
Cache
Users
Cloud IAM
NFS File
Server
Cloud-based
License Server
Stackdriver
LoggingData ingress
Data ingress/egress
On-prem licenses
LDAP sync

Connecting to cloud

#NABShow
Connecting to cloud
Render Farm
Nodes
Render
Workers
Render
Workers

#NABShow
Connecting to cloud
Render Farm
Nodes
Render
Workers
Render
Workers
Cloud
VPN
VPN
Gateway

#NABShow
Connecting to cloud
Render Farm
Nodes
Render
Workers
Render
Workers
Cloud
VPN
VPN
Gateway
Cloud
Router

#NABShow
Connecting to cloud
Render Farm
Nodes
Render
Workers
Render
Workers
Cloud
Interconnect
Cloud
VPN
VPN
Gateway
Cloud
Router

(better put on your glasses for this next slide…)

#NABShow
Asset Mgmt dB Render Farm
Nodes
File Server
Local
Workstations
Queue
Manager
Physical Cache
License Server
Cloud
Interconnect
Cloud
VPN
Read-through
Cache
Rendering VMs
Compute Engine
Assets
Cloud Storage
Users
Cloud IAM
NFS File
Server
VPN
Gateway
Cloud
Router
Cloud-based
License Server
Stackdriver
Logging

#NABShow
Nodes
File Server
Local
Workstations
Queue
Manager
Physical Cache
License Server
Cloud
Interconnect
Cloud
VPN
Read-through
Cache
Rendering VMs
Compute Engine
Assets
Cloud Storage
Users
Cloud IAM
NFS File
Server
Users &
Admins
Users &
Admins
Cloud Directory
Sync
VPN
Gateway
Cloud
Router
Cloud-based
License Server
Stackdriver
Logging

#NABShow
Nodes
APIs: gcloud, gsutil,
ssh, rsync, etc
File Server
Local
Workstations
Queue
Manager
Physical Cache
License Server
Accelerated
UDP Transfer
Cloud
Interconnect
Cloud
VPN
Read-through
Cache
Rendering VMs
Compute Engine
Assets
Cloud Storage
Users
Cloud IAM
NFS File
Server
Users &
Admins
Users &
Admins
Cloud Directory
Sync
Project data I/O
License requests
Queue Manager dispatching
Project database communication
VPN
Gateway
Cloud
Router
Cloud-based
License Server
Stackdriver
Logging

How do we secure all the things?

#NABShow
Cloud Platform resource hierarchy

#NABShow
Projects and access
Granting access Manage your organization's identities with G Suite.
Implement Google Cloud Directory Sync.
gcloud SDK,
Compute Engine API
Authentication is performed by the SDK itself.
Credentials are picked up by the API client libraries.
Automating
security checks
Implement Forseti Security to run periodic checks
for policy compliance.
https://github.com/GoogleCloudPlatform/forseti-security
Projects and
access
Controlling
user access
Encryption
key mgmt
Network
security
Disk images Connectivity File systems Encryption
Transferring
data
Logging Other

#NABShow
Controlling user access
Cloud IAM Create and manage permissions at multiple levels.
Service accounts Access Google services and resources programmatically.
Access scopes Set permissions at the resource level.
Projects and
access
Controlling
user access
Encryption
key mgmt
Network
security
Transferring
data
Logging Other

#NABShow
Identity & Access Management
Who
(principal)
User Service Accounts
Group Domain
Can do
what
Roles: collection of permissions
Authorization Tokens
On which
resource
Project VM, bucket…
Resource folder
Cloud IAM unifies access control
under a single system.
Create and manage permissions at the
organization, project and resource
levels.
Projects and
access
Controlling
user access
Encryption
key mgmt
Network
security
Transferring
data
Logging Other

#NABShow
Encryption key management
Cloud storage All data is encrypted at rest using either AES128 or AES256 encryption.
Data is always encrypted before it's written to disk.
Cloud KMS Store encryption keys centrally in the cloud, for use by cloud services.
Let Google manage your keys, or manage keys yourself.
Projects and
access
Controlling
user access
Encryption
key mgmt
Network
security
Transferring
data
Logging Other

#NABShow
Network security
Networks and
subnetworks
Isolate resources on separate networks to add an extra level of security.
Subnetworks are created automatically, one for each compute zone.
Firewall rules Rules apply to the entire network.
To allow incoming traffic, you must create 'allow' firewall rules.
External IP
addresses
Ability to disable the assignment of an external IP on instance creation.
The instance will then only be visible over VPN, or from within the network.
Projects and
access
Controlling
user access
Encryption
key mgmt
Network
security
Transferring
data
Logging Other

#NABShow
Disk images
Public Compute Engine offers many preconfigured public images.
Each OS image has been configured to work closely with
Google Cloud Platform services and resources.
Custom Use your own custom image, but ensure you comply with
security best practices.
Projects and
access
Controlling
user access
Encryption
key mgmt
Network
security
Transferring
data
Logging Other

#NABShow
Connectivity
Google Cloud
VPN
Regardless of how you're connected to Google, you must
secure your connection with a Virtual Private Network (VPN).
Direct peering Connect directly to a Google PoP. This is typically the fastest option.
Cloud
interconnect
Connect to Google using a service provider.
Projects and
access
Controlling
user access
Encryption
key mgmt
Network
security
Transferring
data
Logging Other

#NABShow
File systems
Object-based Encrypted, localized, available worldwide.
Pipeline implications, however.
POSIX-compliant Known as Persistent Disk (PD) on GCP.
The security features of object-based storage, available as an NFS server.
Other filesystems Clustered or caching filesystems are also available,
however they are not under the management of IAM or
other Google security mechanisms.
Projects and
access
Controlling
user access
Encryption
key mgmt
Network
security
Transferring
data
Logging Other

#NABShow
Encryption
Storage security Security features are consistent across storage classes.
By default, Google manages encryption keys.
When is data
encrypted?
Both at rest and in-transit.
If using VPN (which you should), data is encrypted before leaving on-prem.
Projects and
access
Controlling
user access
Encryption
key mgmt
Network
security
Transferring
data
Logging Other

#NABShow
Transferring data
SDK and API gsutil, gcloud, rsync, ssh can be used, but we recommend
gsutil for anything less than 10Gb in size.
UDP-based Aspera, Tervela Cloud FastPath, BitSpeed Velocity or FDT are all options,
however they're all third-party services and are not managed by Google.
Projects and
access
Controlling
user access
Encryption
key mgmt
Network
security
Transferring
data
Logging Other

#NABShow
Logging
Stackdriver Can be used as a secure logging server for a variety of pipelines.
Able to ingest thousands of concurrent log streams.
Audit logging Monitor project-based admin activity.
Projects and
access
Controlling
user access
Encryption
key mgmt
Network
security
Transferring
data
Logging Other

#NABShow
Other considerations
Queue
management
Use the gcloud command to communicate with Google Cloud, rather than via ssh.
Consider running your queue system entirely on Google Cloud Platform.
Custom software There are a number of client libraries available for use by third-party software API.
Each library provides methods for OAuth2.0 authorization.
Licensing Use your own on-prem license server across a VPN.
Running a license server in the cloud.
Projects and
access
Controlling
user access
Encryption
key mgmt
Network
security
Transferring
data
Logging Other

#NABShow
Best Practices for Enterprise Organizations
Google Infrastructure Security Design Overview
Encryption at Rest in Google Cloud Platform
Securely Connecting to VM Instances
Google Security Whitepaper
Using IAM Securely
Configuring Imported Images
Further reading

#NABShow
Questions?

Securing Content in the Cloud

More Related Content

Similar to Securing Content in the Cloud

More from ETCenter

Recently uploaded

Securing Content in the Cloud