If you are a developer or a security admin, "shifting left" is a phrase you may have heard, but what does it mean practically? It means organisational and procedural change: incorporating a security-first approach as part of your approach to development; incorporating security checks and gates as part of your development-to-production pipeline, i.e. incorporating security as early as possible; and getting devs to think like security admins and security admins to think like developers.
A slightly different type of post for a change, one which doesn’t involve talking about security! I haven’t used Terraform in anger for a while. By this I mean creating a full config from a blankish page rather than updating ones I created before or using a framework to help build out an environment on Google Cloud. I had reason to create a config from scratch recently that involved GCS, Cloud Functions, Pub/Sub and DLP.
So let’s assume you have put into practice all the guidance to protect your cloud compute resources: defence in depth, mitigations against ransomware and unauthorised crypto mining, and the myriad of other best practices provided by governments, NIST, and your cloud provider of choice. You’ve done everything you can and you have still been compromised. As I have said on numerous occasions, being compromised may happen, so you need to be prepared for that and not only have recovery plans in place but have a robust incident plan in place.
I’ve discussed Ransomware Defence in Depth, and in this post I’m discussing how to defend in depth against another pesky issue: Unauthorized Cryptocurrency mining. Unauthorized cryptocurrency mining is, alongside ransomware, one of the major outcomes bad guys gaining access to your cloud resources are looking to achieve. I’m going to focus on Google Cloud as that is the Cloud I know best these days, but the other large Cloud providers have equivalent defences to the ones I discuss here.
Last year (2021) I managed to visit a number of castles in Wales. It got me thinking how much the medieval castles were designed with defence in depth and how similar it is to applying defence in depth when using Google Cloud. A medieval castle has layers of defences; here’s a list of some of them (and yes, I am aware I have left some parts out, but if this post entices you to learn more about medieval castles there are plenty of great posts that dive into the detail.
One of the key mantras from my day job is to meet customers where they are when working with them to start their journey to the cloud. Unfortunately this can sometimes lead to customers basically lifting and shifting their on-premises environment directly to the cloud and just stopping at that point. I read an article on the UK NCSC site (I reference it below too) that gave me pause for thought about why folks should **not** stop at the Lift/Shift stage on their migration journey, even if they think that’s good enough, as it never is!
So I finally decided I should put some words down about the approach to defending against ransomware attacks. Why, you may ask, when there’s been so much written about this topic? Basically because so much of what has been written has been an opportunity for folks to push their products as the way to save you from this malaise, yet they only ever give you half (or not even that) of a 360-degree view, encouraging a false sense of security!
In this post on thinking about security when coming from an on-premises world to the cloud I do focus on Google Cloud, so some of the techniques I discuss may not easily map to your cloud of choice; that aside, the principles are pretty much the same. How is security in the cloud different? When addressing security concerns on-premises you are responsible for everything: the physical security of assets, the operating system, application servers, the applications, and managing user permissions.
In my incredibly narrow and brief tour of auditing and enforcement policies for GKE I spoke about OPA and Gatekeeper. In this post I am having a look at creating Gatekeeper policies. This, however, was going to entail me getting to grips with Rego! So what is Rego? To understand what Rego is you need to know what Open Policy Agent (OPA) is. I discussed it in my post, but the key thing is it’s a general-purpose policy engine.
Asking questions of past me has been fun, but what I wanted to do next is see what future me might conceivably tweet next, so a little machine learning fun was my next stop. This post, like my first post in this series on having fun with my Twitter feed, is about showing you how easy it is to use GCP to help you have fun with your tweets in the simplest way possible (ok, laziest way!
I’ve been using Twitter for over 10 years now and I was thinking it would be cool to analyse my tweets over the years. It also would give me a new dataset that I could use when looking at data-related stuff (I find it easier to use data I actually care about when exploring data things). You can download your Twitter archive, so there is no need to use the Twitter API to get hold of my data.
Admission controllers: when enforcing policies in K8s (I am assuming that you are running an up-to-date version of k8s, and when I say k8s I will specifically be talking about GKE, but you knew that 😀) you use Admission controllers (this shouldn’t be optional, hence “use” with no qualifier!). Admission controllers essentially provide a way to govern how the cluster is used by intercepting calls to the k8s API prior to persistence of the object, but after the request is authenticated and authorized.
My top 5 things I wish GCP would shout louder about: ways to stop yourself deleting things you don’t want to delete. Project liens: this stops you accidentally deleting a project; my colleague @MrTrustor waxes lyrical about that here. VM deletionProtection flag: this helps prevent the accidental deletion of a VM, maybe you are running AD on an instance or perhaps you have a monitoring service that needs to be up and running all the time. Use IAM to grant least-privilege permissions. Cloud Storage bucket locks.
Please note that I have no association with any training companies or third parties linking through to this post. This post is freely available to help folks understand Google Cloud! For those of you who have been reading my GCP flowchart series over on Medium, the collection now lives here. This post contains all the ones that are still applicable at the time of writing that I posted on Medium here, together with a few brand new ones.
I will be blogging here for now. I’ve been posting at Medium for a while, but I needed to move somewhere where I had more control yet still minimised the operational overhead of managing a website. For the curious, this site is created with Hugo and hosted with Firebase. If you’re interested in using Cloud Storage then I’ve walked through using Hugo and GCS here.