BeyondProd: The Origin of Cloud-Native Security at Google

Monday, January 27, 2020 - 2:00 pm to 2:30 pm

Brandon Baker, Google

Abstract: 

Containers and microservices are increasingly being used to deploy applications, and with good reason, given their portability, simple scalability and lower management burden. In changing from an architecture based on monolithic applications to one using distributed microservices, known as a "cloud-native" architecture, there are changes not only to operations but also to security.

Where BeyondCorp states that user trust should be dependent on characteristics like the context-aware state of devices and not the ability to connect to the corp network, BeyondProd states that service trust should be dependent on characteristics like code provenance and service identity, not the location in the production network, such as IP or hostname identity.

Just as the security model evolved beyond the castle walls with BeyondCorp, BeyondProd proposes a cloud-native security architecture that assumes no trust between services, isolates multi-tenant workloads from one another, verifiably enforces which applications are deployed, automates vulnerability management, and applies strong access controls to critical data. These principles led Google to build several new systems in order to meet these requirements.

In this talk, we will cover what a cloud-native architecture is, and why it's different from a security point of view; design principles for security in a cloud-native world; how Google addressed these requirements and the internal tools used as part of this architecture; and how your organization might approach the same requirements. You'll come away with a better understanding of how to think about cloud-native security, and more capably decide what tools you might need to secure your infrastructure.

Brandon Baker, Google

Brandon Baker is Tech Lead for Cloud Security at Google, where he is responsible for security strategy and technical direction for the Google Cloud Platform. Brandon started the Cloud Security team at Google in 2010, building core security features to protect Google's Cloud users and infrastructure from compromise. Since the discovery of Spectre/Meltdown in July 2017, Brandon has also worked to address CPU side-channel issues from the Cloud perspective.

Brandon has specialized in virtualization, operating system, cloud, and CPU security for over 20 years, at companies including Google, Microsoft, Digex, and the U.S. Department of Defense. Brandon has also contributed to Trusted Computing research, standards bodies, and developments across the industry. He currently resides in Redmond, WA and enjoys hiking and photographing the beautiful mountains and coasts of Washington state. Brandon holds a B.Sc. degree in Computer Science from Texas A&M University.

BibTeX
@conference {244696,
author = {Brandon Baker},
title = {{BeyondProd}: The Origin of {Cloud-Native} Security at Google},
year = {2020},
address = {San Francisco, CA},
publisher = {USENIX Association},
month = jan
}
