Cloud

Keyless Entry: Securely Access GCP Services from Kubernetes

This is a talk I gave with Aaron Small and Mike Danese about foregoing long-lived credentials (PKI) for short-lived access tokens on GKE.

You can read about it over on the Google Cloud Blog, too!

No more exporting Google service account keys or lumping permissions onto one account. Kubernetes now provides a way for Kubernetes workloads to prove their identity outside of their cluster. We’ve built on this to deliver a simpler, more secure way to authenticate to Google services whether you’re running Kubernetes on GKE, GCP, on-premises, or a hybrid mix. This talk will explain and demonstrate how to use this exciting new capability to easily access Google Cloud services without any changes to your application code.

Securing the Software Supply Chain

This is a talk Jianing Guo and I gave at Google Cloud Next 2018 about securing software supply chains with Binary Authorization. I showed off the tool my team developed, called Voucher, which we later donated to the Grafeas organization.

I also wrote about this over on shopify.engineering.

Containers have revolutionized how we develop, package, and deploy applications. As enterprises create more containerized workloads, the security of the software supply chain must be top of mind. Join this session to learn how security teams can enhance deployment security. We’ll also hear from the security team at Shopify to learn how they use GCP tools as part of their container security strategy and best practices.

Securing Shopify's PaaS on GKE

This is a talk I gave at SecTor, as well as at KubeCon the following month!

Shopify has leveraged Kubernetes through Google Container Engine (GKE) to build its new cloud platform. This PaaS is currently serving the majority of the company’s internal tools as well as business-critical production workloads. Moving to Kubernetes and a public cloud is no easy task, especially for a security team.

Unfortunately for us, a hosted solution does not offer all the features we’ve come to love in Kubernetes, including NetworkPolicies, PodSecurityPolicies, and admission controllers, among others. Given this, the security team has created a number of Kubernetes controllers and other cloud platform solutions to maintain an effective security posture on our new platform.

In this talk we’ll introduce our cloud platform, explore the tools we’ve created to bridge the security gaps, detail the struggles we’ve encountered using Google Cloud Platform and GKE, and discuss our growing pains with Kubernetes multi-tenancy. Attendees will gain an understanding of the current state of Kubernetes security controls on GKE, a familiarity with some of the products available on Google Cloud Platform, and insight on how to integrate security controls into their development pipelines.

Infrastructure Security 2.0

Shopify has leveraged Kubernetes through Google Container Engine (GKE) to build its new cloud platform. This PaaS is currently serving the majority of the company’s internal tools as well as business-critical production workloads. Moving to Kubernetes and a public cloud is no easy task, especially for a security team.

Given the industry’s limited experience with cloud computing and cloud-native technologies, this talk hopes to demystify some of these core cloud concepts. We’ll talk about containers: what they are, how to build them, how to secure them, and how to integrate security tooling into build and deployment pipelines.

Building a secure container is one thing, but how do we deploy containers to production, and what does that mean? We’ll introduce Kubernetes, an open-source system for automating deployment, scaling, and management of containerized applications. With Kubernetes we also have a number of security controls that we can implement to further restrict the operation of containers. We’ll explore some of these primitives, as they fit nicely with the container security context.

Lastly, running on a public cloud comes with its own unique challenges. We’ll explore some of the pitfalls we’ve encountered deploying infrastructure to a public cloud.