Photo by Samuel Zeller on Unsplash
It is apparent that more and more companies are taking their apps and software to the cloud. The cloud itself, has evolved from an alternative web host, a place where you can “rent” a virtual machine, to Infrastructure as a Service, and now to Everything as a Service, a develop without hassle approach. The cloud launches new challenges for us security people everyday which means we need a complete approach change and that begins with a mind shift.
My motto or mantra in security for a long time has been: “Know it before you secure it.” Driven by this motto, I choose to expand my knowledge on different cloud providers in the market. My work has kept me close to AWS and Azure, but I had always been interested in growing my expertise in, what is seen as the “underdog” cloud provider, Google.
The way I acquired expertise in the Google Cloud Platform has been by studying, working with, and understanding the key differences between GCP and AWS. Once I could map the known services and had a list of what the differences between the two service offerings were, I knew that if I wanted to become proficient with them I had to use them.
I started off by reading up on the official GCP docs. This basically provided me with comprehensive documentation, guides, and resources for GCP products and services. You can find these resources here: https://cloud.google.com/docs/
After reading as much on the subject as possible, I wanted to put my learnings to the test. I enrolled in the Linux Academy Google Cloud Platform Training course focusing on the GCP architect. (Linux Academy offers several courses around GCP so I recommend reading into which would best fit your goals)
As with any new learning opportunity, I choose to tackle a mini project to implement and become more familiar with the technology stack. My project was to automatically deploy an application inside Google Cloud and implement an automated CI\CD pipeline that also has the capability to perform baseline security tests on the deployed application.
The design of this is pretty simple and is based on OpenSource tools such as Jenkins, OWASP Dependency Check Jenkins plugin, and OWASP ZAP. All of the tools were deployed inside a Google Kubernetes Cluster as individual pods, for ease of prototyping and speed of development. (Explore more on the topic of dependency confusion attacks.)
The project implementation has taught me a lot about new technologies such as securing K8s deployments (mentioned above), Container Security, Cloud Service Accounts and IAM roles, Network Security inside Google Cloud, encrypting data at rest, auditing events and items and logging inside the platform. After I got to know the tools, the platform, and the workflow; I decided wanted to get a benchmark of what I have learned and where I was in terms of knowledge and I thought I was prepared to take on the Cloud Architect exam. I am happy to say that I passed on my first try.
My advice for you is to study the documentation in detail, understand the best practices under each service, like the storage best practices, understand the difference between different service offerings of the same service (for example: the different storage classes from Google or the different network interconnects between your Google Cloud VPC and your Data Center, and also understand where to use what, and always, always take in consideration the security component and attention needed for each service.
And always remember:
“Know it before you secure it”