How to get the most out of Google Cloud Platform’s Security At The Data Level.

In this episode, we dive deep into how policy as code can help you manage resources in the cloud that could end up costing organizations a lot of money. In addition, we cover why it’s so critical to make sure you understand permissions and access.

Meet the Speakers

Han Kim

Han Kim

Principal Architect

Jeremy Pries

Jeremy Pries

Director of Cloud Infrastructure

Transcript

– So again, a closed loop where we’re using policy to help us with reporting at the end of the day to manage the costs and also the access, so we can see what we’re doing without being blind to unknown ramifications.

– Yeah, that policy is the consistency, right. The way we guarantee that things are set up the correct way.

– Hello, today we’re gonna be talking about how policy as code can help you manage resources in the cloud that could end up costing you a lot.

– So we were talking about security permissioning and the value of strategically looking at how to manage things like IM, but I think a real world example of this might be something like a BigQuery. When they’re using big data and you have access to this big data and why it’s so critical to make sure you understand why permissions and access are critical.

– Yeah, obviously data… There’s sensitive data out there and we need to make sure that only the correct people have access to it for the obvious, right. If we have credit card numbers or social security numbers or whatever type of personal information, that’s fairly obvious to understand why and frankly how to encrypt that, every cloud provider has a method and part of the challenge for us as IT organizations, is to make sure only the right people have access and so how do we do that, right? It’s about controlling the people instead of buying a product here.

– When you say controlling the people who have access. What is the actual concern about who has access to something like BigQuery?

– Yeah, I mean there’s the obvious, right? That’s the bad person is going to place the data where you don’t want, right. For example, download the, you know, CSV file of the socials and place it somewhere publicly accessible, that’s easy to picture. But then there’s the more hidden concerns such as the ability to run up a really large bill using a platform native, you know, scaling very high, scaling very wide product like BigQuery. We wouldn’t want to allow poorly crafted queries for example to run up a bill quickly.

– So when you say run up a bill, I mean, I don’t exactly understand maybe what type of bill we’re talking about, like how crazy can that really get?

– Yeah so you pay, I get it you pay per per gig typically. When you buy BigQuery there’s a number of ways to limit how fast you can, you know, consume that but you pay per gig analyzed. So it’d be pretty easy to run up a bill of $10, $20, $30,000 in minutes.

– Okay, I now understand That’s pretty crazy. So aside from like just controlling the people who may have access, you know, because of this issue of and possibly not understanding the ramifications of rolling up the bill that way. What about like, separating billing and access? Is that something that we should be concerned about as well?

– Separating billing and access would be, yeah I mean, I think the biggest thing to bring up in this area is the quotas and trying to limit how fast you can consume that data. In that actually spreads across users instead of just trying to focus on one user at a time, depending on how large your user community is.

– Got it. So there are ramifications of how many users at one time are utilizing the service and then the danger of hitting quota across all of them because nobody individually understands the usage of the entire group of people who has access.

– Yeah for sure, we’d recommend, you know, connecting up some reporting tools, right. It’s pretty easy to ship your usage data into a central spot for you to view and part of a cost control culture for a cloud organization is making sure that your users have tools to directly see what they’re doing from a cost perspective, but then also putting some limits on it like I mentioned such as quotas.

– So I think that this brings the idea of security, policy, access to a larger conversation about how we strategically integrate all the way through billing at the end of the day and then who has access to utilize those resources that generate that billing. So a kind of an end to end look at the strategic implementation of security and policy and how it impacts an organization as a whole.

– Yeah, I think one thing is that if we produce a design, but we don’t have a way to enforce policies, will end up with, for example, a BigQuery instance, that doesn’t report back where it needs to, right. From, to report the usage data back. So if we have users creating BigQuery, we should probably have an automated process. Instead of require that person to manually remember to go click the box that tells it to ship the data to the central reporting spot, for example.

– I see. So again, a closed loop where we’re using policy to help us with reporting at the end of the day, to manage the costs and also the access so that we can see what we’re doing without being blind to unknown ramifications.

– Yeah, that the policy is the consistency, right. The way we guarantee that things are set up the correct way.

– Cool. Thanks for watching. Let us know what security issues are important to you.