Google Cloud Security – how does google cloud work?

View Show Notes and Transcript

Episode Description

What We Discuss with Francesco Cipollone

  • Why would someone choose Google Cloud over AWS or Azure?
  • What does Security in Google Cloud look like for those using other cloud?
  • Is making Terraform a universal script for multi-cloud environment, great idea?
  • Is multi-cloud a good idea?
  • How mature is Security in Google compared to AWS/Azure?
  • For any Security Architect listening to this episode, what should they consider for Google Cloud?
  • EKS vs GKE?
  • And much more…

Thanks Francesco Cipollone!

If you enjoyed this session with Francesco Cipollone,, let him know by clicking on the link below and sending him a quick shout out at Twitter:

Click here to thank Francesco Cipollone, on Linkedin!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at

Resources from This Episode:

Ashish Rajan: [00:00:00] Morning morning, everyone. Welcome to another show of Virtual Coffee with Ashish .Today! We’re talking about Google cloud, but it’s appropriate. I should start with Bonasera as my guests for today, a self proclaimed, pretty face as we would like to call him,m Francesco. let me just bring him online because I’m just going to kill the suspense quickly.

Hey man! How are you? Good. I’ve had you as my guest before, and I’ve always loved having you as a guest, but just because it’s pretty face, but because

Francesco Cipollone: [00:00:39] no, it’s not so well known. I can’t disclose this. Of

Ashish Rajan: [00:00:44] course you can’t disclose the note. Well, goopy cloud security, and I thought it’s a great. Time to bring you in. No, for two reasons. One, because you are the chair of, well, you have been part of the cloud security Alliance for awhile. And, I guess I would love to [00:01:00] get into that as well for people who don’t know.

And for people who don’t know this, you’re actually awake at 11. That’s why you need to start with that first friend, Jessica, who is, and why Francisco awake at 11:00 PM in the night,

Francesco Cipollone: [00:01:13] because I love broadcasting and I love being on, on shows and I love being live. So it’s like a drug executive and actually it didn’t start that long, but a big of, me, background about me.

So I’m Francesca super Lorna. I’m the head of the cloud security Alliance, for UK and. Since recently Ireland has just started his own chapter. We have been recognized as the number one, chapter worldwide, from the, the Alliance. We have also some collaboration globally. And, what we do with the KOSPI Alliance is we host the event podcast and other stuff.

So every Wednesday we have a live event on different topics. actually this Wednesday, we’re going to have the Cecil perspective on. [00:02:00] How not to security cloud. So we’re going to talk anything but security about the class

Ashish Rajan: [00:02:06] we need to start off with, with a beverage. Hector. I’ve got my beverage here with your beverage, man.

Francesco Cipollone: [00:02:10] Yes. I think,

Ashish Rajan: [00:02:12] Oh, more appropriate for 11:00 PM. the bottle is what is it?

Francesco Cipollone: [00:02:19] It’s the venous extent. It’s one of my go to whiskey, especially travel-wise it’s quiet. It’s not that expensive. It’s like 40, 50 bucks a hour though. Well, call me, sorry, whenever you travel. And it’s definitely a good companion is well-rounded his moods tiny bit of water for perfect North of caramel.

And this is actually, yeah, just tiny bit of Peaky, but that’s about it. I actually got off BD. I used to be really the peat monster. I used to drink a lot of pizza stuff and I have half of the islands, this Island in that next day, you came to this very famous for Pete and [00:03:00] Pete. Is that really smoking whiskey.

Ashish Rajan: [00:03:02] Oh, but clearly, by the way, for people who are lifting Francesca for the first time, he loved whiskey on a fear. And that’s why by the way, is what’s the word for cheers in Italian is a salute.

Francesco Cipollone: [00:03:14] Was.

Ashish Rajan: [00:03:15] So Luther

Francesco Cipollone: [00:03:17] and I’ve

Ashish Rajan: [00:03:18] got a couple of people who are saying hi to yourself as well. So hi Karthik and, hi, Abdullah.

Welcome on the spectrum of the show. All right. So we’re going to start off with the obvious question. how did you get into cyber security? What was your route into it? What was your path into cybersecurity?

Francesco Cipollone: [00:03:35] I laugh because that’s usually my question to all of my guests and actually I had to do kudos because the shows that now it’s like the cybersecurity club podcast, it was inspired by yours, or really?

Ashish Rajan: [00:03:47] There you go.

Francesco Cipollone: [00:03:48] So used to be seven mentoring Monday. Yeah. I watch yours sensei has reenact the fact that he’s focused on cloud and that’s what we should be doing because I mean, it’s [00:04:00] Sabre and cloud. So just to differentiate, you don’t want to call it. It’s like

Ashish Rajan: [00:04:04] people wouldn’t listen to this. Should definitely go check out the show as well.

Plus your pretty face?

Francesco Cipollone: [00:04:10] No, actually it’s just on iTunes. So it just,

Ashish Rajan: [00:04:13] all the audio

Francesco Cipollone: [00:04:15] went all you on and that’s it. it’s better for the audio quality and for the fellowship and time. Hence why I pop in and out here.

Ashish Rajan: [00:04:24] Fair enough. Fair enough. So you still have worded the question. How did he get into cyber security?

Francesco Cipollone: [00:04:28] That’s a good question. This is a very good question. So, I’m actually learning to get more into politics, avoiding question, but I’ll fight through yours. I actually need to thank one of my professor, Roberto. Uh that’s directing me to the part of security. So I was half and half about network and infrastructure and security during university.

My major is math and then on the side was, cyber security and I went [00:05:00] really deep in AI. So I was doing machine learning before machine learning was actually cool. And I was scoring exam after exam and I was getting so passionate about data science and sort of thing, a great man and, any kind of thing about data science and.

It was just exciting. And I went into this class that is really their fundamental about cyber security. So the, you know, the very first model that the military has used from the very beginning to actually at least privilege where it comes from, how the saw that help originate from the ministry and you a lot.

That was my first class about cyber cyber as pure cybersecurity or information security, and really got. Excited because I, so that’s what the plane shot, because it was a very theoretical one, but also also, so this can be applied to so many things and has so many ramifications and it [00:06:00] was quite a hard, I did, at the top, top class for that.

And the professor said, you’re really smart kid. Why don’t you see me afterwards? And I’ll give you some visitation topic and. Think about it because I was, I was, you know, called by my machine learning professor because it was the best in the class. There’s a night. Yeah. That block is that, Hey, couple of conversation with my natural professor said, yeah, that professor is really cool.

He’s doing a lot of research. Yeah, I like, I like the idea of doing some research. I should have said that because the dissertation actually took a year.

Ashish Rajan: [00:06:39] Right.

Francesco Cipollone: [00:06:41] So we started doing some research around, cloud before it was clouds or how to apply security in virtual machines without being inside the virtual machine.

So from the host, the hypervisor and trying to scan the two machines with a small agency. And [00:07:00] whenever something was happening, freeze the machine, capture a memory graph and then analyze it off of topic. But the machine is safe. It is more or less similar to container before it was called container security.

And we developed and developed a software around that. And the funny thing is at that time, the hypervisor and the virtual machine were in communicating that well, There was no mechanism. So the best thing I could do is, you know, I’ll put something in the individual memory in the memory, and then I need to have a way to signal.

The Bertram was sharing that something is happening. So we’re just locking the CPU. So you see for your spark a hundred percent and they will mostly through the virtual machine. It was really brutal though. It was like programming in Sienna assembly. And because you didn’t have any mechanism to communicate at that time now, everything, everybody has it easy, but they was back 10 years ago.

That’s why it took like 10 years. And we got a [00:08:00] paper out, because actually somebody develop a software on the back of it. And yeah, that’s how I stuff. And then they start teaching with Microsoft and Cisco, and that’s how I got a lot of consultancy down. Then we sold the company, the trading company back in Italy, and we expanded here in the UK.

Ashish Rajan: [00:08:18] Oh, there you go. And to, I guess to take it a bit further, I guess the first question that I would like to ask is obviously. You had been doing some work in the Google cloud space as well. So it was not asked in dental, Google cloud security for people who don’t know,

Francesco Cipollone: [00:08:36] how,

Ashish Rajan: [00:08:38] where does one start with security and Google flowers?

Same. Some people obviously have background native BS already. Like I, I have background ended up. Yes. Oh. Is there someone like from Melbourne? Are you sorry? I got distracted by the way, for people who are in watching this live, feel free to leave a comment on where you’re joining in from Gord, from someone from Melbourne, a few people from the U S as well.

So it’s really [00:09:00] good to have you guys, if you guys have questions, feel free to drop them in.

Francesco Cipollone: [00:09:04] I can see that comments. Ah,

Ashish Rajan: [00:09:11] yeah, there you go. Perfect. You just zoomed out, man. Just get back and focus. You have some high tech stuff going on over there. I don’t know what you have going on there, but 11 o’clock in the night, he has some really high tech stuff going on over there. So, my first

Francesco Cipollone: [00:09:25] question.

Ashish Rajan: [00:09:27] Oh yeah. Risky is the high tech.

That is right. Yeah. My first question for you is I guess, what does Google, what is cloud security in Google for you like Google cloud? So

Francesco Cipollone: [00:09:37] let’s maybe speak a little bit of a history. So AWS of course was the first one that came about and they effectively, what they did is they took the data center. And whatever they were doing.

And they said how we can save this spare memory in the spare time and how we can sell it to everybody. So they’re really engineering focus. They’re really, you know, that’s the backbone of computing. You can do whatever you [00:10:00] want. They open up every API possible to whatever they want and then came along as you, I think, 2006 was when the first AWS service were born in 2010 is when, as you showed up.

As you’re a little bit different because they started with officers because if vibes or the more SAS solution, they’re more a cloud solution for office emailings and so on, because historically they were a causative enterprise. And then after that came GCP, so GCP started with very or full cloud service.

So that we’ve very, very specific service or compute was actually. One of the lists that was added. So they started offering not complete as such, but what they were really powerful on. So data analytics, machine learning or any kind of argument, but very, very tailor-made in any kind of, if you [00:11:00] want function that they were already using and reselling to the party.

So big query, big data, the whole analytic platform where the first one that actually came about. And then because everybody was asking computes, once you’re in GCP. And, you know, what we offer also compute and fundamentally computable was one of the last that came about, the PPC, the, if you want the virtual machine isolation in the cloud was not, not the very least to be added, but it wasn’t something very, very straightforward.

So back to your question, where do you start in, in GCP as AWS? Plan your networks. It mentioned network divided for blast radius. So saying this is a service, this is a three staff year. I just did they give the number of network and close this thing in plot PPC that is effective with the virtual network, started applying access control rule about the virus there.

Yeah. [00:12:00] Rodin. And that’s pretty the basically you can do

Ashish Rajan: [00:12:02] right. About Google cloud started off the other way, because AWS already has, the competition can, are taken out by compute power and data was kind of like this, but yeah, they haven’t funded it for a long time.

Francesco Cipollone: [00:12:17] Other than data analytics was very powerful.

So they repurpose a lot of analytics things. so they, they offer for example, very simple way to plug in their query and big data. Equality’s effectively their big data platform. Everybody. Leave me with names. The only, the only common names that is across cloud providers is identity and access management and the identity and access manager.

I am. That’s the only thing that is consistent. Anything else this caused you to a different way?

Ashish Rajan: [00:12:49] Oh yeah. I think that’s why I walked with fail. The whole concept of multicloud is, is challenging for a lot of people, right? I think because it’s all just different names as a [00:13:00] security easier. Sorry.

Francesco Cipollone: [00:13:02] It’s different skills as well as different terrible missions.

I mean, terrible mission is still behind them or who doesn’t know that information is effectively, you know, the scripting language that lies behind, you know, spinning up a number of resource. and for example, AWS has its own specific one that is not aligned with our formation cloud formation has effectively a number of servers available before there are formation ketchup, because there are formation is multicloud.

So, yeah, it needs to translate a number of things and it’s still catching up with Terra formation without permission is much more on the front foot.

Ashish Rajan: [00:13:35] Yeah. And I think to your point about, I guess, Terraform and a lot of people actually using Terraform as universal, almost like a universal language across the organization so that they can write once and use multiple in multiple clouds.

But reality is far from it.

Francesco Cipollone: [00:13:51] You have to break once, then trust with, for multiple clouds.

Ashish Rajan: [00:13:59] And then there is what [00:14:00] the expectation is. I guess,

Francesco Cipollone: [00:14:01] in a lot of my clients also Terra formation, somebody is asking is effectively a common language that you can write to a scripting effectively, the resource that you want to spin up. How do you want to link them up and so on? And it’s not specific. So it is what is commonly called infrastructure as code.

Ashish Rajan: [00:14:21] Tara formation. Do you mean Terraform as in territory? Yep. Yep. Right. Okay. That makes sense. Cause I was like hard, kinda like, it’s it’s stands out on its own, but to your point, Terraform is the language that you use to kind of start building up suite. So in terms of Google cloud and the conversation around Google cloud multicloud.

I’m keen to, to start from the very basic in terms of, we spoke about blast radius. We spoke about, I guess some of the basic things and how, so this is like quite different in terms of Google cloud security. Would you just use it for [00:15:00] data or is that, is that the main purpose people use? Cause I think it’s worthwhile finding out what do people use it for?

So from a security perspective, you can look at, okay, so those kinds of projects are what you would feel primarily in Google cloud. So to your point earlier where I only see data analytics projects on Google cloud.

Francesco Cipollone: [00:15:18] No, I actually, so, I actually saw a lot of projects going on, on GCP. Analytics is the prevalence one that they saw around.

but one of my latest clients had a lot of, I don’t know, the computing back. So capital machines and stuff like that. And cattle machine is effective with just machine that you can spin up what function, and kill it. And it’s not the majority of dogs. So I haven’t seen a lot of organization going with GCP.

So. I think here GCP was competing with, the police, for [00:16:00] the license or effective to operate. And in the UK is a little bit particular because anything government wise, they need to have a completely different segment that element. So the three provider were challenging each other. We’re competing with each other.

We’re actually, Get on board first and get them on for it. So some, some, some department goes in towards you. Some department went into AWS and some other NGCP, and they’re using effectively them GCP as a standard whenever, whenever, they decided so compute data and so on and so forth. But as you said, I really saw a lot of projects in, in big queries and analytics.

very few times I saw computes in

Ashish Rajan: [00:16:43] there. Ah, interesting. And I’ve just, I think that’s a question from Neil as well, which is a good one. If you’re embarking on a journey on multicloud, what is a good recommendation for a service to use to run code? If it doesn’t Terraform.

Francesco Cipollone: [00:16:58] My suggestion is [00:17:00] don’t start the journey multicloud.

Ashish Rajan: [00:17:02] Oh

Francesco Cipollone: [00:17:09] no. It’s for another Phantom will be cloud and it may be controversial because of classic airlines, but it, the amount of time I saw any transformation fail on one cloud. You need to really, really be mature to have multicloud. And whenever you consider multicloud, my suggestion tend to be considered service by service.

So a good example is you spend all your services in AWS, but you don’t want to lock down in one system. So what you can do is you spin the data in another cloud provider, so you can spin them up, with a basic number of,, you can repeat the machine in a basic way, but the data is already there.

Because the export of the data is the consideration, the major consideration. And you have to do cloud provider a really cheap in [00:18:00] pumping data in and really expensive in pumping it out because they want to lock you in. And the ratio is almost one to 10. So the cost of company data in versus the company that our 10 why I said,

Ashish Rajan: [00:18:13] wow,

Francesco Cipollone: [00:18:20] On that, on that actually it’s true because GCP before being GCP there, where, at Kubernedes shops or, Microsoft, what Kubernetes microservice, anybody plugging in a different way. Mmm. Let’s call it micro service in general. And for that essay. Yes. If you have a microservice environment where you have chassis or multiple cloud environment and effectively, you almost obstruct the concept of cloud and you have a cloud on your cloud, because effectively you have the microservice environment where you spin up service here and there, and then effectively you just use spare or metal.

Regardless of where it [00:19:00] is, it could be GCP, it could be a Rackspace, it could be your server in your home or your server in your data center. It doesn’t really matter because you have effectively create your own private cloud across cloud provider. As long as you maintain a good connectivity and a group encryption.

And in that way you can orchestrate the microservice and for orchestration is spinning up, spinning down where they spun up and so on regardless. So at that point, you can do really multicloud and some organization organizational doing, but these with a specific car yet that is really expensive. And you can’t, and you don’t use the potential multicloud of club.

I’ll give you a good example. you use Kubernedes you use microservice. Okay. AWS has a security consultant monitor the service. Your servers are almost completely invisible to them because they’re not natively hooked up to that as you’re the same as you security center has a [00:20:00] number of security measure when you do move it.

When you do a container, what you tend to do is effectively firewalls inside the containers too, because left East and West is where you want to focus your attention on Powell in North, North, and South. As you is completely is completely for us. You’re as completely invisible. What you’re doing inside the containers.

GCP is slightly different because they’re natively, at Kubernedes shop. But if you use just compute with a chassis and your Microsoft is on top, then you know, it’s still invisible for them, not on the. And that’s, that’s kind of the trade off we’re using, the microservice environment across multicloud.

And that’s when you really doing multicloud, but you can’t use really the power of multicloud or power of cloud because they’re not, the service are not natively called thin.

Ashish Rajan: [00:20:57] Oh, I get where you’re coming from. The, I [00:21:00] guess the school authority that you’re coming from, it’s more that you need to have some kind of maturity or probably have the caveat or what service I gotta maximize.

The, the value that you can bring to a customer through, I guess, microservices model, where you’re focusing more on the micro services layer at the bottom, shouldn’t really matter whether it’s Google cloud or AWS or whatever, but it’s more about, I guess, the microservice and what it, what it needs to serve in terms of Napier requests coming in.

I guess

Francesco Cipollone: [00:21:28] it really depends on what you want to do. So the majority of. I mean, we’re talking about the scale. So if we look at a scale of maturity, you’re looking at infrastructure as a service and lift and shift. So take your service and put it in the cloud. Really basic, really outweighed, but it’s the first approach to the cloud.

And then you start using cloud native service. Like I dunno, a function as a service or, their log analysis or the service you SNS and SQS or, AWS and so on and so [00:22:00] forth. So you, you’re going from few bare bone metal rented to a more, a ball, cloud solution of concert is where you start using the native service and then all the way to Nirvana when you use eventually some services of microservice, but.

In order to microservice is unless you using it from the very start, that’s an evolution. That’s the end of the journey when you use the cloud and infrastructure on top of the cloud.

Ashish Rajan: [00:22:28] Interesting.

Francesco Cipollone: [00:22:29] Oh, you could use them though. Or you could use them though, or, or as you function or, yeah, I don’t remember the GCP one anyway.

Yeah. Called call this function. Infrastructure as a code platform, as a service infrastructure, as a service personnel, as a service software, as a service, and then functional as a service it’s the van is the least spot where you just run cold somewhere.

Ashish Rajan: [00:22:54] Yep. And, I think that a couple more questions coming in.

So would you say GKE is still a [00:23:00] leader in terms of managed container orchestration? So thanks for the question open.

Francesco Cipollone: [00:23:05] I haven’t poked around, AKA S. Too much, so

Ashish Rajan: [00:23:13] far,

Francesco Cipollone: [00:23:15] sorry. Yes. On Amazon, the Amazon version of GKE. So effectively the container service or the container offering of Amazon

Ashish Rajan: [00:23:26] and they call it ETS.

Francesco Cipollone: [00:23:29] Yeah,

Ashish Rajan: [00:23:32] I know. Right. So if the, so it’s game on from the ETF, which is the address container service, but now the value they have a enterprise, I think the enterprise enterprise humanity service. So anyway, you’re GE versus you had, so you haven’t played around much with EKS?

Francesco Cipollone: [00:23:48] No. but, Gigi is a bit more, played around a little

Ashish Rajan: [00:23:53] bit more.

What are your thoughts on Gigi? Is that from a security perspective?

Francesco Cipollone: [00:23:58]

I guess [00:24:00] in this context,

the orchestration is good. It’s effectively the abstraction of the, yeah. So you effectively delegate it to somebody else to walk up straight and to run your own content service. So you have the image somewhere, you have your stuff somewhere and you can apply some, so men and women, more natively like access control.

So if you look at container service, like bare metal, you deploy a container somewhere, a container orchestration service somewhere, with the hardware I shoot to run the container, you spin your containers and then one.

Ashish Rajan: [00:24:36] Thanks man. I’m losing that touch note. Even I’m losing my touch for anyone who’s listening, elastic, Norfolk E for enterprise.

So it’s Lastic Cuban. It is. ETF. Let’s just go with that service. There you go. Love to community service. Took me a second. My, for my coffee to kick in,

Francesco Cipollone: [00:24:56] when I go, I like [00:25:00] because it was Amazon container

Ashish Rajan: [00:25:02] service. You should have named it fantastical. You should have named it, but

Francesco Cipollone: [00:25:08] isn’t going to be one of the spokesperson for Amazon. So I’m joining Amazon.

Ashish Rajan: [00:25:13] Oh, wait. This is exclusive.

Francesco Cipollone: [00:25:16] Yes,

Ashish Rajan: [00:25:19] where the pretty face is moving to Amazon. Oh, wait. Oh, there’s going to be on all sanction now. So we can only

Francesco Cipollone: [00:25:29] speak freely after this point, then I’m going to wear my head, unfortunately.

Ashish Rajan: [00:25:35] So for people who are listening again, please bash up more Google before he changes the group to AWS.

No, that’s a bad group to be yet. Cause I think, my area is primarily with AWS, so I don’t, I don’t disagree with your approach, but it’s always good to have more people talk about GKE and Google cloud in general. So going back to the topic again, and I think so GKE is great from an [00:26:00] orchestration perspective viewpoint.

I think Carter just came back also saying. That it’s definitely from an SME perspective and multicloud is more of a fortune thousand or 2000, which I kind of agree with and are keen to know your thoughts on this as well. A multicloud is more of an enterprise or multinational global company. They probably have that problem because they obviously have different teams.

It’s not only a problem, but they have different teams which are

Francesco Cipollone: [00:26:27] allowed.

Bigger organization have more people skilled. The multiple cloud providers have different opportunity.

Ashish Rajan: [00:26:39] That’s true.

Francesco Cipollone: [00:26:42] But also if you consider it, anybody that starts natively on the cloud as also the same opportunity. So a lot of startups. So I was discussing, I think with tenants. In a, in a financial forum and who doesn’t.

we have a flourish of FinTech [00:27:00] in the UK and 10 X is one visual credit cards. there is that one, connects, we bald and Monzo. I think they’re, they’re the three major one that drives their FinTech and they called me from the get. And in that environment, they can do whatever they want because they don’t have legacy in a big organization.

What you tend to find is smaller plots on the cloud, but a lot of legacy and a lot of organization that drive for different things.

Ashish Rajan: [00:27:28] Oh yeah. And I think to your point earlier, when we were talking about serverless whole function as a service, a lot of people have. Well, some of the product companies that I know they have gone into serverless and still carry the old weight of legacy running on iffy too.

Or competence senses as well. So it’s almost like a mixed bag. And to your point about maturity earlier from a Google cloud space perspective, where does maturity at a big level look like in terms of someone starting off on Google cloud today? What are the basic [00:28:00] things that they could be doing in terms of it could be upscaling or it could be, if you turn on, say for example, in AWS, you can turn on cloud trail, cloud, watch, things like that.

Is there a similar, almost like a top five things to do and. Google cloud when you’re starting today?

Francesco Cipollone: [00:28:15] I think so from my perspective and with the CC, SK that is effectively, the cloud knowledge is with the classic events. We tried to take that approach at cloud independence. So what are the pillars that we recommend?

And one of the pillar is actually step number one, understand the division of responsibility. So what. Depending on the service, they want to use what you are responsible for in terms of data security and so on and so forth and what the cloud provider is responsible for. And I’ll give you a good example.

if you decide, okay, I’m going to use compute. So I’m going to use effective infrastructure as a code. Hence I’m responsible for the full stack after the physical layer where the physical layer is dedicated [00:29:00] from, is effectively handled all that to, the cloud provider. So I’m delegating the responsibility of the physical layer in terms of security and so on and so forth to a cloud provider.

Anything else is my responsibility. So understand which kind of service do you want to use and to which level, stat number two limited number of service, the list you have, the better you have, the better chance of securing them. You have. And I’ve seen that over and over and over the organizations say, Hey, we go to the cloud, let’s use everything.

And. Your security team is two people and you’re stretched across 400 projects and you die. So is that it’s much better to say, you know, as AWS says organization, so on and so forth, you say, well, we’re going to spin up machine in this region. We’re going to review a service by service. And then we’re going to give you patterns on how to use the service and that effectively step a number four.

In between step number two, that a job then, and for there is the [00:30:00] foundation. So step number three for me is the foundation and is decide effectively which service or you want to use. And for the fundamental one, what security requirements do you want to put so that effectively you can start developing the patterns on how to use the service.

Depending on which service do you want to use. And as very simple example is okay, we want to start using compute. What is the basic stuff, networking, connectivity, and access control. There is some specific requirement for that. you can’t have scores, RDS or IDP function, unique to spin up things in three years with three different network and access control rules across different things.

you want, your environment as segmented as possible because if one element gets compromised, you know, you limit your blast radius. You want to divide, accounts that can manage. Different things or different application as much as you can. So you don’t want one single administrator, the [00:31:00] effecting and manage everything because then your blast radius reduction where the segmentation is completely this, because, you know, what do I attack your servers?

Or do I attack the person who manage all the service? I think that’s such an engineered person. and, and that’s effective step number four, and we can go on and on. And I have,

Ashish Rajan: [00:31:25] yeah, I think to a point I was hoping more in terms of, if you could name a few services that they could be turning on. And to your point, from an architecture perspective, a hundred percent, I guess the step you mentioned probably should be, the first few things we think about, are there any, I guess, specific services that you can call out that people should look at?

Francesco Cipollone: [00:31:46] Such not as such. I mean, the reason then is, so if you take a zero, there is Azure security center that tells you a number of things. GCP is not as mature, so it doesn’t have [00:32:00] native security service. So is really there, you know, you have specific things, but you need to know what you’re effectively enabled.

Don’t worry. I think in shelter, in place, we are all stuck at home feds and dogs and fence, and why

Ashish Rajan: [00:32:21] mine is like a puppy. So he’s just been quite interested in getting involved in the port cuts quite a bit. Now I was thinking that your point about if every security, I guess each service and DCP, you need to know how to sew.

what are some of the, how do you do auditing on Google cloud? Like

Francesco Cipollone: [00:32:38] real question. I actually, I had exactly the answering one of my podcasts because I had ended the day, the head of compliance for GCP in my podcast. So we, we did an hour just on compliance and continuous compliance, but to summarize the discussion that we have, and we had.

so there is something called for setting [00:33:00] that is effectively a rule engine, embedded in GCP where effectively against specify the, conditions and specific rules. So you want to match yes or no, and you can display them so you can, okay. Dual force. Well, we can specify the rules in our four city engine and then, you know, export the data or the result effective we’ll paste in big queries, and then displayed, with a query with a dashboard, with whatever to see are my machine compliant or not.

And a good example of that is, am I machine built on the latest image or am I machine have my machine being rebuilt in the last. I been off seven days and things like that. So you can bride effectively your specific role.

Ashish Rajan: [00:33:47] Interesting thing to point about. It’s the rule engine. where does a mature, cause I guess one of the questions people ask always for doing security in cloud is the fact that you can scale.

[00:34:00] So as your microservices scale or as your infrastructure scales in cloud, you’re able to scale your security, whether through automation and through, I guess, integrating security as it’s developed, is that a challenge in Google at the moment? And I’m just going off Dublin’s comment as well, basically mentioned that.

or AWS did well with organization based firewalls and GCP diligent beater, and Kartik has got a point on the FedRAMP approval as well as to why people call multicloud. So I’m thinking multicloud and very limited feature set in Google cloud probably doesn’t come across as a very, security friendly, or a security forthcoming, like, cause I’m just getting a bit nervous about this.

You need to give me some comfort, man.

Francesco Cipollone: [00:34:47] I can just close me at the night, kind of greet me at the night and, because, we represent them all. And, so I don’t want to barge, I don’t want to budge any [00:35:00] cloud cloud environment, but I came is GCP is the one that joined the race. The last, so EWS NSU are really the one that are challenging each other.

And. If you want creating service by default, insecurity is a big part of both of them. So AWS has a lot of heat for their three buckets open by default. as you had a lot of heat because effectively the, rules for, role based access control. So effectively, how you do they get service here and there we’re not bright enough for an AWS were extremely runner.

GCP is still catching up. So you still have access control rules from an API where you had a service similar to Twitter. Yes. Where you effectively say this particular key can access decision desk. That is fundamentally very, very similar, but you don’t have a security service as such like this as, [00:36:00] as your security center or the log monitoring.

He doesn’t have a lot of those components by default. They’re incidental. The configuration item that. Ideally is how it should be, but they’re not called security guests.

Ashish Rajan: [00:36:13] Right. Okay. So I kind of have to figure out a way how I write. So if I’m starting today, is there some in Google cloud? And I’m thinking for security architects or by listening into this and yeah,

That one just came out, came back on forth for SETI, said it’s an open source as well. So opportunities like this to contribute directly as well as just an interesting thing, because a lot of services on AWS are opensource, but you can’t like, I mean, they have that AWS umbrella on it, but some sounds like.

[00:37:00] Francesco Cipollone: [00:37:02] Google is a little bit different. Google is a little bit different because I mean, if you look at what they did with Kubernetes, if you do, if you look at what we get with, the, the con, well, the container service per se is a lot of open source stuff. So they encourage really community to contribute.

Ashish Rajan: [00:37:20] Oh, right. So, and to your point, does that make, Oh, thanks, Amanda. Great efforts. great effort on, sorry, I’m trying to answer this. the

Francesco Cipollone: [00:37:36] I think for the canteen streaming

Ashish Rajan: [00:37:43] offline, I’ll let everyone know what you said offline. I think it’s, it’s, it’s really interesting. And I’m just going to do time as well for you because it’s really. I find a lot of security. People are still a bit unsure and [00:38:00] party for rightly so, but there’s opportunity to improve in Google cloud.

And whether you want to go with it as it improves is probably a decision that people should consider. w would that be right in assuming that okay, because. You have a team which is working on Google cloud at the moment. And there might be a lot of services that may be in beta or may not be as mature as AWS.

We probably should be giving it a bit more closer lens or a bit more, I guess zoom into it a bit more. If would you say at least that’s a good recommendation for security architects listening in

Francesco Cipollone: [00:38:37] for security architect is use the least amount of service that you can. Because then you can interpret how to use it.

And that’s why I was stressing a lot on patterns, develop the person on how to use the service and how to change them up, like compute storage and networking and access control and so on. They can be a single pattern to [00:39:00] specify. This is how to use it. And then you can also develop, Tara formation template on the back of it saying, this is the ideal way to configure.

And then you find tweak it, fine, tune it and tweak it. Oh, if you want to look at one service in GCP, that is what you’re trying to push me to say, look, the four safety rules and continuous compliance. So how can you break some rules, one them against your environment, brights. So one, one really easy set of rules that you can implement the SIS.

so center for internet security, they develop a number of controls and sets, for, well, GCP as you AWS, but you can embed those role inside for city engineer. You can say, you know, what is my environment compliance for CIS and CS is a well known standard. So it’s from a compliance perspective, you go well along and from a security compliance you get [00:40:00] get it’s a right.

Interesting. does a goodAshish Rajan: [00:40:05] point, but I just saw the question from Darwin again, which is, do you consider cloud armor as one of the GCPS native security service?

Francesco Cipollone: [00:40:15] Which one? Sorry.

Ashish Rajan: [00:40:17] Cloud armor is in the comments and you may want to, link to it, I guess, unless cloud armor is like a windows. Oh, sorry. I don’t remember what chart on, where it’s cloud Henri is a SAS provider.

Francesco Cipollone: [00:40:33] Good. Shout out

Ashish Rajan: [00:40:35] a product. I came across, they do cloud security Porsche. If this was by the way, this was a great way for them to have a shout out on a show without have for like, what is cloud armor? I haven’t heard of the service in AWS or GCP or like, Oh, it’s a, it’s a, it’s a vendor. Great shout out from Brenda.

Francesco Cipollone: [00:40:55] But if you want, if you want. a very independent [00:41:00] one, Hashi Corp Perez reveals of recent, a number of, Tara formation template with the posture and patterns from a security perspective. fortunately, and unfortunately they’re operating in the us. So you can have that a number of patterns and thinking or who develop a lot of them and you headed in your show.

Ashish Rajan: [00:41:23] Yup. Yup.

Francesco Cipollone: [00:41:25] And, Coming from Netflix. I know

Ashish Rajan: [00:41:32] I’m pretty sure, but that’s what I’m like. I’m just trying to be quiet. Y’all making me pay things. Now.

Francesco Cipollone: [00:41:39] I know the industry. I know everybody in this industry.

Ashish Rajan: [00:41:44] Wait, is this actually something in Google cloud?

Francesco Cipollone: [00:41:47] I will definitely look at it.

Ashish Rajan: [00:41:52] Where you think you were confusing and something else, but I think I need to bring that up on, in that you’re going to hear from you, man. That sounds [00:42:00] like you’re doing it.

Francesco Cipollone: [00:42:01] That’s a challenging thing that a lot of things are copping out struggling. So that’s why I’ve developed podcasting because I can tell from the cuff provider itself, but he’s still doing this danger release and a lot of them, they don’t know because it’s so, it’s so quick.

Ashish Rajan: [00:42:18] Oh, and I think the comment from Justin as well about Microsoft is the number one contributor to open source in the world. So plenty of opportunity to contribute Azure tooling and services,

Francesco Cipollone: [00:42:29] they can afford get hub. And now they’re developing lab on the back of GitHub. So they took a definite step approach, a definitely strong approach on open source and, the sense, pharma, Let’s say they changed completely the change completely perspective on open source and all that stuff.

So, yes, it’s true. and they’re doing a lot of stuff around open source and opening up at the state [00:43:00] closed source, a lot of stuff they doing, but they opening up.

Well, it’s, it always is, interestingAshish Rajan: [00:43:08] to consider talking about Google cloud and all the questions coming in, but we are coming close to our time.

I do. And I do want you to go to sleep, not at midnight, but

Francesco Cipollone: [00:43:17] in streaming. So yeah.

Ashish Rajan: [00:43:21] I, I do want to give you back your weekend as well, by the way, it’s a long weekend for people in Australia or at least in Victoria, new South Wales. So I’m gonna try and do something with that. So I’m gonna switch over to a bit more fun questions now, and I know we have kind of gone through this, but I wonder if the answer has changed.

the first question that I have for you is what do you spend most time on when you’re not working on cloud or technology? And I’m going to add with scheme because clearly you need to control your whiskey, man,

Francesco Cipollone: [00:43:51] I collect. And if, if, if you, if you taking Twitter just recently, cause I spent probably a day [00:44:00] cleaning all my whiskey and then sorting them out and then not just the capital that quite as long.

Oh, so clean the collection. So Y I run a lot, tennis biking, a lot of outdoor activities and sometime gaming or researching, but the main key thing is with a podcast going with the cloud secure lights that don’t have a lot of free time.

Ashish Rajan: [00:44:26] I can imagine, man, and for people who haven’t checked out, cloud security Alliance and you’re in the cloud security expert, they should probably check our cloud security Alliance.

the next question, what is something that you’re proud of, but not on your social media?

Francesco Cipollone: [00:44:39] My social media is really locked down. and I had this policy seems a lot. A long time ago. And I had a girlfriend that actually was on tick-tock a lot. And she kept on teasing me where we need to do take top staff and so on.

And I kept on saying, I [00:45:00] absolutely disagree. First of all, whenever I take talk is doing is yeah, whatever. And I don’t want my face to be associate. So whatever is. Joseph’s aside whenever I’m live. I know that whatever is on the internet is completely public. So I’m really, really careful about whatever I post, Instagram and such.

So most of the stuff you see is most of the stuff that I do. So running, cooking, I do all of the cooking, especially shelter in place. So one of my Instagram has that stuff, condense it, cooking and whiskey.

Ashish Rajan: [00:45:38] That is really interesting. And I, maybe we’ll have a conversation with tick-tock later.

Cause, cause I do men’s fashion on Instagram and my wife and I do comedy videos on tick-tock. So we want to have found our, I guess, outlet with those two point about there’s a specific purpose for those social media platforms. but definitely it’s it’s so yeah, for me, it’s [00:46:00] like men’s fashion and, I guess making comedy reduces my wife and I’m getting bored during


Francesco Cipollone: [00:46:06] I, I wasn’t born in grown on teeth dog. So for me, it’s, it’s something new and

Ashish Rajan: [00:46:15] I’m already done. I don’t know what he talking

Francesco Cipollone: [00:46:17] about. You all much younger than me. So

Ashish Rajan: [00:46:20] I’m looking at, I’ve got white beard now. Like I think it was like, stop calling me a young kid, man.

Francesco Cipollone: [00:46:27] I’ll pause, pause, because actually you weren’t fearless.

Ashish Rajan: [00:46:31] I know I’ve got older. This is the, for people that don’t know, this is the quarantine beard. So as long as you’re in quarantine, I’m going to keep growing the beard. That’s my, that’s my, I guess promise to myself, I guess. Well, so you see me clean shaven again, once a corporate period is over, but for the moment yeah, you look well, you’re a good looking, a European cybersecurity person as well, man.

Final question. What’s your favorite cause or restaurant that you [00:47:00] can share?

Francesco Cipollone: [00:47:01] I fight between Korean and Thai.

Ashish Rajan: [00:47:08] Hi.

Francesco Cipollone: [00:47:09] Yes, those are my tool.

Ashish Rajan: [00:47:13] No, they’re

Francesco Cipollone: [00:47:13] super hard. They’re super hard. So I buy, I buy Korea, especially Korea. I mean, to set up a Korean barbecue is so long. And Rian is not the healthiest thing that you can eat.

Thai half and house

Ashish Rajan: [00:47:31] 20. Why do you need a body worn health right now? You’re like 20 years old. Right? So the Google, like you had middle of the night. I’m just curious at 11 o’clock in the night and wake up at 5:00 AM again, like no hanging over that. Isn’t that what twenties is all about.

Francesco Cipollone: [00:47:48] Yeah. And also eating clean and lean and, but jokes aside what it was trying to do for a little while, I was trying to give away meat and I love meat a [00:48:00] lot.

So I was trying to, you know, do a service for the environment if you want and trying to do Palm basting. And it went back on me

crying the, a bit, butAshish Rajan: [00:48:12] without digressing too much, I’ve been trying, vegetarian lunches for a few months, definitely helping out. So I’m not completely off meat yet, but I’ll start

Francesco Cipollone: [00:48:23] doing the impossible meat.

Ashish Rajan: [00:48:26] No, I could not make myself. I’m like, if I want to eat meat, I’ll just leave the real, the real deal.

Francesco Cipollone: [00:48:34] I mean, there is three or four variants. One is all full. one is okay. One is really good. So

Ashish Rajan: [00:48:43] maybe we should leave a comment on like, what’s a good one. So people who are listening and can check

Francesco Cipollone: [00:48:46] out the, I didn’t ask

Ashish Rajan: [00:48:54] you though, man. I think thanks so much for coming in. Thanks so much for taking a time out as well, and really happy that you’re [00:49:00] moving on to AWS as well. So, I’m sure. Next time round, when you come down to the show, you can have your AWS hat on is for the Google cloud hat on. And

Francesco Cipollone: [00:49:11] I’m going to be, I’m going to be really quiet about a lot of stuff.


Ashish Rajan: [00:49:18] I’m going to get censored Francesco. Now from this point onwards.

Francesco Cipollone: [00:49:22] PR.

Ashish Rajan: [00:49:24] Yeah, that’s fine. That’s fine. But thanks for once again, really appreciate that. And, for people who want to reach out to you, we can reach out to you. What are your social Smith to reach out to you?

Francesco Cipollone: [00:49:35] mainly I’m big on LinkedIn. I have all sorts of my name and my surname on, on LinkedIn.

or, Frank sec, Now this one

is it’s opposite view. So Frank said 42 on Twitter, or you can just search for the [00:50:00] cybersecurity and cloud podcast on iTunes and Spotify or www dot dot co dot. UK is my main website. Blog is in there. So a lot of stuff about actually called security. Especially on the pattern. So how do you evolve from zero to hero?

So I just published recently, at least have three article where you start from infrastructure as a service, all the way to function as a service. So how do you evolve your organization and what security controls to put up which stage? And it’s like 9,000 words. So it’s like almost a book or you can go on the cloud security Alliance.

That there as well, or YouTube, you can browse my name and you can find the podcast, the previous episodes or money at public engagement. specifically the last one where I actually give the top eight suggestion on how do you start on the cloud? We just discussed the [00:51:00] first stop for there is much more.

Ashish Rajan: [00:51:02] Sounds good. Good. Thanks so much for sharing that. And I’ll put that on the social

Yeah, it is. And, thanks again. I really appreciate that. I’ll let you get back to sleep, so thanks. Thanks again for your time, man.

Francesco Cipollone: [00:51:17] Have a great one and stay safe.

Ashish Rajan: [00:51:19] Thank you. You too, Ben.

Francesco Cipollone: [00:51:21] Thank you.

More Videos