HOW TO DO GOOGLE CLOUD SECURITY? – THE 2020 EDITION


Episode Description

What We Discuss with Darpan Shah:

  • What makes you like Google Cloud over AWS? Vice versa?
  • Where does Kubernetes/Containers fit into maturity stages of Google Cloud?
  • Is multi-cloud in the same organisation a reality?
  • What does security in Google Cloud look like compared to AWS? – Basic security 101s differences, Auditing, threat management, EC2 vs project security examples
  • How is security managed and operationalised across multi-cloud AWS & GCP?
  • Where can one start today with security on Google Cloud, if they already are on AWS?
  • Security controls across EC2 vs serverless vs containers in a multi-cloud world
  • Maintaining visibility of assets and secure configurations in a multi-cloud environment?
  • And much more…

THANKS, Darpan Shah!

If you enjoyed this session with Darpan Shah, let him know by clicking on the link below and sending him a quick shout out on Twitter:



And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at [email protected].


Ashish Rajan: [00:00:00] Welcome. First of all, happy 4th of July.

Darpan Shah: [00:00:02] Thank you for having me.

Ashish Rajan: [00:00:04] First of all, it is a tradition, and let me just make this better, so it’s not just our zoomed-in faces. How about that? That looks much better, right?

Darpan Shah: [00:00:11] Looks better. Yeah.

Ashish Rajan: [00:00:13] Perfect. All right. First of all, cheers. Happy 4th of July. Yup.

Yup. Your coffee is bigger than mine, but yeah. Welcome to the show, Darpan, and I’m going to start off with the obvious one for people who don’t know Darpan. Who is Darpan? And, well, can you tell a little about yourself to the audience who haven’t heard from you before?

Darpan Shah: [00:00:34] Sure. So, I would describe myself in one word as a hacker, and not in the sense of someone in security who hacks into systems, but hacker in the sense that I can figure out things and I can work with any technology or tool that you give me.

So I like working on different things, different mediums, tools, technologies, and I like to tinker, like without the manual, without the user guide, let’s see how to get [00:01:00] started. What can I do with it? Just play around and fumble with it. So that’s the kind of thing I like: being handed things and just making something productive, or ideally just making it work.

Ashish Rajan: [00:01:13] Wow, dude, you definitely sound like the kind of person we should be talking to over here, because I feel like cloud has been a lot of hacking as well, by AWS and Google. So I’m glad you’re here to demystify how a lot of people hack that, or how they have hacked this. So, what was your path into cyber security?

Darpan Shah: [00:01:33] Sure. So in fact, my path to security was kind of from that hacking outset, as I said, like a hacker. So when I was doing my degree in computer science, I attended a lot of hackathons where I would go for like 12 hours, 24 hours, or full weekends, go there and make something out of any technologies. You know, a lot of companies would be there.

Like, they’ll have the API, they will have the platforms, they will have some credits [00:02:00] and such, and we just use it and try to make some product out of it. And that’s what I liked about it. From those I kind of realized a lot of things are not secure enough, like when you open it up to the public, pardon me, as a public API.

Like an unauthenticated API, and just, what is weird that people do with it, and what can they do with it? So that’s what got me, at some point, into the field of security, but at the same time specifically cloud, because wherever I would go and do hackathons or make something, one thing was common.

It was like some kind of cloud involved, whether it was AWS, Azure, or Google Cloud. Right. And the reason that I was involved was because of the multiple services and multiple resources they have available, what you can do on a single platform. So that got me more into cloud. And then I found an internship at the Washington Post, where I was hands-on in an InfoSec role, combined my development and coding skills with security, all that together.

And I liked that it was, you know, different challenges. Like in security, we get new challenges every day. You [00:03:00] have new hacks and attacks, and attack vectors. So that’s what motivated me and brought me to security. And then eventually I found my two, say, cloud and security, and a combination of both.

And that’s where I’m right now in cloud security.

Ashish Rajan: [00:03:15] Wow. Very interesting. And it’s really amazing that you came from a development background, like a security development background as well, because a lot of the hackers that I meet, they tend to be more from the sysadmin or network security background.

And then they pick up programming as they do more pen testing, or as they go deeper. So, really interesting experience that you have. It’s really interesting how you mentioned APIs, which is very relevant for the cloud space as well. What does cloud security mean for you?

Darpan Shah: [00:03:46] So when I see cloud and security together, I see it more as opportunities to, you know, create different segmentation or layers, or get more granularity in securing different layers of my tech stack, [00:04:00] whether it’s my physical servers or networks and such. So it’s more intense.

You know, protecting it and putting controls in place, preventing someone else from accessing it, while at the same time it opens the gates for, you know, malicious users, attackers and hackers. I’ve seen the constant back and forth, but then it’s a similar set of policies and rules we do on premises, but at a wider, broader level on cloud.

So that’s what I consider the cloud security picture.

Ashish Rajan: [00:04:28] Awesome. Awesome. And I definitely want to get into the crux of some of your cloud experience, and just want to quickly say hello to Paul and Dr. Abdullah. Thanks for joining in, guys. Darpan and I are definitely looking forward to answering questions as well as they come through.

Now, the first question, and I’ve been dying to ask you this: how is security different in Google Cloud versus AWS? Like, I mean, you don’t have to go into too much detail if you don’t want to. But I think even from a basic perspective, how different is [00:05:00] it?

Darpan Shah: [00:05:01] I would say it’s not much different.

The underlying concept remains the same, but how you implement that, that’s what changes. So there is a main crux or main concept with IAM, access management. Those are not the same across the platforms, but how you implement it and how you connect it to other services, that’s where the difference is being made.

And at a deeper layer of the stack, I would say, now the full perimeter of your physical server or a VM and such, and then you have your application on top of that, and then you have containers, and then you go and do functions as a service, whether it’s Lambda or equivalent functions. Each of those layers’ security differs.

The security implementation differs; the underlying crux or the concept remains the same across both platforms. I would say, across any platform, the main thing is, you know, getting IAM right and getting the visibility right, and getting your logs correctly. And then you are pretty much the king if you [00:06:00] figure those out properly.

Ashish Rajan: [00:06:01] Yep. That’s a great point. And it kind of shows you the value of the basics of cloud cyber security as well, because irrespective of the platform, the parameters might differ, but as long as the basics are covered, irrespective of whatever comes next after public cloud, you should still be able to go, “Oh yeah, I can apply this.”

Or, I can understand this, I don’t really have to figure this out from scratch or something. Right. I really appreciate that as well. So if we go a layer deeper, right? Because I think we would have people like, for example, myself. I think I’ve been working in the AWS space for almost six, seven years now, dabbled in Azure, a bit of Google Cloud security architecture, but

I feel like I don’t know anything about Google Cloud. It just feels like I am trying to learn a car manual, I guess, every time I open up Google Cloud. And honestly, it’s funny, maybe because I haven’t spent enough time on it [00:07:00] to go beyond the security layers of it, but it seems like you’ve gone through the technical layer as well.

What are the basic security things that you recommend for people in Google Cloud that they should have? Like, let me extend that a bit. For me, with the examples of AWS, I should know CloudTrail, CloudWatch and all that. I’m sure I’m preaching to the choir here. Keen to know your thoughts on what’s the equivalent in the Google Cloud space.

Darpan Shah: [00:07:26] Sure. So, yeah, like you mentioned the points, like CloudTrail, how it logs and such. If you’re doing AWS and Google, the good news is none of those things are turned on by default. You don’t have to go and do those manually. So that’s one of the reasons I feel like, sometimes, we win in Google Cloud.

Because you have this logging and monitoring integrated, when you start using the service, it automatically turns on logging for you. And I’m telling you, it logs all the APIs, all the access, authentication, authorization, all that stuff. So at the basic level, like, you know, if someone like you or someone new is getting started within Google [00:08:00] Cloud, the basic thing they need to understand is the network differs compared to AWS, in terms that, yeah, the network, clearly, Google is a global network.

So when you create a new VPC, you’re pretty much creating it for all regions across the globe, compared to AWS, which is very clearly regional. And as a result, the basic underlying crux, we have the concept of the firewall, or security groups in AWS. So in AWS, those are bound to the VPC and bound to the subnet, but in contrast, in Google they’re bound to the whole VPC network.

So when you create those VPCs right, and you create those firewall rules right, you can apply that to anything within that network. But to get started, I would say, set things up correctly with IAM. So, like, who you might be giving access to, so that they get the necessary permissions.

So set those rights, and then set your network boundaries and all the permissions correctly, and you’re off to a good start.

Ashish Rajan: [00:09:00] Interesting. So it has the same concept of the VPC. What’s the equivalent of a VPC in Google Cloud?

Darpan Shah: [00:09:05] It’s called VPC. It’s like the underlying network, but then within the network you have the VPCs, the same terminology.

Ashish Rajan: [00:09:11] Right? Okay. Because I’m like, oh my God, super confusing. Oh, there you go. I think Paul just mentioned GCP firewall tags, a little win here.

Darpan Shah: [00:09:18] Exactly. Yeah. Right. So you can, yeah, tags. Yeah. So it’s just like labels,

Ashish Rajan: [00:09:25] but they are, right. Right. So it’s the same tagging as AWS, but I guess GCP firewall, I imagine,

is it the AWS security groups equivalent?

Darpan Shah: [00:09:35] Yes. But also, the smart thing in Google is, when you create the firewall, you can pretty much tell it, like, where this firewall rule should apply to. So, any of your tags: say you have instances tagged with “cloud one”, or maybe a bad example, I’ll say “ashish one” on my Compute Engine, and my firewall.

I just say this firewall should [00:10:00] apply to anything that matches the tag, which is like “cloud” or “ashish”, and it’ll go and apply to those instances and servers within that.

Ashish Rajan: [00:10:09] Okay. Sorry, a quick pause there for a second, because Paul McCarthy is our local American Aussie, so happy 4th of July to you as well.

Paul, if you’re watching this, yeah, he’s a local American, definitely happy 4th of July for him as well. That’s why he’s awake so early as well. It’s a really interesting one, because the more I talk about this, it’s really interesting to see the difference between AWS and Google Cloud. It seems like there are some things which are on by default

in Google Cloud. However, in AWS, it seems you kind of have to, maybe because AWS came first and they were still learning to figure it out themselves. What other things are there which are on by default and are security things?

Darpan Shah: [00:10:53] So one thing on by default is the logging. So it’s centralized for you.

Ashish Rajan: [00:10:59] How’s that? Logging is centralized already? Like, as in, I don’t have to do a CloudWatch aggregation in one of the accounts?

Darpan Shah: [00:11:07] You don’t. How you do that is higher in an organization. If you want to do it, it’s all the logs to a single place, like other projects or your SIEM, like Splunk or something. You can do it.

You have that option. But originally it’s turned on. So GCP had Stackdriver logging and monitoring, which also used to support AWS. But now GCP has moved on, like changed the terminology and gotten rid of the Stackdriver name, and it’s just Logging and Monitoring. But then your logging,

when you go to Logging, you can see all your resources. So you can see your Compute Engine logs, all those security center logs, or authentication, like IAM logs, all those in one single place. So that is turned on by default. The other thing Google actually launched, at Google Next last year,

and I personally like it, and it’s one of the big things I like in Google compared to AWS, is the [00:12:00] policy intelligence that they have. So, you know, when you create IAM permissions and roles, you don’t know what you want to give a user except permissions. So Google has figured that out. They give you recommendations on what you should turn on and what you should turn off for certain users, and they do it based on their machine learning capabilities.

Pretty much. It comes with the recommendations. So that’s one thing that’s on by default as well, the recommendations.

Ashish Rajan: [00:12:26] Well, it sounds like a lot of the cloud security engineers may not have a job in Google Cloud. So I guess they’ll hate that. Not all cloud engineers, but I think some of the ones that I’ve spoken to, some of the responsibilities incurred are like defining IAM permissions for AWS, because it can get so complex that the security team has to take over that.

IAM permissions. You would think it should be something that anyone can do, but it can get quite complex quite quickly. So it’s amazing that they figured that out.

Darpan Shah: [00:12:56] Right. And I think it’s all thanks to their machine learning capabilities [00:13:00] that they have gained over years and years of expertise and experience there.

Ashish Rajan: [00:13:05] That’s awesome. And so, anything else? What about threat management? AWS, I was going to say, has a few components. Now they have Macie, machine learning for, I guess, data leakage and sensitive data. Is there an equivalent in Google?

Darpan Shah: [00:13:24] Yes, they do. It’s all overlying, or I would say it’s all part of one central thing called Cloud Security Command Center.

Okay. So you have to go and enable those separate components that you want. So it’s not on by default. You have to enable those APIs.

Ashish Rajan: [00:13:43] Everything else is on by default, but not this one? Why not? I’m just kidding, random, but it’s a good thing to have there though. Sorry, you were going into it. I digress.

Darpan Shah: [00:13:51] Yep. So a lot of those things are like a security feature, in fact, so that not anyone, like any developer, can just go in and try out BigQuery or any of the APIs directly.

[00:14:00] You have to enable them specifically when you start a project, and then you start using them. And threat detection, in fact, you mentioned AWS has GuardDuty, and Google Cloud has similar, but it’s part of the Security Command Center, and it’s still in beta that they have there.

It’s not fully GA.

Ashish Rajan: [00:14:19] Yeah. So what’s the difference between, say, AWS Security Hub and the Security Command Center in Google Cloud? I mean, it has been fully functional in Google Cloud versus AWS, which is still in beta. Apart from that, is there any difference?

Darpan Shah: [00:14:35] So Security Hub in AWS is more kind of an aggregator of different sources that you have.

Like you have different ones, like AWS Config, SSM, and it gets all those findings for you in a single pane of glass.

Ashish Rajan: [00:14:49] That’s right.

Darpan Shah: [00:14:50] Security Command Center within Google, that itself has the functionalities like threat detection, I guess, container detection, it has DLP; all [00:15:00] those are part of the Command Center that you can enable.

So it’s not only the aggregator, it’s also the enabler for that. So that’s the main, one of the major differences for the single pane of glass.

Ashish Rajan: [00:15:10] Oh, right. Interesting. What about, because there’s the transition between, say, projects versus, so Google has projects and AWS has, I guess, you create whatever you want.

If you do server or whatever. Right. And in terms of the way it’s differentiated between the two for threat management, is there an endpoint security component as well, or is it not relevant in Google Cloud?

Darpan Shah: [00:15:38] So it’s not as much relevant, but they do have similar concepts to what you will find in AWS for endpoints there. They have the Web Security Scanner, which pretty much goes in and scans

your web applications, whether your servers are running on Compute Engine instances or any of your App Engine instances. Similarly, it will go and scan those and [00:16:00] alert on the vulnerabilities that it found. You just give it an endpoint, like a URL, your GCP endpoint, and it will go and scan it and tell you what the vulnerabilities are for that.

Like cross-site scripting, SQL injection, and what other things it can scan and exploit; it will go and tell you that. So Google has a robust capability, I would say, similar to what AWS has in terms of Inspector. Inspector is more for the virtual machines and instances, and goes and scans their OS there.

Ashish Rajan: [00:16:31] Correct. Interesting. We’ve got a question from Dr. Abdullah as well. What are the vulnerabilities of cloud computing at the runtime memory level, in terms of confidentiality and integrity manipulation? It’s an interesting question.

Darpan Shah: [00:16:45] Yeah, this is a very important question. It sounds like it’s the runtime memory level.

So, a lot of the runtime level is how you encrypt it. So encrypted storage, okay, while instances are running, as well as how [00:17:00] you’re communicating within your application, from your storage or your compute layer to serving the end user. So a lot of things rely on encryption, like how you’re encrypting it, but also for the whole system,

are you alerted on what exists, with something like GuardDuty or the security scanner, like Command Center? How do you get them, or how do you address them? And AWS also has Trusted Advisor to do that. It will tell you, hey, this is how you should do it, or open ports.

Something runs this way, it can go and access this specific instance, or those specific storage buckets, do you want to allow them to do it? So the recent service AWS introduced for that was Amazon Detective. It can pretty much show you all the paths where certain things are going and who’s accessing it.

It’s on a single pane, or like on one single dashboard, right?

Ashish Rajan: [00:17:53] Oh, is that still in beta? It’s not GA yet?

Darpan Shah: [00:17:58] Not GA yet. It was introduced [00:18:00] about, it’s been six months. Oh,

Ashish Rajan: [00:18:06] yeah. And I guess, your point about mitigation, because I think Dr. Abdullah has followed up with another one: and how would you mitigate them?

It’s more, the alerts you get from the system, you would be able to, I guess, triage and work on. Is that the answer? Like, how would you mitigate them?

Darpan Shah: [00:18:21] So that, as well as when you do the encryption, you only give specific users or specific services access to it. So, and another point, or good thing, of Google Cloud is, I guess, it’s comparable, service accounts.

Where you can actually create those access keys, as a private key and ID, for your services on premises, as well as your other Google Cloud services, such as Cloud Functions or your storage as well. When they want to go and talk to your compute layer or go and talk to other services, they have to go through their own private key and ID.

They also communicate through that. So that way, the confidentiality, well, the main thing in that is the end-to-end traffic is [00:19:00] encrypted. And sometimes you don’t have visibility, or keys to let you see and decrypt it, depending on how you manage or how you create those keys: you manage your own keys using something like Secret Manager or KMS, or you let Google do the magic for it.

So those are some ways you can mitigate those confidentiality issues.

Ashish Rajan: [00:19:21] Interesting. And, with the, I guess, another layer to the runtime memory is the whole concept there. You know how, I guess, your point is EBS volumes, which is long-term storage that you attach to a server, but then there’s this random-access, I guess, like there’s this memory that is used for... can you get access to that in Google Cloud?

Darpan Shah: [00:19:41] I don’t think so. I think someone, if I remember correctly, someone did find that vulnerability or found the issue where they could kind of go to Cloud Shell and, for instance, they could actually take metadata and such. And, don’t quote me on it, but I think this happened, like, [00:20:00] totally.

You’re like, I cannot guarantee that it happened, but I think that

Ashish Rajan: [00:20:05] Interesting. I think, to your point about, I guess, getting shell access, it definitely brings me to another point about the whole model of bastion access into AWS. What’s the access to? Because I know that, in layman’s terms, the way I imagine AWS infrastructure is more like, oh, okay, I’ve got an API endpoint.

What’s the equivalent on the Google Cloud side? Like, what am I accessing? Am I accessing a server, or am I accessing, is it only serverless?

Darpan Shah: [00:20:41] So you have options to do both. So, like, if it’s serverless, you won’t have access to actually go and access the server, because there’s no server involved.

Or if there is one, you know, you don’t see it. But when you are doing just a regular instance, a Compute Engine instance, you have the option to do SSH, [00:21:00] and you can go directly from the console, which Google started doing. And then AWS followed their mark with Systems Manager, as well as Instance Connect.

So even with AWS, technically you don’t need the bastion anymore. You can control who has access to the instances based on the IP conditions within your IAM itself. So you can put IP conditions, as well as the permissions for who can use Instance Connect, to connect to your instances directly from the console, without needing to remember keys on your computer for that server.

They can apply updates and patches through SSM directly.

Ashish Rajan: [00:21:37] Oh, interesting. Because I was going to say I’ve known of the SSM method. A lot of people have gone away from the bastion model to start using SSM. Instance Connect, I wasn’t aware it was that well known. It’s interesting, and that they’ve learned it from Google, which is pretty interesting.

So, to your point, there’s almost like an audit as well, because that used to be a challenge for me back in the day when the bastion was there. I mean, sometimes it was hard [00:22:00] to know if it was Darpan or if it was Ashish who’s accessing it, because people would be sharing SSH keys, and you’re like, yeah, who is this?

And if you have a bigger team across an enterprise, that becomes even more of a needle-in-a-haystack kind of situation. So that’s pretty interesting that they’ve gone down that route, where you’re able to audit as well who’s accessing. But the last thing, obviously it seems like you’ve seen different maturity levels on both AWS and Google.

How do you, I guess, because Kubernetes is there on both AWS as well as Google Cloud, and it is a Google technology. And so, I guess, as people are moving more towards containers, is the cost efficiency changing for security, in terms of what’s better? And what stands out for you?

So have you been working with Fargate, or more with Kubernetes, or I guess EKS or Kubernetes? [00:23:00] What’s your preference? Do you have a stand on that?

Darpan Shah: [00:23:03] Sure. Very good question. So yeah, in fact, when I started working with Kubernetes, it was hosted Kubernetes on top of . Like having my own implementation of Kubernetes orchestration.

Yeah, because EKS was not an actual thing until like two years ago, until, I think, mid-2018 or so. I remember precisely, I was working on a specific project and, yeah, implementing it on Docker containers and managing it, using Docker Hub and Docker editions and such for that.

And then EKS was in beta at that time, so it’s not production-ready. And then it became GA and then we tried to move to it. And then last year, I think 2019, the capability came for, not just EC2, but also Fargate on it. So I would say I personally have played around with the workload on both Fargate as well as EC2, because I think one just gives you more control.

For example, in [00:24:00] EC2, I can see my instances and maybe do some kind of scanning if I want to, on top of what AWS does for me and such; if we get that requirement, we’re able to do it. In Fargate, we don’t necessarily get full control over it, and it’s kind of like a managed service on AWS.

So yeah, I’ve seen both kinds of deployments and worked on them.

Ashish Rajan: [00:24:23] And what’s the equivalent on the Google Cloud side then?

Darpan Shah: [00:24:27] So Google Cloud has GKE. I think this started with Kubernetes, as you mentioned, it’s something that they own themselves. So GKE was very much their own implementation, and now they came up with Anthos as well.

So Anthos on GKE is pretty much that, but allows you to bring in different platforms and different applications, convert them and modernize them using Kubernetes. So they are developing it and you have access to it. And that’s why, I would say, GKE, even cost-wise, they don’t charge you for the clusters, [00:25:00] only for the cluster VMs being used, or the Compute Engine deployed.

Whereas on EKS, or AWS, they charge you for the cluster along with the VMs that it spins up for you, because they are two different layers. Like, EKS is on top of your VMs, or EC2 instances, compared to GKE there. So, yeah. And then I would say the pretty fun part about Anthos there. So Anthos was introduced last year and it went to GA last year, kind of, however, that has been widely used now, or people are, companies are trying to adopt it more, because you can bring your applications from AWS, from on-premises, from anywhere else,

from outside of Google Cloud to GCE, or Google Cloud, easily using GKE on top of Anthos. You won’t have to convert your application yourselves. You don’t have to containerize it. You won’t have to worry about any of those; Anthos takes care of it for you. So it’s kind of a managed service, but it’s pretty much built on [00:26:00] top of GKE.

And even with Istio, you have your service mesh capabilities and such to do your networking.

Ashish Rajan: [00:26:06] You’re saying that if I have built something on AWS, I guess, what’s the use case? I get your point, between AWS and Google Cloud, where I can bring it across to Anthos.

Darpan Shah: [00:26:18] Yes. So if you have, let’s say, a mature application that you started deploying on AWS, like five years ago, and you have this giant application now and you want to modernize it, get rid of the monolith and actually containerize it, get all the benefits of a cluster and such.

And at the same time, you’re also evaluating GCP as your other cloud provider, because you’re already a multi-cloud shop, per se. And you want to be able to not do this manual work yourself, or have someone else do it for you. Then you can actually import that using Anthos in GCP. So, I think one of the reasons is for hybrid cloud deployments, because

Google realizes it. And again, it’s [00:27:00] nothing official, don’t quote me on it, but they realize that one of the needs, the emerging growth, is multi-cloud and hybrid cloud deployment, rather than sticking to one single platform, one provider.

Ashish Rajan: [00:27:11] See, that’s, that’s always interesting. And I think I always ask this to my guests as well.

Do you really think multi-cloud is a thing that people should be embracing?

Darpan Shah: [00:27:19] I would say so. Yes, definitely, they should embrace multi-cloud. And I think it’s the same philosophy that goes when we do hybrid cloud, that expands from your on-premise data center to cloud. I mean, you have separate platforms for your HA and DR purposes.

Let’s say that’s how some people get started with cloud, traditionally. They want to do DR, to cover disasters. The same thing applies to multi-cloud. Like, you run your full applications and serve your end-user traffic from one cloud, but store your archives and your DR data on other platforms, so that you are not locking into one single vendor.

You are not relying on that one from being always available. [00:28:00] So in case that region goes down for a specific provider, you can always go and spin up on the other provider and other platforms.

Ashish Rajan: [00:28:08] That’s interesting, but I always find that a challenge as well, because a lot of people would say, well, it’s great that you’ve made the most of it.

If you’re locking yourself onto one provider, and you’ve done everything on AWS, but the conversion of all of that code to GKE or something on Google, maybe Anthos, something that you mentioned, maybe that can help, but that’s a pretty big task, right? It’s still a lot of, as a dev, I’m just going to put my code in and just understand it and just create an equivalent in Google Cloud.

Darpan Shah: [00:28:41] Alright. Alright. So I think. That’s that’s an element of time, just that I have seen companies do. And, you know, I might have a face that in my book, previous work or previous role, I would say yeah, 40 from one cloud to another, the migration. And that’s when, where the things off should you take this opportunity to actually modernize the application?

Go [00:29:00] serverless. I should you rely on us for the technology that a cloud provider has? What is that knowledge? It goes down. What does that Xolair or the concept again? What would be an option serverless you like cloud functions? You do Lambda, which is like provider agnostic, but it’s common language or Python, Java, and then one layer, the containers and your Kubernetes cluster in such that you actually deploy separate containers, micro services, and then spin up anywhere, any, any platform.

And you’ll be good to go.

Ashish Rajan: [00:29:31] Oh, right. Okay. Also, so your point, the kind of layers that you can have for a multicloud, almost like an agnostic approach is, goes, I guess the first preference is to go serverless, which for your, either according in August bytes and node, java.net, whatever, I guess the only thing you would probably be differentiating is the kind of API calls being made.

And the end point you’re talking to whether it’s Lambda or I guess GCP functions, [00:30:00] and then another layer, if you can’t do that, then a layer below that is go containers where you can rebuild a package, which doesn’t matter where the package is hosted. As long as the office matches, it doesn’t really matter at that point.

Darpan Shah: [00:30:13] Exactly. Yeah. And I think a lot of like, even if you look at some of the compliance or regulations, when. When you are trying to get those specific requirements set up, they have a requirement that you should host your platform or host your application, such a way that it’s divided across different platforms and not relying on one single thing does imagine you like or companies within the country and you all use the same provider.

And as the provider goes down, all four of you are down. That’s spread across and. Make sure you are on different platforms, different providers, and with the increase in this cloud and hybrid regulators looking at that too, they want to make sure that you’re always available because eventually this will affect you like all industry.

Ashish Rajan: [00:31:00] Yeah. Apart from that, like say, I know it’s a costly exercise and probably a lot of the bigger enterprise group people can do this. I find it really, the reason I’m smiling is because every time I talk about. Disaster recovery in AWS or, and use that as a reason to go, but you should go multicloud because you have the money and you can afford to be a multiple clouds.

People you’d like, but AWS would never go down. And you’re like, no, if I think it’s true, his free would deny this, but sure you can trust. For all your eggs in one basket and let, just go hail Mary every time you just put something in AWS, AWS would not go down, but it’s, it’s a very interesting what you mentioned.

I love the approach of transition as well, but you know, I think, something that Chris used that asked us on one of the comments yesterday, when we were kind of Blackbaud the show and I want to bring that as well, because it’s great. We have one multi cloud basically. Gone down the path of doing serverless or EKS, or [00:32:00] I guess in CA in this case, GKE as well now as a security deem, like how so am I going to manage?

It sounds like I need one person. It was really good at Google cloud. One person who’s really good at AWS or an, or I need to have a team member who’s done. It’s like, how do I manage this?

Darpan Shah: [00:32:20] Sure. Yeah. And that’s one of the challenges I would say, look, there are challenges and not just any challenge, because thing is to manage that you may not need people with specialties in both clouds of what’s wider, but what if you bring those logs or bring those challenges to a single platform?

Right. And then you only hire a person. I have a person right on the platform. So something like your SIEM like, you know, use like Splunk or something like Sumo Logic or anything where you’re actually piping all those logs from different providers to that one single platform. That way you only have to manage that one single plane or single control plane, you see them.

And a lot of like SaaS companies do say, as all, I’ve taught by providers who specialize in [00:33:00] GRC governance, risk and compliance. That’s what they are heading towards as well. All their services. That’s already across multiple clouds and same thing. They’re trying to aggregate the results from most of the clouds and bring into your single pane of glass.

So I know you use like something like Tarbuck all your peers, not cloud. Or let’s say DV cloud or phew or anything. All those tools and applications, that’s what they are doing. They help you bring all the visibility, the one single pane of glass for you. Regardless the platform there’s Kubernetes there, Google Azure, Oracle, or even McCloud, I think since went, Alibaba is growing quite big in Asia,

Ashish Rajan: [00:33:38] right? Yeah. Wait, so it’s your point. If you have say something like Splunk or Sumo Logic for log aggregation, I guess SIEM as well, and you have something like a Prisma Cloud or shutter to the, I guess to those guys who have been doing multicloud for awhile. I think Paul has something interesting in that space as well.

Paul Paul has a product Carthy who’s in the comment [00:34:00] section. He’s got a. Talk about security in Australia. He’s got something similar as well, but I find it really interesting that, it’s, it’s this like one part of the problem though, right? Because you’ve got visibility, but then, and I don’t know, big a question that yet she has kind of asked, said it doesn’t matter.

The cloud secure multicloud increased security risk and increased burden to maintain security maturity as well. And I’m going to add another layer to this. Like we’ve, we’ve spoke about. I guess the, the skills and the team. but just because we have Sumo Logic and Prisma doesn’t really, you mean your security maturity has improved dramatically.

It just means that you’ve added more to your backlog, right? I mean, how, I mean, what’s the word, what’s an effective way that you’ve seen this being managed. And if you want to answer your question directly, I’m happy with this to start with that as well.

Darpan Shah: [00:34:54] Sure. So I would say this question, like, it definitely increases the burden for you [00:35:00] and makes it harder to make that are evaluated maturity model for your security success.

But then some ways I have seen me dig into that and like I do it in today’s world and how others can do it as well as. For that security or what are your designer create standards and policies for it at one layer of all the services. So for example, they talk about a GCE Compute Engine instances and in AWS instances, so you want to have that security policy.

None of my images are machines. Images should be public. So instead of creating this candor or a security control, just in terms of . Or just a GCE, how would one layer above it, such that I applied this policy and this should apply to both the clouds of what the platforms, but so this doesn’t like me to get the complete burden off of you that you need, those skills, people implement both, but then you have common set of standards and security.

She was applied that way at the one layer [00:36:00] above, and then you’d still need some, someone else to implement that. No security standards in those different clouds, which again, now can be mitigated or can be helped by when you use something like an infrastructure as code tool, like Terraform or Pulumi, which are cloud agnostic, various sure.

Define certain policies and conditions before. And then how is that being applied in your CI/CD pipelines when you deployed that code of the infrastructure for that? So I think that’s one way you can do it one other ways.

Ashish Rajan: [00:36:31] Go on. Sorry.

Darpan Shah: [00:36:32] Yeah. So one other way is to take out the burden. I’ll make sure you evaluate the services that you want to use.

Either cloud beforehand. For example, you want to use EC2 or go back to GCE or land outside assumptions. You should evaluate like. Which one has more advantages or which one has like more burden involved. And based on that, pick a single service that you use from that provider. For it. For example, if you do a Lambda, [00:37:00] you have to worry about your VPC network.

If you want to deploy it within a VPC or applies to the security group, memory, limitations, and such. But if you do Google Cloud Functions, you won’t worry about the. Well VPC network in it or our security groups necessarily, but in cloud functions. So you can always evaluate that way and then select the service for him.

Ashish Rajan: [00:37:23] So when you say policy, you’re talking about a general security policy in the organization that you’re not talking about an policy you’re talking about. I guess something specific. And I think you of need to have, I guess, come out, zoom out a bit and go, okay. For identity. And access management in, across irrespective AWS, Google and Azure.

You kinda, you just, this is the policy that I’m going with, but, and I guess to your point, it’s more right. The simplest thing. Oh, just had the least permission possible. It’s also about saying any developer. Should only have access to or should only have access to Lambda or should only have, is that the kind of [00:38:00] policy you’re thinking?

Darpan Shah: [00:38:01] Yeah, that’s the, in terms of like poly self thinking, like access internally or externally. So then how that layer right? The next year, if you just had to implement that policy that you set up at an org level or higher level. You don’t have to worry about or think about why would I do this certain way for this provider in

Ashish Rajan: [00:38:20] that way?

So, and I’m just going through the maturity model. So for people who may be listening in and probably starting off, cause I know a lot of head of security myself. Primarily in AWS, and suddenly some of the people in the organization they’re like, we want to do with cloud. Okay. we would have Google cloud, but who’s going to secure this.

So, and thank you from their perspective and for them to transition, across both AWS and Google, but sounds like, well, they really should be doing, it’s almost like zooming out of bed. Coming up with policies, which apply to both the cloud as an applaudable the cloud, not specifically, maybe not from a service [00:39:00] perspective, but at least from an organization looking at this as what does identity mean for me or what does network security mean for me?

And what would I expect? And now then you can go a layer deeper and then have roles or permissions or policies based on that. Is that the right way to can summarize what you just mentioned? Awesome. So once you’ve done that, and you’ve kind of started applying the policies, then you would get into the tooling space where, I guess SIEMs like Splunk, Sumo Logic, or I think Paul just mentioned his company, as well as secure stack or Prisma Cloud or Clark and former.

Do you, one of those guys, all of them, you just basically use that. To manage the policies that you have created so that you get alert on that instead of the generic policies that people would have on, on, on the, like a CIS or something, is that right? Or how would you approach it? Like, what’s your recommendation on it?

Darpan Shah: [00:39:55] So that’s the right path. Like those tools, they will like extract the word out of you and [00:40:00] they will be just in front of the policy, across those providers or across clouds, but then. If you just kind of think about the maturity level, then even before the policy, you want to make sure that you have those basic, like, let’s say top five things, right?

Like you have visibility across everything, whether deployed in the cloud or Google cloud, or would to AWS cloud, like you want to make sure, you know, what’s in there, what’s your plug in it, getting that. Right. And then inventorying it. More be the first like basic steps for it to get to targeted with those different providers in different clouds.

And then I would say, get into once, you know, what services you are using or what is in each cloud, then you can start doing the policy setting for that. And then you can go further and apply those alert rules and such in those third party providers or platforms

Ashish Rajan: [00:40:46] for it. Oh, interesting. And, this, this brings me to another question.

What do you feel people are not talking enough about in cloud security? and it, it, it, it’s really interesting cause I feel like it’s [00:41:00] really, we spoke our policies across multicloud. Some I’m just curious, is there something that people should, are not talking enough about it in the cloud security space?

Darpan Shah: [00:41:10] I would say in security space. When I seen like both ways, one people, people say like cloud is secure and they are just like, not worried about it. And the other variable. So seeing this like cloud is not secure and they do like customized controls and a lot of like, like, I would say a lot of development work on top of what’s provided to you already.

So one thing I’ve seen, like both ways, but more of that as seen is people not being any custom implementation work on those native services. For example, you mentioned CloudTrail, CloudWatch and such, right. So you get information from logs and such from it, but what are doing others a lot? Are you automating the analysis or animal section on the blog?

Are you piping it somewhere? And if someone else is looking at it, actually you have some that have like machine learning implementation, or some kind of like a scope or. I’ll say pheromone present mutation that only [00:42:00] looks at specific logs in certain time. So even those services, you get a like logging and monitoring from providers.

You still should be doing some work on top of that to validate that and analyze that, what information I got. So in just, I would say crossing the information is not what I’ve seen out of companies. A lot of teams doing yet. That’s what I think they should be heading the ones they do it. They would have to get it across the border and across cloud easily, because then they, no, what am I getting out of the logs or what am I getting out of these specific control for it?

Ashish Rajan: [00:42:33] Oh, so to your point, the first step to visibility is to be able to already use the existing set of logs from these cloud providers to visualize what, what are you really doing with this?

Darpan Shah: [00:42:44] Exactly. Yeah, you don’t want just turning them on for the sake of a, Hey, someone told me logging is a best practice.

I’ll go and turn all my logs. You don’t do anything with them, right?

Ashish Rajan: [00:42:54] Yep. Yeah. I think I agree with you a hundred percent. There’s no point of collecting terabytes of logs when you’re not even [00:43:00] doing anything with it. it’s an interesting question from dr. Abdullah as well. probably the last question for them before we move onto the next round.

if an investor wishes to open up their own. Cloud computing data center for a local market is open source the only way, or are there any possibilities from the well-known cloud providers who run the whole cloud brain on premise? What are you thoughts on that?

Darpan Shah: [00:43:22] That’s a good question. So I’m not sure if you like feminine of adult AWS came with Outposts.

Ashish Rajan: [00:43:28] I did. Yep. Yep. They did.

Darpan Shah: [00:43:30] So they’ll pretty much ship their whole like server rack or their device. Through your on-premises or whatever you want it physically. And then you get the same capabilities of cloud on locally for our local market, as you mentioned. So that’s one way to do it. So other ways do I need to have like some kind of, let’s say a 5 cent donation or like even a single server or anything that you connect that with the cloud and you can actually use the sooner services directly on your server or like on physical locations.

Right. [00:44:00] So with Outposts, does it for you? There’s like a, I’m not remembering the name, but there’s one of service that also lets you do part like mr. Running on cloud, it bends to your on premises and you get the same capabilities for it.

Ashish Rajan: [00:44:16] perfect. Perfect. And I think it’s really interesting because to draw about the last point on-premises is always going to be relevant. and I think the example that doctor blood’s going for is one of the topics we’re going to come up with soon. IT versus OT? The whole concept of the industrial, space has always been.

I guess there was some writing on it as well, but no one kind of looks at their security from a different lens, but they have been trying to get into cloud as well. Imagine your energy company trying to go on cloud. The last thing you want is the electricity running out of your house, right? Like you don’t want to be losing on a city or, or basic functions like gas, so water or something.

Right? Those guys. Yeah, we wanted the cloud is like the next level. And I kind of imagined like, I mean, [00:45:00] I guess I’m pretty sure we have the compute one day or maybe we have it already, but it would be really interesting when those guys move over and you’re like, Hmm, I don’t want if it’s running on cloud and you’re not doing disaster recovery across multiple cloud.

And you’re like hoping every guess. The likelihood of all the cloud providers going down at the same time, maybe low, but still you probably want to have, I guess, be careful with it. So, I know it sounds like you and I can keep talking you what ADA was in Google cloud forever, but unfortunately we do have a limited time as well.

So I do want to maximize and get to know you a little as well. So I’ve got some fun questions, not too many, three, so, we won’t take long for that as well. First one is what do you spend most time on when you’re not working on cloud or technology?

Darpan Shah: [00:45:53] That’s a, that’s actually a hard question for him.

That’s like, I spend pretty much like eight to 10 hours of day doing those words, [00:46:00] creating like slides and presentations, almost like a painter. So I still paint people on clouds and like write down, like, come to the cloud and see that. So a lot of time doing that, but I said, I’m not doing it. I watch movies where it’s some books.

I still have how I need, like, how do you partner again? And again, also watch movies for that also, mrs. Quarantine and downstairs. I’m more into like Netflix these days. So like watching those and like doc just came out with that.

Ashish Rajan: [00:46:30] Awesome. Awesome. And I think, wait a shot. I mean, I definitely want to shout out your training.

So what are you at? Are you training cloud?

Darpan Shah: [00:46:37] So I’m a, I just became a Google cloud authorized trainer. So like I can deliver it with like annual planning partners and she cloud, but also like help develop too certifications or don’t want to get any. And I just want to get started in there to help that as I mentored full of people on journal, like it, and.

Just how to maybe their career and such in terms of preparation and such. So [00:47:00] just try to divide my week and month, according to that.

Ashish Rajan: [00:47:03] Wow, man, do you have that up your sleeve and you didn’t mention that on the lounge, like that’s pretty awesome. I’ll encourage anyone. Who’s watching this, across the stream to reach out to you, man.

I think it’s pretty awesome to do real, to help other people as well. I mean, you can obviously, prioritize and not, you don’t have to help everyone. Everyone has limited. 24 hours in a day. So last thing you want to just like, just doing this, but thanks for sharing that. And I’ll definitely encourage other people.

Is there a name for, I guess we’ll probably get into your socials a bit later, but is there like a website or something or can people just read, how do they reach out?

Darpan Shah: [00:47:38] Talk to me on LinkedIn or just email me like hello at dot com or just message me on LinkedIn and such a happy to set up.

Ashish Rajan: [00:47:47] Sweet. And it’s a good segue into my next question as well.

What is something that you’re proud of, but is not on your social media? Like LinkedIn or Twitter?

Darpan Shah: [00:47:57] I would say Twitter. I don’t use Twitter as much, so it’s not like. [00:48:00] I don’t have anything in there outside

for LinkedIn. I would say I don’t have like mentoring initiative or what the work I’m doing on LinkedIn anywhere yet. But I do plan to, I eventually put that up there once it’s something solid, but then also, like, I’ll say I had this one ability, like when I was young, Or something, I could spell anything like work with example, your name is Ashish.

kind of what you wear. Like any long word he gave me and such. So I have like pretty much like wide media coverage across the globe and all that. So that was a phase when asked to do those things, I can write through her, read, reverse, speak river, first thing, then everything in English. Yeah. That’s what, I don’t have anything.

Social media anywhere.

Ashish Rajan: [00:48:48] Oh, wait. So you can read it everything, but not as in like knowledge, it’s like saying, I guess, reverse reading in a slow way, but you can actually like your brain [00:49:00] can process the whole thing. All like, if you want, if you’re reading a book, you can just go it completely in one. Go.

Darpan Shah: [00:49:07] Oh, I would say no reverse has in the words, for example, it’s like what?

She’ll copy. So I can say like eff leu, tib, like process that whole reverse understand the meaning and such. Wow. Okay.

Ashish Rajan: [00:49:19] Wow. That’s pretty cool, man. That is pretty cool. well, final question. What’s your favorite cuisine or restaurant that you can share with the audience? Sure

Darpan Shah: [00:49:32] I’m in. So like, I kind of like Indians who grew up eating in incidents.

So like specific like the Jaffe food and in, in us here. And it’s not many things that I find it as good, but there’s one restaurant in New York called Watson. That’s where I find like really good. And I’ve been in multiple times in like last one year. I’ve been to New York.

Ashish Rajan: [00:49:51] Wait, is that? Oh, I mean, And I might sound ignorant, but I’m going to still say it’s, Tabler like a favorite.

Darpan Shah: [00:49:59] Yes.

[00:50:00] Ashish Rajan: [00:50:01] Oh my God. I would love to have that. I heard about it so much, but I’ve never had it. So it sounds like, yeah, I’ll definitely I’ll, I’ll take you up on that invite. thanks so much for taking the time, man. I really appreciate it. I learned so much about Google cloud and I’m sure the, the comment section lighting up here on LinkedIn definitely makes me feel that a lot of other people caught some insights into it as well.

Really appreciate taking the time out. And before we close, we can people reach out to you. And you mentioned Twitter is probably not a great, a great place for hanging out with you. So where can people reach out to you? You mentioned the email as well earlier.

Darpan Shah: [00:50:35] Yes again, my email is hello at dot com. I hope it’s easy to remember email there or just messaging on LinkedIn.

Awesome.

Ashish Rajan: [00:50:43] And I’ll add your connection or your LinkedIn thing onto the show notes. When I put the episode on the website and when it goes into the podcast as well, but this was, this was, this has been really good, man. Thanks so much for taking the time out.

Darpan Shah: [00:50:56] I’m happy to help. I hope you want to.

Ashish Rajan: [00:50:59] Oh, thank you.

[00:51:00] I’ll I’ll. And for everyone else, who’s been watching this. We’ll see you on the next broadcast. Next Sunday, 8:00 AM. Eastern standard time or 6:00 PM, Saturday Eastern standard time. Thanks again everyone. And we’ll see you next episode. Thank you