So, earlier today, Google published a whitepaper on 🌟BeyondProd🌟, about how Google does cloud-native security. Here’s a summary thread /1
As much as you’ve been asked “what is cloud-native?”, I’ve been asked “how do I secure it?”. Google deploys billions of containers a week, and does so securely /2
BeyondProd is not a particular tool, but a model. It’s a realization, like in BeyondCorp, that corp security doesn’t end at the perimeter /3
Service trust should depend on code provenance and service identity, not the location in the production network, like IP address /4
The first big difference when using containers is due to scheduling. You can’t rely on IP addresses or host names for security. You need service identity /5
Since containers are meant to be redeployed when a change occurs, you need an easy way to manage rollouts - and this also gives you a choke point /6
You can actually verify and enforce what ends up in your environment, at deployment time. That’s kind of awesome /7
btw, there’s another whitepaper on this that came out today: Binary Authorization for Borg cloud.google.com/security/binar… /8
Once you know what’s running in your environment, you can restrict how services communicate and interact, based on the service identity, and more strongly isolate workloads /9
Google published a paper about two years ago on interservice communication: ALTS cloud.google.com/security/encry… /10
For developers, the best part is that these security controls are built directly into the tools they use - basically, it’s DevSecOps 💁. You can address security issues earlier, when it’s less costly, and do so in a standardized and consistent way /11
You can’t make a change to cloud-native (containers, microservices) in your infrastructure, without also changing your dev practices. (You’re missing the point, and missing out on the security benefits.) /12
TL;DR: Moving to a cloud-native infrastructure let Google meet stronger security principles. BeyondProd assumes no trust between services, isolation between workloads, verified deployments, and centralized policy management /13
Read more in the whitepaper: cloud.google.com/security/beyon… /14
If you want to do something similar yourself, there’s a list of OSS and Google technologies in this blog post to guide you: cloud.google.com/blog/products/… /15
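The thread's "verify and enforce what ends up in your environment, at deployment time" (tweets /7 and /8) in working form: an added admission-gate example, not code from Google, the whitepaper, or Binary Authorization itself. Real Binary Authorization attestations are signatures over an image digest; here a per-attestor HMAC stands in so the example runs offline, and the attestor names, keys and image references are constructed.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed example of a deploy-time admission gate in the spirit of the
# thread's "verify and enforce what ends up in your environment". Real
# Binary Authorization attestations are signatures over the image digest;
# a per-attestor HMAC-SHA256 stands in so this runs on the stdlib alone.

DIGEST_REF = re.compile(r"^[^@]+@sha256:[0-9a-f]{64}$")

@dataclass(frozen=True)
class Attestation:
    attestor: str   # who vouches (constructed names below)
    image_ref: str  # the exact digest-pinned reference vouched for
    mac: str        # HMAC over image_ref under the attestor's key

def attest(attestor_key: bytes, image_ref: str) -> str:
    """Stand-in for signing: HMAC the digest-pinned reference."""
    return hmac.new(attestor_key, image_ref.encode(), hashlib.sha256).hexdigest()

def admit(image_ref: str, attestations: Iterable[Attestation],
          trusted_keys: Dict[str, bytes], required: List[str]) -> Tuple[bool, str]:
    """Policy: the image must be digest-pinned (a tag can change after it was
    checked), and every attestor in `required` must have a valid attestation
    over exactly that digest. Returns (admitted, reason)."""
    if not DIGEST_REF.match(image_ref):
        return False, "image must be pinned by sha256 digest, not a tag"
    valid = set()
    for a in attestations:
        key = trusted_keys.get(a.attestor)
        if key is None or a.image_ref != image_ref:
            continue  # untrusted attestor, or attestation for another image
        if hmac.compare_digest(a.mac, attest(key, image_ref)):
            valid.add(a.attestor)
    missing = sorted(set(required) - valid)
    if missing:
        return False, "missing valid attestations from: " + ", ".join(missing)
    return True, "admitted"

if __name__ == "__main__":
    keys = {"build-verifier": b"build-key", "vuln-scan": b"scan-key"}
    ref = "gcr.io/example-project/app@sha256:" + "a" * 64
    atts = [Attestation(n, ref, attest(k, ref)) for n, k in keys.items()]
    print(admit(ref, atts, keys, list(keys)))  # admitted
    print(admit("gcr.io/example-project/app:latest", atts, keys, list(keys)))
```

The gate is the choke point the thread describes: a tag-only reference is refused outright, and a digest is admitted only when every required attestor has vouched for exactly that digest.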