As a Cloud Security Engineer at Google Cloud, I get asked questions about Key Management Service (KMS) all the time as clients are… — As a Cloud Security Engineer at Google Cloud, I get asked questions about Key Management Service (KMS) all the time as clients are migrating to the cloud and have to figure out how to map controls from their data center into the cloud. This two part blog is meant as…

In this tutorial, we’ll implement a common solution to a problem that GPG typically solves, but do it all with Tink. — For those that haven’t heard about Tink, it is a very powerful library for using cryptographic primitives. This library is used within Google and is maintained by a small team of incredbly smart cryptographers to incorporate best cryptographic practices. In this tutorial, we’ll implement a common solution to a problem…

TL;DR: Downloading service account keys poses a serious security risk to your organization because they are long lived and not… — TL;DR: Generating and distributing service account keys poses severe security risks to your organization. They are long-lived credentials that are not automatically rotated. These keys can be leaked accidentally or maliciously allowing attackers to gain access to your sensitive GCP resources. Additionally, when used actions cannot be attributable back to…

A long time ago in an internet far far away, the Okta plugin for Vault was the only way to use your Okta credentials to get into Vault. It… — A long time ago in an internet far far away, the Okta plugin for Vault was the only way to use your Okta credentials to get into Vault. …

RSA is an asymmetric cryptographic algorithm that you are probably using right now to view this article over HTTPS. It was designed by Ron… — RSA is an asymmetric cryptographic algorithm that you are probably using right now to view this article over HTTPS. It was designed by Ron Rivest, Adi Shamir and Leonard Adleman, who developed the algorithm in 1977, naming it after the first initials of their last names. …

TL;DR there is a fairly new attack campaign using the Kinsing malware targeted at container platforms like Docker and GKE. This post will… — TL;DR there is a fairly new attack campaign using the Kinsing malware targeted at container platforms like Docker and GKE. This post will show you how to protect your infrastructure with Google Cloud’s Anthos both on prem and in the cloud. Last Friday, research from Aqua Security came out showing…

Deploy HashiCorp Vault with Terraform on Google Cloud adhering to security best practices and least privilege — TL;DR Use this guide when deploying Vault with Terraform in Google Cloud for a production-hardened architecture following security best practices that enable DevOps and the business to succeed! Overview HashiCorp’s Terraform is a tool for provisioning and managing resources through structured configuration files, an approach commonly called infrastructure as code (IaC). Security…

Before you go shopping, let’s take a look at what you already have at your disposal to protect your data in the cloud. — Companies are re-examining their cloud security program this week. We’ve seen some great recommendations including updating your processes, auditing and trimming system permissions, and building security into CI/CD pipelines. These are a few of our favorites. Other experts suggest you should buy bolt-on products for heuristics, anomaly detection, and data…

Automate Google Cloud VPC Service Controls to protect your cloud workloads — TL;DR Together we’ll explore VPC Service Controls through an example of a common use case of VPC Service Control perimeters, deep dive on some key concepts, and learn how to automate administration with HashiCorp Terraform. BigQuery Example Let’s start with an example. Say we have the following architecture, where we have a…