HOW TO BUILD SECURE ENVIRONMENTS IN GOOGLE CLOUD

Darpan Shah
Cloud Infrastructure Engineer of Google Cloud

August 23, 2020
Season 1

Episode Description

What We Discuss with Darpan Shah:

  • Where does a startup that is starting in Google Cloud begin building a security foundation?
  • What is a Project?
  • What is an Organisation?
  • How does Identity and Access Management work in Google Cloud?
  • How do you scale the architecture from a startup to an enterprise?
  • And much more…


Transcript

Ashish Rajan: [00:00:00] Hello, everyone. Morning to everyone in Australia and evening to anyone joining us from the US. Welcome to another episode of Virtual Coffee with Ashish, where we demystify cloud security every week with different guests. This time we are demystifying Google Cloud. Last week we had Azure Security 101, where we spoke about how you simplify from being a startup to an enterprise, how you design yourself. This time we have Google Cloud, and I’ve brought back another guest of mine who has got a secret hanging on. In a few months I’ll let him announce it publicly whenever he’s ready for it, but I wanted him to have this opportunity to come and give us an unbiased opinion on Google Cloud.

So, without further ado, let me bring him on board.

Darpan Shah: [00:00:49] Hey!

Ashish Rajan: [00:00:49] Darpan! How are you?

Darpan Shah: [00:00:52] Glad to be back on the show here.

Ashish Rajan: [00:00:56] Yeah, I was going to say welcome back. It’s always good to have, I guess, my guests back with me. I’m going to do a quick audio check on folks joining in. Hello everyone. Hello, Kalyan, who’s joined in. Hello, anyone else? Please feel free to say hello; it helps me do two things. One, check my audio and that people can hear us, and two, it’s always good to hear from people who are joining in to listen on cloud security. I’m going to start with the obvious one while people say hello. I know some people may already know you, Darpan, but I think it’s a good refresher, because you’ve kind of grown to a bit larger number. So it’d be good for people to know who Darpan is, for people who haven’t heard from you before.

Darpan Shah: [00:01:36] Sure, definitely. So, yeah, previously on the show I introduced myself as a hacker who made his way up by hacking around and actually learning things, and trying to figure out my way up the ladder, as well as in my career, growing my skills and such. But right now, I would say just in the context of today’s topic, I’m a cloud security professional, working in the cloud industry space for about six or seven years now, and I have recently been focusing on cloud security architectures as well as migration and making the overall cloud environment within our organization secure.

Ashish Rajan: [00:02:15] Not yet. That’s awesome, man. I think one of the reasons I have always loved talking to you anyway is your knowledge of Google Cloud; it has been really interesting for the audience, and as you can see, some people have really enjoyed your conversation before. Thanks for confirming, Kalyan, that the audio is good, and Rama is seeing you for the second time. So it’s definitely good to see you for the second time. I was going to ask the obvious question, because my own definition of cloud security is evolving after so many episodes, so it’s kind of good to hear from you. What’s your take, I guess, on, you know, Google Cloud? I’m not going to say Google Cloud security. What’s your version of cloud security, or cloud security to start with?

Darpan Shah: [00:03:01] So when I define cloud security, I just see it as an opportunity to secure my environment with more granularity and at a finer, more detailed level. It’s the same security level and security practices that we do on-premises or on our traditional infrastructure, but we get a broader opportunity to apply full customization and controls to our IT infrastructure. Also, our responsibility for security gets shared. I wouldn’t say it gets halved to 50/50, but with the different kinds of cloud I use, whether public cloud or private cloud, I get to do less work but also more meaningful work. I would say it’s less work in terms of the basics, which makes it more interesting, though eventually I end up doing more work; it’s more overhead, but it’s more fun than what you would do on-premises. So that’s my version of security in cloud. And when you go in terms of hybrid and multi-cloud, which I have been working on with AWS, Google and some private cloud, that just makes it more interesting and more challenging, I would say.

Ashish Rajan: [00:04:15] It’s interesting. And I know we haven’t really touched on hybrid yet, but we do want to touch on where does one start, really? This is for people who are starting off in Google Cloud security, or someone like myself who is primarily working on Amazon cloud with some Azure in there, but Google Cloud is this unknown place. So where does one start when talking about security in Google Cloud?

Darpan Shah: [00:04:41] Sure, that’s a very interesting question. And I would say one of the questions I come across the most when I talk to people about my experience across different clouds is: how does AWS compare to Google and vice versa? Like, which do you think is more secure, or better? And my answer is the same: both are secure, but they’re only as secure as you make them.

So if I tie it to Google Cloud, I would say the concepts are similar and the fundamental starting point is the same across providers, whether AWS or Azure or Oracle Cloud. The fundamental lies in IAM, the Identity and Access Management service that all the cloud providers provide, because that’s where you control who gets access to what resources, how you approach certain resources within your project, and who they are shared with. So the starting point would be Identity and Access Management. And I think that is a project-level concept, so I think we should take one step back on that. Rather than "how do you make it secure?", it should be "what’s the starting point in the cloud itself, in Google Cloud?" I would say that may help answer the question better.

Ashish Rajan: [00:05:50] Yeah, I think that’s a good idea. And I wonder if you have something prepared beforehand for this. I’ll let you share your screen. Okay. Because this goes into the podcast as well, we’ll just try and explain as much as possible, but I’ll encourage people to come onto the YouTube video so that they can see this. So now, what are we talking about? What are we looking at?

Darpan Shah: [00:06:18] So, as I said, let’s take a step back. When you create your first project, or, as you would say in AWS, your first account, what do you get? What’s the baseline, and how do you get started with that? In Google Cloud, the first thing you need is a Google account. As long as you have a Google account, you can start with your GCP project, or Google Cloud project. The project is what you essentially get: you get one project when you start, and inside the project you get all the resources. So everything gets its perimeter, or its control, within that project that you’ve created. I think it’s interesting and fundamental to understand what the project is and what the limitations in it are before you can make it secure, because this project would essentially be your blast radius in terms of any security event or security compromise. Even within your own organization, when you want to share across your resources and your services, the project is the boundary that you get. So I think it should start with how you isolate your resources within the project first.

Ashish Rajan: [00:07:23] So, if I have this correctly, is this the same as what we spoke about, say, subscriptions in Azure or accounts in AWS? Is that what the GCP project is?

Darpan Shah: [00:07:33] Yeah, exactly right. So in AWS it’s accounts, for Azure it’s your subscriptions, and for Oracle Cloud we have tenants.

Ashish Rajan: [00:07:41] Yep, perfect. Thanks for clarifying Oracle Cloud as well, because I’m seeing their name pop up here and there quite often, so it’s good to hear what happens on that side as well. So in Oracle Cloud, it’s tenants.

Darpan Shah: [00:07:53] Right. So I think, yeah, that’s why I like doing cloud security as well. I should have mentioned this earlier, but I get to work with the different cloud providers and always learn different things. When you do cloud security, you have to understand the fundamentals and concepts of all these different clouds, but at the same time be able to apply them wherever needed and to connect them. So it’s very important to know the different cloud providers in the space for any security professional just starting on cloud.

Ashish Rajan: [00:08:22] That’s pretty good. That’s good value, man. All right, let’s get into the projects then. So this just shows me as an individual starting. Is that right, or as a startup?

Darpan Shah: [00:08:29] That’s great. So as an individual, when you log into Google Cloud, or just go to cloud.google.com and log in, this is what you will see at first. But now when we talk about security getting started, essentially if you’re a startup or a company just starting with cloud, then this is what your environment would ideally look like. So you, as a small startup company, will have a domain, or you have your identity within G Suite. One essential thing I should mention is that everything starts in Google Cloud with federation: every user who logs in is federated; there’s no concept of users or local accounts within Google Cloud, as everything is federated. So it is your G Suite account, Google account, or any other cloud identity provider that you have started externally.

Ashish Rajan: [00:09:15] Oh, that’s interesting. Wow. Yeah, because that’s a really big plus, I think, for Google Cloud, because a lot of people kind of come back to the whole federation piece in AWS and Azure. I mean, you’re starting off with this. By the way, I totally forgot this and I apologize. Cheers. I totally forgot my coffee. This is probably a good time to bring you a Google Cloud mug. Perfect. I was going to take a sip and I’m like, hey, wait, I think I’m forgetting something. Thanks for that, and everyone for reminding me. Alright, so we are a startup, we’re federating into Google Cloud, and example.com in your slide is that really top-level hierarchy. Is that right?

Darpan Shah: [00:10:05] Correct. That’s correct. So that’s one thing I like about Google Cloud: you start with federation from the beginning itself. So all your permissions, all your user management, is external. You don’t really manage your users within the Google Cloud entity. That’s a security feature you get out of the box, which I haven’t really seen in other cloud providers, I would say.

Ashish Rajan: [00:10:25] Yeah. I think it’s always an exercise. And maybe, I’m not sure if it’s the right time to bring this up, but is that because Google Cloud is startup-friendly? Because I’m thinking, and this could be my opinion, but AWS and Azure target a lot of enterprises, and a lot of enterprises usually have identity already. So they have something or the other: they have Azure AD, Okta or Ping or whatever, right? And that’s usually across the whole organization. I wonder if that’s one of the reasons why. But, so for example, maybe you can bring it back: if I already have a domain now, or if I already have an identity provider, then can I still bring that in? Or am I just locked in, and my example.com has to be hosted on G Suite?

Darpan Shah: [00:11:14] Absolutely, you can bring that in. Even if you have your local Microsoft AD connected, or your directory is managed in Microsoft Azure, we can also bring that in; we can do fully hybrid. We can connect that AD or that domain to Google Cloud. And your question about startups: I think all the providers are aiming for startups, getting their product towards startups, but as well as enterprises. Google, I think, when they started, were aiming for startups and smaller companies, because I guess we all know Google was kind of late to the game. So fairly late, I would say around 2010 or 2011, if I’m not wrong, that’s when they started as a cloud provider with their offerings, whereas AWS was around 2006. And Microsoft had already started working on their Azure products internally and then made them public. So they had different customer targeting domains, but they have since been expanding to the same customers or a similar target range. That’s my opinion on that question.

Ashish Rajan: [00:12:22] Oh, interesting. Okay. And maybe this is a good time to move on to the next slide then?

Darpan Shah: [00:12:33] So, let me explain how this would work in a startup. As it worked for an individual, when you are an individual user, you just log in and you get your first project created for you automatically, and then you create further projects. But in a startup, your isolation and your security pretty much start at the organization itself. When you start and bring your domain, or your G Suite identity, that’s when your security starts: your perimeter, as you see here, becomes larger. It’s the whole organization or company rather than just the one project that we have as an individual user. After that you have the different projects, and then you have resources. So this is where you create your isolation. You could do all your security basics within your first project and then at the resource level, but then you expand it to other projects as well. So here, if you see on screen, there are three different projects, so any changes or any misconfigurations happening in dev would not necessarily affect your customer, I mean, your prod environment. Whereas as an individual just getting started, say I’m going to a hackathon and hacking around myself to create an API, I wouldn’t be worrying about the small projects and unauthorized deletions in that case. But for smaller companies, that’s what your typical hierarchy would look like security-wise, because all your security policies get carried over and inherited from your organization, then your projects, and then your resources in cloud. I think this is a good starting point for someone just getting started with cloud in a professional manner. So that would be a startup or small-company environment you would be working in.

Ashish Rajan: [00:14:12] So to your point, if I wanted to make up an example here, I’m going to start out at that top-level hierarchy, setting the right foundations. I guess eventually any startup would come across this conversation, whether they’re B2B or B2C or whatever: they would be able to start off by saying, I have my example.com, that’s my main domain, and then within that I’ve got projects for each environment to keep them separate from each other. So the resources are locked in; for lack of a better word, the blast radius, and I’m going to keep throwing that word in there, is limited to just that project for all the resources in that project. Is that right?

Darpan Shah: [00:14:52] Absolutely. So that’s how you control it. And then again, you can apply security policies just like your IAM in AWS or even Azure. You can apply similar policies at the resource level in Google Cloud as well. So those IAM concepts carry over across cloud providers.

Ashish Rajan: [00:15:12] Oh, right. Okay. So they carry over; I didn’t realize they were carrying over. Okay, that’s good to know.

Darpan Shah: [00:15:16] It’s pretty much the exact same concept, but just different terminology and different ways that you apply it. But for any security professional, I would say, since we’re doing this basic fundamentals course, our fundamental 101 session, if you’re just getting started with Google Cloud and already know AWS or Azure, you should be able to understand the security and apply the same principles here, I would say.

And then if you move over, you can see the enterprise or corporation. You can see that you can actually follow a similar hierarchy, a way of controlling blast radius: you can actually isolate and decrease the blast radius as needed. So here on the screen you see how your same organization... Question?

Ashish Rajan: [00:16:06] Yeah, no, I was going to say, I think I dropped off and came back in, so everything was okay; I just hit the back arrow and jumped back in. You dropped off, but don’t worry, I think people got it. We didn’t even realize it. I think it might be because G Suite had that outage; they went down. I don’t think there are a lot of issues with their services, but I wonder, because it’s definitely behaving differently. Anyway, I’ll go back. So to your point, we’ve spoken about startups and small and medium-sized businesses and how you’re able to transition from AWS and Azure skills into GCP. Then what are we looking at now? What is this enterprise?

Darpan Shah: [00:16:51] So now, when you’re in a bigger enterprise or organization, let’s say you have thousands of employees and hundreds of projects, then you can actually control the blast radius; we can actually decrease it with more granularity. What you see here on the screen is an additional layer called folders. You can organize the projects within these folders, such that any policies you apply, or any compromise that happened on the security side, or anything in the project, gets applied or contained at the folder level. In a startup, you might not necessarily have all the different teams; you might have just engineering, and then you have your management team. But for an enterprise, there are multiple teams, like sales, HR, engineering, and that’s where you can organize projects into folders per team. Then your isolation becomes at the team level, so those folders increase isolation at the team level, but you also still have the isolation with the project and the resources individually. So that’s where the hierarchy and the starting point for an enterprise would be, or how it would evolve as the team grows.

Ashish Rajan: [00:18:05] Oh, so a folder is the equivalent of an organizational unit in AWS. Okay. But is this the same as a management group in Azure?

Darpan Shah: [00:18:18] Right.

Ashish Rajan: [00:18:20] Perfect. Cool. Yeah, fairly similar. I mean, I guess different names, but the same purpose, I guess, to be scalable. That’s how I see this.

Darpan Shah: [00:18:31] It is, in fact, yes. And that’s why, when I try to recommend it to users, what I recommend is that as you scale, as the teams grow and your projects evolve over time, you should also evolve the hierarchy and the access policies based on the scale that you are at. So that’s how I would say you would do it in an enterprise. But also, things to note here: I would say Google has been faster to the market with actually deploying the policies and creating the access at the folder level or the organization level directly, compared to something that may be limited to the project. So, for example, IAM is not just limited to the project; you can apply IAM policies based on the folders directly. That’s how Google has been evolving and catering to all the larger and scalable teams.

Ashish Rajan: [00:19:26] Interesting. And I think the exact same question that I had, someone in the comments also had, if you can see on your screen: is it just like what we have for AWS Organizations? I think the answer for that was yes. We have a question here from Dr. Rob Delays, another regular to the show as well. I’ll repeat the question; I don’t know if you can already see it on screen. How can this be useful to a B2B bank payment processing gateway with an ERP and their cybersecurity? I guess the question is also, in a way, if you were to think of this from an architectural perspective, you’re probably covering the layer above this. Is that right? Or is it thinking more from the other thing? I’ll let him clarify the question, but would you want to take this question?

Darpan Shah: [00:20:08] Oh, sure. Yeah. Well, I think I know what he’s aiming towards: sharing and allowing access to other businesses within your business. So, right, you’re talking about one layer above; in this session we’re talking at the project level and the organization level. But I think if we go one layer deeper, we can actually separate the security isolation into different layers. One is the API layer, and the other is the network layer, or the network perimeter. So when he mentioned we want to allow other customers, or B2B clients, to come into your systems, that’s when your network layer would come into play. When we talk about network isolation, I guess I should step back on the network as well. Networks within all the clouds, for those unfamiliar, are isolated within the cloud by a VPC, a virtual private cloud, that you get within your one project, or an AWS account, or an Azure subscription. That’s where your network isolation can come into play within the same project. And let’s say you have a specific network, or VPC, within your own project, or in this case a project; then you can definitely share that across other business units or other clients by allowing them network perimeter access to come in. There are firewall rules, or your security groups and NACLs in AWS terms, or in Google we have the firewall rules and the route tables. So when we have the B2B clients, we can cater to them using those network perimeters that we set up for them, as well as allowing only least-privilege access. And we’ll talk about least privilege a little bit further, about how Google steps up their game with IAM and least privilege, but I hope this answers the question. Or follow-up questions.

Ashish Rajan: [00:22:01] Yep, perfect. I’ve asked him as well, so he’ll probably come back to us. That’s a great way to answer it. And I think what’s really worth calling out for people listening, because we are going into Google Cloud security 101, is the different layers. You and I would know the layers, and some people may not know the different layers. To your point, we went right to the top, the organization, which is similar in most cases; then we have folders underneath that, then we have projects underneath that, and then underneath that we have resources, and that’s where we go into further segmentation: we have network segmentation, we have, I guess, environment segregation, and then we have subnet segregation as well. There are so many layers to it at that point, isn’t there? Right.

Darpan Shah: [00:22:48] Right. So there are network subnets; those again are for network segregation, as are firewalls. And again, with B2B, and specifically with financial clients, as I’ve seen in the financial industry for quite some time now, there are silos and oftentimes walls across business units and teams. They’re not allowed to share certain things with each other. They have their legal and compliance, and there are strict compliance rules to follow, whether it’s a government mandate, industry mandates, or their own compliance they want to follow. At that time, those isolations at different levels come into play, and you see how you can connect certain things. So even at the network layer we have the concepts of peering and then sharing, or at the API layer we have read-only access, and other access and custom layers and such. All those different layers we can definitely talk about in the future; we can go into detail if we do a 201 session and speak in much more detail about that.

Ashish Rajan: [00:23:48] Yeah. I think there’s a follow-up from Rama as well. He said this question is similar to what we know about shared VPC, which we were talking about.

Darpan Shah: [00:23:57] Yes, it is similar, but Google has an added functionality called VPC Service Controls perimeters. So you actually control your VPC Service Controls and perimeters at the organizational layer. That’s the sort of thing you do: you define which projects will be able to share their networks with other projects or with other clouds. So any policies and IAM that you’re defining at the organization get inherited at the bottom here, in the project, and the project cannot override what is set by the organization in those terms. So yes, there is sharing and peering, and there is also what is called a VPC service perimeter, VPC Service Controls, an internal security feature specifically for that. And that’s where I find it interesting, which I haven’t seen in AWS in my experience, or maybe Azure: with those VPC Service Controls and perimeters as a security layer, you can actually control which user has access to which networks, specifically within your projects and across projects, rather than just APIs or setting them generally by names, as in "you can access this VPC by this name." Here you can specify which network and which firewall rules get gated and inherited across projects.

Ashish Rajan: [00:25:16] If I am to think of it as an example, that’s probably a great distinction between Azure, AWS and Google Cloud at that point. So if I were to walk through this scenario, if I’ve heard this correctly, maybe you can walk us through a scenario on the same slide. I’ll keep a simple goal in mind: I need to deploy a web app, and I want Darpan the developer to be able to access the infrastructure for it. In that context, laid out: we have example.com, that’s our top-level hierarchy; then we have, I guess, engineering underneath that; and then we’ve got the example dev project underneath that folder; and within that I’ve got a given resource. But to your point, there’s a VPC layer, and the developer Darpan’s access to that VPC layer is based off my IAM group, my G Suite group. Is that right?

Darpan Shah: [00:26:17] correct. So it’s based off with G suite group as well as your policies dependent disclosure allowed itself. So if I can, if I say at the engineering level here, that Durbin should not have access to this tune engine resource in the Dell project, but only in past project. So even if you assign them, go assign someone, the assigned Darwin, and I am permission within this example of Dell projects to access the resource, you will not be able to do that for that.

So your policies that you inherit that gets precedent, that you can define actually. So I wish I had like a slide for it. Like, I didn’t like anticipate this one, but, another, you mentioned like as Durban and developing a [00:27:00] web access or a website that only want certain users to be visible or see only from my corporate network and not like external, but then let’s say it’s Ashish.

Ashish is a new, new one cloud new on Google cloud. What he does is he goes to this example of Dell project and opens up the same security group or what you call a firewall rule in Google cloud two zero, zero, zero alarm, everyone access from the world today. So that’s where the secure, we can control that at the art layer.

So, and there was an addition there. If I define a policy that anyone would within this project or any one organization can only allow my property signer range to access this particular site or a firewall rule that will take precedence or anything else that you define within your project. So you wonder if you made a mistake as a new person on the team.

That mistake would not get a black, it would not cost my company billions in breach or any like unintended access for it because I’m guarding the [00:28:00] organization layer. My security was strong enough and security professionals configure those policies and the, the air Iraqi for that. So that would get carried

Ashish Rajan: [00:28:08] over or you interesting.

And I think it doesn’t have similar challenges, AWS, where. In AWS is obviously a limit of STPs that you can have, like the service control policies that you can have on each of these AWS accounts. Is there something similar in terms of hard limit or I guess, how do you plan for. The limitation around the cloud service provider in, in AWS, you group SAP together, and you kind of go like that, but is that a similar approach to this as well?

Or I guess, because it's Google, there is no limit? Because my thinking at that point is like, oh, if I'm an enterprise, I've got hundreds of users, I'm looking at that going that's hundreds of policies as well. If I was to go with your diagram, if I only have three divisions, but those three [00:29:00] divisions, each one of them could have a hundred thousand people in it.

Right. Or I guess I'm thinking of Apple, but whatever. But I think you can imagine then, within that layer, there are hundreds of policies based on the roles of the teams, right? Is there a recommendation for IAM like that in Google Cloud, I guess?

Darpan Shah: [00:29:20] Yes, there definitely is. So how it works out, there are two different things.

There's a concept of quotas that you get per project or per resource, and there are limits that you get. So they're two different concepts. Quotas are what are allotted in the beginning for a particular resource in your project. And then there are limits, which are hard limits that you cannot exceed or cannot extend.

So with regards to that, there are no set quotas or set policies in the beginning for the limits, but I'm sure, with eventual change and more users adopting the cloud, they are always changing those limits or increasing those limits, I would say. But to [00:30:00] get around that, you mentioned there are a hundred thousand users within a specific team or department, and that's where you can use this hierarchy.

So let's say, the same way we had those different folders, we had the engineering and sales teams. Now, what you can do is, if there's a limit on a specific folder, then you can create another folder within that folder. So that way your policies or your limit now got doubled, pretty much. So you'll have one high-level policy on this folder A here, but then you can give one more detailed policy one layer deeper, let's say 50,000 users from a hundred thousand.

So the limits are pretty much doubled, so you can have folders like that.

Ashish Rajan: [00:30:42] That's very interesting. By the way, for anyone listening, I mean, I did not even have this slide in mind, but I'm glad we got onto this, that you already had a slide prepared for it. That's so cool. And I think that kind of answers my question about the nested groups as well, because

I imagine when you have a hundred thousand people working for you [00:31:00] in different departments, different teams, the complexity of the enterprise is one of the reasons why people used to go, I'm going to go for a Ping or an Okta or whatever, because I just cannot be bothered. I just want to go into Active Directory, give you a group and move forward.

But it sounds like, and I kind of love the example that one of my previous guests, Nick, had given about it, it kind of shows you, if you have the right security foundation, or I don't want to call it security foundation, this is just basic foundation, I guess. If you have the right foundation from the beginning, where you have an example of that org and within that you have folders,

and then you go into projects, you're already setting yourself up for success. When you, say, become the next Facebook or Apple, I guess you don't have to worry about scaling. Actually, out of curiosity, if I'm listening to this and I've already started on the product, I mean, I guess I've just been doing projects, and

I'm looking at this going, oh, I never made a [00:32:00] folder before. So can I now create a folder, or does that mean I have to, it's complicated because you have multiple projects and they can't be brought into one single folder anymore?

Darpan Shah: [00:32:10] Absolutely. You can actually go and create the folder once you already have the org and the projects. We create different folders because, you know, in organizations there's constant reorg within the organization, and the structure changes.

So projects change across teams, teams change across projects. So again, at any time you can move projects. And what happens at that time? Let's say I move project three from folder B to folder A here directly. My IAM policies are automatically changed from folder B to folder A.

So it inherits my policies directly from folder A instead of folder B. That's one thing to keep in mind about your permissions and security when you move those projects around.

Ashish Rajan: [00:32:55] So folder B would always have priority over folder A, or inheriting

[00:33:00] Darpan Shah: [00:32:59] it. I would say yes in terms of inheriting it and in terms of policies for that, because here, like what you said, there are a hundred thousand users in total and 50,000 sit directly in any one folder.

So when I have project three in my folder B, in folder B I get the additional permissions or additional IAM policies that everyone here, three and four, inherits. So when I move three from there, that inheritance is no longer there. So I don't have the added policies or added restrictions anymore.

It's everything straight from folder A that I get.

Ashish Rajan: [00:33:42] What about the relationship between different projects? And I'm thinking more, say, for example, I think to add to the last question that Rama asked earlier, if I have two business units and they weren't talking to each other, and obviously, I guess I may share some users,

I may not share [00:34:00] some users. How does folder A, and imagine folder B is separate, if you go back to your previous slide where you have, I guess, different folders created for each division, can one folder talk to another folder at a network level, or is that, yeah, that one.

And so that's where that was going.

Darpan Shah: [00:34:24] Yeah. So by default the answer is no, they cannot talk to each other. So any project in folder A cannot talk to one in folder B. Yes, you can do something like VPC sharing or VPC peering at the project level, but that's only allowed and possible if you allow those permissions at the folder level.

So if I'm saying in my folder here that our folder can go and talk to anybody else in the engineering folder, only then are they able to talk, able to initiate those peering and sharing connections. And that all can be defined at the VPC [00:35:00] Service Controls or service perimeter, which can be defined at the organization layer, at the very top layer that you get.

So everything trickles down from top to bottom there.

Ashish Rajan: [00:35:11] Interesting. And I've got a question here from Kellyann, which is probably a good time to bring up as well. He says, I would love to know the future opportunities in Google Cloud and future growth of Google Cloud. But I'm going to add another layer to it.

Before you answer that question, if I can ask you, having worked in the AWS space and Azure space and Google Cloud space, because we're doing the unbiased version, what do you see as the space where it has gaps at the moment?

Darpan Shah: [00:35:47] Sure. I would say the breadth of services.

Google Cloud doesn't have as widespread a set of services as AWS has. AWS was the first to the [00:36:00] market, in 2006, so it has that first-mover advantage, and because of that they're able to move to that wide scale. For example, they have a satellite service called Ground Station, where NASA and others can potentially use AWS to connect to the satellites and control those, and have their flight control and integration mechanisms on cloud with them.

But Google doesn't necessarily have all that wide variety of services; Google has depth, that's what I feel. So if you see, Google has all this data. We all know Google offers free services and such and in exchange collects your data unless you specifically say no and deny that. So Google has all the data, and because of all the data they have the expertise in analytics, machine learning and AI, because those are the same services they've been using internally for Google Search, for your Gmail, Google Maps. That same infrastructure, same services, same capabilities are being shared with the Google Cloud customers.

[00:37:00] Although it was late to the market, I think they're catching up, and they are moving very fast in certain areas, for example security. Security is built in with Google, with every product. So there is something called Security Command Center, which is pretty much a central hub for all security services, which has machine learning underneath to automatically give you alerts, right,

maybe sending notifications along with showing them on a dashboard when something is wrong or something is misaligned with your policies. Or they have something called IAM Recommender, Policy Intelligence. So I think that just brings me to the point I mentioned earlier. So we all know that we should be least privilege for IAM permissions, give only what's necessary and such, but you know, we are all human.

We may not know how much is necessary, what is least privilege. And with Google, with cloud, we get the functionality, but there are all these interdependencies within permissions. So actually I want a new VPC share, [00:38:00] but I also need to have permissions to list and describe certain resources to share. So when it's a human, it will take us a long time to figure it out.

Google has a service called Policy Intelligence, where it recommends to you what permissions you should assign based on the usage. So it does all the groundwork for us, like piping logs, looking at audit logs, the IAM permissions usage of who is using what role, what's your role then.

For example, there's a data admin and there's a data reader. Google will know what permissions I need as a reader and whether I am using that permission. So it evaluates for a certain time, for 90 days, and will tell you, hey, do we want this permission for Darpan, add this permission to Ashish? It will show you that.

So I think Google is catching up in all those areas, like showing all the data and services. Similarly with big data and data intelligence, Google is moving ahead. In terms of Azure, I would say, as I describe to a lot of customers, a lot of enterprises [00:39:00] have been using Active Directory on premises, and their whole user management part is done

with Active Directory, shared folders and security groups. So Azure has that market base already, which they can cater to, and so they have that advantage as well. So all three cloud providers, or even Alibaba or Oracle Cloud, they have their specific target audience they are targeting, but at the same time they are also trying to expand their target audience with new services and new offerings.

So I see them each as competitors, but they're all growing in their own space and they're developing in this cloud market. That's just my take.

Ashish Rajan: [00:39:37] That's really interesting. And hopefully that answers Kellyann's question, because I think, if I were to summarize this, each one of these cloud providers has picked a lane, they're sticking to the lane,

they're going to grow in that lane and get really popular in that lane. To be a bit more specific to the example, people love AWS for IaaS. They love creating infrastructure because you get to that granularity. We [00:40:00] have the infrastructure, and Azure has placed itself as a platform-as-a-service provider, which is amazing because there are all these platforms that it can

tap into, and you don't have to worry about the infrastructure, which is a really interesting model as well. And now we have Google Cloud, where you're almost at the point of using a lot of SaaS services, although you also have options for doing IaaS and PaaS. Is that right? They have all three of them? I mean, when I say obviously, because I'm thinking, does Google Cloud have an IaaS option?

I’m assuming

Darpan Shah: [00:40:34] Yes, it does, PaaS as well.

Ashish Rajan: [00:40:39] Oh, so they all have enough options for each. It's just that they have their strengths. Like Google Cloud's strength is the big data space, as there was with sucking in the data, my data, your data, everyone's data, and it's okay. And Azure is more from a platform perspective.

I think they had the whole, what's [00:41:00] that called, Sentinel and other products that they have, which is almost like a massive SIEM solution available as a service. And AWS, on the other hand, has similar, but you're like, oh, I'll probably use it for infrastructure. I just want to define what my, if you're doing this, this is going to be like, or, I mean, there are Lambdas and EKS as well.

Do you see that? And I think, I don't know, it's a hard question to answer, but do you feel like there is still a knowledge gap in terms of Google Cloud, per se, in terms of how something can be done and how someone should approach this? I guess you've done certifications for Google as well, so it would be good to get some insight into it for people who are starting off today.

And I think that kind of goes into Kellyann's question as well. It sounds like there's absolutely a lot of opportunity in Google Cloud, they have carved their own lane. Where do I start today? And what would make me credible enough to get that job for [00:42:00] Google Cloud, I guess?

Darpan Shah: [00:42:01] Oh, sure. So that’s a very good question.

And I like your summarization as well, how you compounded that. So yeah, I would say Google has some knowledge gaps, which they're actually trying to fill. So one recent example: there was Google Cloud Next going on over the last six weeks. Usually they would do it in person, so this one was virtual and spread across six weeks, and there were a lot of new announcements as well.

And one thing to take away: for every domain that they had, they made sure that they were targeting how to start. How do you start in security? How do you start with big data? Or how do you start with just general IaaS? So in that, Google is trying to catch up, and if you're a security professional just starting on Google Cloud, Google recently released the Google Cloud security best practices center.

That's what they released just two weeks ago, when they announced it at Google Cloud Next. So that single page lists all the resources, all the fundamentals and basics that you need to know when starting on Google Cloud. The white paper [00:43:00] there is like 55 or 60 pages, which lists all the fundamentals that you should know,

and how Google handles security internally and externally, and basically what the org structure is like, as I showed in my slide earlier, this resource hierarchy. There is Terraform code where you actually go and deploy that same organization structure securely, based on the best recommendations and how it caters to your organization.

So Google has gaps and is catching up, but it's catching up fast. That's my opinion on that.

Ashish Rajan: [00:43:30] That's pretty good. And I think I might take the link from you later on for putting it in the show notes as well; I think it would definitely be valuable for people starting off today. I find it really amazing that a lot of these cloud service providers have started sharing information about security as well.

I was going to ask, we kind of spoke about a lot of things, about a lot of services and what people use them for. Is there something that people are not talking about in this space? Having worked in [00:44:00] different cloud providers, I mean, we kind of spoke about the gaps and that Google is covering these gaps.

Is there a problem in the Google Cloud security space, not just Google but the cloud security space, that people are not talking enough about?

Darpan Shah: [00:44:17] So I think I mentioned this earlier when I was on the show as well, and I would repeat it since I haven't seen much change: the customization of security controls.

So all these cloud products give you these out-of-the-box security services, but there are not enough teams and organizations doing custom controls on top of that, to be able to pull in that data and be able to remediate, or automate the remediation of, security breaches that you have. So that's not there; enterprises are not focusing on that.

When you say you're doing cloud migrations and such, they focus on just moving the assets from on-prem to cloud or from one cloud to another, but they're not focusing on security from the start, and [00:45:00] how they do custom security controls that map to anywhere, whether you're on premises or on any of the cloud providers as well.

I think there's a need, and there are a lot of open source efforts going on, but I think that's not enough; that needs to keep happening at a much greater pace. And I think Google is very keen to catch up on it, so they are using all these open source tools, but just like Google.

So for setting this up, every provider that they use or that they provide to users is based on open source, so anyone can go and write rules against it and can use it in their organization, and can also contribute it back to Google's repository. So using more open source tools and custom controls is what's missing from, I would say, enterprise customers using cloud these days.

Ashish Rajan: [00:45:46] Interesting. I'm just trying to see if that's a good way to come to the end of the show as well. Just one more question, actually, that's come in from Rama: I heard AWS has more IaaS granularity too. Do we know what is different [00:46:00] between AWS, GCP and Azure in that perspective, and also from a security perspective? I think you've kind of answered it, but if you feel we've missed something in that question, you can answer that.

Darpan Shah: [00:46:11] I would say, yeah, AWS has been ahead in IaaS because they offer, let's say, for just the container service, ECS or EKS, which are kind of managed, but also give you the EC2 on ECS option, like your custom controls, and give you full power along with the possibility of that platform as a service. Google has GKE

and other things like Compute Engine or App Engine instances, which are kind of IaaS, but not as strong as on AWS, right? So I agree with Rama, with you on that point, for sure. But they're just catching up. And on the other point, the security perspective you mentioned, Google, I think, from a security perspective,

I guess, maybe, let's just put it this way. When was the last time you heard that someone's Google [00:47:00] Cloud Storage bucket or something within Google Cloud got breached, or your data was being accessed in there, compared to something within AWS? Google has security built in at different layers, and defense in depth is by default provided to you with Google; it's built with that.

That's what I see in my experience so far. AWS is now catching up. So if you see the evolution of AWS S3 since it launched in 2006, in the beginning all the S3 buckets used to be public upon creation. And now, after a couple of incidents in the last year and the year before, this new thing came up, the public access block.

So by default the public access is turned off now, and there are multiple layers of access blocks or access lists to keep a bucket private. So it's continuous development in security as well, with IaaS or PaaS, or even some of the SaaS offerings that each of the providers provides. So as of now, my belief is that Google is building security in from the [00:48:00] start and giving you access to something like a free security center or free network intelligence in there, compared to AWS and Azure. I would say Azure has Sentinel policies,

so that's another, my favorite, Sentinel policies within Azure. In fact, we were thinking about using Azure just for the Sentinel policies, and being able to send our AWS logs to Sentinel and analyzing them there. So Sentinel is also a really good feature that I like. So each one has pros and cons, and each one has room for improvement,

I would say, across those providers. Alibaba, on the other hand, right, Alibaba has some, I would say, improvement needed, but I haven't had much hands-on experience with Alibaba yet, so I don't really want to say anything on that, but it also has some neat things.

Ashish Rajan: [00:48:48] Well, you can also bring Oracle in there, because you have done some work with Oracle Cloud as well.

You can bring some Oracle Cloud in there as well. How does that compare to these?

Darpan Shah: [00:48:56] So Oracle, in general, so [00:49:00] they are, you know, on premises, the leaders in database, like Oracle Database itself. So they're bringing that same model and the same toolset that they have on prem, but also bringing it to cloud in that sense.

So their layers are also like, IAM is fundamental in there, but they're making it simpler. So in Oracle, if I want to make something in IAM, I just write one single line: allow Ashish to access this instance. That's it. I just have one single line in plain English. I don't have to go through different policies, different groups, nothing like that.

So Oracle is trying to make it simpler. Being late to the market, it has the advantage of picking up and seeing what others missed and trying to improve upon that. And that's why Oracle also uses Terraform as their base infrastructure as code. Compared to other clouds, other clouds have their own infrastructure-as-code tools, like CloudFormation or Google's Deployment Manager, but Oracle went full on with Terraform.

So

Ashish Rajan: [00:49:58] native,

[00:50:00] Darpan Shah: [00:50:00] All of them are trying to catch up with each other based on how they came to the market and what their specialties are.

Ashish Rajan: [00:50:08] Yep. Smart, really smart. I think it's a good segue, and hopefully that answers your question, Rama, but feel free to come back to us. This is kind of the last section of our episode, and I think you're familiar with this, but I wonder if your answers have changed since the last time you've been here.

So I'm going to go one by one. Where do you spend most of your time when you're not working on Google Cloud technology, or insert technology here?

Darpan Shah: [00:50:32] So, as you said, actually I just go out and take walks. So with this COVID situation, I've been home pretty much all day. I take over an hour of a walk, or just go running, or maybe biking a bit.

That's what I've been spending my time on, besides being with family and watching some Netflix shows.

Ashish Rajan: [00:50:52] Oh, there you go. That's pretty awesome. And what is something that you're proud of but is not on your social media? Has that changed?

[00:51:00] Darpan Shah: [00:51:01] I will say this hasn't changed. So I don't really like to talk about that, but also, I've been mentoring students, people into cloud, enabling people to use cloud effectively, and also providing training.

So on the side, I also provide people with trainings on Google Cloud, on how to get started with cloud and such. So I strive to do that in my spare

Ashish Rajan: [00:51:20] time. Yup. All right, thank you. And what's your favorite cuisine or restaurant that you can share? I know COVID has made the restaurant conversation interesting, but is there a favorite cuisine or restaurant that you can share?

Darpan Shah: [00:51:34] I would say it's still the same as last time. I think in the last month and a half it hasn't changed. I still love that food as my favorite cuisine, and the restaurant I like is the one in New York called, what then? That's the food I had.

Ashish Rajan: [00:51:49] Nice. Have you been able to go back there since? No, not since COVID,

I imagine.

Darpan Shah: [00:51:54] Yeah. Unfortunately I haven't been there yet, not since I left.

Ashish Rajan: [00:51:56] Fair enough. Hopefully we all get to go there soon, man. I think [00:52:00] that would be the ultimate for us. Yeah. And I think Rama just came back saying, are we going to cover network security from a cloud security perspective? Yes, we are, there'll be a follow-up session, man.

Don't worry about that. Thanks so much for your time, man. I really appreciate that you took the time again. I know you're going into a space where you might be limited in terms of what you can share, but let's just try, and I'll let you disclose the secret when you're allowed to talk about it publicly, I guess.

Yeah. I look forward to having you again on the show, man, sometime soon, but thanks so much for taking the time, and hopefully everyone else got some value out of it as well. I really wish that Google Cloud also continues to evolve and people like us keep talking about it.

And I think the Google Cloud security conversation will become a normal conversation as well. I feel like, talking about [00:53:00] Azure and AWS, they haven't really seen Google Cloud as direct competition, or I guess it's slowly appearing that you're like, oh yeah, Google Cloud, even Oracle Cloud for that matter. Until a couple of months ago no one was talking about Oracle Cloud.

So I'm looking forward to having those conversations with you as well then.

Darpan Shah: [00:53:18] For me, personally, I would say, with you, what I would love for cloud, so to say, is to see them not as separate providers but going multi-cloud, and that's what Google is leading again, with Google Anthos and BigQuery Omni and all those new multi-cloud features.

I think that's where Google will catch up. That's my hope, as I said.

Ashish Rajan: [00:53:38] Oh, fingers crossed for that. So where can people reach you if they want to get in touch with you?

Darpan Shah: [00:53:43] Reach out to me on LinkedIn or send me an email. It's pretty simple: hello at, dot com. That's my first and last name dot com.

So on LinkedIn it's Darpan Shah, easy to find, and I'm active on there.

Ashish Rajan: [00:53:58] Awesome. Alright, thanks [00:54:00] so much for your time again, and thanks to everyone who joined us as well. It's always good to hear from the regulars as well. And we'll see you guys in the next show, and I guess I'll hopefully see you soon then.

Darpan Shah: [00:54:13] Yeah.
