
Episode Description

What We Discuss with Antoni Tzavelas:

  • 00:00 Guest Intro
  • 09:44 Technical Skills for Google Cloud Engineer
  • 11:53 Building Blocks for securing GCP
  • 16:39 Deploying in GCP
  • 21:25 Learning GCP – Starting Point
  • 28:06 Anthos and CICD Pipeline
  • 29:39 GCP Digital Leader
  • 33:14 Implementation in GCP
  • 37:48 Auditing in GCP
  • 39:19 Security Tools for GCP

THANKS, Antoni Tzavelas!


And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.

Resources from This Episode:

  • Antoni’s Google Cloud Certification Training – https://training.antonit.com/

Ashish Rajan: There we go. 


coming in, man. I’m so pumped to be having this conversation with you. You and I have been talking about this for, feels like, almost two, three years now. Yeah. I could not think of a better person to bring 


Antoni Tzavelas: to the show, man. I appreciate that. Thank you so much for having me. 


Ashish Rajan: No. Oh, it’s a pleasure is all mine, man. 


All right. So, people who know your course and have done your course as well would definitely know a lot about this. So maybe a good place to start would be to have a good introduction about who Antoni is, how you got into this, and what the context is between bow tie and Google Cloud. 


Antoni Tzavelas: Sure. So, how I started off: I originally started off in fashion, and I was a fashion designer for a little over a decade. 


And the fashion industry imploded here in Canada, and I had to find a way to feed my family. To make a long story short, a friend of mine told me how much money he was making in tech. He mentioned databases and salary, and I was like, I’m in, where do I sign? 


So I went back to college [00:01:00] got a one-year, and came out with an Oracle Tangi certification, as well as a Sun Solaris Unix certification, for those of you who are old school. Yes. My first job was at Citigroup, and I was in the sysadmin world for a little over, actually a little under, a decade. 


And then I got laid off, and I was really thinking to myself, what is it that I want to learn next? Because my skills were outdated. So I needed to learn something new. What skills can I learn, so that way it’ll bring me to the end of my career? And that’s when I chose cloud. Originally I’d started with AWS, because it was the prominent cloud at the time. 


I think they had, I’m guessing, about 80% of the market at the time. And this was almost eight years ago, and I’ve been working in cloud ever since. Four years ago, I decided that I was getting all these certifications because I really love learning. And it got to the point where people were asking me, Antoni, how [00:02:00] did you get all these certifications? 


And so I spent time with them doing lunch and learns, doing study groups, showing people how to pass the certification, as well as really getting into this habit of constantly learning. And since then I moved to Linux Academy, where I spent a year, and then I spent another year at Slalom Consulting doing live training. 


And for the past two years, I’ve been doing my own personal training for people who are trying to get certified in Google Cloud, and I’ve created certification prep courses. Ironically, right now I’m creating the new cloud security engineer course, as there was a new exam that was released early last year. 


And I’m trying to fill the void of not having enough study materials to use in order to pass this exam. But at the same time, for those people who have taken my [00:03:00] courses, they know how deep I go within each topic. As well, as I do, Ashish, certification is amazing to get you into the interview, but you need to know your stuff in 


Ashish Rajan: order to get the job. 


Antoni Tzavelas: So I’ve always had this mindset of, I really want to teach people more than just the certification, and that’s always been my. And so, on top of teaching it, I’m learning it myself. A lot of topics I don’t know about. I don’t know everything. Anyone who says they do, 


Ashish Rajan: probably, they haven’t met you and I both, most likely. But that’s a great intro, man. I’m glad you brought up the course as well, that you’ve kind of built the whole Google Cloud security certification, at least the engineer part, as well. But I always get asked this question, and I wonder, what do you tell people when they ask you about what some of the technical skillsets are that you require for something like a Google Cloud security engineer? 


Antoni Tzavelas: Oh, so it’s a great question. Coming specifically from a security perspective, somebody getting into Google Cloud, first of [00:04:00] all, you need to understand security from a platform perspective. So you really need to understand Google, how they implement security, because each platform, each cloud platform, implements security a different way. 


So AWS would implement. Then Google Cloud, same thing with Azure. And so I tell people, learn and understand the platform first. Once you start to understand the platform, then start to understand how to secure the platform at an identity level, at a network level, at a service level or application level, and at the data level. 


And I guess amalgamating all that together will really give you a sense of how to properly secure your environment, because you’ll know how to do it at every single level. 


Ashish Rajan: About, I guess, knowing the platform side, as well as, say, knowing the networking and the data side, do you find there are certain building blocks within GCP that maybe [00:05:00] people can start with? And by the way, what is it, GCP or GC? I get people telling me, hey, it’s GCP, right? 


Antoni Tzavelas: As Google cloud. 


Ashish Rajan: Yeah, I dunno. Sometimes I feel like I’m not too cool when I hear people say, how have you been using GC? And like, is it GCP? Like, oh, it’s too long. They’re like, GCP is too long. So that’s why I’m saying, do you see? Okay, fair enough. So maybe we can also add on to some of the building blocks of what makes a, I guess, if you’re doing security in GCP, are there specific services or things that need to be thought about from a foundational perspective within Google Cloud? 


Antoni Tzavelas: Yeah, that’s a great question. So first off, organizational structure. So you want to know how to organize, I guess, your whole environment. So you want to understand folders. You want to understand projects, and you want to really take it to a level where you structure it the same way that you structure your organization. 


So if there is a DevOps team, [00:06:00] maybe you want to put them in a folder. If you have a marketing team, you may want to put them into a folder as well, and then break off into projects from there. And use projects as a separation of the different types of environments that you want to have. 


Second thing is resource deployment. So you want to understand where you are deploying, how to deploy, and do you want to do this in an automated way? In most cases, yes, and this is where something like Terraform would come in, or using a GitOps methodology. For those of you who are unfamiliar, that is having your code in a repo. 


And when you’re ready to deploy that code, it’s all done through that code. So there’s no hands-on specifically, and there’s less chance of messing anything up with having people’s hands in the pot. So, another thing is authentication and authorization. 


This is a big one, [00:07:00] because I personally believe that security always starts with identity. And you want to make sure that you’re giving proper access, the principle of least privilege. You want to make sure that you’re using things like two-factor authentication, even down to things like keys versus tokens. 


If there’s no need for security keys for your service accounts, then why aren’t you using identity federation and short-lived tokens? That to me is super crucial. And obviously the last thing that I see as a big building block is network. 


So you want to understand VPC, firewall rules, Private Google Access. You want to make sure that you understand how your network works. You want to understand routing, how you’re going to route. What is your next. Is it to your internet gateway, or is it from service to service, or is it just one instance talking to another? These are [00:08:00] base. 


These are the basic fundamentals that I usually encounter, especially as I teach. I mean, you can get into compute, but compute is getting massive. Now there are so many compute services that it’s really becoming a bit overwhelming. 


Ashish Rajan: All right. Wait, so that’s an interesting one, right? 


Because it’s funny how what you just mentioned as a building block for GCP ties in really well into the technical skills that you were referring to as well: hey, we need to understand the platform, the identity, the network, the data. At the same time, all this ties in really well into that. And maybe a good point, because people who are listening in on LinkedIn, YouTube, as well as on the Twitter Spaces of the world, may be from a background where 


they may have never deployed something in any cloud environment. And I think from a building block perspective, a hundred percent on the money as well. I guess every application would require some kind of infrastructure, just kind of like what you mentioned. How different would this be to say, someone who [00:09:00] maybe, you can take two angles. 


One is the angle of people who have never deployed into Google Cloud, and the other maybe from people who are coming from another cloud provider, which I don’t imagine would be that different, but happy for you to kind of pick either or both. 


Antoni Tzavelas: That’s a tough one. When it comes to deploying, eh, just like when you’re starting off with GCP, do you want to start deploying things to understand how things work? So I always tell people, if you haven’t spun up an instance, go and do it. Spin up an instance and try and access that instance. 


Usually you’ll be blocked with some sort of firewall rule, a port maybe, and even trying to apply Identity-Aware Proxy, so you only have access through a specific IP or using a specific user. It’s a great way to learn security and a great way to start understanding GCP and why they have the things in place. 


Ashish Rajan: Yeah, it’s just a good point, because on a day-to-day [00:10:00] basis, a lot of security engineers would be tasked with doing something like that. I mean, I guess there might be a very common task that they’ll do day in, day out. What about from an infrastructure perspective, doing security, are there other things that they should be looking at from a security perspective within their GCP environment that they need to kind of think about or turn on? I’m sure there are some. 


Antoni Tzavelas: So you do want to understand, when it comes to an infrastructure point of view, the shared security model that Google has in place. So you want to know what you’re responsible for. So, obviously you don’t have to worry about physical security, Google takes care of all that, but you want to understand things like, who takes care of that? 


You want to understand who’s doing the patching for my instances. You want to understand, when it comes to services from a PaaS model, from a platform as a service model, what does Google take care of versus what do you take care of? And this is always a great place to start, because it gives you a [00:11:00] point of view of, okay, I need to take care of this, this, this, and this. 


With infrastructure as a service, but when it comes to platform as a service, oh, now I don’t have to take care of these things. And that’s always great when you’re starting out. So you can understand why you would lean more towards a managed service as opposed to a service that you have to take care of yourself. 


Because I mean, nobody wants to sit there patching machines, and nobody wants to continuously redeploy. Right? Yep. So another great thing to look at is Google’s implementation of the zero trust model. And they call this BeyondCorp, and this model enables secure access to applications and cloud resources, with an, I guess, integrated threat and data protection model. 


So, you’re looking at it from a security perspective of, how would I do this if I was. And this is why BeyondCorp [00:12:00] was put in place, so that way Google could teach proper security posture in a way that is. 


Ashish Rajan: That’s so cool, man. So, BeyondCorp. Okay, cool. I’ll definitely check it out, or at least ask people to check it out then. 


So we’re kind of going in the right direction, because now we feel we have built the building blocks. We’ve spoken about what kind of infra people would have to deploy. And we also thought about what the current technical skills people require are as well. But from a, I mean, I know you’ve done the certification path yourself as well. 


So I guess, what are some of the types of certifications that people can use to probably walk down their technical job path, but to what you said earlier, with the caveat that, it’s like, just because you haven’t done a certification doesn’t really mean exactly what needs to be done. 


And this probably links in really well to the question that’s been coming from Vineet, which is: learning Google Cloud fundamentals is a good starting point, any particular resources you would recommend? So, 


Antoni Tzavelas: When it comes to learning right now, I personally think that learning GKE is your best option. 


And here’s why: [00:13:00] because every employee out there is looking for Kubernetes skills, and with GKE, you’re diving into a whole new world where there’s so many things to learn. When it comes to GKE, they have their managed-type service offering with Autopilot, where they take care of the nodes, but then there’s also regular GKE, where you will manage the nodes. 


You also want to understand things like RBAC, so role-based access control. Yeah. And that is different than IAM access, and so it gets a little bit more granular as well. You’re deploying containers. So now what type of containers are you deploying, and how are you deploying them? And this is where things like cloud repositories, Cloud Build, and binary authorization come into play, where you want to be able to do it in an automated way, but at the [00:14:00] same time, you want to make sure that you’re doing it securely. 


So, you want to understand: am I taking, or is somebody on my team taking, containers that are just posted in GitHub or on Docker Hub and just deploying them without even looking at the code? Or are you deploying something that was done internally? And this is where binary authorization comes into play. 


And for those of you who are unfamiliar with binary authorization, this is a service from Google, and it is open source, but Google has taken it and decided to put their own spin on things, like they usually do, which is great. But binary authorization ensures that only the trusted container images 


that you have in your office, in your organization, are deployed on GKE. As well, you can use it on App Engine or Cloud Run for . And on top of that, with Container Registry, you can also do vulnerability scanning, so finding security vulnerabilities [00:15:00] before the container goes out onto GKE. 


So I mentioned a little bit more than infrastructure, but these services go hand in hand, especially when we’re talking about security here. And when it comes to Kubernetes, because it’s very complex, you want to make sure that security is top of mind, and doing it right from the start, right from the beginning, is always the best way. 


Ashish Rajan: And what about certification? So I think that those services are definitely great and you can definitely start loving GKE as well. I highly recommend for board certifications. 


Antoni Tzavelas: So I’ve seen a lot of people try and jump into the Professional Cloud Architect right away. Whoa, straight away, because they’re like, hey, I have a lot of experience in AWS. 


So therefore I’m a professional, no problem. And then they end up failing. And this is because there are very minute differences between services, but all of these minute differences add up. And so it becomes a different platform because. And people don’t understand that. So I always [00:16:00] recommend people to start off with the Associate Cloud Engineer and understand the basics, understand how GCP works, understand Compute Engine at a deeper level, understand Cloud Shell. 


And the fact that you can run commands right from your. You don’t need to do it anywhere else, or just using the SDK. It’s always great, because you’re bound to break something. 


Ashish Rajan: Sure. Find a new network rule that you didn’t know existed. 


Antoni Tzavelas: Well, fans. So, starting off with the Associate Cloud Engineer, 


I always recommend to then go to the Professional Cloud Architect, because there is a 60% overlap between the two exams. So on top of learning the basics, you’re now learning things like CI/CD pipelines. You’re learning about DevOps. You’re learning more complex and deeper-level services that you don’t get to really dive into with the Associate Cloud Engineer. 


And [00:17:00] then from there you go straight into the security one, the Professional Cloud Security Engineer. 


Ashish Rajan: Okay, well, actually, maybe a good point, because I just realized, while we’re going through this, there might be people who would not even know what Anthos is or a CI/CD pipeline is or DevOps is. You’re talking about it as if, like, you’re talking about, I don’t know. 


I shouldn’t ask someone who’s more common, but, by the way, so the question: what is Anthos and what is CI/CD, and where does that? 


Well, at least to level the playing field for people who may be listening and going, Antoni’s going on his own, like, I don’t know, what are you talking about? 


Antoni Tzavelas: So Anthos is Google Cloud’s answer to Kubernetes anywhere. Now, let me explain. When you have a Kubernetes deployment on premise, when you have a Kubernetes deployment in Azure or AWS, as well as GCP, how do you connect all of these Kubernetes clusters? The best way to do [00:18:00] that is by using Anthos. So this allows you to be able to deploy containers anywhere, to be able to control how containers work, how your workloads work, and gives you a centralized place where you can control it all. 


Ashish Rajan: Interesting. I’m not going to go into the whole Kubernetes thing. But I definitely encourage people who may be listening in to go onto the podcast website, www.cloudsecuritypodcast.tv, and there’s a search icon top right, or somewhere on the screen; just type in Kubernetes. 


We did a whole month of it. So there’s new content over there. I’m not going to go into what Kubernetes is for this one. We have a question from Roger here as well. So, thanks: the GCP Digital Leader, should that be skipped as a certification? Should it be more than, is it before, you kind of tell us what, like, can we skip it? 


Antoni Tzavelas: Yes. So, the Cloud Digital Leader, or the CDL, as we call it in the industry, is a certification that is the basics, the absolute basics: what is cloud, things like that. It’s more high-level, as opposed [00:19:00] to getting deep into the actual services, any coding. There’s nothing of that. 


This is more of a certification that I would recommend to somebody who has no knowledge of cloud, or you are in sales and you want to be able to talk with your customers. This is a great certification for that. So, if you’re planning on becoming an engineer, or you’re an engineer in the space, then I would totally skip that. 


Skip the CDL and go straight to ACE. And that way you’ll get everything you need without having to go through the CDL. I mean, it’s kind of the same when people look at the Cloud Practitioner for AWS, right? It’s a great starting point, but if you are a leader, or you are in management or sales or marketing, and you just want to learn the absolute basics 


so you understand what people are talking about [00:20:00] when you’re in the room, then that’s definitely the way to go. Anything very technical, you want to look at the ACE. 


Ashish Rajan: Interesting. ACE and above. So, in order, ACE is the Associate 


Antoni Tzavelas: Cloud Engineer, associate 


Ashish Rajan: learning. Sweet. So, okay, we have the basics covered. 


Would you say for people who are starting off today probably have not done a single. This could be a good introductory course for them as well. Absolutely. 


Antoni Tzavelas: Absolutely. Like I said, it’s really great for somebody who has absolutely no knowledge of cloud. I mean, if you’re coming from another industry, like fashion, and you have absolutely no knowledge, it’s a great certification that will guide you to understand 


what GCP is, how it works, and the benefits around cloud computing. Cool. 


Ashish Rajan: Alright, GCP Digital Leader, people, get on it. Cool. So maybe switching gears quite a bit. I guess we’ve been talking about some of the basic foundational pieces so that we could level the playing field for everyone who’s listening in, and let’s try and go a layer deeper over [00:21:00] the next bit and jump onto the kind of implementation. 


Cause a lot of people, I guess, would know about implementation in AWS, or at least an on-premise environment. They might not know what implementation looks like in, say, a GCP world. So I’m just making up an example here. If you have whatever project that you’re trying to deploy, it would have some infrastructure component. 


That’s an application component, like, and obviously being security fundamentals as part of this conversation, what do you recommend? How would you go about doing it, and what are some of the things that people should look out for doing this in Google? 


Antoni Tzavelas: Yeah, that’s a great question. The great thing about GCP is the fact that everything is integrated. 


So if you take one service, it integrates well with any other service, and Google has done that purposely. And I think it’s absolutely brilliant. If you’re looking to do something like create a CI/CD pipeline, for those of you who are unfamiliar, CI [00:22:00] standing for continuous integration and CD standing for continuous delivery or continuous. 


Whichever you choose. So now, when looking at things like that, you want to look at things like having a repo to start off with. So having maybe a GitHub repo, or you want to use cloud repositories, and then it goes right into Cloud Build, where you can build your container. Once that’s built, then it can be sent straight out to a. 


To Container Registry, and in Container Registry you can have binary authorization, where, if it didn’t come from Cloud Build, then it doesn’t get deployed. Right. Then, going from there, you can then push it out to GKE. Maybe you want to do Jenkins type. For those of you who are unfamiliar, Jenkins is a tool that is very commonly used for CI/CD pipelines. 


It does a whole bunch of different things. I don’t want to [00:23:00] get into it because we could spend 


Ashish Rajan: at that point Jenkins, but not cool. So you can use Jenkins if you like. 


Antoni Tzavelas: Yeah. Then on top of that, let’s say you are in a highly regulated environment, so something like PCI DSS or a HIPAA environment. You want to use something like, if you are pulling in data from, let’s say, credit cards. 


You want to be able to store that data, but you want to be able to store it both securely and within compliance. So you would run it through something like DLP, which stands for data loss. Yeah, so this will discover, it will classify, and it’ll protect your sensitive data by using different methods like de-identification methods, masking, tokenization. 


So people won’t be able to see that credit card data, but you will be able to query. Like, let’s say Ashish buys something [00:24:00] and the credit card data goes through. Well, now I can see how many times Ashish has used that credit card, but without having to show that sensitive data. 


So either masking it or even just removing it and putting a token there, and only when you have that key or token can you actually have that data put back and see it. So these are, you can do it as simple as you like, but you can do some very complex things, and Google makes it easy to do that, which is really, really awesome. 


Ashish Rajan: And maybe some of the things that I get asked quite often, to your point about the regulated environment, PCI, is the auditing equivalent as well for this kind of activity. I think that’s the perfect answer for the deployment pieces and the security pieces as well. I’m curious, because we do have a few auditors in our listener base. 


Right. And for auditors who may be listening in, what are some of the auditing capabilities that they can look at? Like, what’s the [00:25:00] logging feature in GCP, like, 


Antoni Tzavelas: oh, Cloud Logging, Cloud Logging 


Ashish Rajan: it’s even called Cloud. But Cloud Logging does audit as well? I’m just going to lay it down here. It does audit as well as applications, or just 


Antoni Tzavelas: audit. 


So if you’re looking for auditing specifically, you can use a. Of any sort. So let’s say you want to use Splunk, on-prem. You can easily do that. You simply run a direct connection from GCP to your on-premise environment, and you can have Splunk check either a Cloud Storage bucket, or you can have the data go straight into Splunk using something like Cloud Pub/Sub. 


Ashish Rajan: Oh, yeah, we definitely had a whole conversation on Cloud Pub/Sub on our first episode for this month of Google Cloud security. So, definitely something to check out. Awesome. So we kind of go into, what are some of the other security services within GCP that people can look at? They could be open source as well, because I think there’s always a limit to how much 


I guess a GCP [00:26:00] provided one, or what Amazon provides, can do by itself. I wonder what some of the other tools or open source services are that people can sometimes dive into to do security. 


Antoni Tzavelas: So when it comes to open source, because Google already uses a lot of open source, things are kind of built in, but there are some other tools on top of that. 


Using something like Forseti, and this plugs right into GCP, and that’s used for inventory, monitoring, policies and policy insights, as well as enforcing specific rules that you want. So that’s completely open source. Another thing is Cloud Custodian. I’m pretty sure you’ve heard about that. 


A very popular open source tool that is a rules engine for cloud security and governance. Another one is Chaos Monkey, which is a Netflix tool, and that works great to cause chaos in your environment and see where your environment is lacking. If you don’t have any HA [00:27:00] capabilities, you’ll find out right away, 


Ashish Rajan: essentially, test your boundaries on how effective and how reliable you think the system is. 


Antoni Tzavelas: Yes. And one more that I wanted to recommend is called GCP bucket. And this open source tool detects open and misconfigured Google storage buckets. 


Ashish Rajan: Oh, wow. There you go. Yeah. So wait, so the whole misconfigured S3 bucket thing from AWS is a problem in GCP as well. Absolutely. Humans haven’t really changed as it goes. 


Antoni Tzavelas: No, and I’m actually waiting for Google to do it. I mean, they usually keep the user in mind when it comes to security. I mean, having encryption at rest and encryption in transit by default, that helps out. 


So you always know that the traffic within your GCP environment is always encrypted. That is awesome. And if you’re looking at, sorry, it’s not an open source tool, but I did want to give it a mention, which is Confidential VMs. So this is not just [00:28:00] encryption in transit and at rest, but it’s encryption of data in use. 


So, I know, it’s really cool. So the VM uses a specific CPU that allows you to have the same performance without that performance hit, because encryption takes a lot of memory and a lot of compute to be able to encrypt. So there’s a special chip that allows that inline memory encryption. And so you’re able to encrypt on the fly as you’re using your data. Absolutely. 


Ashish Rajan: Awesome. That’s pretty much what we had time for on this show, man. 


Where can people find you? And where can people connect with you to know more about the Google Cloud space and Google Cloud security fundamentals, and any part of it? They shouldn’t hang out on video and on Twitter Spaces as well, cause you’re hosting another one of these fundamentals later in the week 


Antoni Tzavelas: or next week. 


Yeah. With Priyanka Vergadia, yeah. From 


Ashish Rajan: Google. Yep. Yep. 


Antoni Tzavelas: So people can find me on LinkedIn. I usually hang out there, or I usually [00:29:00] hang out on Twitter. You can find me there under Antoni’s cloud. Or you can just email me. For those of you who are old school, you can go to my website, training.antonit.com, and yeah, you can shoot me. 


Ashish Rajan: Sweet. And I’ll put those links on our website as well, which is where the episode will go live. So, yeah, feel free to check out the links on the website page. But thank you so much for coming in, Antoni. Always a pleasure having you and having a conversation with you, and I do appreciate you hanging out with us and sharing all that. 


Antoni Tzavelas: Thank you so much. No 


Ashish Rajan: problem. All right, everyone else, I’ll see you next weekend with another episode on Google Cloud. I think we’re going to have a few more, so I’ll see you with another Google Cloud security topic next week. Until then, have fun and enjoy your weekend. 


Cya Peace