EP200 Zero Touch Prod, Security Rings, and Foundational Services: How Google Does Workload Security

Guest:

• Michael Czapinski, Security & Reliability Enthusiast, Google

Topics:

• "How Google protects its production services" paper covers how Google's infrastructure balances several crucial aspects, including security, reliability, development speed, and maintainability. How do you prioritize these competing demands in a real-world setting?
• What attack vectors do you consider most critical in the production environment, and how has Google's defenses against these vectors improved over time?
• Can you elaborate on the concept of Foundational services and their significance in Google's security posture?
• How does your security approach adapt to this vast spectrum of sensitivity and purpose of our servers and services, actually?
• How do you implement this principle of zero touch prod for both human and service accounts within our complex infrastructure?
• Can you talk us through the broader approach you take through Workload Security Rings and how this helps?

Resources:

• "How Google protects its production services" paper (deep!)
• SLSA framework
• EP189 How Google Does Security Programs at Scale: CISO Insights
• EP109 How Google Does Vulnerability Management: The Not So Secret Secrets!
• EP176 Google on Google Cloud: How Google Secures Its Own Cloud Use
• EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil
• SREcon presentation on zero touch prod.
• The SRS book (free access)