EP200 Zero Touch Prod, Security Rings, and Foundational Services: How Google Does Workload Security
Guest: Michael Czapinski, Security & Reliability Enthusiast, Google Topics: “How Google protects its production services” paper covers how Google's infrastructure balances several crucial aspects, including security, reliability, development speed, and maintainability. How do you prioritize these competing demands in a real-world setting? What attack vectors do you consider most critical in the production environment, and how has Google’s defenses against these vectors improved over time? Can you elaborate on the concept of Foundational services and their significance in Google's security posture? How does your security approach adapt to this vast spectrum of sensitivity and purpose of our servers and services, actually? How do you implement this principle of zero touch prod for both human and service accounts within our complex infrastructure? Can you talk us through the broader approach you take through Workload Security Rings and how this helps? Resources: “How Google protects its production services” paper (deep!) SLSA framework EP189 How Google Does Security Programs at Scale: CISO Insights EP109 How Google Does Vulnerability Management: The Not So Secret Secrets! EP176 Google on Google Cloud: How Google Secures Its Own Cloud Use EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil SREcon presentation on zero touch prod. The SRS book (free access)