All of your data needs, solved: a cloud-native data platform

In today's world data is king. It is everywhere, collected seemingly by everyone, yet so many industries lack a good data platform. And it gets even more difficult when you take into account the privacy aspects of health data.

This talk will touch on 2 aspects of building a modern, flexible and secure data platform:
1) how to enable innovative, AI-driven products when dealing with highly sensitive data, and
2) when the market gives you all the tools you can imagine, how do you pick which ones you use? And marry them together?

Data engineers are from Mars, Platform engineers are from Venus

When DevOps emerged around 13-14 years ago, it aimed to bridge the gap between Developers and Operations. Today - it is safe to say that devs and infra/platform people understand each other reasonably well.
Now it’s time to make the case for data and platform engineers.
Does “We need access to prod” mean the same to both sides?
Can data products be truly tested and have a lifecycle?
How do you build a partnership between the teams who provide data infrastructure and those who work with the data?

Go Serverless! But is it secure?

I am a big advocate of serverless products instead of "traditional" ones. Cloud Run instead of GKE, Fargate instead of EKS, Pub/Sub instead of Kafka and Aurora instead of RDS. You get lower costs, less infra to manage, no need to worry about networking... But what about security? Can you really make sure that your serverless workloads (or data) are safe?

In this talk, we will go through several serverless offerings in the areas of data & compute, and look at their vulnerabilities and security options. We'll cover topics like:

- How serverless architecture changes the attack surface
- Vulnerabilities in serverless platforms and services
- Best practices for securing serverless workloads

By the end of this talk, you'll be able to:

- Understand the security risks of serverless computing
- Implement best practices for securing your serverless workloads
- Sleep soundly knowing that your serverless applications are secure

Prerequisites:
- Understanding of serverless vs "traditional" compute and data offerings
- Familiarity with AWS and GCP, how to design and build infrastructure
- Understanding of different layers of security in the cloud (what is the responsibility of the user vs the provider, what happens to data in use, how resources are provisioned onto the provider's hardware, what encryption and access control options exist).

Recording of this talk: https://www.youtube.com/watch?v=m9sLWY8ddvc

I've given several talks about securing data platforms in the cloud (for example, here https://datateamssummit.com/2022-2/multi-cloud-tight-regulations/ and here https://www.youtube.com/watch?v=P1bTBwlyPtU), and have also written blogs directly or indirectly related to serverless security (example https://medium.com/google-cloud/the-misadventures-of-one-cloud-function-edd8e4036e92)

If you can - doesn't mean you should: lessons from Terraforming clouds

We all love automation; the fewer steps needed to get something deployed - the better. Even if it means abstraction layer on top of abstraction layer - we all love our abstraction layers. Terraform, modules, wrappers and orchestration tools allow for an increasingly more sophisticated code - but where do you draw the line?
In this talk, we will explore the boundaries of infrastructure as code and look for the balance between abstraction and maintainability.

Recording of a short version of this talk: https://www.youtube.com/watch?v=OUPQ_pFD58A

Building a cloud-native data platform with security in mind

In today's world data is king. It is everywhere, collected seemingly by everyone, yet many industries lack a good data platform. Cloud technologies enable us to build robust, scalable, and easy-to-use platforms quickly, but one might wonder whether storing sensitive data in the cloud is safe. In this talk, we will explore the technical principles of securing a cloud data platform, look at examples in AWS and GCP, and discuss regulatory and compliance requirements.

I gave a similar talk at DataOps Unleashed: https://datateamssummit.com/2022-2/multi-cloud-tight-regulations/

GCP's Secure Supply Chain in practical terms: securing your containers

Typically, when we talk about security in containerised workloads, we mostly mean the runtime security. Occasionally, in-registry scanning of components and libraries for known vulnerabilities is brought into the discussion. But what about build time? What if a malicious actor compromised your CI? What if a rogue image is deployed, bypassing all the steps in your CD? And wouldn't it be better if developers didn't use vulnerable libraries in the first place?

All of these questions prompted Google Cloud to develop a set of tools known under the umbrella term "Secure Supply Chain". These have various scanning, verification, and cryptographic assurance services seamlessly integrated into GCP's CI/CD patterns for GKE (Google Kubernetes Engine) and Cloud Run. It all looks great, but it is a) a lot b) assuming that you use all of the GCP tools to manage your entire software lifecycle.

But what does it mean in practical terms? In this talk, let's look at specific services and their implementation "in the wild". You will learn how to set up Binary Authorization in an enterprise environment, how to enable and make use of built-in scanning capabilities of GKE and the Artifact Registry, and how to manage the security posture of your Kubernetes and Cloud Run deployments.

You can find some of my recorded talks here: https://www.youtube.com/playlist?list=PLS3g1K3mnmajt5Eu3nNaAiMK3hXjVRRNL This is a new talk, it will be purely technical and go through details of configuration for parts of the Secure Supply Chain and their integration with CI/CD (probably Github Actions), GKE Security Posture dashboard and real-life applications of these security tools.

Balancing tight security with fluid devex, powered by GKE

The most secure server is one that is disconnected from the Internet and unplugged. And the most convenient environment for devs is where they have admin access to production and the freedom do what they want. How do you marry the two?
Let's look at a real-world scenario where we built a cloud-native fintech platform on GKE. The vision? A robust, flexible, and secure foundation that supports SOC2-compliant deployments and empowers developers to be as productive as possible, contrary to the typical for the financial sector blown-out processes and approval chases.
This solution is powered by Google Kubernetes Engine (GKE) and the cloud's niftiest security tools from the Secure Supply Chain toolkit.

First delivered as a lightning talk at Google Cloud Next London. This talk is based on a real-world implementation for a regulated startup in fintech. You can find recordings of some of my previous talks here: https://www.youtube.com/playlist?list=PLS3g1K3mnmajt5Eu3nNaAiMK3hXjVRRNL

Les ingénieur(e)s de données viennent de Mars, les ingénieur(e)s de plateformes viennent de Venus

Lorsque le terme DevOps est apparu il y a environ 14 ans, le créateur avait pour bût d'éliminer le manque de communication entre les Developeurs et les "Ops" - les ingénieur(e)s systèmes.
Aujourd'hui on peut dire que les devs et les ops se comprennent pas trop mal - on trouve même de plus en plus souvent des équipes dev qui maintiennent leur propre infrastructure.

Maintenant, nous devons réfléchir de la même manière pour les ingénieur(e)s de données et les ingénieur(e)s de plateformes.

Est-ce que la phrase "J'ai besoin d'accès à la prod" veut dire la même chose pour tout le monde?

Les produits de données, peuvent-ils vraiment être testés et avoir un cycle de vie logiciel?

Comment peut-on construire un partenariat entre les équipes responsables de l'infrastructure, et celles qui travaillent avec les données?

Cette session peut être donnée en 25, 35 ou 40 minutes, en Français comme en Anglais. Voici sa première édition enregistrée: https://www.youtube.com/watch?v=wPXt8VmWtHI&list=PLS3g1K3mnmajt5Eu3nNaAiMK3hXjVRRNL&index=1

Securing your google cloud: VPC Service Controls that don’t make you want to quit

If you have ever worked with Google Cloud’s security tooling, you will know how powerful it is - and how confusing it can be. One of these tools is VPC Service Controls - a sort of firewall on steroids, powerful yet so easy to overcomplicate. Perimeters, bridges, policies, Ingress/Egress - join me to learn the tips and tricks in working with VPC Service Controls. By the end of it, you will have the knowledge and the necessary tools to work with VPC SC even in the more complex scenarios.

This is an advanced talk aimed at cloud engineers working with, or looking into Google Cloud. Intermediate knowledge of GCP and a solid understanding of networking is needed.
You can find recordings of my other talks here: https://www.youtube.com/playlist?list=PLS3g1K3mnmajt5Eu3nNaAiMK3hXjVRRNL