Secure By Design: Architecting your cloud ad AI workloads from the perspective of infosec

So you've vibe-coded your Super Smart AI Agentic App and are ready to set it free on the Internet. You are sure it will do well, it solves this amazing use-case, with such clever technology! You pick your favourite cloud provider, decide on a runtime - perhaps, Kubernetes or Cloud Run - buy a domain, ask Gemini to wire up a deployment pipeline. Happy days!

But here's the thing. You can't vibe-code security. Every single thing you deploy to the cloud needs to be secured. And it's a hard task! Even for cybersecurity professionals.

But fret not. Cloud providers, such as Google Cloud, have already put in the work to make your job easier. And in this talk, you will learn the fundamentals of securing your workloads, (almost) end-to-end.

But can you really run your app on 2 clouds at the same time?

We've all heard about this concept - you should run your app in more than one zone, more than one region, more than one... cloud? But how can this be done, without a major re-architecture of every component of every system?
Let me take you through a real world implementation, where the 2 clouds were AWS and GCP, and the app - a major platform that has to deal with images. We'll look into the infra, networking and DNS setup, how to configure data availability and consistency, and what happened when we actually switched dual run in production.
Whether you need multi-cloud for resilience, for serving customers with different requirements, or you just want to see who's mad enough to implement this - this talk is for you.

All of your data needs, solved: a cloud-native data platform

In today's world data is king. It is everywhere, collected seemingly by everyone, yet so many industries lack a good data platform. And it gets even more difficult when you take into account the privacy aspects of health data.

This talk will touch on 2 aspects of building a modern, flexible and secure data platform:
1) how to enable innovative, AI-driven products when dealing with highly sensitive data, and
2) when the market gives you all the tools you can imagine, how do you pick which ones you use? And marry them together?

Data engineers are from Mars, Platform engineers are from Venus

When DevOps emerged around 13-14 years ago, it aimed to bridge the gap between Developers and Operations. Today - it is safe to say that devs and infra/platform people understand each other reasonably well.
Now it’s time to make the case for data and platform engineers.
Does “We need access to prod” mean the same to both sides?
Can data products be truly tested and have a lifecycle?
How do you build a partnership between the teams who provide data infrastructure and those who work with the data?

Go Serverless! But is it secure?

I am a big advocate of serverless products instead of "traditional" ones. Cloud Run instead of GKE, Fargate instead of EKS, Pub/Sub instead of Kafka and Aurora instead of RDS. You get lower costs, less infra to manage, no need to worry about networking... But what about security? Can you really make sure that your serverless workloads (or data) are safe?

In this talk, we will go through several serverless offerings in the areas of data & compute, and look at their vulnerabilities and security options. We'll cover topics like:

- How serverless architecture changes the attack surface
- Vulnerabilities in serverless platforms and services
- Best practices for securing serverless workloads

By the end of this talk, you'll be able to:

- Understand the security risks of serverless computing
- Implement best practices for securing your serverless workloads
- Sleep soundly knowing that your serverless applications are secure

Prerequisites:
- Understanding of serverless vs "traditional" compute and data offerings
- Familiarity with AWS and GCP, how to design and build infrastructure
- Understanding of different layers of security in the cloud (what is the responsibility of the user vs the provider, what happens to data in use, how resources are provisioned onto the provider's hardware, what encryption and access control options exist).

Recording of this talk: https://www.youtube.com/watch?v=m9sLWY8ddvc

I've given several talks about securing data platforms in the cloud (for example, here https://datateamssummit.com/2022-2/multi-cloud-tight-regulations/ and here https://www.youtube.com/watch?v=P1bTBwlyPtU), and have also written blogs directly or indirectly related to serverless security (example https://medium.com/google-cloud/the-misadventures-of-one-cloud-function-edd8e4036e92)

If you can - doesn't mean you should: lessons from Terraforming clouds

We all love automation; the fewer steps needed to get something deployed - the better. Even if it means abstraction layer on top of abstraction layer - we all love our abstraction layers. Terraform, modules, wrappers and orchestration tools allow for an increasingly more sophisticated code - but where do you draw the line?
In this talk, we will explore the boundaries of infrastructure as code and look for the balance between abstraction and maintainability.

Recording of a short version of this talk: https://www.youtube.com/watch?v=OUPQ_pFD58A

Building a cloud-native data platform with security in mind

In today's world data is king. It is everywhere, collected seemingly by everyone, yet many industries lack a good data platform. Cloud technologies enable us to build robust, scalable, and easy-to-use platforms quickly, but one might wonder whether storing sensitive data in the cloud is safe. And the answer is - yes! In this talk, we will explore the technical principles of securing a cloud data platform, look at examples in AWS and GCP, and discuss regulatory and compliance requirements.

I gave a similar talk at DataOps Unleashed: https://datateamssummit.com/2022-2/multi-cloud-tight-regulations/

Balancing tight security with fluid devex, powered by GKE

The most secure server is one that is disconnected from the Internet and unplugged. And the most convenient environment for devs is where they have admin access to production and the freedom do what they want. How do you marry the two?
Let's look at a real-world scenario where we built a cloud-native fintech platform on GKE. The vision? A robust, flexible, and secure foundation that supports SOC2-compliant deployments and empowers developers to be as productive as possible, contrary to the typical for the financial sector blown-out processes and approval chases.
This solution is powered by Google Kubernetes Engine (GKE) and the cloud's niftiest security tools from the Secure Supply Chain toolkit.

First delivered as a lightning talk at Google Cloud Next London. This talk is based on a real-world implementation for a regulated startup in fintech. You can find recordings of some of my previous talks here: https://www.youtube.com/playlist?list=PLS3g1K3mnmajt5Eu3nNaAiMK3hXjVRRNL