Wednesday, April 10, 2019
Pradeep Biradar is a software engineer for Palo Alto Networks, working on the public cloud team. He recently wrote a detailed blog post on the Palo Alto Networks Live Community blog, sharing how to secure a Google Kubernetes Engine (GKE) environment on the Google Cloud Platform (GCP).
We spoke with Pradeep to learn more about his career, his thoughts on what cybersecurity professionals should keep an eye on, and dove into some of the specifics of GKE.
Please tell us about yourself – how long have you been in the industry? What drew you to your current work and what interests you most about the profession?
I have been engaged in the Information Security industry for the past eight years. I am proud to work for RedLock, a public cloud security analytics organization that is part of Palo Alto Networks. I work as a staff engineer for cloud security software and spend most of my time leading security research, so customers can make the best decisions possible.
Security is a business that is critical to all companies, regardless of the size of the organization. Security is hard and complex to decode. I enjoy that the work challenges me to decipher such issues and make customers’ and end users’ lives simple and easy.
The cybersecurity industry moves at a rapid pace. What changes have you seen in the last three years alone? Looking to the near future, what should cybersecurity professionals keep their eyes on?
The industry is going through a paradigm shift again, and in the last few years we have seen a drastic change from client-server, to virtualization and cloud computing. Cloud computing has brought agility to the industry, which has given huge flexibility to its users. This has tremendous security implications that need to be addressed to keep the environment safe and secure. At the same time, we are moving to Industry 4.0. With that, we are talking about left shift, containerization, and applications that are built and run in a serverless world.
While we are in this transition phase, machine learning and bots are taking over the world. Systems within the Internet of Things (IoT) will be interconnected to the autonomous world, and this is a drastic change that the industry is going through. Humans are challenged to make the right decisions along with bots, for which security is pivotal and crucial.
Why does the topic of Google Kubernetes Engine (GKE) interest you? What brought you to write this article?
Google launched the Kubernetes Engine in 2015. Kubernetes Engine builds on Google's experience of running services like Gmail and YouTube in containers for over 12 years. Kubernetes has become cutting-edge technology for microservices and it is increasing in popularity. Now cloud providers are incorporating Kubernetes and are providing it as an important service. This includes Microsoft’s Azure Kubernetes Service (AKS) and Amazon’s Elastic Container Service for Kubernetes (EKS).
Kubernetes is growing in popularity, with 76,204 commits and 2,058 contributors (GitHub). It’s become an industry-leading container orchestration tool. This industry trend is what brought me to write about Google Kubernetes Engine on Google Cloud Platform (GCP) for the Palo Alto Networks Live Community blog.
Regarding your GKE article, why did you choose to head down the container route? What drew you to that technology?
Containerization allows development teams to move fast, deploy software efficiently, and operate at an unprecedented scale. Containers are lightweight and start much faster. They are built for the application within a consistent environment. Containers have become a de facto standard choice for deploying and delivering applications. However, container security is challenging with respect to authentication and authorization, auditing and logging, networking, node security, etc. Because of this, I thought it was worth writing a technical blog on Kubernetes Engine to help customers with container security on the Google Cloud Platform.
How would you leverage GKE in conjunction with Palo Alto Networks resources? Would GKE be able to programmatically integrate into the PAN-OS? Would you use GKE to deploy instances of a Palo Alto Networks firewall?
Yes, GKE can be deployed in Palo Alto Networks resources programmatically as a service. Google provides lots of UI, as well as CLI options, to do so. Palo Alto Networks has worked extensively on Kubernetes Engine integration. For those interested, you can read more about the Palo Alto Networks VM-Series integration with the Kubernetes Engine here.
Would the creation of GKE be able to leverage the Palo Alto Networks library of APIs and other tools? Essentially, could you integrate into an existing security environment with minimal user impact, to keep all of the security in a 'single pane of glass' or as close to one as possible?
With respect to GCP and GKE, yes! GCP provides an API to fetch Kubernetes data hosted on GCP. The Palo Alto Networks library could use the same API to fetch required data, just as RedLock is doing. I recommend this GitHub reference for library source code for VM-Series firewalls via Terraform.
Is there anything else you’d like Fuel for Thought readers to know about?
The security guidelines I have blogged about are now a Center for Internet Security (CIS) benchmark for the Google Cloud Platform Foundation. I am proud to say that all GCP CIS Benchmark Section 7 Kubernetes Engine guidelines were proposed by my team and myself. Now it is publicly out as a standard recommendation of Google Cloud Platform for GKE services. Of course, it’s important to note that the blog I wrote was specific to GCP with the GKE service. Those security guidelines hold only for Google Kubernetes Engine on Google Cloud Platform (the GKE service of GCP).