About the talk
Security and compliance are among the first topics that companies face when considering moving workloads to public clouds. Security blueprints are a set of documents and assets that customers can use to help them deploy and maintain their applications in a secure manner. Deutsche Börse, together with Google, discusses how customers and Google work together to deploy workloads that must meet regulatory and compliance requirements.
Speakers: Christian Tüffers, Grace Mollison
Google Cloud Next ’20: OnAir → https://goo.gle/next2020
product: Security Command Center; fullname: Grace Mollison;
event: Google Cloud Next 2020;
Welcome to the session Master Security and Compliance in Public Cloud. My name is Christian. In the beginning, I would like to give you a short overview on Deutsche Börse but we are so hot Market infrastructure. Provider technology. Our first fully automatic electronic trading system was launched in the late 90s. This one is operating on lowest latency networks and technology and together with our partners. We are one of the largest All of our core business applications are actually self-development
salesmen change applications. In addition, Deutsche Börse Group is offering pre-trading services. So we calculate indexes, like for example, the DAX and the STOXX, we also operate benefits for our customers. The post-trading area is dealing with settlement and custody services. And in addition, we offer better edit services, like investment fund services management, everything of this suspect by our information technology. As you can see, we are really a core element of the European and global capital market. And as such, we are not any of the
highest regulatory supervision not only by the German but also by regulations Luxembourg, Switzerland and the UK. Deutsche Börse Group is using public cloud as one of the main technologies to drive award 2020. Public cloud is fueling our foundations for other technologies like for example, Rock and resources. In addition, we leverage public cloud for analyzing big data sets. Four of us for our customers and we also make use of machine learning capabilities. So that you can see public cloud is adding a lot of agility and Chihuahua mix.
But we use public cloud also to improve the overall quality of our systems, and this is achieved by standardization and automation and additional possibilities. As a good example, our trading platform called T7 is spinning up every night hundreds of testing services in order to conduct some kind of random monkey test. And then based upon the behaviour of this, we can improve the overall quality. Of course, you have the goal also to reduce your overtime cost by standardization and automation. We are implementing so what
night is not hybrid cloud strategy. As you can see on the lower right corner we are not leveraging only the Google Cloud Platform, and we team up with all the hyperscalers in the infrastructure-as-a-service and platform-as-a-service. And also for software-as-a-service, we work together with the market leaders. The multi-cloud strategy is important to us because it allows us to select really the best service for each use case. But in addition, it also prevents the vendor lock-in, something which is demanded by the regulators. So whenever we move
workloads into the public cloud, we have to provide us work on exit strategy attacks on France or they remove the workload from one public cloud into the other public cloud. In order to do so, we implemented a hybrid approach, leveraging, technology container and coordinators and the different routes provide us. Now, we know, of course, that this is not just on a quick switch, but in the end, it's sufficient that we can prove that within a certain time frame. We can move clothes out of one. Check out and move it back to normal. Now, let's look into the security
aspects. This picture I guess it's very familiar to most of you. It outlines the so-called shared responsibility model. On the lower part, you see the responsibilities of the security of the cloud this, but also, and also the IT processes in the back things like extras management, incident management, or capacity management. On top of that, you have the security in the cloud. This is our responsibility as a customer. So we have to make sure that we provide secure access into the cloud, we have to define appropriate
roads, to find security guard, trade for Mike Shula. If you don't compromise on the high level of security, when we move into the public cloud, Typically, the lower part is tickets by looking at the sunset applications expense reports like the regular Tamara crystal clear to us. That only looking at this kind of certifications and is not sufficient exhausting. And one of them is that we need to have an unrestricted watch to order that we really can uncover. And look at the
detail, how the cloud provider is implementing all the required security controls. Now, if you would do this alone, this would mean a lot of effort for us because as you have seen previously, we work with a lot of different routes is typically an engagement, which takes a couple of weeks or even months and it needs a lot of people in order to do so. On the other side is Automotive, or is it used in the same area so far? And speak him up a couple of years ago with the idea of a cold. The collaborative group is an open forum at the Financial Service Institute jointly
together. Conducting audits with a cloud service provider. This has been proven in 2017 the first time in a small proof-of-concept. Then 2018 was the first large-scale audit conducted in 2019. Also, who kicks out that form was audited by the collaborative article about 40 different Financial Service Institute in what has mentioned. Any financial institutions can join King. For the security index, our part, we based ourselves on the ISO 27001 framework to 7. Where we put a lot of effort into
implementing security controls to achieve the high level of security, which we are known for our so the focus demands I hear shade and light blue and cover things like asset management, access control so we concluded without colleagues, that we needed 20 different initiatives in order to implement all the required controls to cover Dimension as a woman's, this is pretty much the makes of where we extend over the existing Solutions, Management Services as appropriate, for example, in the area of key management or secrets management,
Sometimes also be identified that there's not available for science checking of containers, in Oakland A to set up. No answer can see applying Security in the cloud is a lot of effort is always new requirements coming from the regular out there. And on the other side order of the cloud service providers are always offering new services and new possibilities. Like what we found is that in the end is something which is the same for every client. So it's not only asked during the
confrontation during the security guard. Where is consecration? The road definition at Swan and I didn't we did discuss with Google here. Is that the Blind by default and rethink. This is also increasingly over security posture for Google. And this is why I became into close discussion with Grace and thankfully now and over for her to continue. Christian called out, some folks, too many things from the 14 control domains in ISO 27001, with 90, to Luling, as well as being able to
Integrated Pain Solutions, to help with information. The controls. I'm just sharing has some 90 ways to help meet the requirements, which partner ecosystem, that knows her Health Solutions. Did I have a bump in spokesman responded to these challenges? Christian? Texas, how do we get security in the cloud for many customers? Who would have preferred business applications? How can we make efficient to address? How do we play distinguish Utah's, vote in the shared responsibility model. Secretion is right and it's
the same challenge for every customer and you can see the other customers walk through the same things. Christian is a what product to search for to the regulation on standing on its comply? With what do I need to do to retrieve my security posture, need to address our security posture. We responded with a compliance resource center is the way to find Google Cloud compliance offerings, by region or industry with best practices and documentation to support your compliance reporting needs. You can gain access to Google
class. I can stations reports to confirm compliance with the variety of standards and regulations. Google, what does a Raichu security guidance to help customers deployed and developed with the security cuz mine's that customers can guidance and the ability for customers to implement the guard rails required Kristy McNichol. Say what by the are there with blueprint? Where the 6p or Internet service provider takes responsibility of in the cloud and search for Mind, Body Soul. So we do have to treat the flu pregnancy. Google Styles, definition of
a blueprint provides a package of documentation and assets which can be consumed, all stages of the customer lifecycle. The intended use is a government function and do security administrators. They might, you be interested in babysitting songs by some complexity of the use case. Google Play app is Tick, Tock, security, Blueprints and the compliance design things on. Blueprint, that more components in the workload post blueprints of the core components that are the walls. Which explains what controls you need and what you need to do and the house which of the
deplorable assets and instructions. The first compliance badges on blueprint published is PCI featuring kagekao. Republic spice, comprehensive guidance. Includes things like a quick star pre req, so you can configure your workstation and diagrams and they need to issue citations and helpful links. Office product specific. Blueprint collection is Broncos. The first and we're working on ball. It could you show overview rentals? It's not going to talk with you about the cloud application platform, which is basically has money to burn a cheat for GTA V.
Antelope has a Security First approached. It provides a noticeable and centralized workflow to deploy, comfy changes, which molecule security Admissions and operations. Team one allows you to enforce compliance and full-service MASH which is a key part of the answers platform a certificate management. Now, this is an exceptional, and if you don't know who these things I'm showing you, the key thing is that to be able to meet you, where you at the station to deploy a way that can be accessed from, you need to consider a number of things, such as where your services are
located. It makes me sick from the scripture to configure is the name of the security blueprints. To provide the street to guidance to help a customer secure that have two cases, takes a village, not to jump and has a valid ID is an issue to consider the fact that we didn't actually stop at Loop Rings or customers, want to know what do who clap for those compliant with a given standard the shared responsibility because I was bored out so they can fly. It's it's it's the security
code and analytics system for servicing understanding and remediate security and I trust the process known as I shouldn't. Note though it's not suitable. For it's not a substitute for certification or report or compliance of your products or services with any regulatory or industry benchmarks. It's a guide to help you through the security, security health analytics in the premium tier provides these results. So here's an example of the security health when using the premium it's a single place to view. How are your mocking against requirements now from
housefull? Sorry about this child Foundation, 1.0 Maccabees have been reviewed by the Internet Security for a lineman. For the sea is 0.0 additional compliance certification or report has paid. You could take him at a screen will provide guidance as to what you need to do to remain a powerful tool to help you. So, I just want to come to bring it all together and talk about the use of Journey to use the these, these tools. I talked about you just heard what you could request to make it
easier. If I do the compliance with customers have many customers Journey Through the compliant Resource Center, showing how the various and maybe find a station. It was at this stage. What products, figuration? They need to be by using the compliance Max security health analytics, and the blueprints Operation security admin. The Dave's security questions need to be mad cuz she helped find blueprints to Chief out when they can figure their environment and its applications. So, if you want to