Google’s BeyondCorp effort would probably be what we would now call Zero Trust, although I am surprised by how little name recognition BeyondCorp has when I talk to security people about Zero Trust. Perhaps there are subtle differences between the two, but if there are they aren’t obvious to me. I find myself reading the relevant Usenix papers for BeyondCorp, so I figure I’ll post a summary of what I got from each paper here.
The earliest of these papers are quite old now (2014), especially for something the rest of the industry is only starting to talk a lot about at the moment. I wonder if there is a viable business model in watching what papers megacorps like Google publish, and then implementing them as commercialized products before the rest of the market catches on?
Either way, here’s a summary of the various papers from the perspective of an interested bystander…
So, one of my kids is studying some business units at university and was assigned this paper to read. I thought it looked interesting, so I gave it a read as well.
While not being particularly well written in terms of style, this is an approachable introduction to the culture and values of Google and how they play into Google’s continued ability to innovate. The paper identifies seven important attributes of the company’s culture that promote innovation, as ranked by the interviewed employees:
The culture is innovation oriented.
They put a lot of effort into selecting individuals who will fit well with the culture at hiring time.
Leaders are seen as performing a facilitation role, not a directive one.
I have a need at the moment to know where my users are in the world. This helps me to identify what compute resources to serve their request with in order to reduce the latency they experience. So how do you do that thing with Google Cloud?
The first step is to set up a series of test backends to send traffic to. I built three regions: Sydney; London; and Los Angeles. In hindsight that wasn’t actually necessary: this would work with a single backend just as well. For my backends I chose a minimal Ubuntu install, running this simple backend HTTP service.
I had some initial trouble finding a single page which walked through the setup of the Google Cloud load balancer to do what I wanted, which is the main reason for writing this post. The steps are:
Create your test instances and configure the backend on them. I ended up with a setup like this:
Next, set up instance groups to contain these instances. I chose unmanaged instance groups (that is, I don’t want autoscaling). You need to create one per region.
But wait! There’s one more layer of abstraction. We need a backend service. The configuration for these is cunningly hidden on the load balancing page, on a separate tab. Create a service which contains our three instance groups:
I’ve also added a health check to my service, which just requests “/healthz” from each instance and expects a response of “OK” for healthy backends.
The backend service is also where we configure our extra headers. Click on the “advanced configurations” link, and more options appear:
Here I set up the extra HTTP headers the load balancer should insert: X-Region; X-City; and X-Lat-Lon.
And finally we can configure the load balancer. I selected an “HTTP(S) load balancer”, as I only care about incoming HTTP and HTTPS traffic. Obviously you set the load balancer to route traffic from the Internet to your VMs, and you wire the backend of the load balancer to your service. Select your backend service for the backend.
Now we can test! If I go to my load balancer in a web browser, I now get a result like this:
The top part of the page is just the HTTP headers from the request. You can see that we’re now getting helpful location headers. Mission accomplished!
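As an added illustration (not the backend service linked from the post), here is a minimal Python backend that does what the setup above relies on: it answers the “/healthz” health check with “OK”, echoes the request headers back so you can see what the load balancer inserted, and parses X-Region, X-City and X-Lat-Lon into a structure a routing decision could use. It assumes X-Lat-Lon arrives as “lat,lon” in decimal degrees and that the instances only accept traffic from the load balancer (via firewall rules); if clients can reach the VMs directly, these headers are just client-supplied strings and must not be trusted for any decision that matters.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping, Tuple

# Header names exactly as configured on the backend service in the post.
REGION_HDR, CITY_HDR, LATLON_HDR = "X-Region", "X-City", "X-Lat-Lon"


def parse_location_headers(headers: Mapping[str, str]) -> dict:
    """Map the load balancer's location headers to a small dict.

    Assumption: X-Lat-Lon is "lat,lon" decimal degrees. Malformed or
    out-of-range values become None instead of raising, so one bad
    header cannot crash the backend or fail the health check.
    """
    lower = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    loc = {"region": lower.get(REGION_HDR.lower()) or None,
           "city": lower.get(CITY_HDR.lower()) or None,
           "lat": None, "lon": None}
    parts = lower.get(LATLON_HDR.lower(), "").split(",")
    if len(parts) == 2:
        try:
            lat, lon = float(parts[0]), float(parts[1])
            if -90 <= lat <= 90 and -180 <= lon <= 180:
                loc["lat"], loc["lon"] = lat, lon
        except ValueError:
            pass  # leave lat/lon as None
    return loc


def handle(path: str, headers: Mapping[str, str]) -> Tuple[int, str]:
    """Return (status, body). /healthz matches the post's health check."""
    if path == "/healthz":
        return 200, "OK"
    # Echo the raw headers first (as in the post's screenshot), then the parsed view.
    lines = [f"{k}: {v}" for k, v in headers.items()] + [""]
    lines.append(json.dumps(parse_location_headers(headers), sort_keys=True))
    return 200, "\n".join(lines) + "\n"


class Backend(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = handle(self.path, dict(self.headers.items()))
        self.send_response(status)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.end_headers()
        self.wfile.write(body.encode())


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), Backend).serve_forever()  # port 8080 is assumed
```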
I’m giving a MythTV talk at Google in the next week (although I can’t find it on the events calendar at the moment, I’ll update this post when I do) so I’ve been playing with MythTV 0.21 a little more than I have in the past. It’s pretty cool.
I’m still writing the talk, so I don’t know 100% what it will cover, but I’m thinking it would be good to include some of the stuff from 0.21 as a teaser. Storage groups, the flash player in MythWeb, and the tweaks to the theme system seem like good things to include. Does anyone have other things they think are really cool in 0.21?
Oh, and I’ll have to cover guide data for the US, so it might be time to catch up with my MythTV email backlog once again.
Hopefully if you live near Silicon Valley you can come along to the talk and we can chat afterwards.
Like all sessions of the Open Source Developers @ Google Speaker Series, Michael’s presentation will be open to the public. Doors open at 6:30 PM at our Mountain View campus; guests should plan to sign in at Building 43 reception upon arrival. Refreshments will be served and all are welcome and encouraged to attend. Michael’s presentation will also be taped and published along with all of the public Google Tech Talks.
Kynan and I came along to the MySQL camp, and through a quirk of fate pretty much ended up running it (the person who was meant to be running it got injured on the first day and had to go off to hospital). In return we wrote the Google Code blog post about the event. Pretty cool, huh?
While I love my wife and kids to distraction, the distraction bit is real. Then again, I’m sure they have a counter argument that I tend to end up deep in thought, at which point you could probably push me off my chair and I wouldn’t notice. Anyway, that’s mostly beside the point. What is relevant is that for the first time in nearly a year (since 18 November 2005 to be exact, but who is counting?) I’m alone. All alone.
So, apart from watching the West Wing (which I haven’t seen before, and is fantastic), sleeping in, and going to a party tonight, I am coding.