230: If I Ever Own a Sailboat, I Will Name it Kafka… and Sail it on a Data Lake

Welcome to The Cloud Pod episode 230, where the forecast is always cloudy! This week we’re sailing our pod across the data lake and talking about updates to managed delivery from Kafka. We also take a gander at Bedrock, some new security tools from our friends over at Google. We’re also back with our Cloud Journey Series talking security theater.Stay Tuned!  

Titles we almost went with this week:

• Security and Delivery Within an Hour… Sacrilegious!
• Unlock Global Innovation with Sovereign Cloud
• Microsoft… What in the World Are You Doing?
• ⛵If I ever own a sailboat, I will name it Kafka. 
• And the Oscar for Security Theater goes to…

A big thanks to this week’s sponsor:

Foghorn Consulting provides top-notch cloud and DevOps engineers to the world’s most innovative companies. Initiatives stalled because you have trouble hiring?  Foghorn can be burning down your DevOps and Cloud backlogs as soon as next week.

General News this Week:

01:15 Microsoft fans… This isn’t going to be pretty. You were warned.  Microsoft Warns of Cyber Attacks Attempting to Breach Cloud via SQL Server Instance  Microsoft…The Truth Is Even Worse Than You Think Microsoft comes under blistering criticism for “grossly irresponsible” security

• In what has turned out to be a not so great week for Microsoft (and their customers) the software giant has released an urgent warning for SQL server instances running on Azure. **Insert meme of dog saying it’s fine surrounded by fire here**
• Microsoft has detailed a new campaign in which attackers unsuccessfully attempted to move laterally to a cloud environment through a SQL server instance.
• The attacker initially exploited a SQL injection vulnerability in an app, and then was able to gain access and elevated permission on MS SQL instance deployed in Azure VM. 
• The threat actor than attempted to move horizontally by abusing the server’s cloud identity, which could possess elevated permissions (least privilege folks)
• MS says it found no evidence that the attacker successfully moved.
• Considering the recent criticism by Tenable CEO who threw them under the bus for not fixing a major vulnerability for over 90 days, this warning and confirmation seems like a step in the right direction. 

04:37 Matthew- “I mean, also just the scale of these hypervisors, sometimes it just takes time. Like - you don't want to quickly roll out a hotfix to something, realize you caused another problem, and now you're playing whack-a-mole because you're moving too fast and not taking a step back and fixing the root cause of it.”

AWS - Kafka Managed Delivery

07:07  Amazon Bedrock Is Now Generally Available – Build and Scale Generative AI Applications with Foundation Models

• Amazon has launched the fastest GA ever, with Bedrock now being announced as Generally Available. Amazon Bedrock is a fully managed service that offers a choice of high-performing foundation models (FMs) from a leading AI companies including AI21 Labs, Anthropic, Cohere, Stability AI and Amazon, along with  a broad set of capabilities to build generative AI applications, simplifying the development while maintaining privacy and security. 
• In addition to bedrock being available, they are also pleased to say the Llama-2 13b and 70b models will be available soon as well. 
• Bedrock is serverless, you don’t have to manage any infrastructure, and you can securely integrate and deploy generative AI capabilities into your applications using the AWS services you are already familiar with. 
• Played with it and enabled some models including Claude, etc. 
• Bedrock gives you on-demand pricing and provisioned throughput; the on demand price isn’t *horrible* but it’s not great. (pricing is per thousand input tokens)
• More models will be coming, but just be aware of how much you’re willing to spend. 

08:34 Justin - “I  didn't have time to really research it, but even one model unit, which is the lowest amount, is $4,600. Now, if you say, look, I really want the Anthropic Clause2 model, which is supposed to be all the hotness, and I want the 100K model context length, and I want one of those, for just one month, it's $45,000. Yeah, so that was a little scary, which made playing with it very nerve wracking.” Come back next week for the link to Justin’s GoFundMe after his bill comes in.   12:43 Amazon MSK Introduces Managed Data Delivery from Apache Kafka to Your Data Lake 

• These show notes brought to you by Claude! (Insert picture of show note editor crying.)
• Here is a summary of the key points from the article:
  • Amazon MSK is AWS's fully managed Apache Kafka service. It provides key features needed to build real-time data pipelines and streaming applications. -
  • A new capability called Managed Delivery for Apache Kafka to AWS Lake Formation has been introduced. This allows data produced on Kafka clusters to be automatically delivered and structured in AWS Lake Formation data lakes. 
  • Lake Formation is a service that makes it easy to load data from various sources into a data lake stored on S3. Now with Managed Delivery, data from MSK clusters can seamlessly flow into these data lakes. 
  • Delivery is fully managed so no developers need to build or manage data movement infrastructure. The topics, schemas, and delivery configuration are defined through the Lake Formation dashboard. 
  • Data is delivered in bulk for performance and then transformed/structured in Lake Formation using built-in cataloging and data transformation capabilities.
  • This enables building data pipelines where data immediately lands in the data lake after streaming through Kafka, without having to develop ETL processes. The lake can then be queried with analytics tools. 
  • Managed Delivery handles security, delivery failures, monitoring delivery health and integrating with MSK cluster's managed access controls. 
  • In summary, this announcement introduced an integration between AWS MSK and Lake Formation to provide fully managed streaming data delivery from Kafka to data lakes with no infrastructure to develop/manage. 

13:55 Justin - “ In summary, this announcement introduced an integration between AWS MSK and Lake Formation to provide fully managed delivery of streaming data from Kafka. And I no longer have a job, so perfect.” 14:09 Ryan - “Hey, someone's still got to, you know, feed the data in and do the prompts!” 14:15 Justin - “I’m a prompt engineer now!”

GCP

16:26  Deliver and secure your internet-facing application in less than an hour using Dev(Sec)Ops Toolkit

• This is complete BS. Do. Not. Believe. It. 
• Google is announcing in preview the Dev(Sec)Ops toolkit for global front-end internet facing applications, which can help you launch new apps on google cloud in less than an hour.  This toolkit is part of the recently announced cross-cloud network solution.
• The toolkit provides an out-of-the-box, expert-curated solution to accelerate the delivery of internet facing applications.  A sample app included in the toolkit demonstrates how customers can integrate cloud load balancing, cloud armor and cloud CDN according to the provided reference architecture. As well as deploying applications via cloud build or third party tools like Jenkins or Gitlab.
• You can get started with this to configure your favorite CI/CD pipeline, clone the repository, and enjoy your google cloud hosted, global front-end, internet-facing applications. 

18:42 Ryan - “It's not really the fun parts of the application, right? It's plumbing. So it's kind of funny, because I love this for cloud engineers, because it's a great way to get started. It's a great example. You can see how it's done. You can deploy this in your own environment, which I think is pretty sweet.” 24:07 Introducing Google Cloud Firewall Plus with intrusion prevention

• If you have been following along at Google Next they announced Cloud Next Gen Firewall powered by PAN.  
• Now they are introducing Google Cloud Firewall Plus with intrusion prevention.  
• This is also by embedding PAN technology into the threat prevention and inspection capabilities for TLS and Non-TLS traffic providing transparent lineline protection for your Google Cloud workloads. 
• Cloud Firewall Plus adds a full layer 7 module supporting hierarchical firewall policies and tag-based firewall rules. 
• Cloud firewall plus joins Essential and Standard Cloud firewall offerings, and it will be billed based on the amount of data processed for threat prevention. 
• Palo Alto Networks - Get Ready for Google Cloud Firewall Plus, Network Integration Ease

28:41 Announcing Cloud SQL Node.js connector general availability

• The Cloud SQL Node.js connector is the easiest way to securely connect your node.js application to your Cloud SQL database. 
• I hadn’t really looked at these heavily, but the diagram caught my (Justin’s) eye, as it appears to leverage a secure tunnel natively in the connector to Cloud SQL. 
• Imagine that - a secure default!

29:14 Justin - “Thank you, Google, for having secure defaults, because that would not be secure by default in any other cloud. So that's why we're talking about it.” 31:08  Introducing Advanced Vulnerability Insights for GKE

• Detecting vulnerabilities in OSS requires a holistic approach and security best practices recommend scanning early and often throughout your development lifecycle to help maintain an effective security posture.  
• However, scanning in the CI/CD or Registry can miss artifacts and containers deployed to production through other mechanisms. Likewise, only scanning runtimes can pass over software supply chain vulnerabilities. 
•  To address this, Google is launching Advanced vulnerability insights for GKE. 
• Advanced vulnerability insights provides scanning and vulnerability detection in Java, Go, Javascript and Python language packages. It's built into their GKE security posture dashboard, and can be enabled on a per-cluster basis.  Vulnerability results can be viewed in the security posture dashboard and in the concerns tab with OS concerns, misconfigurations and security bulletins.
• During the preview there is no charge, but they plan to charge 0.04 per cluster-hour. 

32:11 Ryan - “I like how built into the native solution this is, these types of things. It's not turned on by default because there is a cost. I wish it was just sort of part of the thing and they weren't going to charge extra for it. But I understand. Everyone's going to make a buck. I get it. I just give cloud providers a lot of money.”

Azure

33:48 Microsoft Cost Management updates—August, 2023 Azure Container Apps is now eligible for Azure savings plan for compute 

• How is Azure saving us money this month… 
• For those super concerned about exporting reports from the cost management console can now be configured to use storage accounts behind a firewall. 
• I guess someone might embarrass you with your awful bill… but ok. 
• Service Fabric now offers you savings plan pricing. 
• Azure Data Manager for Energy and Microsoft Graph Data Connect now have pricing as they are GA. 
• In Cost Management Labs, you can now view your costs in multiple currencies. Lots of other goodies I'd like to see graduate out of labs…
  •  Looking at you Anomaly and Reservation Utilization alert rules and drill down smart views
• Azure Container apps dedicated plans can save you some money as well, and the new performance tiers for Managed Lustre 
• Azure Container Apps is now eligible for Azure savings plan for compute

35:29 Matthew - “ Azure is pretty good about posting, hey, these things are not gonna be charged for until … and we'll announce the pricing and terrifies me. That's why I'm afraid to use  hyper scale on Azure because it literally has a caveat. Like I was not charged for - we'll tell you in the future what we're gonna charge you for.” 37:02 Unlocking global government innovation with Microsoft Cloud for Sovereignty – public preview available today

• Microsoft is announcing in preview Microsoft Cloud for Sovereignty, with plans to GA this capability in December.  This solution will enable governments to meet their compliance, security and policy requirements while harnessing the cloud to deliver value to its citizens. 
• Since the inception of the cloud, government customers have faced limitations with digital transformation, particularly because of the need for controls to meet specific national and regional requirements.  
• Microsoft Cloud for Sovereignty is grounded in a repeatable best-practice approach that can be leveraged to assist with complex regulation achievements.  This solution features industry-leading data sovereignty and encryption controls, enabling governments to quickly create solutions tailored to help address regional and national requirements. 
• The offering includes:
  • Sovereign Landing Zone and policy initiative are now available on GitHub, which instantiates guardrails for sovereign cloud environments for customer workloads, enabling customers to leverage best practices for secure and consistent environments while supporting their efforts to meet evolving local regulations. 
  • Support for Italy’s ACN and Netherlands BIO regulation, which helps customers monitor, guard and report on compliance in Azure.
  • Transparency logs, available to eligible customers, provide customers with key operational activities of Microsoft engineers to support customer service and service reliability issues. 
  • Automated workload temples for Azure confidential computing and Azure lighthouse were examples of building workloads using these technologies for sovereign environments to speed learning and adoption. 

39:49 Justin - “I wish AWS was also following their footsteps on this, and I'm sure they will be, but they like to be last in these kinds of things. You don't think so?” 39:55 Ryan - “Oh, I don't think so. Amazon went left with GovCloud, and I don't think they're looking back.” 40:13 Microsoft Azure now available from new cloud region in Italy

• The Italy North datacenter region includes Azure Availability Zones, which offer you additional resiliency for your applications by designing the region with unique physical datacenter locations with independent power, network, and cooling for additional tolerance to datacenter failures. 

After Show

43:44 How leaders can reduce risk by shutting down security theater

• I will say that purchasing Mandiant might have been a really great thing for Google if these are the types of blog posts they're going to put out there. 
• They start their march against security, by pointing out the weakness of passwords as the only factor.  Guessable, crackable, phishable and socially engineered
• 41% of compromises in 2022 were blamed on weak passwords. 
• Solely relying on passwords as a form of identity authentication is an egregious form of Security theater but is so commonplace and notoriously bad. 
• Security theater: “Security measures that make people feel more secure without doing anything to actually improve their security” 
• Another example used, security questionnaires given to third parties. They take hours to design, administer and hours to complete… and yet they only amount to digital paperwork pushed back and forth across emails and spreadsheets with little value. 
• Google gives you a good litmus test to look for security theater:
  • Can you easily prove the control actually mitigates a relevant threat that you care about? 
  • Can you easily bypass the control with low effort and a low likelihood of the bypass getting caught? 
  • Does the control execution require perfect human performance to work? 
  • Is the control considered effective if the belief is that an adversary will fail to notice a weakness? 
  • Do you find yourself recursively justifying the control and saying, “we do it because it’s a compliance requirement!”
• Security theater thrives in the absence of evidence. Controls should provide value and measurably reduce risk. 
• Similar to passwords, porting legacy security controls and systems instead of building them fresh in the cloud is a great way to get more security theater. 
• Lift in shift in fact probably increases the risk you face from today’s threats because it can lead to increased costs, stagnated user experiences and time-consuming, mandated reporting. 
• As well as they become tech debt or difficult to work with in comparison to cloud API’s and controls. 

 Hacking Google Series  46:16 Justin - “One of the things I particularly liked about this is that it did attack compliance as one of the areas that security theater can exist. And so a lot of companies out there can have a lot of security frameworks and a lot of controls, and they check a lot of boxes, and they look really secure on paper, but they don't actually have a lot of security in practice. And so, these litmus test questions they gave are really a good indicator of how good your controls actually are, and I recommend you use them every day.” 49:41 Ryan - “ If you have an existing workload, there's a risk to the business, and there's an interruption to your customers. Where's the value in that disruption for checking that box? It needs to be evaluated in that context, in that specific context, and not just a checkbox. We turned on all the encryption. We said we turned on all the encryption. So you have to redeploy everything.”

Closing

And that is the week in the cloud! We would like to thank our sponsors Foghorn Consulting. Check out our website, the home of the Cloud Pod where you can join our newsletter, slack team, send feedback or ask questions at theCloud Pod.net or tweet at us with hashtag #theCloud Pod