Google Cloud Next '18 just concluded yesterday, and I would like to highlight a few talks I found interesting below. Before I get started, I just wanted to say how amazing it is that talks from conferences like Google I/O, Amazon re:Invent, PyCon, and of course Google Cloud Next are posted so quickly for people who cannot attend. It's always great to be in the audience and to have the one-on-one interaction that going to a conference affords, but I think the massive rise in video recordings of conference sessions is useful in bringing these ideas to a wider audience who do not live near Silicon Valley and cannot afford the expensive rates to attend technology conferences. Anyway, let's get on with my picks.
Python 3.7 and Serverless
First up, there were several announcements involving serverless computing, which Google is defining to include App Engine and Cloud Functions. To begin with, Cloud Functions has (finally) exited its long beta process and is now considered a GA product, complete with an SLA. Second, Cloud Functions has added Python 3.7 and Node.js 8 support in Beta. Finally, Python 3.7 and PHP 7.2 will be added to App Engine Standard 2nd generation (which currently only supports Node.js 8).
I think the App Engine announcement has gone a little under the radar, but the 2nd generation standard runtimes are a big leap forward. Although not available yet, you should be able to make use of a much wider array of Python libraries and have far fewer restrictions due to the inclusion of the new gVisor sandbox that surrounds all 2nd generation runtimes. With faster start-up and scaling times compared to App Engine flex runtimes, App Engine becomes a much more compelling environment for long-running "serverless" workloads, although I still may be tempted to use the flexibility afforded by GCE in many cases.
Asymmetric Keys in Cloud KMS and Cloud HSM
I'm a big fan of Cloud KMS. I have used both Amazon KMS and Google Cloud KMS to secure secrets and keys. This week Google announced the availability of hardware security modules (HSMs) in their infrastructure in alpha. I know that some of my clients have had an interest in HSM devices, and although I think it may be overkill, it is nice that Google is offering this alternative to Google's own key infrastructure for those that want it. Another nice feature is that HSM keys are API compatible with KMS keys.
Another announcement, which you may have figured out if you looked at the KMS APIs recently, is that asymmetric keys will now be offered via KMS and HSMs. RSA 2048, 3072, and 4096 flavors as well as P256 and P384 elliptic curve asymmetric keys will be available. I am interested to see if Google will grow any Certificate Authority management utilities on top of these new services.
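As an added illustration (this is example code written for this post's topic, not code from the talk, from Google, or from the Cloud KMS client library), here is a Go simulation of the workflow these asymmetric key types enable: the private key lives inside a signer that exposes only a sign-over-digest operation and the public key, which is the shape of a KMS- or HSM-held key, and relying parties verify with nothing but the exported PEM public key. The `Signer` interface, the `EC_P256`/`RSA_2048`-style labels, and the use of SHA-256 for every key type are this example's own assumptions; it uses only the Go standard library and makes no Cloud KMS API calls.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// Signer models a key held in KMS or an HSM: the private key never leaves it and
// callers get only sign-over-digest and the public key. (Example interface only.)
type Signer interface {
	SignDigest(digest []byte) ([]byte, error)
	PublicKeyPEM() ([]byte, error)
}

type ecSigner struct{ key *ecdsa.PrivateKey }
type rsaSigner struct{ key *rsa.PrivateKey }

func (s ecSigner) SignDigest(d []byte) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, s.key, d) }
func (s ecSigner) PublicKeyPEM() ([]byte, error)       { return marshalPublic(&s.key.PublicKey) }
func (s rsaSigner) SignDigest(d []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, d)
}
func (s rsaSigner) PublicKeyPEM() ([]byte, error) { return marshalPublic(&s.key.PublicKey) }

// marshalPublic exports a public key as a PEM "PUBLIC KEY" block for relying parties.
func marshalPublic(pub interface{}) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// NewLocalSigner generates an in-process stand-in for one of the key types in the
// announcement. The kind labels are this example's own, not Cloud KMS names.
func NewLocalSigner(kind string) (Signer, error) {
	curves := map[string]elliptic.Curve{"EC_P256": elliptic.P256(), "EC_P384": elliptic.P384()}
	bits := map[string]int{"RSA_2048": 2048, "RSA_3072": 3072, "RSA_4096": 4096}
	if c, ok := curves[kind]; ok {
		k, err := ecdsa.GenerateKey(c, rand.Reader)
		if err != nil {
			return nil, err
		}
		return ecSigner{k}, nil
	}
	if b, ok := bits[kind]; ok {
		k, err := rsa.GenerateKey(rand.Reader, b)
		if err != nil {
			return nil, err
		}
		return rsaSigner{k}, nil
	}
	return nil, fmt.Errorf("unsupported key type %q", kind)
}

// SignMessage hashes client-side and hands the signer only the digest, so a remote
// signer never sees the payload. SHA-256 is used for every key type here for
// brevity; a real service fixes the digest algorithm per key type.
func SignMessage(s Signer, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return s.SignDigest(digest[:])
}

// Verify needs nothing but the PEM public key, so it can run anywhere. A tampered
// message or a signature from another key yields false; bad key material, an error.
func Verify(pubPEM, message, sig []byte) (bool, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return false, fmt.Errorf("input does not contain a PEM PUBLIC KEY block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return false, err
	}
	digest := sha256.Sum256(message)
	switch k := pub.(type) {
	case *ecdsa.PublicKey:
		return ecdsa.VerifyASN1(k, digest[:], sig), nil
	case *rsa.PublicKey:
		return rsa.VerifyPKCS1v15(k, crypto.SHA256, digest[:], sig) == nil, nil
	default:
		return false, fmt.Errorf("unsupported public key type %T", pub)
	}
}

func main() {
	s, _ := NewLocalSigner("EC_P256")
	msg := []byte("constructed sample: release manifest v1") // constructed input
	sig, _ := SignMessage(s, msg)
	pub, _ := s.PublicKeyPEM()
	ok, _ := Verify(pub, msg, sig)
	fmt.Printf("valid=%v\n%s", ok, pub)
}
```

The point worth taking from the split between `SignDigest` and `Verify` is operational: the signing side is the only place that needs IAM permission on the key, while verifiers can be handed the PEM public key out of band and audited separately, which is what makes a managed signing key attractive for code or artifact signing.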
Best Practices for Security on Google Cloud Platform
There are a lot of security controls in Google Cloud Platform, and it can be confusing to set up IAM permissions, manage your organization, and set service account permissions for various resources in your project hierarchy. This next talk gives a very detailed rundown of the available security features and how to use them. This is probably a video you will want to watch and rewatch as you figure out how you will organize your cloud resources and users.
How Google Responded to Spectre and Meltdown
I love it when Google pulls back the curtain to let us glimpse the internals of their infrastructure, and this talk on how Google responded to Spectre and Meltdown gives us a few interesting peeks. If you have detailed audit logs, you may have noticed a large number of cloud migration events near the end of 2017. It turns out this was part of their strategy to patch their operating systems for Spectre and Meltdown before the disclosure in the beginning of 2018. This talk discusses the discovery and how they brought together experts to help mitigate these processor issues both at Google as well as for the rest of the industry. The only drawback is that it starts to make you wonder how any smaller vendors can compete with the likes of Google, Amazon, and Microsoft.
A Compliance Deep Dive
This last talk may not be as exciting as the rest, but if you do compliance there are a number of tips from an experienced compliance expert. I have had a lot of clients leery of building on Google Cloud Platform because they think Google will access their data to build machine learning products. They absolutely will if you use their free services, but G Suite and Google Cloud Platform data are not mined by Google, and they produce no advertising based on these paid services. This video lays out their compliance obligations, touches on a number of items you can find in their SOC 2 audit (which you should get from Google if you deal with compliance) and can be quite illuminating for compliance laypeople like me.