The last three years have seen a major shift in how Hollywood film studios view public cloud usage. With increased awareness and general acceptance of the security and scalability these clouds offer to the VFX and animation vendors creating pre-release content, the focus has now shifted to ensuring that best practices are actually implemented.
Speaker: Adrian Graham, Google
Proprietary + Confidential
#NABShow
5-10. On-premise infrastructure
[Diagram, built up step by step over slides 5-10: Local Workstations; File Server; Render Farm Nodes made up of Render Workers; License Server; Queue Manager; Asset Mgmt]
12-18. Cloud infrastructure
[Diagram, built up step by step over slides 12-18: Rendering VMs (Compute Engine); Assets (Cloud Storage), with data ingress and data ingress/egress paths; NFS File Server; Read-through Cache; Cloud-based License Server backed by on-prem licenses; Users (Cloud IAM, fed by LDAP sync); Stackdriver Logging]
20-23. Connecting to cloud
[Diagram, built up step by step over slides 20-23: on-premise Render Farm Nodes (Render Workers) connect to Cloud first through Cloud VPN, terminated on a VPN Gateway and Cloud Router on the cloud side, then additionally through Cloud Interconnect]
24. Hybrid infrastructure
(better put on your glasses for this next slide…)
25-27. Hybrid infrastructure
[Diagram, built up step by step over slides 25-27. On-premise infrastructure: Asset Mgmt dB, Render Farm Nodes, File Server, Local Workstations, Queue Manager, Physical Cache, License Server, Users & Admins. Cloud: Rendering VMs (Compute Engine), Assets (Cloud Storage), Read-through Cache, NFS File Server, Users (Cloud IAM), Cloud-based License Server, Stackdriver Logging, Users & Admins. Links between the two sides: Cloud Interconnect and Cloud VPN (VPN Gateway, Cloud Router); Cloud Directory Sync between on-prem and cloud Users & Admins; APIs (gcloud, gsutil, ssh, rsync, etc.); Accelerated UDP Transfer. Traffic that crosses the link: Project data I/O, License requests, Queue Manager dispatching, Project database communication]
29. Cloud Platform resource hierarchy
[Diagram only]
30. Projects and access
Granting access: Manage your organization's identities with G Suite. Implement Google Cloud Directory Sync so that the on-prem directory stays the single source of truth for who has cloud access, and leavers lose it when they leave the directory.
gcloud SDK, Compute Engine API: Authentication is performed by the SDK itself. Credentials are picked up by the API client libraries (Application Default Credentials), so pipeline tools do not need to handle keys directly.
Automating security checks: Implement Forseti Security to run periodic checks for policy compliance.
https://github.com/GoogleCloudPlatform/forseti-security
Topics: Projects and access | Controlling user access | Encryption key mgmt | Network security | Disk images | Connectivity | File systems | Encryption | Transferring data | Logging | Other
31. Controlling user access
Cloud IAM: Create and manage permissions at multiple levels (organization, project, resource).
Service accounts: Access Google services and resources programmatically. Give render nodes and pipeline tools a service account carrying only the roles they need, rather than a person's credentials.
Access scopes: Limit which Google APIs an instance's service account credentials may call. They are set per instance and complement the roles granted through IAM; they do not replace them.
32. Identity & Access Management
Who (principal): User, Service Account, Group, Domain
Can do what: Roles (collections of permissions), carried in authorization tokens
On which resource: Organization, Resource folder, Project, individual resource (VM, bucket…)
Cloud IAM unifies access control under a single system. Create and manage permissions at the organization, project and resource levels. A role granted higher in the hierarchy is inherited by everything below it, so grant broad roles at the top sparingly and grant most access at the project or resource level.
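As an added example (not part of the original slides), here is the kind of periodic policy check that the "Automating security checks" point and the IAM model above describe, written in Python over a constructed project IAM policy shaped like the output of `gcloud projects get-iam-policy PROJECT --format=json`. The project, principals, roles and severity thresholds are assumptions; Forseti's own scanners are driven by rule files rather than code like this, but they look for the same things.

```python
"""Periodic IAM policy check for a render project (added example).

The policy below is constructed to look like the output of
`gcloud projects get-iam-policy PROJECT --format=json`; the project,
principals and service account are made up for the example.
"""
import json

# Primitive roles grant far more than any render or pipeline task needs.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}
# These principals make a binding readable by anyone (or any Google account).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "group:gcp-admins@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:render@studio-render.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
        {"role": "roles/compute.viewer",
         "members": ["group:artists@example.com"]},
    ],
    "etag": "BwVsample",
    "version": 1,
})


def audit_policy(policy_json):
    """Return findings as (severity, role, member, reason) tuples, worst first."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            kind = member.split(":", 1)[0]  # user, group, serviceAccount, domain
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", role, member,
                                 "pre-release assets exposed to the public"))
            elif role in PRIMITIVE_ROLES and kind == "serviceAccount":
                findings.append(("HIGH", role, member,
                                 "a compromised VM using this account controls the whole project"))
            elif role in PRIMITIVE_ROLES and kind == "user":
                findings.append(("MEDIUM", role, member,
                                 "grant primitive roles to a directory-synced group, not individuals"))
            elif kind == "domain":
                findings.append(("MEDIUM", role, member,
                                 "every account in the domain inherits this role"))
    order = {"HIGH": 0, "MEDIUM": 1}
    findings.sort(key=lambda f: order[f[0]])  # stable: keeps policy order within a severity
    return findings


if __name__ == "__main__":
    for severity, role, member, reason in audit_policy(SAMPLE_POLICY):
        print(f"{severity:6} {role:30} {member:62} {reason}")
```

Run on the sample policy, the check reports the editor role on the render service account and the world-readable bucket binding as high, and the owner role on an individual user as medium; the group bindings pass. Scheduling this against every project in the organization, rather than one, is what turns it into the periodic check the slide asks for.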
33. Encryption key management
Cloud Storage: All data is encrypted at rest using either AES128 or AES256 encryption. Data is always encrypted before it's written to disk.
Cloud KMS: Store encryption keys centrally in the cloud, for use by cloud services. Let Google manage your keys, or manage keys yourself, either as customer-managed keys held in Cloud KMS or as customer-supplied keys that you send with each request and that Google does not store.
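An added example, not from the original deck, of the "manage keys yourself" path for Cloud Storage: a customer-supplied encryption key (CSEK) generated on-prem and presented to the service as request headers. The header names are those of the Cloud Storage API; the key is generated by the code itself, and which option the slide had in mind (CSEK versus customer-managed keys in Cloud KMS) is an assumption.

```python
"""Customer-supplied encryption key (CSEK) handling for Cloud Storage (added example).

Shows the "manage keys yourself" path: the key is generated and kept on-prem and
sent with each request; Cloud Storage uses it to encrypt or decrypt the object
and does not store it. Header names are those of the Cloud Storage API.
"""
import base64
import hashlib
import os

KEY_BYTES = 32  # AES-256


def generate_csek():
    """Return a fresh 256-bit key, base64-encoded as gsutil's .boto `encryption_key` expects."""
    return base64.b64encode(os.urandom(KEY_BYTES)).decode("ascii")


def decode_csek(key_b64):
    """Decode and validate a base64 CSEK; raise ValueError on a malformed or wrong-size key."""
    try:
        key = base64.b64decode(key_b64, validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError("CSEK is not valid base64") from exc
    if len(key) != KEY_BYTES:
        raise ValueError(f"CSEK must be {KEY_BYTES} bytes, got {len(key)}")
    return key


def is_valid_csek(key_b64):
    """Boolean form of decode_csek, for config validation before any upload starts."""
    try:
        decode_csek(key_b64)
        return True
    except ValueError:
        return False


def csek_headers(key_b64):
    """Request headers that tell Cloud Storage to encrypt/decrypt with this key.

    The SHA-256 header lets the service reject a key that does not match the
    one an object was written with, without the service keeping the key.
    """
    key = decode_csek(key_b64)
    fingerprint = base64.b64encode(hashlib.sha256(key).digest()).decode("ascii")
    return {
        "x-goog-encryption-algorithm": "AES256",
        "x-goog-encryption-key": key_b64,
        "x-goog-encryption-key-sha256": fingerprint,
    }


def key_fingerprint_hex(key_b64):
    """Hex SHA-256 of the raw key, for matching against the hash recorded on an object."""
    return hashlib.sha256(decode_csek(key_b64)).hexdigest()


if __name__ == "__main__":
    k = generate_csek()
    for name, value in csek_headers(k).items():
        print(f"{name}: {value}")
```

The trade-off to keep in mind: with a CSEK, losing the key on-prem means the objects are unrecoverable, and every tool that reads the assets (render nodes included) must be able to present it, which is why studios often prefer customer-managed keys in Cloud KMS where IAM controls who may use the key.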
34. Network security
Networks and subnetworks: Isolate resources on separate networks to add an extra level of security. In an auto-mode network, subnetworks are created automatically, one per region; a custom-mode network lets you define the subnetworks and their ranges yourself.
Firewall rules: Rules are defined per network and apply to every instance in it unless narrowed with target tags. Incoming traffic is denied by default; to allow it, you must create 'allow' firewall rules, and each should be scoped to the source ranges and target tags it actually needs.
External IP addresses: Ability to disable the assignment of an external IP on instance creation. The instance will then only be reachable over VPN, or from within the network.
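Added example (not from the original slides): a check over firewall rules and instances, in the JSON shapes that `gcloud compute firewall-rules list --format=json` and `gcloud compute instances list --format=json` return, that flags 'allow' rules open to sources outside the studio's own ranges and instances created with an external IP. The records, the VPC name and the trusted on-prem/VPC ranges are constructed assumptions.

```python
"""Check VPC firewall rules and instances for exposure to the internet (added example).

Input shapes mirror `gcloud compute firewall-rules list --format=json` and
`gcloud compute instances list --format=json`; the records below are constructed,
and the trusted ranges are an assumed on-prem network plus the VPC itself.
"""
import ipaddress
import json

# Assumed: the studio's on-prem ranges reachable over VPN/Interconnect, plus the VPC range.
TRUSTED_RANGES = [ipaddress.ip_network(r) for r in ("10.0.0.0/8", "192.168.0.0/16")]

SAMPLE_FIREWALLS = json.dumps([
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "network": "render-vpc",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-render-from-onprem", "direction": "INGRESS", "network": "render-vpc",
     "sourceRanges": ["10.20.0.0/16"], "targetTags": ["render"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22", "2049"]}]},
    {"name": "allow-partner-bastion", "direction": "INGRESS", "network": "render-vpc",
     "sourceRanges": ["203.0.113.0/24"], "targetTags": ["bastion"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "deny-syslog-egress", "direction": "EGRESS", "network": "render-vpc",
     "destinationRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "udp", "ports": ["514"]}]},
])

SAMPLE_INSTANCES = json.dumps([
    {"name": "render-001", "tags": {"items": ["render"]},
     "networkInterfaces": [{"networkIP": "10.128.0.5"}]},
    {"name": "bastion-1", "tags": {"items": ["bastion"]},
     "networkInterfaces": [{"networkIP": "10.128.0.2",
                            "accessConfigs": [{"type": "ONE_TO_ONE_NAT",
                                               "natIP": "203.0.113.10"}]}]},
])


def is_trusted(cidr):
    """True if the whole source range lies inside one of the trusted ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(t) for t in TRUSTED_RANGES if net.version == t.version)


def describe_ports(rule):
    parts = []
    for entry in rule.get("allowed", []):
        ports = ",".join(entry.get("ports", [])) or "all"
        parts.append(f"{entry['IPProtocol']}:{ports}")
    return " ".join(parts)


def check_firewalls(firewalls_json):
    """Flag ingress allow rules whose sources lie outside the trusted ranges."""
    findings = []
    for rule in json.loads(firewalls_json):
        if rule.get("direction", "INGRESS") != "INGRESS" or "allowed" not in rule:
            continue
        untrusted = [r for r in rule.get("sourceRanges", []) if not is_trusted(r)]
        if not untrusted:
            continue
        # A rule without target tags applies to every instance on the network.
        severity = "MEDIUM" if rule.get("targetTags") else "HIGH"
        findings.append((severity, rule["name"],
                         f"allows {describe_ports(rule)} from {','.join(untrusted)}"))
    return findings


def check_external_ips(instances_json):
    """Flag instances that were created with an external (NAT) address."""
    findings = []
    for inst in json.loads(instances_json):
        for nic in inst.get("networkInterfaces", []):
            for cfg in nic.get("accessConfigs", []):
                if cfg.get("natIP"):
                    findings.append(("MEDIUM", inst["name"],
                                     f"has external IP {cfg['natIP']}; create with --no-address"))
    return findings


if __name__ == "__main__":
    for finding in check_firewalls(SAMPLE_FIREWALLS) + check_external_ips(SAMPLE_INSTANCES):
        print(*finding)
```

The check deliberately compares against an explicit list of trusted ranges rather than asking whether a source is "private": the `0.0.0.0/0` default that opens SSH to the whole internet is the case that matters, and an allowlist of the on-prem and VPC ranges catches it and any other stray public range unambiguously.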
35. Disk images
Public: Compute Engine offers many preconfigured public images. Each OS image has been configured to work closely with Google Cloud Platform services and resources, and is patched by Google.
Custom: Use your own custom image, but ensure you comply with security best practices (see "Configuring Imported Images" under further reading); patching and hardening of a custom image are your responsibility.
36. Connectivity
Google Cloud VPN: Regardless of how you're connected to Google, you must secure your connection with a Virtual Private Network (VPN). Peering and interconnect links provide a private path, but they do not encrypt the traffic on it.
Direct peering: Connect directly to a Google PoP. This is typically the fastest option.
Cloud Interconnect: Connect to Google using a service provider.
37. File systems
Object-based: Cloud Storage is encrypted, localized and available worldwide. It has pipeline implications, however, since render tools generally expect a mounted file system rather than an object API.
POSIX-compliant: Known as Persistent Disk (PD) on GCP. It has the same encryption-at-rest and IAM properties as object-based storage, and is made available to render nodes by attaching it to a VM that runs as an NFS server.
Other filesystems: Clustered or caching filesystems are also available; however, they are not under the management of IAM or other Google security mechanisms, so their access control and auditing must be configured separately.
38. Encryption
Storage security: Security features are consistent across storage classes. By default, Google manages encryption keys.
When is data encrypted? Both at rest and in transit. If using VPN (which you should), data is encrypted before leaving on-prem.
39. Transferring data
SDK and API: gsutil, gcloud, rsync and ssh can all be used, but we recommend gsutil for anything less than 10 GB in size; it verifies the hash of each object after upload.
UDP-based: Aspera, Tervela Cloud FastPath, BitSpeed Velocity or FDT are all options for larger transfers; however, they're all third-party services and are not managed by Google.
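An added example, not part of the original slides, of the integrity check a pipeline tool should perform after moving data with any of these methods: recompute the CRC32C and MD5 that Cloud Storage stores for each object (visible through `gsutil stat` or the JSON API's `crc32c` and `md5Hash` fields) and compare them with the service's values. The CRC32C implementation and the sample bytes are the example's own.

```python
"""Verify an uploaded asset against the hashes Cloud Storage reports (added example).

Cloud Storage records a CRC32C and, for non-composite objects, an MD5 of every
object, base64-encoded; gsutil checks them after each upload. This reimplements
the same check for a custom pipeline tool. CRC32C (Castagnoli polynomial) is
implemented here directly so the check needs no third-party package.
The sample data and object metadata are constructed.
"""
import base64
import hashlib
import struct


def _crc32c_table():
    poly = 0x82F63B78  # reflected Castagnoli polynomial
    table = []
    for i in range(256):
        crc = i
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return table


_TABLE = _crc32c_table()


def crc32c(data, crc=0):
    """CRC-32C of `data`; pass the previous result as `crc` to hash a file in chunks."""
    crc ^= 0xFFFFFFFF
    for byte in data:
        crc = _TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def object_hashes(data):
    """Hashes in the base64 form Cloud Storage stores in `crc32c` and `md5Hash`."""
    return {
        "crc32c": base64.b64encode(struct.pack(">I", crc32c(data))).decode("ascii"),
        "md5Hash": base64.b64encode(hashlib.md5(data).digest()).decode("ascii"),
    }


def verify_object(local_data, remote_metadata):
    """True only if every hash the service reported matches the local bytes.

    CRC32C is always present; md5Hash is absent for composite (parallel) uploads,
    so compare only what the service returned, but require at least one hash.
    """
    local = object_hashes(local_data)
    checked = [name for name in ("crc32c", "md5Hash") if name in remote_metadata]
    if not checked:
        return False
    return all(remote_metadata[name] == local[name] for name in checked)


if __name__ == "__main__":
    frame = b"constructed EXR frame bytes " * 1024
    meta = object_hashes(frame)  # stands in for the metadata fetched after upload
    print(meta, verify_object(frame, meta), verify_object(frame[:-1], meta))
```

For the third-party UDP accelerators the same comparison applies: whatever the transfer tool reports, the authoritative hashes are the ones the service stores on the object, so fetch those and compare against the local file rather than trusting the tool's own success message.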
40. Logging
Stackdriver: Can be used as a secure logging server for a variety of pipelines. Able to ingest thousands of concurrent log streams.
Audit logging: Monitor project-based admin activity. Admin Activity audit logs are written automatically and cannot be disabled; Data Access logs (who read which asset) are off by default for most services and must be enabled explicitly if you need them.
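Added example (not from the deck): detection logic over a few constructed Admin Activity audit log entries, in the JSON shape `gcloud logging read` returns for the `cloudaudit.googleapis.com%2Factivity` log, that alerts on IAM and network changes made by anyone outside an assumed admin allowlist or by a service account. The project name, principals and allowlist are assumptions.

```python
"""Detection over Admin Activity audit log entries (added example).

Entries are shaped like the JSON that `gcloud logging read` returns for the
cloudaudit.googleapis.com%2Factivity log; the entries, project and principals
are constructed. The admin allowlist is an assumed configuration value.
"""
import json

# Assumed: the only principals expected to change IAM or network configuration.
ADMINS = {"alice@example.com", "gcp-admins@example.com"}

SAMPLE_ENTRIES = "\n".join(json.dumps(e) for e in [
    {"timestamp": "2017-04-24T08:12:03Z",
     "logName": "projects/studio-render/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com",
                      "methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "bob@example.com"},
                      "resourceName": "projects/studio-render"}},
    {"timestamp": "2017-04-24T08:15:41Z",
     "logName": "projects/studio-render/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "compute.googleapis.com",
                      "methodName": "v1.compute.firewalls.insert",
                      "authenticationInfo": {"principalEmail": "render@studio-render.iam.gserviceaccount.com"},
                      "resourceName": "projects/studio-render/global/firewalls/allow-ssh-anywhere"}},
    {"timestamp": "2017-04-24T08:20:00Z",
     "logName": "projects/studio-render/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "compute.googleapis.com",
                      "methodName": "v1.compute.instances.insert",
                      "authenticationInfo": {"principalEmail": "render@studio-render.iam.gserviceaccount.com"},
                      "resourceName": "projects/studio-render/zones/us-central1-a/instances/render-042"}},
    {"timestamp": "2017-04-24T09:02:17Z",
     "logName": "projects/studio-render/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "storage.googleapis.com",
                      "methodName": "storage.setIamPermissions",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "resourceName": "projects/_/buckets/show-assets"}},
])

IAM_METHODS = ("SetIamPolicy", "setIamPermissions")
NETWORK_PREFIXES = ("v1.compute.firewalls.", "v1.compute.networks.", "v1.compute.routes.")


def classify(entry):
    """Return (severity, reason) for one audit entry, or None if it is routine."""
    if not entry.get("logName", "").endswith("cloudaudit.googleapis.com%2Factivity"):
        return None
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    who = payload.get("authenticationInfo", {}).get("principalEmail", "")
    if method.endswith(IAM_METHODS):
        # Any IAM change is worth a look; one by a non-admin is an incident.
        if who in ADMINS:
            return ("MEDIUM", f"IAM change by admin {who}")
        return ("HIGH", f"IAM change by non-admin {who}")
    if method.startswith(NETWORK_PREFIXES):
        if who.endswith(".gserviceaccount.com"):
            return ("HIGH", f"network change made with a service account: {who}")
        if who not in ADMINS:
            return ("HIGH", f"network change by non-admin {who}")
        return ("LOW", f"network change by admin {who}")
    return None  # instance creation by the render account is expected traffic


def detect(entries_text):
    """Run `classify` over newline-delimited JSON entries and return the alerts."""
    alerts = []
    for line in entries_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        verdict = classify(entry)
        if verdict:
            alerts.append((verdict[0], entry["timestamp"],
                           entry["protoPayload"]["methodName"],
                           entry["protoPayload"].get("resourceName", ""), verdict[1]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_ENTRIES):
        print(*alert)
```

On the sample, the IAM change by a non-admin and the firewall rule inserted with the render service account are raised as high, the bucket permission change by an admin as medium, and the routine instance creation is ignored. A Stackdriver logs-based export to Pub/Sub feeding a function like `detect` is the usual way to run this continuously rather than by polling.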
41. Other considerations
Queue management: Use the gcloud command to communicate with Google Cloud, rather than via ssh. Consider running your queue system entirely on Google Cloud Platform.
Custom software: There are a number of client libraries available for use by third-party software. Each library provides methods for OAuth 2.0 authorization.
Licensing: Use your own on-prem license server across a VPN, or run a license server in the cloud.
42. Further reading
Best Practices for Enterprise Organizations
Google Infrastructure Security Design Overview
Encryption at Rest in Google Cloud Platform
Securely Connecting to VM Instances
Google Security Whitepaper
Using IAM Securely
Configuring Imported Images
43. Questions?