Avoiding the “Frankencloud” as you accelerate transformation

One key challenge enterprises face is launching into cloud adoption without first establishing an overarching cloud strategy. This leads to the so-called Frankencloud: a patchwork of platforms that is hard to manage and that makes it harder to bring information together for a broad view of the business and its customers. Learn more about Red Hat's partner ecosystem and how we work with our GSI partners to help organizations build effective cloud environments.
Source: CloudForms

DeNA Sports Business: Combating COVID-19 by analyzing device data with Google Cloud

Editor's note: Today we're hearing from Makoto Kimura, General Manager, System Dept., Sports Business Div., and Yusuke Muto, Software Engineer, System Dept., Sports Business Div. at DeNA Sports. They share how Google Cloud has helped them to keep their events going while also keeping their visitors safe during the pandemic.

The pandemic is forcing the cancelation or postponement of events in Japan and elsewhere, and requiring the organizers of events that do proceed to implement strict measures to protect attendees against infection. At DeNA Co. Ltd's Sports Business Division, we aim to help visitors experience entertainment during the crisis while enjoying peace of mind. To support this objective, we have developed and released an operational status visualization system that checks whether Japan's coronavirus contact tracing app COCOA is installed on smartphones used by event attendees. By visualizing the COCOA install rate, we can help event organizers educate those visitors who do not have the app to download and use it.

To achieve the system's required measurement capabilities, we turned to BigQuery, Google Cloud's analytics data warehouse. We found BigQuery:

- Delivers fast write times even when processing large volumes of data;
- Provides the flexibility to enable a range of query types; and
- Supports visualization through business intelligence tools such as Looker and Data Studio.

BigQuery enabled us to expedite creation of an analytical environment so we could shift our focus quickly to developing sensor devices, while using a simple configuration to write data directly from each device using the open source data collection software Fluentd. BigQuery's pricing structure also meant we could scale cost-effectively.

In addition, BigQuery empowered us to quickly build systems to obtain insights from data derived from the positioning and beacon technology we had researched and developed in-house for a long time.

Our visualization system consists of three data functions:

- Acquisition through sensor devices;
- Aggregation with BigQuery; and
- Visualization through Data Studio.

The sensor device used to determine whether COCOA is installed on a smartphone is built on a single-board computer that can run the Linux SDK (Software Development Kit) and can easily connect to WiFi. Each sensor device uses Fluentd to write data directly to BigQuery over the internet. Connecting each device to the internet directly means that if one device fails, the remaining devices are unaffected. Data collected by each sensor device is aggregated into BigQuery, minus personally identifiable information, and visualized through Data Studio, with a dashboard made available to event organizers. Users can gain real-time insights into the number of COCOA-enabled devices, the number of COCOA devices in chronological order, and other important information.

Real-time visualization of the number of COCOA-enabled devices is based on the aggregation and counting of COCOA installation information that has passed through two sensor devices. This approach prevents one sensor device from picking up distant radio waves and counting one piece of COCOA installation information as multiple items. Meanwhile, visualizing the number of COCOA devices in chronological order enables monitoring of the behavior of visitors from before an event starts to after it ends.

Here is a diagram of the DeNA Sports Business operational status visualization system:

Because BigQuery is a fully managed service, we did not have to worry about provisioning resources in advance to manage the often unpredictable data volumes incurred during large-scale events. BigQuery also supported the rapid creation of dashboards in Data Studio and real-time visualization, which we believe could not be achieved with other services.

We now plan to use various technologies to step up measures against the coronavirus, including IoT to aggregate various types of data into BigQuery and deliver visualizations through Data Studio. In the future, we would like to make the visualization system a tool for holding events in the post-coronavirus era, and we look forward to working with Google Cloud to make that happen.
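The two-sensor confirmation rule and the chronological count described above, written as a BigQuery Standard SQL query over a constructed sample of sensor rows. This is an added example, not DeNA's own code: the `observations` columns (`sensor_id`, `observed_at`, and `device_token` as a non-PII token each sensor derives) and the 5-minute window within which two sensors must agree are assumptions.

```sql
-- Constructed sample rows standing in for the table each sensor writes via Fluentd.
-- device_token is assumed to be a non-reversible token, not a raw device identifier.
WITH observations AS (
  SELECT 'gate-A' AS sensor_id, TIMESTAMP '2021-03-20 09:58:00' AS observed_at, 'tok-1' AS device_token UNION ALL
  SELECT 'gate-B', TIMESTAMP '2021-03-20 09:58:30', 'tok-1' UNION ALL  -- same device, second sensor: confirmed
  SELECT 'gate-A', TIMESTAMP '2021-03-20 10:01:00', 'tok-2' UNION ALL  -- one sensor only: dropped as possible stray pickup
  SELECT 'gate-A', TIMESTAMP '2021-03-20 10:02:00', 'tok-3' UNION ALL
  SELECT 'gate-B', TIMESTAMP '2021-03-20 10:04:00', 'tok-3' UNION ALL
  SELECT 'gate-B', TIMESTAMP '2021-03-20 10:04:10', 'tok-3'            -- repeat from the same sensor does not add a sensor
),
-- Bucket to 5 minutes and keep a token only when at least two distinct sensors
-- saw it in the same bucket; a single sensor hearing a distant signal never counts.
confirmed AS (
  SELECT
    TIMESTAMP_SECONDS(DIV(UNIX_SECONDS(observed_at), 300) * 300) AS bucket,
    device_token
  FROM observations
  GROUP BY bucket, device_token
  HAVING COUNT(DISTINCT sensor_id) >= 2
)
-- Per-bucket count of confirmed COCOA-enabled devices, plus a running total
-- for the chronological view from before the event to after it.
SELECT
  bucket,
  COUNT(*) AS cocoa_devices,
  SUM(COUNT(*)) OVER (ORDER BY bucket) AS cocoa_devices_cumulative
FROM confirmed
GROUP BY bucket
ORDER BY bucket;
-- Expected rows on this sample: (09:55, 1, 1) and (10:00, 1, 2); tok-2 never appears.
```

A device whose two sightings straddle a bucket boundary is missed by this fixed-window form; a self-join on a sliding time difference removes that edge at higher query cost.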
Source: Google Cloud Platform

Announcing general availability of Google Cloud CA Service

We are happy to announce the general availability of Certificate Authority Service offered by Google Cloud (Google Cloud CAS). Google Cloud CAS provides a highly scalable and available private CA to address the unprecedented growth in certificates in the digital world. This exponential growth is due to a perfect storm of conditions over the past few years, achieving almost a flywheel effect: the rise of cloud computing, the move to containers, the emergence of pervasive high speed connectivity, and the proliferation of Internet of Things (IoT) and smart devices (see our whitepaper on this topic). See how easy it is to set up a CA with Google Cloud CAS:

Since our public preview announcement in October, we have seen tremendous reception from the market and innovative use cases for the service from our customers. Here are some notable examples straight from our CAS customers:

"At Credit Karma, security is a top priority, and we always seek ways to improve our security posture. One area where we have been working with Google for more than a year now is the identity of our workloads and how we can leverage platform features to offload to cloud some of the time consuming tasks that our security and devops team need to run today. We are very happy with the progress that GCP has made in addressing our feedback and we believe CA Service is a fundamental piece of building a strong identity story in cloud, by cloud." – Jason Roberts, Security Engineer, Credit Karma

"Commerzbank AG takes security of our data very seriously. While Google Cloud Platform comes with a high level of in-built security controls, we had to further enhance those by enabling the highest security standards for data transport. This requires bringing trust into GCP based on Commerzbank-owned certificates. Google understood our needs and invested into capabilities with Certificate Authority Service, empowering us to rely on our trusted certificates and security standards while providing fully automated and scalable certificate handling. This enables us to use GCE, GKE, and other authorized services to deliver products and value." – Christian Gorke, Head of Cyber Center of Excellence, Commerzbank AG

"Building a secure and compliant PKI system is known to be a complex and costly endeavor, making it cost prohibitive for many regulated government transactions. With the help of GCP's Certificate Authority Service (CAS), Vitu Authority Trust's digital signature service became the first authorized government digital signature service provider to deliver a fully digital car buying experience in the United States. GCP's Certificate Authority Service provided Vitu Authority Trust the highest level of compliance at an affordable rate, allowing Vitu Authority Trust to outsource the burden of digital certificate management to the cloud." – Arash Nikoo, VP, Technical Operations, Vitu

The top three desirable features of CAS were as follows.

The first and most desired feature in Google Cloud CAS by our customers is scale and availability. Scale in this case is measured as a) the number of issued certificates per second and b) the total number of certificates/CAs allowed per project. Availability is the SLA-backed uptime for certificate issuance, per region.

When planning to build this product, we found that the most common problem from customers was how to address machine and service identity within their cloud transformation. This was specifically problematic due to the more ephemeral nature of most cloud workloads relative to what customers do on premise with manual deployments (good examples are containers and microservices that are short lived). The scale required for certificate issuance creates huge demand and unpredictability for customers' existing CAs, which they often cannot support. The last thing they want is for their identity infrastructure to be their scalability bottleneck as they dynamically scale out to support special events: in the retail space, this could be Black Friday sales, where thousands of nodes/VMs are spun up to accommodate a spike in sales and then rapidly torn down after the spike, rendering all investments made just to support Black Friday useless.

Another reason for renewed interest in scale was the move to a zero trust access model, which was expedited by COVID-19 and work from home requirements. The core need to open up device management across the internet created a new scale requirement for certificate enrollment to allow for securing the device over the internet.

In addition to scale and availability, the second Google Cloud CAS key benefit for our customers was savings compared to the cost of building an alternative solution. Such an endeavour requires purchasing Hardware Security Modules (HSMs), licensing the software, purchasing server devices, securing multiple redundant root key material locations, then hiring a specialized PKI/DevOps team to operate the system at scale (high CapEx and OpEx). Customers told us they only have so many projects they can take on, so they have to choose carefully. CAs and certificates are an enabler for their business and make a great candidate to free up resources that might have been used internally to solve the scale problem and reassign them to more business-critical tasks, while accelerating the velocity of the projects that use the service. Google Cloud CAS is backed with hardware security (HSM) without any direct customer involvement in HSM purchasing, provisioning and management. We saw customers cancelling their HSM orders in response to the cost savings provided by Google Cloud CAS.

Security was the third commonly quoted reason for considering Google Cloud CAS. A cloud CA that seamlessly integrates with other cloud services provides the most secure solution for their cloud workload, while freeing customers from having to keep software, hardware and firmware up to date.

Outside the usual scenarios for CAS (i.e., DevOps), we saw a great reception of our strategy of relying on Certificate Lifecycle Management partners (Venafi and AppViewX as launch partners for public preview) to help modernize the traditional IT and on-premise CA story. Customers really see the value of moving their CA to cloud to save on OpEx and CapEx, and see this as an opportunity to converge their CA story across both DevOps and traditional IT and achieve a single pane of glass for control and manageability. We heard many times that PKI teams were worried that they had lost control of the modern DevOps team, as they did not have visibility into its certificate operations. CAS can be the ideal way to fix that problem. Customers migrating to zero trust access models also found value in CAS.

Since our public preview, customers have asked us to expand our partner ecosystem so that their desired partners can also work with CAS. We are happy to introduce three new members of our partner program: Keyfactor, Jetstack and Smallstep (which brings ACME support to CAS), who join our existing partners Venafi and AppViewX.

We also had some interesting and rather surprising scenarios brought to us by customers which we initially did not think of as potential targets. Interestingly, most examples are from the IoT space. We saw small to midsize companies who are building IoT peripherals, like wireless chargers, USB devices, or cables, reaching out with a need for certificates. They do not want to invest in PKI and CAs, as it is not their core business and the economics do not make sense given their market size. CAS provides a perfect model to address those needs with pay-as-you-go pricing; CAS is easy to implement, operate, administer and grow for their scenarios.

These stories were really reassuring for us that we had made the right bets and features, though we acknowledged that there were areas of improvement. We are lucky enough to have a very vested and engaged set of customers providing us with great feedback and helping us identify product gaps. We truly appreciate it, as their feedback made our product much better at GA, resulting in a few nice feature additions. Before we enumerate all the new features, it is worth calling out two new industry-leading features of CAS in GA:

CA rotation (when a CA certificate is close to expiry) is hard and normally requires a disruptive flow to replace the close-to-expiry CA with the new one. Customers asked us to make the process completely seamless for them. In response, we are adding a new feature to GA called CA pool that allows a group of CAs to serve the same incoming request queue. CA rotation can simply be achieved by adding a new CA to the pool and taking the old one out of it, without any changes to workloads or client code. Also, the serving CA in the pool is chosen in a uniform fashion, allowing for increased throughput.

More control over the certificate issuance policy was another commonly requested feature. With GA, we are enhancing our policies to allow per-user-group policies to be defined. Also, admins can define certificate templates that get applied to all issued certificates, overriding (some or all of) the parameters in the issued certificate.

Below is a summary of the rest of the new features and integrations that we make available as part of our GA:

- We heard about configuration as code and the importance of Terraform support for configuring and managing Google Cloud CAS. We listened and created a Terraform provider for Google Cloud CAS.
- We also heard of the huge demand for making sure cert-manager works with Google Cloud CAS. cert-manager, with more than 1.6 M downloads per day, is one of the most commonly used open source tools for automating certificate lifecycle management within Kubernetes environments. In response to this ask, we worked with Jetstack and created an integration with cert-manager.io.
- We heard from customers that they love their HashiCorp Vault as a policy engine and would like to continue using it for this new service. As such, we built a HashiCorp Vault plugin that allows Vault to be the source of policies with Google Cloud CAS as the certificate issuer.
- Customers also requested a guided way to set up the product; as such, we are announcing availability of a CAS Qwiklab.

In addition to the above features and integrations, we are also announcing the following updates as part of the GA release:

- Pricing: Our pricing model offers a simple pay-as-you-go model. For large volume customers, we also provide subscription models to remove the ambiguity of billing when demand is not predictable.
- SLA: Our SLA is now publicly available and offers 99.9% availability per region for certificate creation.
- More regions: We are happy to announce that CAS is available in many new regions, including São Paulo, Montréal, Frankfurt, London, Sydney, Mumbai, Tokyo, and many more.
- Compliance: CAS has been included as part of ISO 27001, 27017, 27018, SOC1, SOC2, SOC3, BSI C5, and PCI audits. We are also working to include CAS in our FedRAMP audits. Additionally, CAS by default uses Google Cloud HSM for private key protection, which is FIPS 140-2 Level 3 validated.

Google Cloud CAS offers a virtually unbounded quota for the total number of issued certificates, at a rate that can meet any modern scale, backed by an enterprise-grade SLA, making customer-managed deployments very hard to justify. Start planning your transition to the cloud-ready CA platform that CAS enables. Read more about CAS in our whitepapers (1) (2) and activate it here.
Source: Google Cloud Platform