<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Identity-Aware Proxy on Brave New Geek</title><link>https://bravenewgeek.com/tag/identity-aware-proxy/</link><description>Recent content in Identity-Aware Proxy on Brave New Geek</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Wed, 24 Jun 2020 11:31:44 -0500</lastBuildDate><atom:link href="https://bravenewgeek.com/tag/identity-aware-proxy/index.xml" rel="self" type="application/rss+xml"/><item><title>Using Google-Managed Certificates and Identity-Aware Proxy With GKE</title><link>https://bravenewgeek.com/using-google-managed-certificates-and-identity-aware-proxy-with-gke/</link><pubDate>Wed, 24 Jun 2020 11:31:44 -0500</pubDate><guid>https://bravenewgeek.com/using-google-managed-certificates-and-identity-aware-proxy-with-gke/</guid><description>&lt;p&gt;Ingress on Google Kubernetes Engine (GKE) uses a Google Cloud Load Balancer (GCLB). GCLB provides a single anycast IP that fronts all of your backend compute instances along with a lot of other &lt;a href="https://cloud.google.com/load-balancing"&gt;rich features&lt;/a&gt;. In order to create a GCLB that uses HTTPS, an SSL certificate needs to be associated with the ingress resource. This certificate can either be &lt;a href="https://cloud.google.com/load-balancing/docs/ssl-certificates/self-managed-certs"&gt;self-managed&lt;/a&gt; or &lt;a href="https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs"&gt;Google-managed&lt;/a&gt;. The benefit of using a Google-managed certificate is that they are provisioned, renewed, and managed for your domain names by Google. These managed certificates can also be configured directly with GKE, meaning we can configure our certificates the same way we declaratively configure our other Kubernetes resources such as deployments, services, and ingresses.&lt;/p&gt;</description></item><item><title>Zero-Trust Security on GCP With Context-Aware Access</title><link>https://bravenewgeek.com/zero-trust-security-on-gcp-with-context-aware-access/</link><pubDate>Mon, 22 Jun 2020 14:54:15 -0500</pubDate><guid>https://bravenewgeek.com/zero-trust-security-on-gcp-with-context-aware-access/</guid><description>&lt;p&gt;A lot of our clients at Real Kinetic leverage &lt;a href="https://blog.realkinetic.com/serverless-on-gcp-183fd811a706"&gt;serverless on GCP&lt;/a&gt; to quickly build applications with minimal operations overhead. Serverless is one of the things that truly &lt;a href="https://blog.realkinetic.com/gcp-and-aws-whats-the-difference-3b1329f0ffb3"&gt;differentiates GCP&lt;/a&gt; from other cloud providers, and &lt;a href="https://blog.realkinetic.com/why-google-app-engine-9c3d2f75dd02"&gt;App Engine&lt;/a&gt; is a big component of this. Many of these companies come from an on-prem world and, as a result, tend to favor perimeter-based security models. They rely heavily on things like IP and network restrictions, VPNs, corporate intranets, and so forth. Unfortunately, this type of security model doesn’t always fit nicely with serverless due to the elastic and dynamic nature of serverless systems.&lt;/p&gt;</description></item><item><title>Authenticating Stackdriver Uptime Checks for Identity-Aware Proxy</title><link>https://bravenewgeek.com/authenticating-stackdriver-uptime-checks-for-identity-aware-proxy/</link><pubDate>Tue, 29 Jan 2019 14:46:43 -0600</pubDate><guid>https://bravenewgeek.com/authenticating-stackdriver-uptime-checks-for-identity-aware-proxy/</guid><description>&lt;p&gt;&lt;a href="https://cloud.google.com/stackdriver/"&gt;Google Stackdriver&lt;/a&gt; provides a set of tools for monitoring and managing services running in GCP, AWS, or on-prem infrastructure. One feature Stackdriver has is “uptime checks,” which enable you to verify the availability of your service and track response latencies over time from up to six different geographic locations around the world. While Stackdriver uptime checks are not as feature-rich as other similar products such as &lt;a href="https://www.pingdom.com/"&gt;Pingdom&lt;/a&gt;, they are also completely &lt;em&gt;free&lt;/em&gt;. For GCP users, this provides a great starting point for quickly setting up health checks and alerting for your applications.&lt;/p&gt;</description></item><item><title>API Authentication with GCP Identity-Aware Proxy</title><link>https://bravenewgeek.com/api-authentication-with-gcp-identity-aware-proxy/</link><pubDate>Fri, 25 Jan 2019 11:21:53 -0600</pubDate><guid>https://bravenewgeek.com/api-authentication-with-gcp-identity-aware-proxy/</guid><description>&lt;p&gt;&lt;a href="https://cloud.google.com/iap/"&gt;Cloud Identity-Aware Proxy (Cloud IAP)&lt;/a&gt; is a free service which can be used to implement authentication and authorization for applications running in Google Cloud Platform (GCP). This includes &lt;a href="https://cloud.google.com/appengine/"&gt;Google App Engine&lt;/a&gt; applications as well as workloads running on &lt;a href="https://cloud.google.com/compute/"&gt;Compute Engine (GCE)&lt;/a&gt; VMs and &lt;a href="https://cloud.google.com/kubernetes-engine/"&gt;Google Kubernetes Engine (GKE)&lt;/a&gt; by way of &lt;a href="https://blog.realkinetic.com/http-to-https-using-google-cloud-load-balancer-dda57ac97c"&gt;Google Cloud Load Balancers&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;When enabled, IAP requires users accessing a web application to login using their Google account and ensure they have the appropriate role to access the resource. This can be used to provide secure access to web applications without the need for a VPN. This is part of what Google now calls &lt;a href="https://cloud.google.com/beyondcorp/"&gt;BeyondCorp&lt;/a&gt;, which is an enterprise security model designed to enable employees to work from untrusted networks without a VPN. At Real Kinetic, we frequently bump into companies practicing &lt;a href="https://www.onelogin.com/blog/the-death-star-a-lesson-in-cybersecurity"&gt;Death-Star security&lt;/a&gt;, which is basically relying on a hard outer shell to protect a soft, gooey interior. It’s simple and easy to administer, but it’s also vulnerable. That’s why we always approach security from a perspective of &lt;a href="https://en.wikipedia.org/wiki/Defense_in_depth_(computing)"&gt;&lt;em&gt;defense in depth&lt;/em&gt;&lt;/a&gt;.&lt;/p&gt;</description></item></channel></rss>