Showing posts with label Cloud. Show all posts

Wednesday, March 19, 2025

Google Wiz

 


Today, Google announced its largest acquisition to date, agreeing to purchase the cybersecurity firm Wiz for a staggering $32 billion in an all-cash deal.

Wiz, a rapidly growing startup founded in Israel, has quickly become a major player in the cloud security space. Its AI-driven solutions have attracted an impressive clientele, including 50% of Fortune 100 companies.

The timing of this deal is particularly noteworthy. It comes after a previous attempt by Google to acquire Wiz for $23 billion fell through in 2024 due to antitrust concerns.

This acquisition bolsters Google Cloud's security capabilities, positioning it more competitively against industry giants.


Thursday, January 16, 2025

Cloud Goal


Humbled and honored to share the above cloud goal as 'Multi Cloud Engineer' between 2022 and 2024 with 3:4:3 learning passion

Details are available in the blog https://ganesansenthilvel.blogspot.com/2024/12/multi-cloud-engineer.html

Sunday, December 29, 2024

Multi Cloud Engineer

In 3+ decades of global work experience/learning, blessed with a few inspiring mentors to achieve with the super six execution steps:

  1. Passion
  2. Plan
  3. Prepare
  4. Practice
  5. Physical exam
  6. Permit

If not, wouldn't be Doctorate.  Many thanks to uplifting disciplines from them.

As 'Embrace the journey consistently, where result comes effortlessly', the 6Ps drove me to become a Multi Cloud Engineer (MCE) with 3:4:3 ambitions.

Illustration: In any case, multi cloud expertise in 3 years with divisible of 4 quarters (year) and 3 months (quarter) with the capital of self-drive/motivation!

'Grab every opportunity that comes on your way' - work initiatives got into AWS and Azure hands-on product engineering, followed by self-practices of Google cloud.

Thanks for being part of this passionate consistent journey to move forward in 2025 AI era!

Happy New Year 2025 to everyone in the world.

Wednesday, December 11, 2024

AWS reInvent 2024


Last week, we had the AWS re:Invent 2024 flagship annual conference.

This premier cloud computing event brings together the global cloud computing community for a week of keynotes, technical sessions, product launches, and networking opportunities. 

As AWS continues to unveil its latest innovations and services throughout the conference, session recordings are available in public at https://reinvent.awsevents.com/on-demand/?trk=direct

Sunday, December 8, 2024

Container Orchestration


Container orchestration refers to the automated management, coordination, and scheduling of containerized applications. It is essential for deploying, scaling, and managing containers in large, dynamic environments.

 Key container orchestration platforms include Kubernetes, Docker Swarm, and Apache Mesos. Here are some of the primary benefits:

  1. Automated Deployment and Scaling: Orchestration platforms can automatically deploy containers across a cluster of machines and scale them up or down based on demand.
  2. Service Discovery and Load Balancing: These platforms provide mechanisms to discover services and distribute traffic across containers to ensure high availability and reliability.
  3. Self-Healing: Orchestration tools can automatically restart failed containers, replace and reschedule them to maintain the desired state of the application.
  4. Efficient Resource Utilization: They ensure optimal use of infrastructure resources by managing container placement based on available resources and policies.
  5. Monitoring and Logging: Orchestration platforms offer integrated monitoring and logging capabilities to track the health and performance of containers and applications.
  6. Configuration Management: They provide mechanisms to manage and update configuration settings for containers in a centralized and controlled manner.
  7. Security and Compliance: Orchestration tools often include features to manage security policies, enforce compliance, and handle secrets and sensitive data securely.

Saturday, November 30, 2024

Shared Responsibility


The concept of shared responsibility in cloud computing refers to the division of security and compliance responsibilities between the cloud service provider (CSP) and the customer. The exact division of responsibilities can vary depending on the type of cloud service model (IaaS, PaaS, SaaS) being used.

The given diagram indicates the level of responsibility from IaaS to SaaS (from left to right).

In a nutshell, the shared responsibility model delineates which security tasks are handled by the cloud provider and which are handled by the customer, ensuring a clear understanding of each party's role in maintaining the overall security of the cloud environment.

Sunday, November 10, 2024

Cloud IAM


Identity and Access Management (IAM) defines who can do what on which resources.

Although IAM for Google and AWS perform the same function, they do it in very different ways.

Google uses Service accounts to control service-to-service authentication; AWS uses IAM Roles and Profiles to accomplish this control.

Details are listed in the table below.

Concept                       | Google Cloud                              | Amazon Cloud
------------------------------|-------------------------------------------|------------------------------------------
Programmatic Identity         | IAM service account                       | IAM role and instance profile
User Identity                 | Federated and managed outside IAM         | Identity profiles within AWS and EC2
Policy                        | List of bindings for a set of users by role | Document-based permissions applied to cloud users
Permission Collection         | User vs. Role pairing                     | Managed policies
Predefined set of permissions | Predefined roles                          | Managed policies

Cloud zone


Google and AWS both use regions as a way to provide cloud services to customers.

In cloud computing, a cloud region is a geographic area that contains multiple cloud zones, while a cloud zone is a logical data center within a region.

Google uses zones to provide data center services and every region will have at least 3 zones.

Google Cloud and AWS both have points of presence (PoPs) located in many more locations around the world.

Concept                 | Google Cloud       | Amazon Cloud
------------------------|--------------------|--------------------
Data center cluster     | Region             | Region
Abstracted data center  | Zone               | Availability Zone
Edge caching            | Points of Presence | Points of Presence
Min zones               | Three              | Two

Google Cloud uses points of presence to provide Cloud CDN and to deliver built-in edge caching for services such as App Engine and Cloud Storage.

AWS uses points of presence to provide the content delivery network service, Amazon CloudFront, and for edge caching services like Lambda at the edge.

Saturday, July 20, 2024

System outage 7/19


What?

Yesterday, Microsoft experienced a global outage due to an issue with CrowdStrike's Falcon Sensor software, causing widespread disruptions and triggering the 'Blue Screen of Death' on Windows PCs.

Computers with Mac and Linux operating systems were not impacted, and CrowdStrike said the incident was not caused by a cyberattack.

Who?

CEO George Kurtz said the system was sent an update, that the update had a software bug in it, and that this caused an issue with the Microsoft operating system.

Cybersecurity programs like CrowdStrike’s frequently and automatically update themselves to account for new tactics that malicious hackers have discovered. And there’s always a slight risk that any software update will be incompatible with other programs.

Why?

Logical system flow is depicted in the given diagram.

Where?

In computing, memory is organized as a large array of numbers, often represented in hexadecimal (base 16) for simplicity.

The patch attempted to read memory address 0x9c (156 in decimal), which lies in an invalid memory region. Any program that tries to read from this region is immediately terminated by Windows, as shown in the stack dump image. Programmatically, it was caused by a NULL pointer dereference in the code.

The affected code was part of a system driver, which has privileged access to the system hardware. When such a driver crashes, the operating system must immediately crash to protect the system, causing the infamous Blue Screen of Death (BSOD).
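To make the address 0x9c concrete, here is an added illustration (not CrowdStrike's code): a constructed record layout whose field sits 156 bytes in, so reading it through a NULL pointer resolves to exactly 0x9c, shown next to a guarded accessor that rejects the NULL record instead of faulting. The struct, field names and values are assumptions for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout (assumption for the demo, not a real driver structure):
 * 39 four-byte fields precede `flags`, so `flags` sits at byte offset
 * 156 == 0x9c, the address named in the stack dump. */
typedef struct {
    uint32_t header[39];
    uint32_t flags;
} content_entry_t;

/* Address that reading entry->flags would touch. With entry == NULL the
 * field offset is added to zero, so the read lands on 0x9c. */
uintptr_t field_address(const content_entry_t *entry)
{
    return (uintptr_t)entry + offsetof(content_entry_t, flags);
}

/* Unguarded read: a NULL entry makes this touch address 0x9c, which is
 * unmapped. In user mode the process dies; in a kernel driver the OS halts
 * with a bug check (BSOD). The demo never calls it with NULL. */
uint32_t read_flags_unchecked(const content_entry_t *entry)
{
    return entry->flags;
}

/* Guarded read: rejects a NULL entry (or output slot) and reports failure
 * through the return value, so the caller can skip the bad record instead
 * of taking the whole system down. */
bool read_flags_checked(const content_entry_t *entry, uint32_t *out)
{
    if (entry == NULL || out == NULL) {
        return false;
    }
    *out = entry->flags;
    return true;
}

/* Builds a valid entry (constructed input) and reads it through the guard. */
uint32_t checked_read_demo(void)
{
    content_entry_t entry = { {0}, 0x2a };
    uint32_t flags = 0;
    return read_flags_checked(&entry, &flags) ? flags : 0;
}

int main(void)
{
    uint32_t flags = 0;
    printf("offset of flags: 0x%lx\n", (unsigned long)offsetof(content_entry_t, flags));
    printf("NULL->flags would read address 0x%lx\n", (unsigned long)field_address(NULL));
    printf("checked read of NULL entry accepted? %s\n",
           read_flags_checked(NULL, &flags) ? "yes" : "no (record skipped safely)");
    return 0;
}
```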

How?

CrowdStrike immediately published workaround steps for individual hosts and cloud environments on their portal: https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/

Five years ago, the importance of null pointer handling was written up at https://medium.com/trimble-maps-engineering-blog/nullable-business-value-91c31df8f20d




Sunday, July 14, 2024

Wiz acquisition


Google is said to be acquiring the cybersecurity startup Wiz for $23 billion, marking its biggest acquisition ever.

Wiz was founded in 2020 by the ex-Microsoft Azure security team (Assaf Rappaport, Ami Luttwak, Yinon C. & Roy R.). They had previously sold their business Adallom to Microsoft for $320Mn in 2015, after which they joined Microsoft.

After seeing first-hand the difficulty large companies faced to manage cloud security threats, co-founders raised $100Mn to start Wiz "to secure everything you Build and Run in the Cloud."

💰Wiz Funding timeline: 

  • Series A (2020) - $100Mn (led by Index, Sequoia, Cyberstarts)
  • Series B (2021)- $130Mn @ $1.7Bn valuation (led by Advent International) 
  • Series B extension (2021) - $120Mn (led by Salesforce / Blackstone) 
  • Series C (2021) - $250Mn @ $6Bn valuation (led by Insight & Greenoaks)
  • Series D (2023) - $300Mn @ $10Bn valuation (led by Lightspeed, Greenoaks, Index)
  • Series E (2024) - $1Bn @ $12Bn valuation (led by A16Z, Lightspeed & Thrive Capital) 

If this deal goes through, at $23 billion it will be nearly double Google's previous largest acquisition (Motorola in 2011 for $12.5 billion).

Saturday, June 15, 2024

ECS environment


In an Amazon ECS task definition, the environment parameter is used to define environment variables that are passed to the container at runtime. 

Environment variables are key-value pairs that can be used to configure the behavior of the containerized application without changing the application code. 

"containerDefinitions": [{
    "name": "my-microservice-container",
    "image": "my-microservice:latest",
    "environment": [
        {
            "name": "DATABASE_URL",
            "value": "mysql://username:password@hostname:3306/dbname"
        },
        {
            "name": "API_KEY",
            "value": "your_api_key_here"
        },
        {
            "name": "LOG_LEVEL",
            "value": "debug"
        }
    ]
}]

 

As shown above, environment variables are set as a list under containerDefinitions/environment.

Purposes of Environment Variables:

  1. Configuration Management: You can use environment variables to configure the application, such as setting the application mode (development, testing, production), configuring logging levels, or setting feature flags.
  2. Secrets Management: Environment variables can be used to pass sensitive information like database credentials, API keys, and other secrets to the application. However, for enhanced security, consider using AWS Secrets Manager or AWS Systems Manager Parameter Store to manage sensitive data.
  3. Operational Parameters: You can define various operational parameters, like memory limits, thread counts, or other runtime configurations that the application might need.
  4. Service Endpoints: Environment variables can be used to specify the URLs or endpoints of other services that the application needs to communicate with.
  5. Feature Toggles: You can use environment variables to enable or disable features within your application dynamically without changing the code.
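As an added example (not from the original post), the same container definition with the database URL and API key moved out of plaintext `environment` into the task definition's `secrets` list, which ECS resolves at container launch from AWS Secrets Manager or the Systems Manager Parameter Store; only the non-sensitive LOG_LEVEL stays in `environment`. The ARNs are placeholders, and the secret/parameter names are assumptions.

```json
"containerDefinitions": [{
    "name": "my-microservice-container",
    "image": "my-microservice:latest",
    "environment": [
        {
            "name": "LOG_LEVEL",
            "value": "debug"
        }
    ],
    "secrets": [
        {
            "name": "DATABASE_URL",
            "valueFrom": "arn:aws:secretsmanager:<REGION>:<ACCOUNT_ID>:secret:prod/my-microservice/database-url"
        },
        {
            "name": "API_KEY",
            "valueFrom": "arn:aws:ssm:<REGION>:<ACCOUNT_ID>:parameter/prod/my-microservice/api-key"
        }
    ]
}]
```

The values in `environment` are visible to anyone who can describe the task definition, whereas `secrets` keeps only references there; the task execution role must be allowed to read the referenced secret and parameter for the task to start.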

Sunday, May 5, 2024

TLS-1.2 Architecture


The architecture of TLS (Transport Layer Security) 1.2, is defined in RFC 5246. As defined in the given diagram, TLS 1.2 has 4 phases of execution.

1. Record TCP check

It serves as the underlying transport mechanism for TLS, which is responsible for encapsulation of higher-level protocols

2. Certificate Exchange

In mutual authentication scenarios, the client and server exchange and verify certificates to generate shared keys.

3. Key Exchange

The communication is based on the chosen cipher suite. The client and server then generate a pre-master secret and exchange it securely.

4. Final Data Transmission

Both the client and server then communicate with the derived encryption keys to confirm the handshake. This enables the client request and server response to continue in a secured way.

Source code is demonstrated using C# in github repo at gsenthilvel/tls-demo (github.com)

Friday, May 3, 2024

Ubuntu 24.04 LTS


Yesterday Canonical announced the availability of Landscape's first LTS release.

Today, it was required to upgrade/replace the end-of-life version Ubuntu 16.04.2 LTS at my work. In sync with that, it's a great opportunity to explore the latest and greatest version, Ubuntu 24.04 LTS.

Landscape 24.04 LTS features a new versioned API, a new web portal with accessibility and performance in mind, and intuitive controls for software distribution. It comprises Landscape Server and Landscape Client. 

With a modernized backend and web portal in place, engineering teams can work efficiently, focusing on patches and new features.

Fact sheet is available at https://pages.ubuntu.com/rs/066-EOV-335/images/Landscape%20DS%20v3%205.4.2024.pdf?version=0&_gl=1*ux7hxq*_gcl_au*NDc5NjcxODM3LjE3MTQ3OTAwMDk.&_ga=2.140511158.548493742.1714790009-980279757.1714790009

This new version is not just faster, but also a fortress system.  Welcome to Noble Numbat!

Tuesday, March 19, 2024

ALB Keep Alive


Now, Application Load Balancer (ALB) provides flexibility that allows you to configure HTTP client keepalive duration for communication between clients and load balancer. With this feature, you can configure keepalive values to optimize client experience.

The HTTP client keepalive duration value specifies the maximum amount of time that ALB will maintain an HTTP connection with a client before closing the connection. 

The feature will allow customers to gracefully terminate their connections for deployment patterns like Blue/Green or rollbacks, migration of legacy applications, and while evacuating Availability Zones using zonal shift with Amazon Route 53 Application Recovery Controller. 

It is possible to set a value between 60 seconds and 7 days using a load balancer attribute as app clients’ keepalive duration, while the default value is 3600 seconds.

Thursday, March 14, 2024

EFS throughput


Yesterday, Amazon Elastic File System (EFS) increased the throughput per file system to up to 20 GiB/s of read throughput and up to 5 GiB/s of write throughput.

Amazon EFS provides serverless, fully elastic file storage that makes it simple to set up and run file workloads in the AWS cloud. 

This launch increases the maximum throughput performance for EFS file systems using Elastic Throughput by up to 2x, to 20 GiB/s of read throughput (from 10 GiB/s) and to 5 GiB/s of write throughput (from 3 GiB/s). 

With these higher throughput limits, it is possible to extend EFS’s simple, fully elastic, provisioning-free experience to even more throughput-intensive workloads, such as machine learning, genomics, and data analytics applications. 

Sunday, March 3, 2024

AWS Global Accelerator


AWS Global Accelerator is a networking service that improves the performance, reliability and security of your online applications using AWS Global Infrastructure. AWS Global Accelerator can be deployed in front of your Network Load Balancers, Application Load Balancers, AWS EC2 instances, and Elastic IPs, any of which could serve as Regional endpoints for your application.

Since AWS Global Accelerator operates at layer 4 of the OSI model, it can be used with any TCP/UDP application. You pay the Data Transfer-Premium fee of AWS Global Accelerator (on top of Data Transfer Out charges) in addition to an hourly accelerator fee to improve the performance and availability of your applications. 

In a nutshell, Global Accelerator improves the security, reliability, and performance of user-facing applications.

Sunday, February 25, 2024

AWS CF policy workflow

 


As outlined in the above diagram, response headers policies do not impact the origin-supplied headers stored in CloudFront’s caching layers. 

Headers configured in the policies are inserted after the response leaves the cache, and before the viewer response event that triggers a function if configured. 

If you have an edge function attached to the same behavior, policy inserted headers will be accessible in your function through the event object listing all the headers associated with the response. 

You can use that functionality by treating the headers generated through a policy as inputs for the function that will impact how the code is executed. This is similar to using environmental variables.

Sunday, February 18, 2024

MIME type text html

 


What

Last week, we faced a MIME type error after the hosted server upgrade.

Loading module from “runtime.4c09d92ae7f4a186.js” was blocked because of a disallowed MIME type (“text/plain”).  Strict MIME type checking is enforced for module scripts per HTML spec.

By design, Angular web app is hosted using AWS S3 and CloudFront architecture.

Where

These issues were related to three build files namely main.js, runtime.js and polyfills.js 

Why

Due to recent server upgrade process, Angular build files were uploaded into AWS to render as text/html by default. 

How

The fix is to upload the files to S3 and set the content-type metadata for the .js files explicitly, as below. The --exclude "*" is required because sync includes every file by default, so --include "*.js" on its own would not limit the content type to the JavaScript files:

aws s3 sync $DIST_PATH/ s3://$BUCKET_NAME/ --exclude "*" --include "*.js" --content-type "application/javascript"


Wednesday, February 7, 2024

AWS IPv4


Starting 1st Feb 2024, the AWS Free Tier for Amazon Elastic Compute Cloud (12 months free) includes 750 hours of public IPv4 address usage per month.


AWS Free Tier for Amazon EC2 applies to in-use public IPv4 address usage. Usage beyond 750 hours per month of in-use public IPv4 address will be charged at $0.005 per IP per hour as announced in this AWS News blog. 


There is no change in pricing for idle public IPv4 addresses that you allocate in your account but don’t attach to an EC2 instance. IPv4 addresses that you own and bring to AWS using Amazon BYOIP will continue to be free. 

Sunday, January 28, 2024

Azure vs AWS 2023


With the recent learnings/working experiences, one question struck my mind - Azure vs AWS.

An interesting article is available at https://www.simplilearn.com/tutorials/cloud-computing-tutorial/aws-vs-azure, based on last year 2023

In a nutshell, Azure and AWS are both well-respected members of the cloud domain. Azure holds about 29.4% of all installed application workloads, while AWS stands at 41.5%.