Identity & Security

How Vuclip safeguards its cloud environment across 100+ projects with Security Command Center

#security
vuclips.jpg

Entertainment has never been more accessible. As our phones are now an inextricable part of our lives, there’s an increasing appetite for mobile video content, and that is what Vuclip delivers. Vuclip is a leading video-on-demand service for mobile devices with more than 41 million monthly active users across more than 22 countries.

Speed is critical to the viewing experience, and delivering crisp, no-buffer video streaming was one of the reasons we decided to migrate to Google Cloud in 2017. Now we have replaced our monolithic on-prem infrastructure with a microservices-based production environment that’s almost fully on Google Cloud. Most services run on Google Kubernetes Engine, which delivers effortless scalability and quick time to market for new features and updates.

With a huge footprint in the cloud across multiple companies, we’re a big target for attacks, from data breaches to hackers trying to access our systems illegally. We must prepare for these attacks proactively and mitigate them quickly when they happen. That’s why we decided to use Google Cloud’s Security Command Center (SCC) Premium to protect our technology environment across our complex microservices-based architecture.

Increasing security and time-to-market with Security Command Center

Before signing up to SCC Premium, we conducted a proof-of-concept with help from the Google Cloud team to experience its capabilities firsthand. What stood out to us was that SCC wouldn’t just help us mitigate attacks, it would strengthen our entire security apparatus by continuously identifying the weaknesses of our system and giving us recommendations on how to improve it. 

In the past, we had quite a traditional security model. Business units were responsible for their own security setup and received support from Group Risk, our company’s internal security audit team, to review developed applications before they could go into production. With SCC, it’s easier for us to detect findings and build the right security configurations into new services as we build them. We can configure policy based on SCC recommendations and act on suggestions quickly unlike earlier when everything was reported back to the Group Risk team for review. This has really reduced our time to market: going into production used to take at least a month, now we can do it in a week.

Centralizing visibility for continuous insights

With SCC Premium, we now streamline many security processes that used to require a lot of manual effort. In the past, we had to conduct regular vulnerability scans of our most critical systems, but with microservices running across more than 100+ projects it was difficult to deliver constant security checks on all of them. With centralized visibility, SCC enables us to monitor all of these projects continuously to discover misconfigurations and threats quickly, while making sure we’re adhering to our compliance standards.

Here’s what it looks like day to day: for every new and existing project, when new services are added to the system our policies require the SRE team to configure SCC into the setup from the beginning. That’s how we can make sure that every surface and every application stack is utilizing the platform to help us detect all alerts and suggestions. We integrate all of these notifications into our Pub/Sub alerting system, giving us centralized visibility over our security posture across multiple projects.

Every misconfiguration revealed with comprehensive alerts

Improved visibility enables us to keep an eye on our systems proactively. Let’s take IP addresses, for example. Whenever we set up a new system, we must configure a new public-facing IP address from the GKE endpoint. When that happens, we get an alert from SCC, informing us that a new public IP address is being set up. Right away, SCC identifies any vulnerabilities or misconfigurations, such as missing firewall rules. Having that constant visibility, as opposed to the spaced-out vulnerability scans from the past, we achieve a continuous level of security that improves our overall posture.

Mitigating threats in ¼ of the time

This comprehensive security posture inadvertently leads to an increased number of alerts from SCC. Not all of them relate to serious attacks that need to be mitigated right away. That’s why we have dedicated team members on a rotating basis, who scroll through the alerts to identify the most pressing threats and decide on further actions. If there’s a problem we need to mitigate, we can do it in about a quarter of the time it used to take without SCC. This is because we no longer have to identify issues and search for solutions ourselves. Instead, the issue is pointed out immediately in the alert.

A great side effect of these detailed alerts and recommendations is that our employees learn more about security-related matters. This experience trains them on how to improve our systems in the future and helps them prepare for more serious attacks.

Strengthening compliance for faster approval

Another area where SCC is helpful is compliance. Our baseline for new and existing services is the CIS Google Cloud Computing Foundations Benchmark, and SCC enables us to meet its requirements more efficiently with targeted suggestions. This facilitates the approval from the Group Risk team before we launch a service, they can see exactly how compliant we are with the CIS standard, further increasing our time-to-market and overall security posture.

Entertaining the world securely with Security Command Center

With SCC Premium, we’ve moved from a traditional security model reliant on intermittent vulnerability scans to a much more agile security strategy with continuous monitoring and centralized visibility and control. We’re excited to explore more of SCC’s features in the future, such as the ability to mute findings, which will help us to disable certain alerts we don’t need to be reminded of.

Our evolution with SCC hasn’t just made Vuclip more secure and compliant, it’s helped us to reduce our time-to-market, delivering our services faster without compromising on security. In a fast-paced media world, that’s exactly what we need to remain the video-on-demand service provider of choice and entertain people around the world.