
No one can really predict their security accurately.

Say you maintain a bare-metal server in a data center that your company controls.

How much do you know about its physical security? The protocols for admitting new staff? Do you rely on your company’s physical security team and HR? Are any of those functions contracted externally, even partially?

How much do you know about the network security? Do you rely on a networking team? Is any of their work contracted externally? What about the link to the outside world?

How much do you know about the sourcing of the physical hardware?

How much of the source have you audited? How about firmware source?

GKE obviously introduces new factors and vectors, but it also simplifies many of these and adds elements of herd immunity. And it’s also the same as the rest: your system was built by many people, it will be used by many people, and it will be maintained by many people. You can spend all of your time verifying every link, or you can help them do something in the world.




How well do you vet your IT staff? I was once the recipient of an inside job: http://boston.conman.org/2004/09/19.1



