
Container Platform Security at Cruise - based2
https://medium.com/cruise/container-platform-security-7a3057a27663
======
georgewfraser
It seems weird to me that a self-driving car company is doing work on core
server infrastructure things like container security. Does the builtin GCP
stuff really not work for them? My impression has been that it’s really well
thought-out.

~~~
ownagefool
To be fair, the write up isn't much more that.

TL;DR

They use Okta for SSO, GCP for Service Accounts (automation), vault for
secrets, ca and tls, GKE generally, and this is how it all works.

That said, the article is good and the author has a good understanding of
what's going on. Typically, you need to know how something works before you
can form realistic opinion on whether or not it is secure. Too much of the
industry is full of blind trust from people that can get things working but
don't scratch beyond the surface of integration.

The author has likely had to understand this in order to explain it to InfoSec
assurance, compliance and audit departments, but I think writing it down is
really useful for people without the tech.

I think they could expand on why they use vault rather than the secrets engine
directly, but I suspect that was because of integrations, protability, and the
workload indentity functionality behing newer than their setup.

~~~
techslave
> I think writing it down is really useful for people without the tech.

writing it down, sure. but publishing it is useful for SEO and recruitment
purposes.

------
justicezyx
I do not buy the sentiment that self driving car company should leave
infrastructure work to cloud providers.

On the one hand, such work has realistic roi, for example, a little foraging
into infrastructure tech, allow outsized understanding which translate to
outsized benefit. I.e., to have a few guys to work out these details easily
help remove common simple defects for a large organization.

Additionally, staying connected with the industry is crucial. Nowadays, your
value to hackers can be increased 10x overnight depending on some luck events.
And the modern infrastructure is full of holes that a seasoned hacker can
easily crack. It’s just a matter of discovering the right entry way. And such
entry ways keep changing with the new tech.

------
mtgx
Self-driving car security is going to need a lot more than just following the
latest buzzword in the security community and thinking that's enough.

But if the Cruise team is keen on buzzwords that they can then brag to the
media about then maybe they should start using the "disconnected self-driving
car" buzzword instead, and then implement about a dozen more of Brad
Templeton's security recommendations for self-driving cars:

[https://ideas.4brad.com/disconnected-car-right-security-
plan...](https://ideas.4brad.com/disconnected-car-right-security-plan-
robocars)

Then I might just start believing that GM (or any other self-driving) cars may
end up with reasonable but still not bulletproof security in about a decade.

