With every new cloud project we take on, we are (and quite rightly so) asked how we view (cyber) security at vBridge BV.
We don’t make any compromises on that, but that is sometimes difficult to quantify in a conversation.
An example can clarify a lot:
- On February 22, the Istio project (a service mesh used in conjunction with Kubernetes) announced a vulnerability in certain versions of its software.
- Also on February 22, Google Cloud wrote in its release notes that new packages were available for Anthos Service Mesh (which is derived from Istio) with fixes for these problems.
- The same day this information was shared within our team and an impact analysis was done per customer.
- On February 23, an official blog post was published further explaining the risks posed by these vulnerabilities.
- On the same day, the impacted customers were sent a comprehensive analysis detailing what this means for their clusters and what our suggested upgrade paths are.
All this within 24 hours after the first report appeared, and only a few hours after an official blog post about it appeared.
Luckily, the impact was limited, because we architect our cloud setups with multiple layers of security, and the other layers kept this issue from becoming a real risk.
That is also the answer to how we approach security at vBridge BV: a multilayer architecture, and a very aggressive approach if vulnerabilities do appear somewhere.