+ All Categories
Home > Documents > Google Cloud Platform Security Essentials… · 2020. 7. 28. · Google Cloud firewall applied to...

Google Cloud Platform Security Essentials… · 2020. 7. 28. · Google Cloud firewall applied to...

Date post: 29-Jan-2021
Upload: others
View: 1 times
Download: 0 times
Share this document with a friend
GCP Security Essentials Google Cloud Platform Security Essentials About This Course
  • GCP Security Essentials

    Google Cloud Platform Security Essentials

    About This Course

  • GCP Security Essentials

    Importance of security on GCP

    Google takes great steps to secure their platformEnd user (you) shares responsibility for securing their resources

  • GCP Security Essentials

    What we will cover

    Foundational security and access management concepts of GCPIdentity and Access ManagementSecuring Network Infrastructure (VPC’s and Firewalls)Securing access to Compute Engine operating systemsSecuring access to data storageMonitoring and logging your GCP environment with StackdriverIntroduction to custom encryption

  • GCP Security Essentials


    Basic familiarity with navigating GCP consoleCreating, accessing, and deleting GCE instances

  • GCP Security Essentials

    Google Cloud Platform Security Essentials

    GCP Resource Hierarchy

  • GCP Security Essentials

    Top-down Hierarchy

  • GCP Security Essentials

    GCP Cloud Resource Hierarchy

    Three layers:• Organization – “root”• Projects – “primary folders”• Resources – “subfolders”

    Hierarchal/parent-child relationship

  • GCP Security Essentials


    Organization – entire company (@companyname.com):• Organization level roles applied to all layers – “global”

    Projects – the core organizational component of GCP:• Services in the same project have a default level of trust

    • Primary method of access control

    • Create/manage all GCP services

    • Billing, API’s, Roles

    Resources – GCP services (Compute Engine, BigQuery, etc.)

  • GCP Security Essentials

    Google Cloud Platform Security Essentials

    Identity and Access Management (IAM)

  • GCP Security Essentials

    Why Does this Matter?

    • All organizations need to manage access to resources• Prevent unwanted access• Security principle of least privilege

  • GCP Security Essentials

    What is Cloud IAM?

    • Managing who has what access to which resources

    • WHO = member• WHAT ACCESS = roles• RESOURCES = GCP resources (instances,

    projects, cloud storage buckets, etc.)• Projects = core organizational component for

    resource isolation

  • GCP Security Essentials

    What is a Member (‘who’)?

    • A person, people, or program:• Google account - individual ([email protected])

    • Google group ([email protected])

    • G Suite domain (@mycompany.com)

    • Cloud Identity domain (same as G Suite domain, without Google services)

    • Service account – program access ([email protected])

    • Every member represented by an email account • Email account =access method

  • GCP Security Essentials

    What is a Role (‘what access’)?

    • Role = collection of permissions• Permissions = what operations

    allowed on resource• Permissions not assigned to a

    member, rather permissions are grouped into a role, which is assigned to a member.

    • Role scopes:• Org/Project level - primitive

    • Resource/granular level -predefined

  • GCP Security Essentials

    Primitive and Predefined Roles

    Primitive – historically available GCP role before modern Cloud IAM implemented• Granted to entire project

    • Owner = Full admin access, including IAM management and billing

    • Editor = Modify resource states, but no IAM/billing management

    • Viewer = read-only access

    Predefined (or Curated)• Granular – applied to resource level (Compute Engine, Cloud Storage, etc.)

    • Example: Compute Engine Instance Admin

    • Can grant multiple predefined roles per member

  • GCP Security Essentials

    What is a Resource?

    Everything in GCP, including:• Projects• Compute Engine instances• Cloud Storage buckets• BigQuery datasets

  • GCP Security Essentials

    Cloud IAM Policy

    • Collection of IAM statements• Often used programmatically

  • GCP Security Essentials

    Policy Hierarchy

    • Like a file system• Parent-child relationship• ‘Child’ has exactly one parent• Policies inherited all the way down the chain• Parent policy overrules child policy (permissive)

  • GCP Security Essentials

    Putting ALL of it Together – IAM…

    Grants members (who) Users, groups, organizations, service accounts

    Various roles (what access) Primitive (broad) and predefined (granular)

    In a hierarchal format Parent overrules child

    To GCP Resources

    Examples:• [email protected] is granted Owner role to Project ‘My First Project’• [email protected] granted App Engine Service Admin role to App Engine

  • GCP Security Essentials

    Google Cloud Platform Security Essentials

    IAM Best Practices

  • GCP Security Essentials

    Principle of least privilege

    Use projects to isolate resourcesPredefined over primitive roles, when possibleGrant role by smallest scope

    • Compute Instance Admin vs. Compute Engine Admin

    Grant Owner role only if need to change IAM policy• Otherwise, use Editor

    Limit project creation with Project Creator role• Limit to those who are also Billing Account User

  • GCP Security Essentials

    Other best practices

    Thoroughly understand policy inheritanceUse groups when possible

    • Multiple need same access to same projects

    • Control who owns/manages group

    Only allow corporate account access• No personal gmail accounts

    • Can add outsiders via Cloud Identity account

    Service accounts• Restrict service account actor/user access

    • Don’t expose service account keys unnecessarily

    • Don’t delete service accounts still in use

    If same role needed across multiple projects, grant at organization or folder level

  • GCP Security Essentials

    Google Cloud Platform Security Essentials

    Firewall Basics

  • GCP Security Essentials

    How Does Networking Work?

    • Computers need to speak a common language to communicate• TCP/IP network protocol suite is the common language used• TCP/IP is not a single protocol, but a suite, or collection of standardized protocols

  • GCP Security Essentials

    TCP/IP Suite

  • GCP Security Essentials

    What Are Network Ports?

    • Protocols higher than level 4 of OSI model have a port number assigned• Port = ‘channel’• 65535 ports available for both TCP and UDP protocols• Examples:

    • HTTP = port 80

    • SSH = port 22

    • Not every protocol has a port number• ICMP

  • GCP Security Essentials


    • Gatekeeper of network access• Allow/deny based on conditions (protocol and/or port number)• Examples:

    • Deny access on port 80 (HTTP)

    • Allow access on port 22 (SSH)

  • GCP Security Essentials

    Firewalls on GCP

    • Conditional access based on port/protocol• Can allow access to/from some locations, and deny it to others

  • GCP Security Essentials

    Google Cloud Platform Security Essentials

    OS Security Best Practices and Acceptable Use

  • GCP Security Essentials

    OS Security Best Practices

    Disable insecure applications (e.g. Telnet)Protect local/custom credentials

    • Linux – custom private SSH keys/passphrase

    • Do not publish SSH keys

    • Windows – local account username/password

    Windows• Disable guest account

    • Disable print/file sharing

  • GCP Security Essentials

    Software firewall

    Traditional firewall protects network from outside threats, but leaves communication within network openGoogle Cloud firewall applied to each instance, including internal communicationSoftware firewalls often necessary for third party compliance auditsSoftware firewall best practices:

    • Document application – beware of overlaps with VPC firewall

    • Only allow necessary traffic (e.g. port 80 for HTTP access)

  • GCP Security Essentials

    Acceptable use and resolution steps

    You agree that your resources will not be used for illegal purposes• Spreading malware

    • DDOS attack

    Abuse resolution• Notification of violation of terms of service

    • Submit appeal (including steps to resolve)

    • Appeal confirmed/resolved

  • GCP Security Essentials

    Google Cloud Platform Security Essentials

    Securing Cloud Storage

  • GCP Security Essentials

    Cloud Storage most susceptible to leaked data

    Lapse in cloud storage security can have dire consequences

  • GCP Security Essentials

    Cloud storage security is in your control!

    No reason sensitive information should be exposedExposure incidents are 100% preventableSection objective = avoid accidental exposure

  • GCP Security Essentials

    Google Cloud Platform Security Essentials

    Encryption on Google Cloud Platform

  • GCP Security Essentials

    What is encryption?

    Process of encoding data, scrambling it and making unusable to outside partiesPlaintext ‘scrambled’ into ciphertextPaired with encryption keyPublic algorithm (AES), but with a secret key

  • GCP Security Essentials

    How encryption protects you and your data

    In transit – encrypted data is safe from ‘snooping’• Getting from here to there

    At rest – encrypted data cannot be ‘unscrambled’ without encryption key‘In transit’ and ‘at rest’ are two key terms

  • GCP Security Essentials

    Encryption on Google Cloud Platform

    Everything is encrypted by defaultThere is no “non-encrypted” option available

  • GCP Security Essentials

    Encryption in transit

    Encrypted by defaultDefault and user-customized options availableDefault = TLS using BoringSSL, issued Certificate Authority, ALTSCustomized = VPN (IPsec), managed SSL certificates

  • GCP Security Essentials

    Encryption at rest

    Protects data, even if attacker gains possession• Cannot unencrypt without keys

    Encryption is inherent in all of Google’s storage systems — rather than added on afterwardGoogle encrypts data at multiple layers in the processEncrypted data broken into chunks, and distributed across datacenter with unique keys

    • Key for each chunk is itself encrypted by another key (Key Management Service)

  • GCP Security Essentials

    Encryption at rest options

    Google managed keys• Default/automatic option, rotated frequently

    Customer keys in Cloud Key Management Service (KMS)• Customer provided keys

    • Managed storage/rotation

    Customer supplied and stored keys• Keys kept on-premises

    Automation vs. control

  • GCP Security Essentials

    Encryption options decision tree

  • GCP Security Essentials

    Google Cloud Platform Security Essentials

    Next Steps

  • GCP Security Essentials

    Next steps

    Thank you for joining us!Check out our other Google Cloud Platform contentPost thoughts/questions in CommunityRate us!