Post on 29-Jan-2021
TRANSCRIPT
-
GCP Security Essentials
Google Cloud Platform Security Essentials
About This Course
-
Importance of security on GCP
Google takes great steps to secure their platform
End user (you) shares responsibility for securing their resources
-
What we will cover
Foundational security and access management concepts of GCP
Identity and Access Management
Securing network infrastructure (VPCs and firewalls)
Securing access to Compute Engine operating systems
Securing access to data storage
Monitoring and logging your GCP environment with Stackdriver
Introduction to custom encryption
-
Prerequisites
Basic familiarity with navigating the GCP console
Creating, accessing, and deleting GCE instances
-
Google Cloud Platform Security Essentials
GCP Resource Hierarchy
-
Top-down Hierarchy
-
GCP Cloud Resource Hierarchy
Three layers:
• Organization – "root"
• Projects – "primary folders"
• Resources – "subfolders"
Hierarchical/parent-child relationship (folders can optionally sit between the organization and its projects to group them)
-
Levels
Organization – entire company (@companyname.com):
• Organization-level roles apply to every layer below – "global"
Projects – the core organizational component of GCP:
• Services in the same project have a default level of trust
• Primary unit of access control
• Create/manage all GCP services
• Billing, APIs, roles
Resources – GCP services (Compute Engine, BigQuery, etc.)
-
Google Cloud Platform Security Essentials
Identity and Access Management (IAM)
-
Why Does this Matter?
• All organizations need to manage access to resources
• Prevent unwanted access
• Security principle of least privilege
-
What is Cloud IAM?
• Managing who has what access to which resources
• WHO = member
• WHAT ACCESS = roles
• RESOURCES = GCP resources (instances, projects, Cloud Storage buckets, etc.)
• Projects = core organizational component for resource isolation
-
What is a Member (‘who’)?
• A person, people, or program:
• Google account – individual (admin@professionalwireless.net)
• Google group (DevTeam@mycompany.com)
• G Suite domain (@mycompany.com)
• Cloud Identity domain (same as a G Suite domain, but without the G Suite applications)
• Service account – program access (966515583731-compute@developer.gserviceaccount.com)
• Every member is represented by an email address
• Email address = access method
-
What is a Role (‘what access’)?
• Role = collection of permissions
• Permissions = what operations are allowed on a resource
• Permissions are not assigned to a member directly; they are grouped into a role, which is assigned to a member
• Role scopes:
• Primitive roles – coarse, granted project-wide
• Predefined roles – granular, per service, and can be granted on the organization, folder, project or an individual resource
-
Primitive and Predefined Roles
Primitive – historically available GCP roles from before modern Cloud IAM was implemented (now called "basic" roles)
• Granted to the entire project
• Owner = full admin access, including IAM management and billing
• Editor = modify resource state, but no IAM/billing management
• Viewer = read-only access
Predefined (or curated)
• Granular – applied at the resource level (Compute Engine, Cloud Storage, etc.)
• Example: Compute Engine Instance Admin
• Can grant multiple predefined roles per member
-
What is a Resource?
Everything in GCP, including:
• Projects
• Compute Engine instances
• Cloud Storage buckets
• BigQuery datasets
-
Cloud IAM Policy
• A collection of bindings, each tying one role to a list of members, attached to a single resource
• Often read and written programmatically (JSON/YAML via gcloud or the API)
-
Policy Hierarchy
• Like a file system
• Parent-child relationship
• 'Child' has exactly one parent
• Policies are inherited all the way down the chain
• The effective policy on a resource is the union of its own policy and its ancestors' policies, so a grant made at the parent cannot be taken away at the child (inheritance only ever adds access)
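The inheritance rule above is easy to state and easy to get wrong in practice. The following is an added example, not part of the slide deck: a small Python model of a resource tree with a policy at each level, which walks the ancestor chain and computes a member's effective roles and permissions. The organization, folder, project, bucket, members and the three roles' permission sets are all constructed assumptions (real roles contain far more permissions); the semantics modelled are the real ones, including group membership and the fact that a bucket-level grant does not flow upward to the project.

```python
"""Added example (not from the slide deck): how Cloud IAM policies combine
down the resource hierarchy. Resource names, policies, group membership and
role contents are constructed for illustration."""
from __future__ import annotations

# Child resource -> its single parent; the organization is the root.
PARENT = {
    "organizations/111": None,
    "folders/eng": "organizations/111",
    "projects/my-first-project": "folders/eng",
    "projects/my-first-project/buckets/payroll": "projects/my-first-project",
}

# Role -> permissions (assumed subsets of the real roles).
ROLE_PERMISSIONS = {
    "roles/viewer": {"storage.objects.get", "compute.instances.get"},
    "roles/editor": {"storage.objects.get", "storage.objects.create",
                     "compute.instances.get", "compute.instances.setMetadata"},
    "roles/storage.objectViewer": {"storage.objects.get"},
}

# Group membership is normally resolved by the identity provider.
GROUPS = {"group:devteam@mycompany.com": {"user:bob@mycompany.com"}}

# One policy per level, in the "bindings" shape gcloud get-iam-policy returns.
POLICIES = {
    "organizations/111": {"bindings": [
        {"role": "roles/viewer", "members": ["group:devteam@mycompany.com"]},
    ]},
    "projects/my-first-project": {"bindings": [
        {"role": "roles/editor", "members": ["user:alice@mycompany.com"]},
    ]},
    "projects/my-first-project/buckets/payroll": {"bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:etl@my-first-project.iam.gserviceaccount.com"]},
    ]},
}


def ancestors(resource: str) -> list[str]:
    """The resource followed by each parent up to the root, child first."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = PARENT[resource]
    return chain


def principals_for(member: str) -> set[str]:
    """The member itself plus every group it belongs to."""
    return {member} | {g for g, users in GROUPS.items() if member in users}


def effective_roles(member: str, resource: str) -> dict[str, str]:
    """Role -> the level it was granted at, walking root to leaf.

    Bindings are only ever added along the walk: nothing at a lower level
    can remove a role granted higher up."""
    who = principals_for(member)
    granted: dict[str, str] = {}
    for level in reversed(ancestors(resource)):  # root first
        for binding in POLICIES.get(level, {}).get("bindings", []):
            if who & set(binding["members"]):
                granted.setdefault(binding["role"], level)
    return granted


def effective_permissions(member: str, resource: str) -> set[str]:
    """Union of the permissions of every inherited role."""
    perms: set[str] = set()
    for role in effective_roles(member, resource):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def can(member: str, resource: str, permission: str) -> bool:
    return permission in effective_permissions(member, resource)


if __name__ == "__main__":
    bucket = "projects/my-first-project/buckets/payroll"
    for m in ("user:bob@mycompany.com", "user:alice@mycompany.com",
              "serviceAccount:etl@my-first-project.iam.gserviceaccount.com"):
        print(m, "->", sorted(effective_roles(m, bucket).items()))
```

Running it shows Bob reaching the payroll bucket as Viewer purely through a group binding three levels up, Alice's project-wide Editor role carrying into the bucket, and the ETL service account holding its bucket-level role without gaining anything on the project itself.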
-
Putting ALL of it Together – IAM…
Grants members (who) – users, groups, domains, service accounts
Various roles (what access) – primitive (broad) and predefined (granular)
In a hierarchical format – a child inherits, and cannot remove, its parent's grants
To GCP resources
Examples:
• bob@professionalwireless.net is granted the Owner role on project 'My First Project'
• my-first-project-172354@developer.gserviceaccount.com is granted the App Engine Service Admin role on App Engine
-
Google Cloud Platform Security Essentials
IAM Best Practices
-
Principle of least privilege
Use projects to isolate resources
Prefer predefined over primitive roles, when possible
Grant each role at the smallest scope that works
• Compute Instance Admin vs. Compute Engine Admin
Grant the Owner role only to those who need to change the IAM policy
• Otherwise use Editor, or better still a predefined role
Limit project creation with the Project Creator role
• Limit it to those who are also a Billing Account User
-
Other best practices
Thoroughly understand policy inheritance
Use groups when possible
• Multiple people need the same access to the same projects
• Control who owns/manages the group
Only allow corporate account access
• No personal Gmail accounts
• Outsiders can be added via a Cloud Identity account
Service accounts
• Restrict service account actor/user access
• Don't expose service account keys unnecessarily
• Don't delete service accounts still in use
If the same role is needed across multiple projects, grant it at the organization or folder level
-
Google Cloud Platform Security Essentials
Firewall Basics
-
How Does Networking Work?
• Computers need to speak a common language to communicate
• The TCP/IP network protocol suite is the common language used
• TCP/IP is not a single protocol, but a suite, or collection, of standardized protocols
-
TCP/IP Suite
-
What Are Network Ports?
• TCP and UDP (the transport layer, level 4 of the OSI model) carry a port number that identifies which application-layer protocol is speaking above them
• Port = 'channel'
• Port numbers run from 0 to 65535 for both TCP and UDP (65535 usable ports; port 0 is reserved)
• Examples:
• HTTP = port 80
• SSH = port 22
• Not every protocol has a port number
• ICMP (carried directly on IP, no port)
-
Firewalls
• Gatekeeper of network access
• Allow/deny based on conditions (protocol and/or port number)
• Examples:
• Deny access on port 80 (HTTP)
• Allow access on port 22 (SSH)
-
Firewalls on GCP
• Conditional access based on port/protocol, together with the rule's direction (ingress/egress) and source or destination IP ranges
• Can allow access to/from some locations, and deny it to others
• Rules belong to a VPC network and are applied to each instance (all instances, or only those with a matching target tag or service account)
• Rules are stateful and evaluated by priority (0–65535, lower number wins; at equal priority deny beats allow); every network also has two implied rules at the lowest priority: deny all ingress, allow all egress
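Because several rules can match the same packet, the only way to know what a rule set really permits is to apply the evaluation order. The following Python is an added example, not from the slide deck or from Google: an offline evaluator that implements the documented VPC firewall matching order (per direction, lowest priority number wins, deny beats allow on a tie, target tags scope a rule to instances, plus the two implied rules). The rule set is constructed for the example and imitates the shape of `gcloud compute firewall-rules describe` output; the 10.0.0.0/8 corporate range, the `bastion` and `web` tags and the 203.0.113.9 probe address (TEST-NET-3) are assumptions. Connection tracking for return traffic is not modelled.

```python
"""Added example (not from the slide deck): evaluate a constructed set of
VPC firewall rules the way Google Cloud orders them, to find what an
instance actually exposes before the rules are deployed."""
from ipaddress import ip_address, ip_network

# Implied rules every VPC network has; they cannot be deleted, only overridden.
IMPLIED = [
    {"name": "implied-deny-ingress", "direction": "INGRESS", "priority": 65535,
     "action": "deny", "ranges": ["0.0.0.0/0"], "protocols": {"all": []}, "targetTags": []},
    {"name": "implied-allow-egress", "direction": "EGRESS", "priority": 65535,
     "action": "allow", "ranges": ["0.0.0.0/0"], "protocols": {"all": []}, "targetTags": []},
]

# Constructed rule set: the broad default-network style SSH rule next to a
# tighter pair that admits SSH to bastions only from an assumed corporate range.
RULES = [
    {"name": "default-allow-ssh", "direction": "INGRESS", "priority": 65534,
     "action": "allow", "ranges": ["0.0.0.0/0"], "protocols": {"tcp": [22]}, "targetTags": []},
    {"name": "allow-ssh-corp", "direction": "INGRESS", "priority": 1000,
     "action": "allow", "ranges": ["10.0.0.0/8"], "protocols": {"tcp": [22]}, "targetTags": ["bastion"]},
    {"name": "deny-ssh-internet", "direction": "INGRESS", "priority": 1010,
     "action": "deny", "ranges": ["0.0.0.0/0"], "protocols": {"tcp": [22]}, "targetTags": ["bastion"]},
    {"name": "allow-http", "direction": "INGRESS", "priority": 1000,
     "action": "allow", "ranges": ["0.0.0.0/0"], "protocols": {"tcp": [80, 443]}, "targetTags": ["web"]},
]


def _proto_matches(spec, protocol, port):
    if "all" in spec:
        return True
    if protocol not in spec:
        return False
    ports = spec[protocol]
    return not ports or port in ports  # empty list = every port of that protocol


def _rule_matches(rule, direction, tags, peer_ip, protocol, port):
    if rule["direction"] != direction:
        return False
    # A rule with no target tags applies to every instance in the network.
    if rule["targetTags"] and not set(rule["targetTags"]) & set(tags):
        return False
    if not any(ip_address(peer_ip) in ip_network(r) for r in rule["ranges"]):
        return False
    return _proto_matches(rule["protocols"], protocol, port)


def evaluate(rules, direction, instance_tags, peer_ip, protocol, port=None):
    """Return (action, rule_name) for one packet against the rule set."""
    candidates = [r for r in list(rules) + IMPLIED
                  if _rule_matches(r, direction, instance_tags, peer_ip, protocol, port)]
    # Lowest priority number first; on a tie, deny sorts before allow.
    candidates.sort(key=lambda r: (r["priority"], r["action"] != "deny"))
    winner = candidates[0]  # the implied rules guarantee at least one match
    return winner["action"], winner["name"]


def exposed_ports(rules, instance_tags, protocol, ports, probe_ip="203.0.113.9"):
    """Ports an arbitrary internet address (TEST-NET-3 here) can reach."""
    return [p for p in ports
            if evaluate(rules, "INGRESS", instance_tags, probe_ip, protocol, p)[0] == "allow"]


if __name__ == "__main__":
    print(evaluate(RULES, "INGRESS", ["bastion"], "203.0.113.9", "tcp", 22))
    print(evaluate(RULES, "INGRESS", ["bastion"], "10.1.2.3", "tcp", 22))
    print(exposed_ports(RULES, ["web"], "tcp", [22, 80, 443, 8080]))
```

The last line of output is the point of the exercise: the bastion-specific deny protects bastions, but the untargeted `default-allow-ssh` rule still leaves port 22 open to the internet on every `web` instance, which is exactly the kind of overlap a rule-by-rule review misses.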
-
Google Cloud Platform Security Essentials
OS Security Best Practices and Acceptable Use
-
OS Security Best Practices
Disable insecure applications (e.g. Telnet)
Protect local/custom credentials
• Linux – custom private SSH keys, protected with a passphrase
• Never publish private SSH keys (only the public half belongs in authorized_keys or instance metadata)
• Windows – local account username/password
Windows
• Disable the guest account
• Disable print/file sharing
-
Software firewall
A traditional perimeter firewall protects the network from outside threats, but leaves communication within the network open
The Google Cloud firewall is applied to each instance, including internal communication
Software (host-based) firewalls are often still necessary for third-party compliance audits
Software firewall best practices:
• Document each application's rules – beware of overlaps with the VPC firewall (traffic must be allowed by both the VPC rules and the host firewall to get through)
• Only allow necessary traffic (e.g. port 80 for HTTP access)
-
Acceptable use and resolution steps
You agree that your resources will not be used for illegal purposes
• Spreading malware
• DDoS attacks
Abuse resolution
• Notification of a violation of the terms of service
• Submit an appeal (including the steps taken to resolve it)
• Appeal confirmed/resolved
-
Google Cloud Platform Security Essentials
Securing Cloud Storage
-
Cloud Storage is the service most susceptible to leaked data
A lapse in cloud storage security can have dire consequences
-
Cloud storage security is in your control!
There is no reason sensitive information should be exposed
Exposure incidents are preventable: a bucket becomes public only when a role is granted to allUsers or allAuthenticatedUsers (in its IAM policy or a legacy ACL), and those grants can be found and reviewed
Section objective = avoid accidental exposure
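Finding those grants is mechanical, so it should be automated rather than left to the console. The following is an added example, not from the slide deck: a Python audit that walks a set of bucket IAM policies and legacy ACLs and reports every binding to `allUsers` or `allAuthenticatedUsers`, classified by whether it confers read or write access. The bucket names, policies and the read/write role sets are constructed assumptions (the role sets are subsets of the real Cloud Storage roles, and a project with custom roles would need them added); the policy shape matches what `gsutil iam get` / `gcloud storage buckets get-iam-policy` return.

```python
"""Added example (not from the slide deck): flag public principals in
constructed Cloud Storage bucket IAM policies and legacy ACLs."""

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Assumed subsets of the real roles; add custom roles as needed.
READ_ROLES = {"roles/storage.objectViewer", "roles/storage.legacyObjectReader",
              "roles/storage.legacyBucketReader", "roles/viewer"}
WRITE_ROLES = {"roles/storage.objectCreator", "roles/storage.objectAdmin",
               "roles/storage.legacyBucketWriter", "roles/storage.admin", "roles/editor"}

# Constructed sample: one intentionally public site bucket, one accidentally
# exposed export bucket, one correctly private log bucket.
SAMPLE_BUCKETS = {
    "website-assets": {
        "iam": {"bindings": [
            {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
            {"role": "roles/storage.admin", "members": ["group:webops@mycompany.com"]},
        ]},
        "acl": [],
    },
    "payroll-exports": {
        "iam": {"bindings": [
            {"role": "roles/storage.objectAdmin", "members": ["allAuthenticatedUsers"]},
        ]},
        "acl": [{"entity": "allUsers", "role": "READER"}],
    },
    "build-logs": {
        "iam": {"bindings": [
            {"role": "roles/storage.objectViewer",
             "members": ["serviceAccount:ci@my-first-project.iam.gserviceaccount.com"]},
        ]},
        "acl": [{"entity": "project-owners-123456", "role": "OWNER"}],
    },
}


def _iam_access(role):
    if role in WRITE_ROLES:
        return "write"
    if role in READ_ROLES:
        return "read"
    return "other"


def audit_bucket(name, bucket):
    """Every public grant on one bucket, from its IAM policy and its ACL."""
    findings = []
    for binding in bucket.get("iam", {}).get("bindings", []):
        for member in binding["members"]:
            if member in PUBLIC_PRINCIPALS:
                findings.append({"bucket": name, "source": "iam", "principal": member,
                                 "role": binding["role"], "access": _iam_access(binding["role"])})
    for entry in bucket.get("acl", []):
        if entry["entity"] in PUBLIC_PRINCIPALS:
            access = "write" if entry["role"] in ("WRITER", "OWNER") else "read"
            findings.append({"bucket": name, "source": "acl", "principal": entry["entity"],
                             "role": entry["role"], "access": access})
    return findings


def audit_all(buckets):
    return [f for name, bucket in buckets.items() for f in audit_bucket(name, bucket)]


def public_buckets(buckets):
    """Sorted names of buckets with at least one public grant."""
    return sorted({f["bucket"] for f in audit_all(buckets)})


if __name__ == "__main__":
    for f in audit_all(SAMPLE_BUCKETS):
        print(f"{f['bucket']:16} {f['source']:4} {f['principal']:22} {f['role']:32} {f['access']}")
```

A public website bucket is a legitimate finding to acknowledge, not a bug in the audit; the value is in the `payroll-exports` lines, where any Google account can write through IAM and anyone at all can read through a forgotten legacy ACL. Enabling uniform bucket-level access removes the ACL path entirely, leaving only the IAM policy to review.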
-
Google Cloud Platform Security Essentials
Encryption on Google Cloud Platform
-
What is encryption?
Process of encoding data, scrambling it and making it unusable to outside parties
Plaintext is 'scrambled' into ciphertext
Paired with an encryption key
Public algorithm (AES), but with a secret key
-
How encryption protects you and your data
In transit – encrypted data is safe from 'snooping' while getting from here to there
At rest – encrypted data cannot be 'unscrambled' without the encryption key
'In transit' and 'at rest' are two key terms
-
Encryption on Google Cloud Platform
Everything is encrypted by default
There is no "non-encrypted" option available
-
Encryption in transit
Encrypted by default
Default and user-customized options available
Default = TLS (Google's BoringSSL implementation, with CA-issued certificates) between users and Google's front ends, and ALTS between services inside Google's infrastructure
Customized = Cloud VPN (IPsec) to your own network, Google-managed SSL certificates on load balancers
-
Encryption at rest
Protects data, even if an attacker gains possession of the storage media
• Cannot be decrypted without the keys
Encryption is inherent in all of Google's storage systems, rather than added on afterwards
Google encrypts data at multiple layers in the process
Data is broken into chunks, each encrypted with its own data encryption key (DEK), and distributed across the datacenter
• The key for each chunk is itself encrypted ("wrapped") by a key encryption key (KEK) held in the Key Management Service, so rotating the KEK only re-wraps the DEKs and never rewrites the stored chunks
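The chunk/DEK/KEK arrangement is called envelope encryption, and the reason it scales is visible only once you see what key rotation has to touch. The following is an added example, not Google's implementation and not from the slide deck: data is split into chunks, each chunk gets a fresh DEK, every DEK is wrapped by the current KEK version of an in-memory `ToyKMS` class that stands in for Cloud KMS, and `rewrap` performs a KEK rotation without touching any chunk ciphertext. To stay runnable with only the Python standard library, the chunk cipher is an encrypt-then-MAC construction built from HMAC-SHA256 (a counter-mode keystream plus a 32-byte tag) standing in for AES-256-GCM; the 16-byte chunk size is deliberately tiny so several chunks appear.

```python
"""Added example (not from the slide deck): envelope encryption with
per-chunk DEKs wrapped by a rotatable KEK. ToyKMS and the HMAC-based
cipher are stand-ins for Cloud KMS and AES-GCM."""
import hashlib
import hmac
import os

CHUNK = 16  # bytes per chunk; real systems use far larger chunks


def _keystream(key, nonce, n):
    """Counter-mode keystream from HMAC-SHA256 (a PRF), n bytes long."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _subkeys(key):
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Verify the tag in constant time before decrypting."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


class ToyKMS:
    """Stand-in for Cloud KMS: versioned KEKs that never leave this object."""

    def __init__(self):
        self.versions = {1: os.urandom(32)}
        self.primary = 1

    def wrap(self, dek):
        return self.primary, seal(self.versions[self.primary], dek)

    def unwrap(self, version, wrapped):
        return unseal(self.versions[version], wrapped)

    def rotate(self):
        self.primary += 1
        self.versions[self.primary] = os.urandom(32)
        return self.primary

    def destroy(self, version):
        del self.versions[version]


def encrypt_object(kms, data):
    """One fresh DEK per chunk, each wrapped by the primary KEK version."""
    chunks = []
    for i in range(0, len(data), CHUNK):
        dek = os.urandom(32)
        version, wrapped = kms.wrap(dek)
        chunks.append({"kek_version": version, "wrapped_dek": wrapped,
                       "ct": seal(dek, data[i:i + CHUNK])})
    return chunks


def decrypt_object(kms, chunks):
    return b"".join(unseal(kms.unwrap(c["kek_version"], c["wrapped_dek"]), c["ct"])
                    for c in chunks)


def rewrap(kms, chunks):
    """KEK rotation: re-wrap every DEK under the primary KEK; ciphertext untouched."""
    for c in chunks:
        dek = kms.unwrap(c["kek_version"], c["wrapped_dek"])
        c["kek_version"], c["wrapped_dek"] = kms.wrap(dek)
    return chunks


if __name__ == "__main__":
    kms = ToyKMS()
    obj = encrypt_object(kms, b"payroll 2020-07: alice 4200, bob 3900")  # constructed data
    kms.rotate()
    rewrap(kms, obj)
    kms.destroy(1)
    print(len(obj), "chunks still readable after rotation:", decrypt_object(kms, obj))
```

After `rotate` and `rewrap`, version 1 of the KEK can be destroyed and the object remains readable, because every DEK is now wrapped by version 2; the chunk ciphertexts are byte-for-byte what they were. Compromise of one DEK exposes one chunk, and compromise of a KEK version exposes only the DEKs wrapped under it.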
-
Encryption at rest options
Google-managed keys
• Default/automatic option, rotated frequently
Customer-managed keys in Cloud Key Management Service (KMS)
• Customer creates the keys in Cloud KMS and controls their rotation; Google's services call KMS to use them
Customer-supplied keys
• Customer keeps the key outside Google (e.g. on-premises) and sends it with each request; Google uses it in memory and does not store it
Automation vs. control
-
Encryption options decision tree
-
Google Cloud Platform Security Essentials
Next Steps
-
Next steps
Thank you for joining us!
Check out our other Google Cloud Platform content
Post thoughts/questions in Community
Rate us!