GCP Security Essentials: Google Cloud Platform Security Essentials
Post on 29-Jan-2021

1 views

Category:

Documents


0 download

TRANSCRIPT

About This Course

Importance of security on GCP
    • Google takes great steps to secure their platform
    • The end user (you) shares responsibility for securing their resources

What we will cover
    • Foundational security and access management concepts of GCP
    • Identity and Access Management
    • Securing network infrastructure (VPCs and firewalls)
    • Securing access to Compute Engine operating systems
    • Securing access to data storage
    • Monitoring and logging your GCP environment with Stackdriver
    • Introduction to custom encryption

Prerequisites
    • Basic familiarity with navigating the GCP console
    • Creating, accessing, and deleting GCE instances

GCP Resource Hierarchy

Top-down Hierarchy

GCP Cloud Resource Hierarchy
    Three layers:
    • Organization – the “root”
    • Projects – the “primary folders”
    • Resources – the “subfolders”
    Hierarchical parent-child relationship

Levels
    Organization – the entire company (@companyname.com):
    • Organization-level roles apply to all layers below – “global”
    Projects – the core organizational component of GCP:
    • Services in the same project have a default level of trust
    • Primary method of access control
    • Create/manage all GCP services
    • Billing, APIs, roles
    Resources – GCP services (Compute Engine, BigQuery, etc.)

Identity and Access Management (IAM)

Why Does this Matter?
    • All organizations need to manage access to resources
    • Prevent unwanted access
    • Security principle of least privilege

What is Cloud IAM?
    • Managing who has what access to which resources
    • WHO = member
    • WHAT ACCESS = roles
    • RESOURCES = GCP resources (instances, projects, Cloud Storage buckets, etc.)
    • Projects = core organizational component for resource isolation

What is a Member (‘who’)?
    • A person, people, or program:
    • Google account – an individual ([email protected])
    • Google group ([email protected])
    • G Suite domain (@mycompany.com)
    • Cloud Identity domain (same as a G Suite domain, without Google services)
    • Service account – program access ([email protected])
    • Every member is represented by an email account
    • Email account = access method

What is a Role (‘what access’)?
    • Role = collection of permissions
    • Permissions = which operations are allowed on a resource
    • Permissions are not assigned directly to a member; instead, permissions are grouped into a role, which is assigned to a member
    • Role scopes:
    • Org/Project level – primitive
    • Resource/granular level – predefined

Primitive and Predefined Roles
    Primitive – the historically available GCP roles from before modern Cloud IAM was implemented
    • Granted to the entire project
    • Owner = full admin access, including IAM management and billing
    • Editor = modify resource states, but no IAM/billing management
    • Viewer = read-only access
    Predefined (or Curated)
    • Granular – applied at the resource level (Compute Engine, Cloud Storage, etc.)
    • Example: Compute Engine Instance Admin
    • Multiple predefined roles can be granted per member

What is a Resource?
    Everything in GCP, including:
    • Projects
    • Compute Engine instances
    • Cloud Storage buckets
    • BigQuery datasets

Cloud IAM Policy
    • Collection of IAM statements (bindings of roles to members)
    • Often used programmatically

Policy Hierarchy
    • Like a file system
    • Parent-child relationship
    • A ‘child’ has exactly one parent
    • Policies are inherited all the way down the chain
    • Parent policy overrules child policy (inheritance is permissive and additive: a child policy cannot remove access granted by a parent)

Putting ALL of it Together – IAM…
    Grants members (who): users, groups, organizations, service accounts
    Various roles (what access): primitive (broad) and predefined (granular)
    In a hierarchical format: parent overrules child
    To GCP resources
    Examples:
    • [email protected] is granted the Owner role on project ‘My First Project’
    • [email protected] is granted the App Engine Service Admin role on App Engine
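To make the policy-hierarchy rules and the later "use groups" best practice concrete, here is a toy resolver (an added example, not course material and not the Cloud IAM API) that walks a constructed organization → project → instance chain and computes a member's effective roles; every resource name, policy and group membership below is constructed.

```python
"""Toy model of Cloud IAM policy inheritance (added example, not the IAM API).
Assumptions: each resource is a string with one parent, a policy is a list of
(role, member) bindings on one resource, and "group:" members are expanded
from a constructed directory. Every name below is constructed."""

# Constructed hierarchy: organization -> project -> instance (one parent each).
PARENT = {
    "organizations/example": None,
    "projects/my-first-project": "organizations/example",
    "projects/my-first-project/instances/web-1": "projects/my-first-project",
}
# Constructed IAM policies, keyed by the resource they are attached to.
POLICIES = {
    "organizations/example": [("roles/viewer", "group:auditors@example.com")],
    "projects/my-first-project": [("roles/owner", "user:alice@example.com")],
    "projects/my-first-project/instances/web-1": [
        ("roles/compute.instanceAdmin", "user:bob@example.com")],
}
# Constructed group directory used to expand "group:" members.
GROUPS = {"group:auditors@example.com": {"user:alice@example.com",
                                         "user:carol@example.com"}}

def ancestry(resource):
    """Yield the resource, then each parent up to the organization root."""
    while resource is not None:
        yield resource
        resource = PARENT[resource]

def effective_roles(member, resource):
    """Union of roles granted to member on the resource or any ancestor.
    Inheritance is additive: a child policy can never remove a role that a
    parent grants, so an org-level binding reaches every instance below it."""
    roles = set()
    for node in ancestry(resource):
        for role, principal in POLICIES.get(node, []):
            if principal == member or member in GROUPS.get(principal, ()):
                roles.add(role)
    return roles

def members_with_role(role, resource):
    """Audit view: every individual holding role on resource, groups expanded."""
    found = set()
    for node in ancestry(resource):
        for bound_role, principal in POLICIES.get(node, []):
            if bound_role == role:
                found |= GROUPS.get(principal, {principal})
    return found
```

Running `effective_roles` for alice on the instance returns both the project-level Owner and the org-level Viewer inherited through her group, which is the inheritance behaviour the best-practices section asks you to understand before granting anything at the organization level.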

IAM Best Practices

Principle of least privilege
    • Use projects to isolate resources
    • Prefer predefined over primitive roles, when possible
    • Grant roles at the smallest scope
    • Compute Instance Admin vs. Compute Engine Admin
    • Grant the Owner role only if the member needs to change IAM policy
    • Otherwise, use Editor
    • Limit project creation with the Project Creator role
    • Limit it to those who are also Billing Account Users

Other best practices
    • Thoroughly understand policy inheritance
    • Use groups when possible
    • Multiple members need the same access to the same projects
    • Control who owns/manages the group
    • Only allow corporate account access
    • No personal Gmail accounts
    • Outsiders can be added via a Cloud Identity account
    Service accounts
    • Restrict service account actor/user access
    • Don’t expose service account keys unnecessarily
    • Don’t delete service accounts that are still in use
    If the same role is needed across multiple projects, grant it at the organization or folder level

Firewall Basics

How Does Networking Work?
    • Computers need to speak a common language to communicate
    • The TCP/IP network protocol suite is that common language
    • TCP/IP is not a single protocol but a suite, or collection, of standardized protocols

TCP/IP Suite

What Are Network Ports?
    • Protocols above layer 4 of the OSI model have a port number assigned
    • Port = ‘channel’
    • 65535 ports available for both the TCP and UDP protocols
    • Examples:
    • HTTP = port 80
    • SSH = port 22
    • Not every protocol has a port number
    • ICMP

Firewalls
    • Gatekeeper of network access
    • Allow/deny based on conditions (protocol and/or port number)
    • Examples:
    • Deny access on port 80 (HTTP)
    • Allow access on port 22 (SSH)

Firewalls on GCP
    • Conditional access based on port/protocol
    • Can allow access to/from some locations, and deny it to others
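The allow/deny-by-port-and-location behaviour described above, as an added example that is not part of the course or of GCP's own code: a toy evaluator for VPC-firewall-style ingress rules. It assumes the documented GCP semantics (ingress denied unless a rule allows it, lowest priority number wins, deny beats allow on a tie); the rule set and addresses are constructed.

```python
"""Toy evaluator for GCP-style VPC firewall rules (added example, not GCP code).
Assumed semantics, mirroring how GCP documents rule evaluation: ingress is
denied unless a rule allows it, the lowest priority number that matches wins,
and at equal priority deny beats allow. The rule set below is constructed."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    action: str                                 # "allow" or "deny"
    protocol: str                               # "tcp", "udp", "icmp"
    ports: set = field(default_factory=set)     # empty = every port
    sources: tuple = ("0.0.0.0/0",)             # source CIDRs (ingress)
    targets: set = field(default_factory=set)   # target tags; empty = all VMs
    priority: int = 1000                        # 0..65535, lower wins

# Constructed rules: SSH only from a corporate range, HTTP only to "web" VMs,
# and an explicit deny of SSH from anywhere else (outranked by the corp allow).
RULES = [
    Rule("allow-ssh-corp", "allow", "tcp", {22}, ("203.0.113.0/24",), priority=900),
    Rule("allow-http-web", "allow", "tcp", {80}, targets={"web"}),
    Rule("deny-ssh-any", "deny", "tcp", {22}),
]

def matches(rule, src_ip, proto, port, tags):
    """True when protocol, port, source address and target tags all hit the rule."""
    if rule.protocol != proto:
        return False
    if rule.ports and port not in rule.ports:   # ICMP has no port: pass None
        return False
    if rule.targets and not (rule.targets & set(tags)):
        return False
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in rule.sources)

def ingress_allowed(src_ip, proto, port, tags=(), rules=RULES):
    """Return (decision, rule_name) for one inbound packet to one instance."""
    best = None
    for rule in rules:
        if not matches(rule, src_ip, proto, port, tags):
            continue
        if (best is None or rule.priority < best.priority
                or (rule.priority == best.priority and rule.action == "deny")):
            best = rule
    if best is None:                       # implied deny-ingress rule
        return ("deny", "implied-deny-ingress")
    return (best.action, best.name)
```

Because each rule is applied per instance (by target tag), the same packet to port 80 is allowed on a "web" VM and hits the implied deny on a "db" VM, which is the point the software-firewall slide later makes about overlaps with the VPC firewall.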

OS Security Best Practices and Acceptable Use

OS Security Best Practices
    • Disable insecure applications (e.g. Telnet)
    • Protect local/custom credentials
    • Linux – custom private SSH keys with a passphrase
    • Do not publish SSH keys
    • Windows – local account username/password
    Windows
    • Disable the guest account
    • Disable print/file sharing

Software firewall
    • A traditional perimeter firewall protects the network from outside threats, but leaves communication within the network open
    • The Google Cloud firewall is applied to each instance, including internal communication
    • Software firewalls are often necessary for third-party compliance audits
    Software firewall best practices:
    • Document the application – beware of overlaps with the VPC firewall
    • Only allow necessary traffic (e.g. port 80 for HTTP access)

Acceptable use and resolution steps
    You agree that your resources will not be used for illegal purposes, such as:
    • Spreading malware
    • DDoS attacks
    Abuse resolution
    • Notification of a violation of the terms of service
    • Submit an appeal (including the steps taken to resolve it)
    • Appeal confirmed/resolved

Securing Cloud Storage

Cloud Storage is the most susceptible to leaked data
    A lapse in cloud storage security can have dire consequences

Cloud storage security is in your control!
    • There is no reason sensitive information should be exposed
    • Exposure incidents are 100% preventable
    • Section objective = avoid accidental exposure

Encryption on Google Cloud Platform

What is encryption?
    • The process of encoding data, scrambling it and making it unusable to outside parties
    • Plaintext is ‘scrambled’ into ciphertext
    • Paired with an encryption key
    • Public algorithm (AES), but with a secret key

How encryption protects you and your data
    In transit – encrypted data is safe from ‘snooping’
    • Getting from here to there
    At rest – encrypted data cannot be ‘unscrambled’ without the encryption key
    ‘In transit’ and ‘at rest’ are the two key terms

Encryption on Google Cloud Platform
    • Everything is encrypted by default
    • There is no “non-encrypted” option available

Encryption in transit
    • Encrypted by default
    • Default and user-customized options available
    • Default = TLS (using BoringSSL), Google-issued certificates from its Certificate Authority, ALTS
    • Customized = VPN (IPsec), managed SSL certificates

Encryption at rest
    • Protects data, even if an attacker gains possession of it
    • Cannot be decrypted without the keys
    • Encryption is inherent in all of Google’s storage systems, rather than added on afterward
    • Google encrypts data at multiple layers in the process
    • Encrypted data is broken into chunks and distributed across the datacenter, each chunk with a unique key
    • The key for each chunk is itself encrypted by another key (Key Management Service)

Encryption at rest options
    Google-managed keys
    • Default/automatic option, rotated frequently
    Customer keys in Cloud Key Management Service (KMS)
    • Customer-provided keys
    • Google-managed storage/rotation
    Customer-supplied and stored keys
    • Keys kept on-premises
    Automation vs. control

Encryption options decision tree

Next Steps

Next steps
    • Thank you for joining us!
    • Check out our other Google Cloud Platform content
    • Post thoughts/questions in Community
    • Rate us!