Article #10 from 2024
During my 2nd year working as a Sovereign Google Cloud Engineer on a major defense company public Cloud, I had the opportunity to use Google Cloud networking technologies and pass the Professional Cloud Security Engineer certification. Google Cloud provides automated encryption, enterprise-grade DDoS protection, and streamlined identity management.
This article provides a comprehensive overview of Google Cloud Security Engineering, read my Architect, Data, and Network articles for more.
Reading Time: 10 minutes
See the Google Cloud article.
Google believes that security empowers innovation and bakes it in its core infrastructure in progressive layers: low-level infrastructure, service deployment, data storage, internet communication, operations. VPC Networks help isolating networks and monitoring as well as logging help knowing what's happening. Security is a shared responsibility where Google is mostly responsible for the lower levels while the customer is mostly responsible for controlling who has access to its data. This can be done with IAM, Service Accounts (SA) and firewall rules.
Data at rest is chunked and encrypted automatically with a Data Encryption Key (DEK) that is itself encrypted by a Key Encryption Key (KEK) that can be Google or customer managed with Cloud EKM. Deleted data remains in Google systems for 180 days. Because one Google DC has a 1300 Tbps bandwidth, it can easily absorb an attack detected by Google Front-End (GFE). For more insights on Google activities, use Access Transparency (AxT) and Access Approval (AA).
Use Cloud Identity (CI) to centrally manage identities with an Identity Provider (IdP) and Google Cloud Directory Sync (GCDS) to (de)provision user accounts from an existing Active Directory (AD). GCDS is a one-way sync from AD/LDAP to Google that runs as a utility in the server env, not in the Cloud. Identity Platform is a Customer Identity and Access Management (CIAM) system that helps adding identity and access management functionality to apps. Authentication best practices are managing permissions with groups to which you assign roles via the admin console, having 2 or 3 Org admins and limiting permissions.
Use Resource Manager to programmatically manage Org, Folder, Project, Resource, Member and Role objects. Identity & Access Management (IAM) roles define what one can do. Service Accounts (SA) control privileges used by resources and require using keys. Workload Identity Federation (WIF) grants apps running outside of Google Cloud access to data without SA keys but by granting external identities IAM roles allowing them to impersonate SA. A policy is a collection of access statements attached to a resource. IAM deny policies let you prevent certain principals from using certain permissions regardless of the roles. Org Policies focus on what, IAM Policies focus on who. Use Policy Intelligence to manage policies and proactively improve security.
A Virtual Private Cloud (VPC) Network is a global, private, isolated virtual network granting connectivity to VMs where rules are denied at network level but connections are (dis)allowed on a per-instance basis. Sessions remain up until 10mn after the last packet has been sent. All VPC Networks have implied firewall rules including allow egress and deny ingress. Minimize exposure to & from the internet (0.0.0.0/0) and prefer SA rules over tag rules. VPC Peering creates connectivity across 2 non-overlapping VPC Networks that don't need to be in the same project nor org where firewall rules and routes remain independently managed.
To securely extend on-prem to Google Cloud, use Cloud VPN (IPsec E2E encrypted tunnel) or Cloud Interconnect (HA low latency physical connection). VPC Service Controls (SC) allow to control the movement of data and to use context-based security perimeter. An Access Policy is an Org-wide container for organizing access levels and service perimeters. VPC Flow Logs records network flows sent from or received by VM. Cloud Intrusion Detection System (IDS) is an intrusion detection service that mirrors network and VMs traffic.
A SA is an identity that a resource such as a VM can use to run API requests on your behalf and that must be associated to roles with IAM. Maintain a consistent Linux user identity across VM instances with OS Login. Shielded VM offers verifiable integrity of GCE VM instances against boot/kernel-level malware/rootkit and secrets exposition. Secure Boot ensures that the software loading at booting is authentic and unmodified by verifying that the firmware has been digitally signed with Google's Certificate Authority Service (CAS). Measured Boot creates a hash and confidential VMs ensure that data and apps stay private and encrypted even while in use. CAS allows the deployment of a private CA in minutes instead of days. Control access to ressources with projects and IAM and isolate machines using multiple networks.
IAM roles grant permissions to Storage bucket but not fine-grained control over individual objects, use Cloud Storage ACLs to do that only. Use Deny Rules to prevent certain principals from using certain permissions regardless of the roles they're granted. Signed URLs allow temporary access to Google Cloud Storage (GCS).
All data stored on Google Cloud is broken into chunks (several GBs) that are encrypted at rest by default with a unique DEK then distributed across Google Cloud's storage infrastructure. DEKs are encrypted with / wrapped by KEKs prior to being stored with their associated chunk of data. When a service accesses an encrypted chunk of data, the storage system pulls the wrapped DEK stored with it and calls Cloud KMS to retrieve the unwrapped DEK and decrypt the data chunk. A Hardware Security Module (HSM) is a physical device that manages digital keys that detects attempts at physical access and modifications of the cryptographic module. Google provides scripts that verify the authenticity of the attestation.
In BigQuery (BQ), permissions are granted at the dataset level and roles can even be assigned individually to certain types of resources within datasets like table, view, column, row. Don't allow buckets to be publicly writable. Use Lifecycle Rules to remove sensitive data that is no longer needed.
Security shouldn't be an afterthought but part of the design process. Use Web Security Scanner (WSS) helps to identify common vulnerabilities (XSS, flash injection, OWASP10) and run scans in a test environment. Identity-Aware Proxy (IAP) enables employees to work from untrusted networks, without using a VPN, over HTTPS with JWT. Secret Manager (SM) can be used to store and access sensitive data (binary or text secrets) with AES-256 encryption.
Containers don't contain a full OS and they execute within a pod. A node is a VM. Kubernetes SA are part of a cluster while Google SA are part of a Google Cloud project. Because they're more powerful, use Google SA only if their extra capabilities are needed. Use Node Auto-upgrade and Security Health Analytics for scanning. For managing secrets with a third-party secrets manager, use HashiCorp Vault. Limit pod container permissions by setting security-related options with Security Context on both pods and containers. Use Binary Authorization (BA) to enforce deploying only trusted containers and Workload Identity to access Google Cloud services from apps running within Google Kubernetes Engine (GKE). Note that GKE has logging and monitoring functions built in and it supports AxT.
A Distributed Denial of Service (DDoS) attack in an attempt to make an online app unavailable by overwhelming it with traffic from multiple sources. While the biggest can have 1 Tbps strength, one Google DC has 1300 Tbps, meaning that Google's scales help it to deliver a higher level of security at lower layers than customers could on their own. To reduce the network attack surface, isolate machines within VPCs, set up firewall rules to block unused ports, use firewall rules to block unwanted source, use firewall tags on SA to control targets, don't give VMs publics IPs unnecessarily but prefer bastion hosts, use internal LB. Cloud Armor is a DDoS and app defense service and, because it is located at the edge of Google's network, attacks are blocked close to their source. Cloud Armor is what to do (action), when to do it (condition), where to apply it (target).
A ransomware threatens to publish and / or block its victims' data unless a ransom is paid, meaning the victim's data is encrypted with a key only known by the attacker. Make regular backups stored in separated isolated repos, use IAM best practices, use Cloud Data Loss Prevention (DLP). Data misuse leads to exposing sensitive content, allowing access to restricted content, inadvertently including unacceptable content. Use Cloud Natural Language (CNL) API to help identifying different categories of content, Vision API to identity inappropriate (adult and violence) content, Video Intelligence API to scan videos, DLP to identify sensitive data.
Security Command Center (SCC) helps discovering, mitigating and preventing attacks by performing ongoing discovery scans with attack path simulation and threat detection. An effective incident response includes monitoring dashboards, alerting mechanisms, plans and tools for responding to issues: Monitoring, Logging, Error Reporting, Trace, Profiler. Admin Activity and System Events audit logs are kept 400 days and Data Access audit logs are kept for 30 days. Cloud Audit Logs records Google Cloud account activity: who did what where and when including Admin Activity (resource modification), System Events (from services), Data Access (calls to user-provided data), Policy Denied (security violation from user or SA).