Security - bobbae/gcp GitHub Wiki

Information Security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks.

The Internet has transformed our lives in many good ways. Unfortunately, the same network and the technologies built on it have also brought a steadily growing number of security threats.

GCP does not rely on any single technology to secure its infrastructure; security is built up in progressive layers that provide defense in depth. Google describes its data center physical security as six layers.

Google Infrastructure security design

https://cloud.google.com/docs/security/infrastructure/design

Building secure and reliable systems

https://www.oreilly.com/library/view/building-secure-and/9781492083115/

Security Command Center

Security Command Center is Google Cloud's centralized vulnerability and threat reporting service.

Chronicle Security Operations

https://cloud.google.com/blog/products/identity-security/introducing-chronicle-security-operations

Software Delivery Shield

https://cloud.google.com/blog/products/devops-sre/introducing-software-delivery-shield-from-google-cloud/

Autonomic Security Operations

https://cloud.google.com/blog/products/identity-security/new-resources-to-advance-your-mic-security-operations-modernization-journey

Mute findings

https://cloud.google.com/blog/products/identity-security/announcing-mute-findings-capability-security-command-center

MITRE ATT&CK mapping

https://cloud.google.com/blog/products/identity-security/announcing-mitre-attck-mappings-released-for-google-cloud-security-capabilities

Cloud and Security

https://cloud.google.com/blog/topics/public-sector/how-public-cloud-reduces-risk-and-keeps-data-more-secure

GCP Infrastructure Security

https://cloud.google.com/security/infrastructure/design

Shared Fate

https://www.forbes.com/sites/googlecloud/2022/04/19/demystifying-shared-fate-a-new-approach-to-understand-cybersecurity/?sh=6a5731f3d6df

Privacy

We need a holistic approach to security and privacy and must protect information through its entire lifecycle, from the moment it's captured to the day it's destroyed.

Google infrastructure security design

The security of the infrastructure is designed in progressive layers

Secure Low-level infrastructure

https://cloud.google.com/docs/security/infrastructure/design#secure-low-level

Security guardrails for cloud developers

https://cloud.google.com/blog/topics/inside-google-cloud/building-security-guardrails-for-developers-with-google-cloud

Application Layer Transport Security (ALTS)

https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security

Secure Service deployment

https://cloud.google.com/docs/security/infrastructure/design#secure-service

Data residency and sovereignty requirements

https://cloud.google.com/architecture/framework/security/data-residency-sovereignty

Secure Data regions

https://support.google.com/a/answer/7630496

VPC Service control

https://cloud.google.com/vpc-service-controls/docs/overview

Service identity, integrity and isolation

https://cloud.google.com/docs/security/infrastructure/design#service_identity_integrity_and_isolation

Autonomic data security

https://cloud.google.com/blog/products/identity-security/clouds-future-points-to-autonomic-data-security

Sandboxed API

https://developers.google.com/code-sandboxing/sandboxed-api

gVisor

https://gvisor.dev/

Confidential Computing

https://cloud.google.com/confidential-computing

https://cloud.google.com/blog/products/identity-security/google-amd-partner-to-build-a-more-secure-future-with-confidential-computing

Secure Data storage

https://cloud.google.com/docs/security/infrastructure/design#secure-data

Encryption at Rest

https://cloud.google.com/docs/security/infrastructure/design#encryption_at_rest

Deletion of data

https://cloud.google.com/docs/security/infrastructure/design#deletion_of_data

Private Google Access

https://cloud.google.com/vpc/docs/private-google-access

Secure Internet communication

https://cloud.google.com/docs/security/infrastructure/design#secure-internet

Google Front End Service (GFE)

https://cloud.google.com/docs/security/infrastructure/design#google_front_end_service

DoS Protection

https://cloud.google.com/docs/security/infrastructure/design#dos_protection

Assured Workloads

https://cloud.google.com/assured-workloads

Assured open source software service

https://cloud.google.com/blog/products/identity-security/introducing-assured-open-source-software-service

User authentication

https://cloud.google.com/docs/security/infrastructure/design#user_authentication

Titan security key

https://cloud.google.com/titan-security-key

FIDO Universal 2nd Factor (U2F)

https://en.wikipedia.org/wiki/Universal_2nd_Factor

Digital Operational Resilience Act (DORA)

https://cloud.google.com/blog/products/identity-security/what-google-cloud-is-doing-to-prepare-for-dora

Secure Operations

https://cloud.google.com/docs/security/infrastructure/design#operational-security

Safe software development

https://cloud.google.com/docs/security/infrastructure/design#safe_software_development

Source control protections and two-party review process

https://cloud.google.com/docs/security/infrastructure/design#secure-service

Vulnerability Rewards Program

https://www.google.com/about/appsecurity/reward-program/

Bug hunters key stats

https://bughunters.google.com/about/key-stats

Project zero

https://googleprojectzero.blogspot.com/

Spectre and Meltdown

https://googleprojectzero.blogspot.com/search?q=spectre

Source code protections

https://cloud.google.com/docs/security/infrastructure/design#source_code_protections

Binary Authorization for Borg (BAB)

https://cloud.google.com/docs/security/binary-authorization-for-borg

Keeping employee devices and credentials safe

https://cloud.google.com/docs/security/infrastructure/design#keeping_employee_devices_and_credentials_safe

BeyondCorp

https://cloud.google.com/beyondcorp

BeyondProd

https://cloud.google.com/docs/security/beyondprod

Reducing insider risk

https://cloud.google.com/docs/security/infrastructure/design#reducing_insider_risk

Threat monitoring

https://cloud.google.com/docs/security/infrastructure/design#threat_monitoring

Threat horizons report

https://cloud.google.com/blog/products/identity-security/coin-mining-ransomware-apts-target-cloud-gcat-report

Google Cloud Threat Intelligence for Chronicle

https://chronicle.security/products/uppercase/

VirusTotal

https://support.virustotal.com/hc/en-us/categories/360000162878-Documentation

Threat Analysis Group

https://blog.google/threat-analysis-group/

Red team

https://en.wikipedia.org/wiki/Red_team

DDoS Attacks

https://cloud.google.com/blog/products/identity-security/identifying-and-protecting-against-the-largest-ddos-attacks

Intrusion detection

https://cloud.google.com/docs/security/infrastructure/design#intrusion_detection

Inter-service access management

https://cloud.google.com/docs/security/infrastructure/design#inter-service_access_management

Encryption of inter-service communication

https://cloud.google.com/docs/security/infrastructure/design#encryption-inter-service

Access management of end-user data in Google Workspace

https://cloud.google.com/docs/security/infrastructure/design#access-management-of-end-user-data-in-google-workspace

IAM

IAM lets you grant granular access to specific Google Cloud resources and helps prevent access to other resources.

https://cloud.google.com/iam/docs/overview

Sensitive Actions

https://cloud.google.com/blog/products/identity-security/announcing-sensitive-actions-to-help-keep-accounts-secure/

Chronicle

https://cloud.google.com/chronicle/docs

Chronicle Context-aware analytics

https://cloud.google.com/chronicle/docs/preview/context-aware-analytics

Context-aware detections, alert prioritization and risk scoring

https://cloud.google.com/blog/products/identity-security/powering-security-operations-google-chronicle

Detect-alert-respond with Context

https://chroniclesec.medium.com/security-analyst-diaries-2-detect-alert-respond-context-is-key-everywhere-in-security-operations-1f7b9be0f7c3

Chronicle SecOps curated detections

https://cloud.google.com/blog/products/identity-security/introducing-curated-detections-in-chronicle-secops-suite

Security issues in cloud computing

https://jisajournal.springeropen.com/articles/10.1186/1869-0238-4-5

Open Source Security Foundation

https://openssf.org/

Allstar

https://github.com/ossf/allstar

Security Foundations Blueprint

The Security Foundations Blueprint presents an opinionated view of Google Cloud security best practices, organized to allow users to adopt or adapt them and then automatically deploy them for their estates on Google Cloud.

There is an example repo showing how the CFT Terraform modules can be composed to build a secure GCP foundation.

https://cloud.google.com/blog/products/devops-sre/using-the-cloud-foundation-toolkit-with-terraform

Risk Manager

Risk Manager is a Google Cloud security diagnostic tool that lets customers measure and manage their risk on Google Cloud and obtain a report on their security posture.

https://cloud.google.com/risk-protection-program

Security Infrastructure Design

Read the overview of how security is designed into Google's technical infrastructure.

https://cloud.google.com/blog/topics/developers-practitioners/foundational-best-practices-securing-your-cloud-deployment

Cryptography

Cryptography is the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents.

Encryption at Rest

Google Cloud encrypts all customer content stored at rest, without any action required from the customer, using one or more encryption mechanisms.

Security as Code

https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/security-as-code-the-best-and-maybe-only-path-to-securing-cloud-applications-and-systems

Security and Identity

Identity-based security is a type of security that focuses on access to digital information or services based on the authenticated identity of an individual.

IDM

An identity-management system is used for enterprise or cross-network identity management.

Roles

A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. To make permissions available to members, including users, groups, and service accounts, you grant roles to the members.

https://cloud.google.com/iam/docs/understanding-roles
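The IAM and Roles descriptions above leave implicit the part that matters when you audit access: a binding granted on an organization or folder is inherited by every project beneath it, and allow policies are a union with no ordering. The toy evaluator below is an added example written for this page (not Google's implementation, not from the wiki); the role-to-permission table is a constructed subset of real predefined roles, and the hierarchy, group memberships and policies are constructed inputs.

```python
"""Added example: a toy evaluator for IAM role bindings.

This is not Google's implementation and is not from the wiki page. It models
three things the text describes: a role bundles permissions, roles are granted
to members (users, groups, service accounts), and a binding on a parent
resource is inherited by everything under it (organization -> folder -> project).
The role-to-permission table (a constructed subset of real predefined roles),
the hierarchy, the group memberships and the policies are all constructed.
"""

# Constructed subset of real predefined roles; assumption: only these
# permissions matter for the example.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/compute.instanceAdmin.v1": {"compute.instances.get",
                                       "compute.instances.delete"},
    "roles/owner": {"storage.objects.get", "storage.objects.list",
                    "compute.instances.get", "compute.instances.delete",
                    "resourcemanager.projects.setIamPolicy"},
}

# Constructed resource hierarchy: child -> parent (the organization is the root).
PARENT = {
    "projects/prod-web": "folders/prod",
    "projects/dev-web": "folders/dev",
    "folders/prod": "organizations/123",
    "folders/dev": "organizations/123",
}

# Constructed group membership and IAM policies (resource -> [(role, member)]).
GROUP_MEMBERS = {"group:sre@example.com": {"user:alice@example.com"}}
POLICIES = {
    "organizations/123": [("roles/storage.objectViewer", "group:sre@example.com")],
    "folders/prod": [("roles/compute.instanceAdmin.v1", "user:bob@example.com")],
    "projects/dev-web": [("roles/owner",
                          "serviceAccount:ci@dev-web.iam.gserviceaccount.com")],
}


def ancestry(resource):
    """Yield the resource itself, then each ancestor up to the organization."""
    while resource:
        yield resource
        resource = PARENT.get(resource)


def principals_for(member):
    """Identities a binding can name that match this member: the member itself,
    any group it belongs to, and the public principals."""
    who = {member, "allUsers", "allAuthenticatedUsers"}
    who |= {g for g, users in GROUP_MEMBERS.items() if member in users}
    return who


def effective_roles(member, resource):
    """Union of roles bound to the member on the resource or any ancestor.
    IAM allow policies are additive: there is no ordering, only a union."""
    who = principals_for(member)
    roles = set()
    for res in ancestry(resource):
        roles |= {role for role, m in POLICIES.get(res, []) if m in who}
    return roles


def has_permission(member, resource, permission):
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in effective_roles(member, resource))


def who_can(permission, resource):
    """Blast-radius view: every concrete member holding the permission on the
    resource, including members that only get it through inheritance."""
    candidates = {m for res in ancestry(resource) for _, m in POLICIES.get(res, [])}
    candidates |= {u for users in GROUP_MEMBERS.values() for u in users}
    return sorted(m for m in candidates if not m.startswith("group:")
                  and has_permission(m, resource, permission))


if __name__ == "__main__":
    # alice has no binding on the project but inherits objectViewer from the org.
    print(has_permission("user:alice@example.com", "projects/prod-web", "storage.objects.get"))
    # bob's folder-level binding does not reach a project in a sibling folder.
    print(has_permission("user:bob@example.com", "projects/dev-web", "compute.instances.delete"))
    print(who_can("resourcemanager.projects.setIamPolicy", "projects/dev-web"))
```

The who_can() view is the one to run before trusting a project-level policy: a principal can hold a permission on a project without appearing anywhere in that project's own policy.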

Service Accounts

A Service Account is a special kind of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as Google Workspace or Cloud Identity users through domain-wide delegation.

Cloud Identity API

Cloud Identity API is an API for provisioning and managing identity resources. It helps you achieve confidentiality, data integrity, availability, non-repudiation and authentication for your data.

Cloud Identity is an Identity as a Service (IDaaS) solution that centrally manages users and groups. You can configure Cloud Identity to federate identities between Google and other identity providers, such as Active Directory and Azure Active Directory.

Access Control

Access Control is a mechanism you can use to define who has access to resources.

IAM

Identity and Access Management lets administrators authorize who can take action on specific resources, giving you full control and visibility.

Identity-Aware Proxy

Identity-Aware Proxy (IAP) lets you establish a central authorization layer for applications accessed over HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls.

https://cloud.google.com/iap/docs/quickstarts

Context-Aware Access

Based on the BeyondCorp security model, Context-Aware Access is an approach that utilizes a variety of Google Cloud offerings to enforce granular access control based on a user's identity and context of the request.

https://cloud.google.com/iap/docs/cloud-iap-context-aware-access-howto

Policy troubleshooting

https://cloud.google.com/blog/products/identity-security/unblock-bce-users-for-easy-zero-trust-access

Identity Platform

Google Identity Platform provides back-end services, SDKs, and UI libraries that make it easier to authenticate users to your apps and services.

Anthos service mesh and role based access to apps and IAP

https://cloud.google.com/blog/topics/developers-practitioners/securing-apps-googlers-using-anthos-service-mesh

Security and empathy

https://cloud.google.com/blog/products/identity-security/how-to-introduce-more-empathy-into-security-operations

Managed Services for Microsoft Active Directory

Managed Service for Microsoft Active Directory is a highly available, hardened Google Cloud service running actual Microsoft AD that enables you to manage your cloud-based AD-dependent workloads, automate AD server maintenance and security configuration, and connect your on-premises AD domain to the cloud.

Resource Manager

The Resource Manager API lets you programmatically manage the container resources (organizations, folders, and projects) that hold your other Google Cloud resources.

Security Key management

Cloud KMS, together with Cloud HSM and Cloud EKM, supports a wide range of compliance mandates that call for specific key management procedures and technologies. You can manage encryption keys via secure hardware.

Access Transparency

Access Transparency provides you with logs that capture the actions Google personnel take when accessing your content. You might be familiar with Cloud Audit Logs, which can help you answer questions about "who did what, where, and when?" in your Google Cloud projects. While Cloud Audit Logs provides these logs about the actions taken by members within your own organization, Access Transparency provides logs of the actions taken by Google personnel.

Binary Authorization

Binary Authorization is a service on Google Cloud Platform (GCP) that provides software supply-chain security when deploying container-based applications.

Cloud Asset Inventory

Cloud Asset Inventory provides inventory services based on a time series database. This database keeps a five-week history of Google Cloud asset metadata.

Cloud Data Loss Prevention

Cloud Data Loss Prevention (DLP) provides access to a powerful sensitive data inspection, classification, and de-identification platform.

Automatic DLP for BigQuery

https://cloud.google.com/blog/products/identity-security/automatic-dlp-for-bigquery

Cloud HSM

Cloud HSM is a cloud-hosted Hardware Security Module (HSM) service that allows you to host encryption keys and perform cryptographic operations in a cluster of FIPS 140-2 Level 3 certified HSMs. Google manages the HSM cluster for you.

Security Command Center

Security Command Center is the canonical security and data risk database for Google Cloud. Security Command Center enables you to understand your security and data attack surface by providing asset inventory, discovery, search, and management.

VPC Service Controls

With VPC Service Controls, administrators can define a security perimeter around resources of Google-managed services to control communication to and between those services.

VPC Service Controls enables you to establish security perimeters around sensitive data in Google Cloud Platform services such as Google Cloud Storage and BigQuery.

Incident Response and Management

The incident response problem space can be divided into three categories: people, process, and data management.

Users have long had access to solid people-management solutions (on-call rotation schedulers, etc.), and Google's SRE book describes the Incident Management at Google (IMAG) process.

Stackdriver Incident Response and Management (IRM) is the GCP tooling built to support this process.

Phishing Protection

Phishing Protection is a phishing countermeasure platform that helps to detect phishing attacks against your users.

The Phishing Protection Submission API also enables you to submit URLs suspected to be unsafe to Safe Browsing.

Any URLs that are confirmed to match the Safe Browsing Policies will be added to the Safe Browsing list, which is used by over three billion devices to show warnings when a user visits a known unsafe web resource. Common sources of these URLs are customer reports or internal phishing detection results.

Security keys resist phishing because the key binds each signature to the domain (origin) of the site that requested it: a credential registered for the real site is never exercised for a look-alike domain, and the private key never leaves the device.
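The origin binding described above, and in the FIDO U2F entry earlier on this page, is enforced by the relying party, not just the key. The code below is an added example (not Google's code, not from the page) of the relying-party checks on a FIDO2/WebAuthn assertion; the RP ID, the origins and all request data are constructed for the example, and the final ECDSA signature check is assumed to be done afterwards by a crypto library.

```python
"""Added example: the origin-binding checks behind a phishing-resistant login.

Not Google's code and not from the page. It shows the relying-party (RP) side
of a FIDO2/WebAuthn assertion, the model U2F introduced: the browser records
the origin it is really on, the authenticator hashes the RP ID it was asked
for, and the key signs over both. The RP rejects anything not bound to its own
domain, so a credential registered at accounts.example.com is useless to a
look-alike site. The ECDSA signature check over
authenticatorData || SHA-256(clientDataJSON) is assumed to run afterwards
with a crypto library and is not repeated here. RP ID, origins and all
request data are constructed for the example.
"""
import base64
import hashlib
import json
import os

RP_ID = "accounts.example.com"                      # assumption: the RP's registrable domain
ALLOWED_ORIGINS = {"https://accounts.example.com"}  # assumption


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def make_authenticator_data(rp_id: str, counter: int, user_present: bool = True) -> bytes:
    """What the authenticator returns: rpIdHash(32) | flags(1) | signCount(4)."""
    flags = 0x01 if user_present else 0x00
    return rp_id_hash(rp_id) + bytes([flags]) + counter.to_bytes(4, "big")


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """What the browser builds (clientDataJSON). The origin field is filled in
    by the browser from the page's actual URL; page script cannot change it."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode("ascii")


def verify_assertion(challenge: bytes, client_data_json: bytes,
                     authenticator_data: bytes, last_counter: int):
    """RP-side checks that precede the signature check. Returns (ok, reason)."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not JSON"
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (replayed or foreign response)"
    if client.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r is not one of ours" % client.get("origin")
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash does not match our RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    counter = int.from_bytes(authenticator_data[33:37], "big")
    if counter != 0 and counter <= last_counter:
        return False, "signature counter did not increase (cloned authenticator?)"
    return True, "ok"


def demo():
    """A legitimate login versus the same key driven from a look-alike domain."""
    challenge = os.urandom(32)
    legit = verify_assertion(challenge,
                             make_client_data(challenge, "https://accounts.example.com"),
                             make_authenticator_data(RP_ID, counter=42), last_counter=41)
    # On accounts-example.com the browser reports that origin and the
    # authenticator hashes that RP ID, so the response cannot pass our checks.
    phish = verify_assertion(challenge,
                             make_client_data(challenge, "https://accounts-example.com"),
                             make_authenticator_data("accounts-example.com", counter=42),
                             last_counter=41)
    return legit, phish


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters in practice: challenge and origin are rejected before any expensive signature work, and the counter check is what catches a cloned authenticator replaying an otherwise valid assertion.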

Cloud KMS

Cloud KMS is a service that lets you manage symmetric and asymmetric cryptographic keys for your cloud services the same way you do on-premises.

reCAPTCHA Enterprise

Google has been defending millions of sites with reCAPTCHA for almost a decade. reCAPTCHA Enterprise is an extension of that effort to help enterprises detect other types of fraudulent activity on their sites, like scraping, credential stuffing, and automated account creation.

https://cloud.google.com/blog/products/identity-security/recaptcha-enterprise-protects-users-and-is-frictionless

https://cloud.google.com/blog/topics/public-sector/humans-or-bots-guidebook-protect-range-digital-fraud

Web Risk

Web Risk is an enterprise security product that lets your client applications check URLs against Google's constantly updated lists of unsafe web resources.

Best practices using Web Risk API to help stop phishing

https://cloud.google.com/blog/products/identity-security/follow-web-risk-apis-best-practices-to-stop-attacks

Compromising GCP security and penetration testing

https://infosecwriteups.com/enumeration-and-lateral-movement-in-gcp-environments-c3b82d342794

Cloud Audit Logs

Cloud Audit Logs helps security, auditing, and compliance entities maintain audit trails in Google Cloud. With Cloud Audit Logs, your enterprise can attain the same level of transparency over administrative activities and accesses to data in Google Cloud as in on-premises environments. Audit logs also help the Google Cloud Support team troubleshoot issues with your account.

https://cloud.google.com/logging/docs/audit

Cloud IDS

Cloud IDS delivers cloud-native, managed, network-based threat detection, built with Palo Alto Networks’ industry-leading threat detection technologies to provide high levels of security efficacy.

https://cloud.google.com/intrusion-detection-system

Network security threat detection - Comparison of analytics methods

https://cloud.google.com/blog/products/networking/when-to-use-5-telemetry-types-in-security-threat-monitoring

Identity and Security

https://cloud.google.com/blog/products/identity-security/how-google-cloud-ids-helps-detect-advanced-network-threats

Leveraging Network Telemetry for Forensics in Google Cloud

https://cloud.google.com/blog/products/networking/open-source-solutions-and-how-tos

Autonomic Security Operations

https://cloud.google.com/blog/products/identity-security/modernizing-soc-introducing-mic-security-operations

https://cloud.google.com/blog/products/identity-security/introducing-mic-security-operations-for-the-us-public-sector

https://cloud.google.com/blog/products/identity-security/achieving-mic-security-operations-reducing-toil

Executive Order 14028

https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

OMB M-21-31

https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf

PKI

GCP Certificate Authority Service implements PKI and private CAs.

OAuth, OpenID Connect, SAML

Federated identity management methods include OAuth 2.0, OpenID Connect and SAML.

Community Security Analytics

https://github.com/GoogleCloudPlatform/security-analytics

Machine Learning for Cybersecurity

Machine learning has been applied to a number of cybersecurity problems.

NTA

In network security, ML underpins a class of tools called Network Traffic Analytics (NTA), which analyse traffic in depth at every layer to detect attacks and anomalies.

Data Governance

Data governance is a principled approach to manage data during its lifecycle — from acquisition, to use, to disposal.

Data De-risk methods

https://medium.com/google-cloud/de-risk-your-data-to-accelerate-your-cloud-journey-part-3-turning-design-into-reality-363fd6c21e41

Cloud Governance

Cloud governance is a set of practices that help ensure users operate in the cloud in ways that they want, that the operations are efficient, and that the user can monitor and correct operations as needed. A cloud governance framework is not a new set of concepts or practices, but the application of existing governance practices to cloud operations.

BigQuery Security

BigQuery Security topics include Column-level security and row-level security.

BGP

The Border Gateway Protocol (BGP) is the protocol used throughout the Internet to exchange routing information between networks. The dynamic nature of the routing protocols means the risks associated must be considered.

The challenge with BGP is that the protocol does not directly include security mechanisms and is based largely on trust between network operators that they will secure their systems correctly and not send incorrect data.

RFC 7454 discusses BGP related Operations and Security issues.

Kubernetes security

Kubernetes Security is important throughout the container lifecycle due to the distributed, dynamic nature of a Kubernetes cluster. Different security approaches are required for each of the three phases of an application lifecycle: build, deploy, and runtime.

CIS hardening support in Container-Optimized OS from Google

https://cloud.google.com/blog/products/infrastructure-modernization/cis-compliance-support-scanning-in-container-optimized-os

IPSec

https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-ipsec-vpn-overview.html

Cryptographic evaluation of IPSec

http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.33.7922

AES Key agility issues

https://www.researchgate.net/publication/2646713_AES_Key_Agility_Issues_in_High-Speed_IPsec_Implementations

Comparison of VPN Protocols

There are many VPN protocols.

https://www.ivpn.net/pptp-vs-ipsec-ikev2-vs-openvpn-vs-wireguard/

IoT Security

https://internetofthingsagenda.techtarget.com/definition/IoT-security-Internet-of-Things-security

Using OAuth 2.0 to Access Google APIs

Google APIs use the OAuth 2.0 protocol for authentication and authorization. Google supports common OAuth 2.0 scenarios such as those for web server, client-side, installed, and limited-input device applications.
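For the installed and client-side scenarios mentioned above the app cannot hold a client secret, so the authorization-code flow is protected with PKCE (RFC 7636). The code below is an added example written for this page, not Google's client library: it generates the verifier, derives the challenge, builds the authorization URL, and performs the token-endpoint check. The authorization endpoint is Google's real one; the client ID and redirect URI are assumptions.

```python
"""Added example: the PKCE leg of the OAuth 2.0 authorization-code flow.

Not Google's client library and not from the page. Installed and client-side
apps cannot keep a client secret, so RFC 7636 has the app keep a random
code_verifier and send only its SHA-256 (the code_challenge) when it opens
the authorization URL; the token endpoint later refuses to redeem the
authorization code unless the presented verifier hashes to that challenge,
so a code stolen from the redirect is useless on its own. The authorization
endpoint is Google's real one; client ID and redirect URI are assumptions.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "123456789-abc.apps.googleusercontent.com"   # assumption
REDIRECT_URI = "http://127.0.0.1:8080/callback"            # assumption: loopback redirect of an installed app


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 section 4.1: 43-128 unreserved characters; 32 random bytes give 43."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(verifier: str, state: str, scope: str = "openid email") -> str:
    """The URL the app opens in the system browser. 'state' ties the redirect
    back to this request (CSRF protection); the verifier never leaves the app."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": "code", "scope": scope, "state": state,
              "code_challenge": code_challenge(verifier), "code_challenge_method": "S256"}
    return AUTH_ENDPOINT + "?" + urlencode(params)


def server_checks_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """What the token endpoint does when the code is redeemed: recompute the
    challenge from the presented verifier and compare in constant time."""
    return secrets.compare_digest(code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = new_code_verifier()
    print(build_authorization_url(verifier, state=secrets.token_urlsafe(16)))
    print(server_checks_verifier(code_challenge(verifier), verifier))
```

The verifier/challenge pair in the test is the RFC 7636 Appendix B vector, so the derivation can be checked against the standard rather than against itself.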

DNS Security

The Domain Name System Security Extensions (DNSSEC) is a feature of the Domain Name System (DNS) that authenticates responses to domain name lookups. DNSSEC does not provide privacy protections for those lookups, but prevents attackers from manipulating or poisoning the responses to DNS requests.

https://cloud.google.com/dns/docs/dnssec
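How DNSSEC stops a poisoned answer from being trusted comes down to the chain of trust: a resolver only accepts a zone's DNSKEY if the signed parent zone publishes a DS record carrying that key's digest. The code below is an added example (not Cloud DNS code, not from the page) of that one link, implementing the RFC 4034 key tag and the RFC 4509 SHA-256 DS digest; the DNSKEY bytes are constructed stand-ins, not a real public key.

```python
"""Added example: one link of the DNSSEC chain of trust.

Not Cloud DNS code and not from the page. A validating resolver accepts a
zone's DNSKEY only if a DS record in the signed parent zone carries that
key's digest. The functions below implement the RFC 4034 key tag and the
RFC 4509 SHA-256 DS digest (over the owner name in wire format followed by
the DNSKEY RDATA) and show that a swapped key no longer matches the parent's
DS. The DNSKEY bytes are constructed stand-ins, not a real public key.
"""
import hashlib
import hmac


def wire_name(name: str) -> bytes:
    """'Example.COM.' -> b'\\x07example\\x03com\\x00' (RFC 1035, canonical lower case)."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                   for lbl in name.rstrip(".").lower().split(".") if lbl)
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit words, fold the carry."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> bytes:
    """RFC 4509 digest type 2: SHA-256(owner name in wire format || DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes) -> dict:
    """The DS RDATA the parent publishes (and signs with its own key)."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest_type": 2,
            "digest": ds_digest_sha256(owner, rdata)}


def dnskey_matches_ds(owner: str, rdata: bytes, ds: dict) -> bool:
    """Resolver side: the DNSKEY served by the child must hash to the parent's DS."""
    return (ds["digest_type"] == 2 and ds["algorithm"] == rdata[3]
            and ds["key_tag"] == key_tag(rdata)
            and hmac.compare_digest(ds_digest_sha256(owner, rdata), ds["digest"]))


KSK_FLAGS = 257                          # Zone Key + Secure Entry Point bits: a key-signing key
ALG_RSASHA256 = 8
CONSTRUCTED_KEY = bytes([1, 2, 3, 4])    # stand-in for real public-key bytes


def demo():
    """The parent's DS accepts the genuine key and rejects a substituted one,
    which is what stops a poisoned DNSKEY answer from being trusted."""
    genuine = dnskey_rdata(KSK_FLAGS, ALG_RSASHA256, CONSTRUCTED_KEY)
    ds = make_ds("example.", genuine)
    swapped = dnskey_rdata(KSK_FLAGS, ALG_RSASHA256, bytes([5, 6, 7, 8]))
    return dnskey_matches_ds("example.", genuine, ds), dnskey_matches_ds("example.", swapped, ds)


if __name__ == "__main__":
    print(demo())
```

The key tag is only a selector (several keys can share one), which is why the digest comparison, not the tag, is the check that carries the trust.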

DNS over TLS

https://developers.google.com/speed/public-dns/docs/dns-over-tls

DNS over HTTPS

https://wikipedia.org/wiki/DNS_over_HTTPS

Cloud Storage Security

https://www.researchgate.net/publication/300003200_Security_Techniques_for_Data_Protection_in_Cloud_Computing

Enhance Security in cloud storage

https://cloud.google.com/blog/products/storage-data-transfer/5-ways-to-enhance-your-cloud-storage-security-and-data-protection

Cloud Storage security issues

https://www.researchgate.net/publication/306071422_A_Study_on_Data_Storage_Security_Issues_in_Cloud_Computing

GDPR

https://gdpr-info.eu/

Credential Types Supporting Various Use Cases

https://cloud.google.com/storage/docs/gsutil/addlhelp/CredentialTypesSupportingVariousUseCases

Examine Google Cloud Platform security vulnerabilities using Cloud Functions

Monitor security threats in IAM and Firewall via Cloud Functions.

https://blog.searce.com/examine-google-cloud-platform-security-vulnerabilities-using-cloud-functions-40f1d96d69a4
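The "monitor IAM and firewall threats" idea above is concrete enough to show as detection logic. The code below is an added example written for this page, not the linked post's code: two rules run over constructed Cloud Audit Log entries (an IAM grant to a public or non-corporate principal, and a firewall rule opening an admin port to the whole Internet). In a Cloud Function the entries would arrive one at a time from a Pub/Sub log sink; scan() takes a list so the example runs offline. The trusted domain and the privileged-role list are assumptions.

```python
"""Added example: detection logic over Cloud Audit Log entries.

Not from the page or the linked post. It is the kind of check a Cloud
Function fed by a logging sink would run. Two rules: an IAM change granting a
role to a public or non-corporate principal (or a privileged role to anyone),
and a firewall rule opening an admin port to 0.0.0.0/0. Entries are
constructed in the shape of Admin Activity audit logs; the trusted domain
and the role list are assumptions.
"""
TRUSTED_DOMAINS = {"example.com"}   # assumption: the organization's identity domains
PRIVILEGED_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}
RISKY_PORTS = {22, 3389}

# Constructed log entries, trimmed to the fields the rules use.
SAMPLE_LOG = [
    {"protoPayload": {
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "resourceName": "projects/prod-web",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/viewer", "member": "allUsers"},
            {"action": "ADD", "role": "roles/owner", "member": "user:mallory@gmail.com"},
            {"action": "ADD", "role": "roles/viewer", "member": "user:bob@example.com"},
            {"action": "REMOVE", "role": "roles/owner", "member": "user:carol@example.com"}]}}}},
    {"protoPayload": {
        "methodName": "v1.compute.firewalls.insert",
        "authenticationInfo": {"principalEmail": "ci@prod-web.iam.gserviceaccount.com"},
        "resourceName": "projects/prod-web/global/firewalls/allow-ssh",
        "request": {"name": "allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
                    "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}}},
    {"protoPayload": {
        "methodName": "v1.compute.firewalls.insert",
        "authenticationInfo": {"principalEmail": "ci@prod-web.iam.gserviceaccount.com"},
        "resourceName": "projects/prod-web/global/firewalls/allow-web",
        "request": {"name": "allow-web", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
                    "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]}}},
]


def finding(severity, rule, payload, detail):
    return {"severity": severity, "rule": rule, "detail": detail,
            "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
            "resource": payload.get("resourceName")}


def member_is_external(member):
    """Public principals, or an identity outside our domains. Service accounts
    (assumption: anything under gserviceaccount.com) count as internal."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return True
    domain = member.partition(":")[2].rpartition("@")[2]
    return (bool(domain) and domain not in TRUSTED_DOMAINS
            and not domain.endswith(".gserviceaccount.com"))


def check_iam(payload):
    out = []
    deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    for d in deltas:
        if d.get("action") != "ADD":          # removals reduce access; not alerted
            continue
        role, member = d.get("role", ""), d.get("member", "")
        external, privileged = member_is_external(member), role in PRIVILEGED_ROLES
        if external or privileged:
            sev = "CRITICAL" if external and privileged else "HIGH" if external else "MEDIUM"
            out.append(finding(sev, "iam-risky-grant", payload, f"{role} granted to {member}"))
    return out


def port_in(spec, port):
    """Firewall port specs are single ports ('22') or ranges ('20-25')."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def check_firewall(payload):
    req = payload.get("request", {})
    if req.get("direction", "INGRESS") != "INGRESS" or "0.0.0.0/0" not in req.get("sourceRanges", []):
        return []
    for rule in req.get("allowed", []):
        ports = rule.get("ports")             # absent means every port of the protocol
        if rule.get("IPProtocol") in ("tcp", "all") and (
                ports is None or any(port_in(s, p) for s in ports for p in RISKY_PORTS)):
            return [finding("HIGH", "fw-admin-port-open-to-internet", payload,
                            f"{req.get('name')} allows {ports or 'all ports'} from 0.0.0.0/0")]
    return []


def scan(entries):
    """Route each entry to the rule for its method name; return all findings."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        if method.endswith("SetIamPolicy"):
            findings.extend(check_iam(payload))
        elif method.endswith(("compute.firewalls.insert", "compute.firewalls.patch")):
            findings.extend(check_firewall(payload))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["rule"], f["actor"], f["resource"], f["detail"])
```

Both rules key on the principal who made the change (authenticationInfo.principalEmail), which is the field an incident responder needs first; the bindingDeltas field is what makes SetIamPolicy events cheap to evaluate, since the function never has to diff two full policies.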

Confidential Computing

Encrypt data in use with Confidential VMs and Confidential GKE Nodes.

https://cloud.google.com/confidential-computing

BYOD

Managed Devices

https://cloud.google.com/identity/docs/concepts/managed-devices

G Suite and BYOD

https://cloud.google.com/blog/products/g-suite/use-byod-safely-in-g-suite-with-these-6-controls-

Endpoint verification

https://cloud.google.com/blog/products/gcp/introducing-endpoint-verification-visibility-into-the-desktops-accessing-your-enterprise-applications

Vulnerability scanning

Vulnerability scanning is an inspection of the potential points of exploit on a computer or network to identify security holes.

https://medium.com/google-cloud/google-cloud-free-vulnerability-scanning-with-security-command-center-beb6f6b71bcf

How to secure anything

https://github.com/veeral-patel/how-to-secure-anything

Google Cybersecurity Action Team Threat Horizons report

https://cloud.google.com/blog/products/identity-security/coin-mining-ransomware-apts-target-cloud-gcat-report

Famous security vulnerabilities

Log4j

https://security.googleblog.com/2021/12/improving-oss-fuzz-and-jazzer-to-catch.html

SolarWinds

https://www.microsoft.com/security/blog/2021/09/02/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability/

Stuxnet

https://en.m.wikipedia.org/wiki/Stuxnet

Shellshock

https://en.m.wikipedia.org/wiki/Shellshock_(software_bug)

Heartbleed

https://heartbleed.com/

DigiNotar

https://en.m.wikipedia.org/wiki/DigiNotar

Joker

https://arstechnica.com/information-technology/2021/12/google-removes-malicious-app-that-infected-500000-google-play-users/

Mirai

https://en.m.wikipedia.org/wiki/Mirai_(malware)

Java "Psychic Paper" ECDSA signature bypass

https://arstechnica.com/information-technology/2022/04/major-crypto-blunder-in-java-enables-psychic-paper-forgeries/

Npm

https://snyk.io/vuln/npm:npm

RAT

https://www.zdnet.com/article/remote-access-trojans-spread-through-microsoft-azure-aws-cloud-service-abuse/

SolarWinds, Microsoft, FireEye, CrowdStrike

https://www.reuters.com/article/us-cyber-solarwinds/solarwinds-microsoft-fireeye-crowdstrike-defend-actions-in-major-hack-u-s-senate-hearing-idUSKBN2AN1Q4

Kaspersky

https://www.reuters.com/technology/germany-issues-hacking-warning-users-russian-anti-virus-software-kaspersky-2022-03-15/

Active Directory

https://adsecurity.org

VPN

https://www.wired.com/story/vpn-hacks-pulse-secure-espionage/

IPSec

https://en.wikipedia.org/wiki/IPsec

https://threatpost.com/researchers-break-ipsec-vpn-connections-with-20-year-old-protocol-flaw/135070/

TLS

https://en.wikipedia.org/wiki/Transport_Layer_Security

Transport Layer Security (TLS), the successor of the now-deprecated Secure Sockets Layer (SSL), is a cryptographic protocol designed to provide communications security over a computer network.

PSP

https://cloud.google.com/blog/products/identity-security/announcing-psp-security-protocol-is-now-open-source

NSA Shadow brokers

https://cyberlaw.ccdcoe.org/wiki/The_Shadow_Brokers_publishing_the_NSA_vulnerabilities_(2016)

WannaCry

https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

Kubernetes clusters exposed

https://www.bleepingcomputer.com/news/security/over-900-000-kubernetes-instances-found-exposed-online/

IoT

https://www.bankinfosecurity.com/blogs/attackers-iot-paradise-billions-insecure-devices-p-2922

https://internetofbusiness.com/why-you-should-worry-about-unsecured-cameras/

https://www.soracom.io/blog/unsecured-devices-highlight-the-need-for-advanced-iot-security/

Web Attacks, CORS, CSRF, XSS, etc.

https://cloud.google.com/blog/topics/developers-practitioners/follow-pink-pony-story-csrf-managed-services-and-unicorns

https://dev.to/maleta/cors-xss-and-csrf-with-examples-in-10-minutes-35k3

https://medium.com/@zhaojunemail/sop-cors-csrf-and-xss-simply-explained-with-examples-af6119156726

https://blog.vnaik.com/posts/web-attacks.html

https://portswigger.net/web-security/all-materials/detailed

Security trends

https://cloud.google.com/blog/products/identity-security/four-security-trends-for-2022-and-what-to-do-about-them

Qwiklabs

Security & Identity Fundamentals

Getting Started with Cloud KMS

Ensure Access & Identity in Google Cloud