Security - bobbae/gcp GitHub Wiki
Information Security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks.
The Internet has transformed our lives in many good ways. Unfortunately, this vast network and its associated technologies have also brought with them a growing number of security threats.
GCP doesn't rely on any single technology to make its infrastructure secure. GCP delivers security through progressive layers that provide true defense in depth. Google data center physical security is organized into six layers.
Google Infrastructure security design
https://cloud.google.com/docs/security/infrastructure/design
Building secure and reliable systems
https://www.oreilly.com/library/view/building-secure-and/9781492083115/
Security Command Center
Security Command Center is Google Cloud's centralized vulnerability and threat reporting service.
Chronicle Security Operations
https://cloud.google.com/blog/products/identity-security/introducing-chronicle-security-operations
Software Delivery Shield
Autonomic Security Operations
Mute findings
MITRE ATT&CK mapping
Cloud and Security
https://portswigger.net/web-security/all-materials/detailed
GCP Infrastructure Security
https://cloud.google.com/security/infrastructure/design
Shared Fate
Privacy
We need a holistic approach to security and privacy and must protect information through its entire lifecycle, from the moment it's captured to the day it's destroyed.
Google infrastructure security design
The security of the infrastructure is designed in progressive layers
Secure Low-level infrastructure
https://cloud.google.com/docs/security/infrastructure/design#secure-low-level
Security guardrails for cloud developers
Application Layer Transport Security (ALTS)
https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security
Secure Service deployment
https://cloud.google.com/docs/security/infrastructure/design#secure-service
Data residency and sovereignty requirements
https://cloud.google.com/architecture/framework/security/data-residency-sovereignty
Secure Data regions
https://support.google.com/a/answer/7630496
VPC Service Controls
https://cloud.google.com/vpc-service-controls/docs/overview
Service identity, integrity and isolation
Autonomic data security
Secure Sandboxed API
https://developers.google.com/code-sandboxing/sandboxed-api
gVisor
Confidential Computing
https://cloud.google.com/confidential-computing
Secure Data storage
https://cloud.google.com/docs/security/infrastructure/design#secure-data
Encryption at Rest
https://cloud.google.com/docs/security/infrastructure/design#encryption_at_rest
Deletion of data
https://cloud.google.com/docs/security/infrastructure/design#deletion_of_data
Private Google Access
https://cloud.google.com/vpc/docs/private-google-access
Secure Internet communication
https://cloud.google.com/docs/security/infrastructure/design#secure-internet
Google Front End Service (GFE)
https://cloud.google.com/docs/security/infrastructure/design#google_front_end_service
DoS Protection
https://cloud.google.com/docs/security/infrastructure/design#dos_protection
Assured Workloads
https://cloud.google.com/assured-workloads
Assured open source software service
User authentication
https://cloud.google.com/docs/security/infrastructure/design#user_authentication
Titan security key
https://cloud.google.com/titan-security-key
FIDO Universal 2nd Factor (U2F)
https://en.wikipedia.org/wiki/Universal_2nd_Factor
Digital Operational Resilience Act (DORA)
Secure Operations
https://cloud.google.com/docs/security/infrastructure/design#operational-security
Safe software development
https://cloud.google.com/docs/security/infrastructure/design#safe_software_development
Source control protections and two-party review process
https://cloud.google.com/docs/security/infrastructure/design#secure-service
Vulnerability Rewards Program
https://www.google.com/about/appsecurity/reward-program/
Bug hunters key stats
https://bughunters.google.com/about/key-stats
Project zero
https://googleprojectzero.blogspot.com/
Spectre and Meltdown
https://googleprojectzero.blogspot.com/search?q=spectre
Source code protections
https://cloud.google.com/docs/security/infrastructure/design#source_code_protections
Binary Authorization for Borg (BAB)
https://cloud.google.com/docs/security/binary-authorization-for-borg
Keeping employee devices and credentials safe
BeyondCorp
https://cloud.google.com/beyondcorp
BeyondProd
https://cloud.google.com/docs/security/beyondprod
Reducing insider risk
https://cloud.google.com/docs/security/infrastructure/design#reducing_insider_risk
Threat monitoring
https://cloud.google.com/docs/security/infrastructure/design#threat_monitoring
Threat horizons report
Google Cloud Threat Intelligence for Chronicle
https://chronicle.security/products/uppercase/
Virus Total
https://support.virustotal.com/hc/en-us/categories/360000162878-Documentation
Threat Analysis Group
https://blog.google/threat-analysis-group/
Red team
https://en.wikipedia.org/wiki/Red_team
DDoS Attacks
Intrusion detection
https://cloud.google.com/docs/security/infrastructure/design#intrusion_detection
inter-service access management
https://cloud.google.com/docs/security/infrastructure/design#inter-service_access_management
Encryption of inter-service communication
https://cloud.google.com/docs/security/infrastructure/design#encryption-inter-service
Access management of end-user data in Google Workspace
IAM
IAM lets you grant granular access to specific Google Cloud resources and helps prevent access to other resources.
https://cloud.google.com/iam/docs/overview
Sensitive Actions
Chronicle
https://cloud.google.com/chronicle/docs
Chronicle Context-aware analytics
https://cloud.google.com/chronicle/docs/preview/context-aware-analytics
Context-aware detections, alert prioritization and risk scoring
Detect-alert-respond with Context
Chronicle secops curated detections
Security issues in cloud computing
https://jisajournal.springeropen.com/articles/10.1186/1869-0238-4-5
Open Source Security Foundation
Allstar
https://github.com/ossf/allstar
Security Foundations Blueprint
The Security Foundations Blueprint presents an opinionated view of Google Cloud security best practices, organized to allow users to adopt or adapt them and then automatically deploy them for their estates on Google Cloud.
There is an example repo showing how the CFT Terraform modules can be composed to build a secure GCP foundation.
https://cloud.google.com/blog/products/devops-sre/using-the-cloud-foundation-toolkit-with-terraform
Risk Manager
Risk Manager is a Google Cloud security diagnostic tool that enables customers to measure and manage their risk on Google Cloud and obtain a report on their security posture.
https://cloud.google.com/risk-protection-program
Security Infrastructure Design
Read the overview of how security is designed into Google's technical infrastructure.
Cryptography
Cryptography is the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents.
Encryption at Rest
Google Cloud encrypts all customer content stored at rest, without any action required from the customer, using one or more encryption mechanisms.
Security as Code
Security and Identity
Identity-based security is a type of security that focuses on access to digital information or services based on the authenticated identity of an individual.
IDM
An identity-management (IdM) system provisions and manages identities for an enterprise or across networks.
Roles
A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. To make permissions available to members, including users, groups, and service accounts, you grant roles to the members.
https://cloud.google.com/iam/docs/understanding-roles
Service Accounts
A Service Account is a special kind of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as Google Workspace or Cloud Identity users through domain-wide delegation.
Cloud Identity API
Cloud Identity API is an API for provisioning and managing identity resources. It helps you achieve confidentiality, data integrity, availability, non-repudiation and authentication of your data.
Cloud Identity is an Identity as a Service (IDaaS) solution that centrally manages users and groups. You can configure Cloud Identity to federate identities between Google and other identity providers, such as Active Directory and Azure Active Directory.
Access Control
Access Control is a mechanism you can use to define who has access to resources.
IAM
Identity and Access Management lets administrators authorize who can take action on specific resources, giving you full control and visibility.
Identity-Aware Proxy
Identity-Aware Proxy (IAP) lets you establish a central authorization layer for applications accessed by HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls.
https://cloud.google.com/iap/docs/quickstarts
Context-Aware Access
Based on the BeyondCorp security model, Context-Aware Access is an approach that utilizes a variety of Google Cloud offerings to enforce granular access control based on a user's identity and context of the request.
https://cloud.google.com/iap/docs/cloud-iap-context-aware-access-howto
Policy troubleshooting
Identity Platform
Google Identity Platform provides back-end services, SDKs, and UI libraries that make it easier to authenticate users to your apps and services.
Anthos service mesh and role based access to apps and IAP
Security and empathy
Managed Services for Microsoft Active Directory
Managed Service for Microsoft Active Directory is a highly available, hardened Google Cloud service running actual Microsoft AD that enables you to manage your cloud-based AD-dependent workloads, automate AD server maintenance and security configuration, and connect your on-premises AD domain to the cloud.
Resource Manager
The Resource Manager API enables you to programmatically manage the container resources (organizations, folders, and projects) that hold other Google Cloud resources.
Security Key management
Cloud KMS, together with Cloud HSM and Cloud EKM, supports a wide range of compliance mandates that call for specific key management procedures and technologies. You can manage encryption keys via secure hardware.
Access Transparency
Access Transparency provides you with logs that capture the actions Google personnel take when accessing your content. You might be familiar with Cloud Audit Logs, which can help you answer questions about "who did what, where, and when?" in your Google Cloud projects. While Cloud Audit Logs provides these logs about the actions taken by members within your own organization, Access Transparency provides logs of the actions taken by Google personnel.
Binary Authorization
Binary Authorization is a service on Google Cloud Platform (GCP) that provides software supply-chain security when deploying container-based applications.
Cloud Asset Inventory
Cloud Asset Inventory provides inventory services based on a time series database. This database keeps a five-week history of Google Cloud asset metadata.
Cloud Data Loss Prevention
Cloud Data Loss Prevention (DLP) provides access to a powerful sensitive data inspection, classification, and de-identification platform.
Automatic DLP for BigQuery
https://cloud.google.com/blog/products/identity-security/automatic-dlp-for-bigquery
Cloud HSM
Cloud HSM is a cloud-hosted Hardware Security Module (HSM) service that allows you to host encryption keys and perform cryptographic operations in a cluster of FIPS 140-2 Level 3 certified HSMs. Google manages the HSM cluster for you.
Security Command Center
Security Command Center is the canonical security and data risk database for Google Cloud. Security Command Center enables you to understand your security and data attack surface by providing asset inventory, discovery, search, and management.
VPC Service Controls
With VPC Service Controls, administrators can define a security perimeter around resources of Google-managed services to control communication to and between those services.
VPC Service Controls enables you to establish security perimeters around sensitive data in Google Cloud Platform services such as Google Cloud Storage and BigQuery.
Incident Response and Management
The incident response problem space can be divided into three categories: people, process, and data management.
Users have long had access to solid people-management solutions (on-call rotation schedulers, etc.) and Google’s SRE book outlines their Incident Management at Google (IMAG) process.
Stackdriver Incident Response and Management (IRM) is the GCP offering that supports this process.
Phishing Protection
Phishing Protection is a phishing countermeasure platform that helps to detect phishing attacks against your users.
The Phishing Protection Submission API also enables you to submit URLs suspected to be unsafe to Safe Browsing.
Any URLs that are confirmed to match the Safe Browsing Policies will be added to the Safe Browsing list, which is used by over three billion devices to show warnings when a user visits a known unsafe web resource. Common sources of these URLs are customer reports or internal phishing detection results.
Security keys resist phishing because each credential is bound to the origin (domain) it was registered for: the browser reports the real origin, the key only signs for that domain, and the private key never leaves the device, so a credential enrolled at the legitimate site cannot be exercised from a lookalike domain.
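The origin binding described above, as an added example that is not code from the wiki, from Google or from any FIDO library: a simulated security key and browser in Go. Credentials are scoped to a relying-party ID (the domain), the browser derives that ID from the origin the page was really loaded from, the signature covers the rpId hash together with the client data, and the relying party checks origin, rpId hash, challenge and signature. The domains accounts.example.com and the lookalike accounts-example.com are constructed; the message layout follows the WebAuthn shape (U2F's appId hash plays the same role as the rpId hash) but is simplified.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// authenticator stands in for a security key: one key pair per relying-party
// ID (the domain a credential was registered for). Private keys never leave it.
type authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func newAuthenticator() *authenticator {
	return &authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// register creates a credential scoped to rpID and returns the public key the
// relying party stores for that user.
func (a *authenticator) register(rpID string) (*ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = k
	return &k.PublicKey, nil
}

// assertion is what the relying party receives back through the browser.
type assertion struct {
	RPIDHash   [32]byte // SHA-256(rpID), as at the front of WebAuthn authenticatorData
	ClientData []byte   // JSON carrying the challenge and the origin the browser was on
	Signature  []byte   // ECDSA over SHA-256(RPIDHash || SHA-256(ClientData))
}

func signedDigest(rpHash [32]byte, clientData []byte) []byte {
	cd := sha256.Sum256(clientData)
	d := sha256.Sum256(append(rpHash[:], cd[:]...))
	return d[:]
}

// browserSign models browser plus key: the browser derives rpID from the origin
// it is really on (page script cannot change it); the key signs only for an rpID it holds.
func (a *authenticator) browserSign(origin, challenge string) (*assertion, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return nil, err
	}
	rpID := u.Hostname()
	key, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	clientData, err := json.Marshal(map[string]string{
		"type": "webauthn.get", "challenge": challenge, "origin": origin})
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(rpHash, clientData))
	if err != nil {
		return nil, err
	}
	return &assertion{RPIDHash: rpHash, ClientData: clientData, Signature: sig}, nil
}

// verify is the relying-party side: it insists on its own origin and rpID, the
// challenge it issued, and a signature from the key registered at enrollment.
func verify(pub *ecdsa.PublicKey, origin, rpID, challenge string, as *assertion) error {
	var cd struct{ Type, Challenge, Origin string }
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("wrong type or challenge (replay?)")
	}
	if cd.Origin != origin {
		return fmt.Errorf("assertion made for origin %q, not %q", cd.Origin, origin)
	}
	if as.RPIDHash != sha256.Sum256([]byte(rpID)) {
		return errors.New("rpIdHash is not this relying party's")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(as.RPIDHash, as.ClientData), as.Signature) {
		return errors.New("signature does not verify under the registered key")
	}
	return nil
}

func main() {
	a := newAuthenticator()
	pub, _ := a.register("accounts.example.com") // constructed relying party
	as, _ := a.browserSign("https://accounts.example.com", "nonce-1")
	fmt.Println(verify(pub, "https://accounts.example.com", "accounts.example.com", "nonce-1", as))
	fmt.Println(a.browserSign("https://accounts-example.com", "nonce-2")) // lookalike: no credential
}
```

Two failure modes are worth trying against verify: an assertion replayed under a fresh challenge fails the challenge check, and an assertion produced for the lookalike domain (even if the user was tricked into enrolling a key there) fails the origin and rpIdHash checks before the signature is even examined.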
Cloud KMS
Cloud KMS is a service that lets you manage symmetric and asymmetric cryptographic keys for your cloud services the same way you do on-premises.
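Both Encryption at Rest and Cloud KMS above rest on envelope encryption: each object is encrypted under its own data-encryption key (DEK), and the DEK is stored wrapped under a key-encryption key (KEK) that lives in the key-management service. The following Go program is an added example (not Google's code; the in-memory kek type is a stand-in for a Cloud KMS key, not its API) showing why the layout matters: rotating or destroying the KEK touches only the wrapped DEK, never the bulk ciphertext, and binding the object name as associated data stops a wrapped key or ciphertext from being transplanted onto another object. The object name and payload are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// newKey returns 32 random bytes (AES-256) and an AES-GCM instance over them.
func newKey() ([]byte, cipher.AEAD, error) {
	raw := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, raw); err != nil {
		return nil, nil, err
	}
	aead, err := gcm(raw)
	return raw, aead, err
}

// kek stands in for a key-encryption key held in Cloud KMS: callers never see
// its bytes, they only ask the service to wrap and unwrap data-encryption keys.
type kek struct{ aead cipher.AEAD }

func newKEK() (*kek, error) {
	_, aead, err := newKey()
	return &kek{aead: aead}, err
}

// seal returns nonce || AES-GCM ciphertext. aad (here the object name) is
// authenticated but not encrypted, so the output only opens for that object.
func seal(aead cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func open(aead cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], aad)
}

// envelope is what is stored with the object; the plaintext DEK is never written.
type envelope struct{ WrappedDEK, Ciphertext []byte }

// encryptObject: a fresh DEK per object, data under the DEK, DEK under the KEK.
func encryptObject(k *kek, name string, plaintext []byte) (*envelope, error) {
	dek, dekAEAD, err := newKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dekAEAD, plaintext, []byte(name))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(k.aead, dek, []byte(name)) // the DEK travels only wrapped
	if err != nil {
		return nil, err
	}
	return &envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func decryptObject(k *kek, name string, env *envelope) ([]byte, error) {
	dek, err := open(k.aead, env.WrappedDEK, []byte(name)) // fails after KEK rotation or under another name
	if err != nil {
		return nil, err
	}
	dekAEAD, err := gcm(dek)
	if err != nil {
		return nil, err
	}
	return open(dekAEAD, env.Ciphertext, []byte(name))
}

// rotateKEK re-wraps only the DEK: the bulk ciphertext is untouched, which is
// why KEK rotation is cheap and why destroying a KEK makes the data unreadable.
func rotateKEK(oldK, newK *kek, name string, env *envelope) error {
	dek, err := open(oldK.aead, env.WrappedDEK, []byte(name))
	if err != nil {
		return err
	}
	env.WrappedDEK, err = seal(newK.aead, dek, []byte(name))
	return err
}

func main() {
	k, _ := newKEK()
	env, _ := encryptObject(k, "bucket/report.csv", []byte("constructed payload"))
	fmt.Println(decryptObject(k, "bucket/report.csv", env))
}
```

After rotateKEK the old KEK can no longer unwrap the DEK while the ciphertext bytes are byte-for-byte unchanged; this is the property that lets a key-management service rotate keys on a schedule, and crypto-shred data by destroying a key, without rewriting the stored objects.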
reCAPTCHA Enterprise
Google has been defending millions of sites with reCAPTCHA for almost a decade. reCAPTCHA Enterprise is an extension of that effort to help enterprises detect other types of fraudulent activity on their sites, like scraping, credential stuffing, and automated account creation.
Web Risk
Web Risk is a new enterprise security product that lets your client applications check URLs against Google's constantly updated lists of unsafe web resources.
Best practices using Web Risk API to help stop phishing
Compromising GCP security and penetration testing
https://infosecwriteups.com/enumeration-and-lateral-movement-in-gcp-environments-c3b82d342794
Cloud Audit Logs
Cloud Audit Logs helps security, auditing, and compliance entities maintain audit trails in Google Cloud. With Cloud Audit Logs, your enterprise can attain the same level of transparency over administrative activities and accesses to data in Google Cloud as in on-premises environments. Audit logs also help the Google Cloud Support team troubleshoot issues with your account.
https://cloud.google.com/logging/docs/audit
Cloud IDS
Cloud IDS delivers cloud-native, managed, network-based threat detection, built with Palo Alto Networks’ industry-leading threat detection technologies to provide high levels of security efficacy.
https://cloud.google.com/intrusion-detection-system
Network security threat detection - Comparison of analytics methods
Identity and Security
Leveraging Network Telemetry for Forensics in Google Cloud
https://cloud.google.com/blog/products/networking/open-source-solutions-and-how-tos
Autonomic Security Operations
Executive Order 14028
OMB M-21-31
PKI
GCP Certificate Authority Service implements PKI and private CAs.
OAuth, OpenID Connect, SAML
Federated Identity Management methods include OAuth, OpenID and SAML.
Community Security Analytics
https://github.com/GoogleCloudPlatform/security-analytics
Machine Learning for Cybersecurity
Machine learning has been applied to a range of cybersecurity problems.
NTA
Applying ML to network security has produced a class of solutions called Network Traffic Analytics (NTA), aimed at in-depth analysis of all the traffic at each layer in order to detect attacks and anomalies.
Data Governance
Data governance is a principled approach to manage data during its lifecycle — from acquisition, to use, to disposal.
Data De-risk methods
Cloud Governance
Cloud governance is a set of practices that help ensure users operate in the cloud in ways that they want, that the operations are efficient, and that the user can monitor and correct operations as needed. A cloud governance framework is not a new set of concepts or practices, but the application of existing governance practices to cloud operations.
BigQuery Security
BigQuery Security topics include Column-level security and row-level security.
BGP
The Border Gateway Protocol (BGP) is the protocol used throughout the Internet to exchange routing information between networks. The dynamic nature of the routing protocols means the risks associated must be considered.
The challenge with BGP is that the protocol does not directly include security mechanisms and is based largely on trust between network operators that they will secure their systems correctly and not send incorrect data.
RFC 7454 discusses BGP related Operations and Security issues.
Kubernetes security
Kubernetes Security is important throughout the container lifecycle due to the distributed, dynamic nature of a Kubernetes cluster. Different security approaches are required for each of the three phases of an application lifecycle: build, deploy, and runtime.
CIS hardening support in Container-Optimized OS from Google
IPSec
Cryptographic evaluation of IPSec
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.33.7922
AES Key agility issues
Comparison of VPN Protocols
There are many VPN protocols; the comparison below covers PPTP, IPsec/IKEv2, OpenVPN and WireGuard.
https://www.ivpn.net/pptp-vs-ipsec-ikev2-vs-openvpn-vs-wireguard/
IoT Security
https://internetofthingsagenda.techtarget.com/definition/IoT-security-Internet-of-Things-security
Using OAuth 2.0 to Access Google APIs
Google APIs use the OAuth 2.0 protocol for authentication and authorization. Google supports common OAuth 2.0 scenarios such as those for web server, client-side, installed, and limited-input device applications.
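As an added example that is not code from Google's OAuth libraries: the authorization-code flow with PKCE (RFC 7636), which the installed-app scenario relies on because such apps cannot keep a client secret and an authorization code can be intercepted on its way back through a custom-scheme redirect. Both sides are modeled in Go in one process so it runs offline: the client makes a code_verifier and its S256 code_challenge, the in-memory authServer binds the challenge to the code it issues and, at the token endpoint, refuses the code unless the matching verifier is presented, refuses the "plain" method, and refuses reuse. The redirect URI, endpoint modeling and token format are constructed placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// ---- client side: an installed app that cannot keep a client secret ----

// newCodeVerifier returns 32 random bytes base64url-encoded (43 chars; RFC 7636
// allows 43..128). The client keeps it private until the token request.
func newCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// codeChallengeS256 is sent with the authorization request; it reveals
// nothing about the verifier to anyone who sees that request or the code.
func codeChallengeS256(verifier string) string {
	h := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// ---- authorization server side (in-memory stand-in, so this runs offline) ----

type pendingGrant struct{ challenge, redirectURI string }

type authServer struct{ codes map[string]pendingGrant }

func newAuthServer() *authServer { return &authServer{codes: map[string]pendingGrant{}} }

// authorize is the authorization endpoint after the user has consented: it
// issues a code and records the challenge that code is bound to.
func (s *authServer) authorize(codeChallenge, method, redirectURI string) (string, error) {
	if method != "S256" {
		return "", errors.New("only S256 is accepted") // "plain" exposes the verifier itself
	}
	if len(codeChallenge) != 43 {
		return "", errors.New("malformed code_challenge")
	}
	code, err := newCodeVerifier() // any unguessable string serves as a code
	if err != nil {
		return "", err
	}
	s.codes[code] = pendingGrant{challenge: codeChallenge, redirectURI: redirectURI}
	return code, nil
}

// token is the token endpoint: the caller must present the verifier whose S256
// hash was bound to the code. A code is consumed on first use, valid or not.
func (s *authServer) token(code, codeVerifier, redirectURI string) (string, error) {
	g, ok := s.codes[code]
	delete(s.codes, code)
	if !ok {
		return "", errors.New("unknown, expired or already used code")
	}
	if g.redirectURI != redirectURI {
		return "", errors.New("redirect_uri mismatch")
	}
	if n := len(codeVerifier); n < 43 || n > 128 {
		return "", errors.New("code_verifier length out of range")
	}
	got := codeChallengeS256(codeVerifier)
	if subtle.ConstantTimeCompare([]byte(got), []byte(g.challenge)) != 1 {
		return "", errors.New("code_verifier does not match code_challenge")
	}
	return "access-token-" + code[:8], nil // placeholder, not a real token format
}

func main() {
	srv := newAuthServer()
	redirect := "com.example.app:/oauth2redirect" // constructed custom-scheme redirect URI
	v, _ := newCodeVerifier()
	code, _ := srv.authorize(codeChallengeS256(v), "S256", redirect)
	fmt.Println(srv.token(code, v, redirect)) // the real client holds v
	v2, _ := newCodeVerifier()
	code2, _ := srv.authorize(codeChallengeS256(v2), "S256", redirect)
	guess, _ := newCodeVerifier() // an interceptor saw code2 on the redirect but not v2
	fmt.Println(srv.token(code2, guess, redirect))
}
```

The second token call in main is the attack PKCE exists for: a malicious app registered for the same custom scheme receives the authorization code but, lacking the verifier, cannot redeem it.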
DNS Security
The Domain Name System Security Extensions (DNSSEC) is a feature of the Domain Name System (DNS) that authenticates responses to domain name lookups. DNSSEC does not provide privacy protections for those lookups, but prevents attackers from manipulating or poisoning the responses to DNS requests.
https://cloud.google.com/dns/docs/dnssec
DNS over TLS
https://developers.google.com/speed/public-dns/docs/dns-over-tls
DNS over HTTPS
https://wikipedia.org/wiki/DNS_over_HTTPS
Cloud Storage Security
Enhance Security in cloud storage
Cloud Storage security issues
GDPR
Credential Types Supporting Various Use Cases
https://cloud.google.com/storage/docs/gsutil/addlhelp/CredentialTypesSupportingVariousUseCases
Examine Google Cloud Platform security vulnerabilities using Cloud Functions
Monitor security threats in IAM and Firewall via Cloud Functions.
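As an added example (not code from the wiki or from Google), the following Go program applies the kind of checks such a Cloud Function would run over Cloud Audit Log entries delivered through a log sink: an IAM policy change that grants a role to allUsers or allAuthenticatedUsers or hands out a basic role (roles/owner, roles/editor), and a VPC firewall rule that opens SSH or RDP to 0.0.0.0/0. The log lines are constructed for the example and trimmed to the protoPayload fields the checks read (methodName, serviceData.policyDelta.bindingDeltas, request.sourceRanges and request.alloweds); the severities and the port list are choices made for this example, not a Google classification.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Subset of a Cloud Audit Log LogEntry; encoding/json matches names case-insensitively.
type auditEntry struct {
	ProtoPayload struct {
		MethodName, ResourceName string
		AuthenticationInfo       struct{ PrincipalEmail string }
		ServiceData              struct {
			PolicyDelta struct{ BindingDeltas []struct{ Action, Role, Member string } }
		}
		Request struct {
			Name, Direction string
			SourceRanges    []string
			Alloweds        []struct {
				IPProtocol string
				Ports      []string
			}
		}
	}
}

// portsCover reports whether a ports list ("22", "20-1024"; empty means all) includes p.
func portsCover(ports []string, p int) bool {
	if len(ports) == 0 {
		return true
	}
	for _, spec := range ports {
		lo, hi := spec, spec
		if i := strings.IndexByte(spec, '-'); i >= 0 {
			lo, hi = spec[:i], spec[i+1:]
		}
		a, errA := strconv.Atoi(lo)
		b, errB := strconv.Atoi(hi)
		if errA == nil && errB == nil && a <= p && p <= b {
			return true
		}
	}
	return false
}

// inspectEntry returns the findings for one audit log line (a JSON LogEntry).
func inspectEntry(line string) ([]string, error) {
	var e auditEntry
	if err := json.Unmarshal([]byte(line), &e); err != nil {
		return nil, err
	}
	pp := e.ProtoPayload
	who := pp.AuthenticationInfo.PrincipalEmail
	var out []string
	if pp.MethodName == "SetIamPolicy" {
		for _, d := range pp.ServiceData.PolicyDelta.BindingDeltas {
			if d.Action != "ADD" {
				continue // REMOVE deltas are not a grant
			}
			if d.Member == "allUsers" || d.Member == "allAuthenticatedUsers" {
				out = append(out, fmt.Sprintf("HIGH: %s granted %s to %s on %s", who, d.Role, d.Member, pp.ResourceName))
			} else if d.Role == "roles/owner" || d.Role == "roles/editor" {
				out = append(out, fmt.Sprintf("MEDIUM: %s granted basic role %s to %s on %s", who, d.Role, d.Member, pp.ResourceName))
			}
		}
	}
	// Firewall rules default to INGRESS when direction is omitted.
	if strings.HasSuffix(pp.MethodName, "compute.firewalls.insert") && pp.Request.Direction != "EGRESS" {
		req := pp.Request
		world := false
		for _, r := range req.SourceRanges {
			world = world || r == "0.0.0.0/0" || r == "::/0"
		}
		for _, a := range req.Alloweds {
			proto := strings.ToLower(a.IPProtocol)
			for _, p := range []int{22, 3389} { // SSH and RDP; extend as needed
				if world && (proto == "tcp" || proto == "all") && portsCover(a.Ports, p) {
					out = append(out, fmt.Sprintf("HIGH: firewall rule %s opens tcp/%d to the internet (by %s)", req.Name, p, who))
				}
			}
		}
	}
	return out, nil
}

// Constructed sample entries (not real log data), trimmed to the fields above.
var sampleEntries = []string{
	`{"protoPayload":{"methodName":"SetIamPolicy","resourceName":"projects/demo-proj","authenticationInfo":{"principalEmail":"alice@example.com"},"serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/storage.objectViewer","member":"allUsers"}]}}}}`,
	`{"protoPayload":{"methodName":"v1.compute.firewalls.insert","resourceName":"projects/demo-proj/global/firewalls/allow-ssh","authenticationInfo":{"principalEmail":"bob@example.com"},"request":{"name":"allow-ssh","direction":"INGRESS","sourceRanges":["0.0.0.0/0"],"alloweds":[{"IPProtocol":"tcp","ports":["22"]}]}}}`,
	`{"protoPayload":{"methodName":"SetIamPolicy","resourceName":"projects/demo-proj","authenticationInfo":{"principalEmail":"alice@example.com"},"serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/viewer","member":"user:carol@example.com"}]}}}}`,
	`{"protoPayload":{"methodName":"v1.compute.firewalls.insert","resourceName":"projects/demo-proj/global/firewalls/internal-ssh","authenticationInfo":{"principalEmail":"bob@example.com"},"request":{"name":"internal-ssh","sourceRanges":["10.0.0.0/8"],"alloweds":[{"IPProtocol":"tcp","ports":["22"]}]}}}`,
}

func main() {
	for _, line := range sampleEntries {
		findings, err := inspectEntry(line)
		fmt.Println(findings, err)
	}
}
```

Of the four constructed entries, the first two produce a finding each and the last two produce none: the viewer grant to a named user and the SSH rule restricted to 10.0.0.0/8 are ordinary changes. In a real deployment the same function would be fed by a Pub/Sub sink on the _Required/Admin Activity logs and would raise an alert or open a Security Command Center finding rather than print.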
Confidential Computing
Encrypt data in use with Confidential VMs and Confidential GKE Nodes.
https://cloud.google.com/confidential-computing
BYOD
Managed Devices
https://cloud.google.com/identity/docs/concepts/managed-devices
G Suite and BYOD
https://cloud.google.com/blog/products/g-suite/use-byod-safely-in-g-suite-with-these-6-controls-
Endpoint verification
Vulnerability scanning
Vulnerability scanning is an inspection of the potential points of exploit on a computer or network to identify security holes.
How to secure anything
https://github.com/veeral-patel/how-to-secure-anything
Google Cybersecurity Action Team Threat Horizons report
Famous security vulnerabilities
Log4j
https://security.googleblog.com/2021/12/improving-oss-fuzz-and-jazzer-to-catch.html
SolarWinds
Stuxnet
https://en.m.wikipedia.org/wiki/Stuxnet
Shellshock
https://en.m.wikipedia.org/wiki/Shellshock_(software_bug)
Heartbleed
DigiNotar
https://en.m.wikipedia.org/wiki/DigiNotar
Joker
Mirai
https://en.m.wikipedia.org/wiki/Mirai_(malware)
Java Psychic Signatures (ECDSA)
Npm
RAT
SolarWinds, Microsoft, FireEye, CrowdStrike
Kaspersky
Active Directory
VPN
https://www.wired.com/story/vpn-hacks-pulse-secure-espionage/
IPSec
https://en.wikipedia.org/wiki/IPsec
TLS
https://en.wikipedia.org/wiki/Transport_Layer_Security
Transport Layer Security (TLS), the successor of the now-deprecated Secure Sockets Layer (SSL), is a cryptographic protocol designed to provide communications security over a computer network.
PSP
NSA Shadow Brokers
https://cyberlaw.ccdcoe.org/wiki/The_Shadow_Brokers_publishing_the_NSA_vulnerabilities_(2016)
WannaCry
https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
Kubernetes clusters exposed
IoT
https://www.bankinfosecurity.com/blogs/attackers-iot-paradise-billions-insecure-devices-p-2922
https://internetofbusiness.com/why-you-should-worry-about-unsecured-cameras/
https://www.soracom.io/blog/unsecured-devices-highlight-the-need-for-advanced-iot-security/
Web Attacks, CORS, CSRF, XSS, etc.
https://dev.to/maleta/cors-xss-and-csrf-with-examples-in-10-minutes-35k3
https://medium.com/@zhaojunemail/sop-cors-csrf-and-xss-simply-explained-with-examples-af6119156726
https://blog.vnaik.com/posts/web-attacks.html
https://portswigger.net/web-security/all-materials/detailed
Security trends
Qwiklabs
Security & Identity Fundamentals