security - bobbae/gcp GitHub Wiki
Information Security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks.
The Internet has transformed our lives in many good ways. Unfortunately, this vast network and its associated technologies have also brought in their wake an increasing number of security threats.
GCP doesn't rely on any single technology to make its infrastructure secure. GCP delivers security through progressive layers that together provide defense in depth. Google describes the physical security of its data centers as six layers.
https://cloud.google.com/docs/security/infrastructure/design
https://www.oreilly.com/library/view/building-secure-and/9781492083115/
Security Command Center is Google Cloud's centralized vulnerability and threat reporting service.
https://cloud.google.com/blog/products/identity-security/introducing-chronicle-security-operations
https://portswigger.net/web-security/all-materials/detailed
https://cloud.google.com/security/infrastructure/design
We need a holistic approach to security and privacy and must protect information through its entire lifecycle, from the moment it's captured to the day it's destroyed.
The security of the infrastructure is designed in progressive layers.
https://cloud.google.com/docs/security/infrastructure/design#secure-low-level
https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security
https://cloud.google.com/docs/security/infrastructure/design#secure-service
https://cloud.google.com/architecture/framework/security/data-residency-sovereignty
https://support.google.com/a/answer/7630496
https://cloud.google.com/vpc-service-controls/docs/overview
https://developers.google.com/code-sandboxing/sandboxed-api
https://cloud.google.com/confidential-computing
https://cloud.google.com/docs/security/infrastructure/design#secure-data
https://cloud.google.com/docs/security/infrastructure/design#encryption_at_rest
https://cloud.google.com/docs/security/infrastructure/design#deletion_of_data
https://cloud.google.com/vpc/docs/private-google-access
https://cloud.google.com/docs/security/infrastructure/design#secure-internet
https://cloud.google.com/docs/security/infrastructure/design#google_front_end_service
https://cloud.google.com/docs/security/infrastructure/design#dos_protection
https://cloud.google.com/assured-workloads
https://cloud.google.com/docs/security/infrastructure/design#user_authentication
https://cloud.google.com/titan-security-key
https://en.wikipedia.org/wiki/Universal_2nd_Factor
https://cloud.google.com/docs/security/infrastructure/design#operational-security
https://cloud.google.com/docs/security/infrastructure/design#safe_software_development
https://www.google.com/about/appsecurity/reward-program/
https://bughunters.google.com/about/key-stats
https://googleprojectzero.blogspot.com/
https://googleprojectzero.blogspot.com/search?q=spectre
https://cloud.google.com/docs/security/infrastructure/design#source_code_protections
https://cloud.google.com/docs/security/binary-authorization-for-borg
https://cloud.google.com/beyondcorp
https://cloud.google.com/docs/security/beyondprod
https://cloud.google.com/docs/security/infrastructure/design#reducing_insider_risk
https://cloud.google.com/docs/security/infrastructure/design#threat_monitoring
https://chronicle.security/products/uppercase/
https://support.virustotal.com/hc/en-us/categories/360000162878-Documentation
https://blog.google/threat-analysis-group/
https://en.wikipedia.org/wiki/Red_team
https://cloud.google.com/docs/security/infrastructure/design#intrusion_detection
https://cloud.google.com/docs/security/infrastructure/design#inter-service_access_management
https://cloud.google.com/docs/security/infrastructure/design#encryption-inter-service
IAM lets you grant granular access to specific Google Cloud resources and helps prevent access to other resources.
https://cloud.google.com/iam/docs/overview
https://cloud.google.com/chronicle/docs
https://cloud.google.com/chronicle/docs/preview/context-aware-analytics
https://jisajournal.springeropen.com/articles/10.1186/1869-0238-4-5
https://github.com/ossf/allstar
The Security Foundations Blueprint presents an opinionated view of Google Cloud security best practices, organized to allow users to adopt or adapt them and then automatically deploy them for their estates on Google Cloud.
There is an example repo showing how the Cloud Foundation Toolkit (CFT) Terraform modules can be composed to build a secure GCP foundation.
https://cloud.google.com/blog/products/devops-sre/using-the-cloud-foundation-toolkit-with-terraform
Risk Manager, a Google Cloud security diagnostic tool, enables customers to measure and manage their risk on Google Cloud and obtain a report on their security posture.
https://cloud.google.com/risk-protection-program
Read the overview of how security is designed into Google's technical infrastructure.
Cryptography is the study of secure communication techniques that allow only the sender and intended recipient of a message to view its contents; modern cryptography also provides integrity and authentication, not only confidentiality.
Google Cloud encrypts all customer content stored at rest, without any action required from the customer, using one or more encryption mechanisms.
Identity-based security is a type of security that focuses on access to digital information or services based on the authenticated identity of an individual.
An identity-management system is used for enterprise or cross-network identity management.
A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. To make permissions available to members, including users, groups, and service accounts, you grant roles to the members.
https://cloud.google.com/iam/docs/understanding-roles
A Service Account is a special kind of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as Google Workspace or Cloud Identity users through domain-wide delegation.
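Roles and service accounts are where most GCP privilege mistakes happen, so here is an added example (not from this wiki or from Google) that lints an IAM policy for over-broad grants. The policy is a constructed sample in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns; the role lists are assumptions chosen for illustration.

```python
"""Added example: lint a Google Cloud IAM policy for over-broad grants.
The sample policy is constructed; run the real thing on the output of
`gcloud projects get-iam-policy PROJECT --format=json`."""
import json

# Basic (primitive) roles grant thousands of permissions across every service.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Roles that let a member act as, or mint credentials for, a service account:
# the usual privilege-escalation path in GCP.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountKeyAdmin",
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy (not a real project).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com",
                 "serviceAccount:ci-deployer@proj.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["group:devs@example.com"]},
    {"role": "roles/logging.viewer",
     "members": ["user:bob@example.com"]}
  ],
  "etag": "BwXyz123",
  "version": 1
}
""")


def lint_policy(policy):
    """Return a list of (severity, role, member, reason) findings."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        # Conditional bindings narrow the grant; a fuller linter would inspect
        # binding.get("condition") instead of treating them like plain grants.
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", role, member,
                                 "resource is exposed to anyone on the internet"))
            if role in BASIC_ROLES and member.startswith("serviceAccount:"):
                findings.append(("HIGH", role, member,
                                 "service account holds a basic role"))
            elif role in BASIC_ROLES:
                findings.append(("MEDIUM", role, member,
                                 "basic role instead of a predefined or custom role"))
            if role in IMPERSONATION_ROLES and member.startswith("group:"):
                findings.append(("MEDIUM", role, member,
                                 "an entire group can impersonate service accounts"))
    return findings


if __name__ == "__main__":
    for severity, role, member, reason in lint_policy(SAMPLE_POLICY):
        print(f"[{severity}] {role} -> {member}: {reason}")
```

The check flags the CI service account with `roles/owner` as the most urgent finding: a compromised build pipeline then owns the project, whereas a narrowly scoped predefined role limits the blast radius.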
Cloud Identity API is an API for provisioning and managing identity resources. It helps you achieve confidentiality, data integrity, availability, non-repudiation and authentication of your data.
Cloud Identity is an Identity as a Service (IDaaS) solution that centrally manages users and groups. You can configure Cloud Identity to federate identities between Google and other identity providers, such as Active Directory and Azure Active Directory.
Access Control is a mechanism you can use to define who has access to resources.
Identity and Access Management lets administrators authorize who can take action on specific resources, giving you full control and visibility.
Identity-Aware Proxy (IAP) lets you establish a central authorization layer for applications accessed by HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls.
https://cloud.google.com/iap/docs/quickstarts
Based on the BeyondCorp security model, Context-Aware Access is an approach that utilizes a variety of Google Cloud offerings to enforce granular access control based on a user's identity and context of the request.
https://cloud.google.com/iap/docs/cloud-iap-context-aware-access-howto
Google Identity Platform provides back-end services, SDKs, and UI libraries that make it easier to authenticate users to your apps and services.
Managed Service for Microsoft Active Directory is a highly available, hardened Google Cloud service running actual Microsoft AD that enables you to manage your cloud-based AD-dependent workloads, automate AD server maintenance and security configuration, and connect your on-premises AD domain to the cloud.
The Resource Manager API enables you to programmatically manage the container resources of the resource hierarchy (organizations, folders, and projects).
Cloud KMS, together with Cloud HSM and Cloud EKM, supports a wide range of compliance mandates that call for specific key management procedures and technologies. You can manage encryption keys via secure hardware.
Access Transparency provides you with logs that capture the actions Google personnel take when accessing your content. You might be familiar with Cloud Audit Logs, which can help you answer questions about "who did what, where, and when?" in your Google Cloud projects. While Cloud Audit Logs provides these logs about the actions taken by members within your own organization, Access Transparency provides logs of the actions taken by Google personnel.
Binary Authorization is a service on Google Cloud Platform (GCP) that provides software supply-chain security when deploying container-based applications.
Cloud Asset Inventory provides inventory services based on a time series database. This database keeps a five-week history of Google Cloud asset metadata.
Cloud Data Loss Prevention (DLP) provides access to a powerful sensitive data inspection, classification, and de-identification platform.
https://cloud.google.com/blog/products/identity-security/automatic-dlp-for-bigquery
Cloud HSM is a cloud-hosted Hardware Security Module (HSM) service that allows you to host encryption keys and perform cryptographic operations in a cluster of FIPS 140-2 Level 3 certified HSMs. Google manages the HSM cluster for you.
Security Command Center is the canonical security and data risk database for Google Cloud. Security Command Center enables you to understand your security and data attack surface by providing asset inventory, discovery, search, and management.
With VPC Service Controls, administrators can define a security perimeter around resources of Google-managed services to control communication to and between those services.
VPC Service Controls enables you to establish security perimeters around sensitive data in Google Cloud Platform services such as Google Cloud Storage and BigQuery.
The incident response problem space can be divided into three categories: people, process, and data management.
Users have long had access to solid people-management solutions (on-call rotation schedulers, etc.) and Google’s SRE book outlines their Incident Management at Google (IMAG) process.
Stackdriver Incident Response and Management (IRM) was the GCP tooling aimed at the data-management category, gathering the incident's signals and timeline in one place.
Phishing Protection is a phishing countermeasure platform that helps to detect phishing attacks against your users.
The Phishing Protection Submission API also enables you to submit URLs suspected to be unsafe to Safe Browsing.
Any URLs that are confirmed to match the Safe Browsing Policies will be added to the Safe Browsing list, which is used by over three billion devices to show warnings when a user visits a known unsafe web resource. Common sources of these URLs are customer reports or internal phishing detection results.
Security keys (FIDO U2F/WebAuthn) prevent phishing because each credential is bound to the web origin it was registered for: the browser reports the origin to the key, the key signs over it, and the private key never leaves the device, so a look-alike domain cannot obtain a valid signature for the real site.
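The origin binding described above is enforced by the relying party's server-side checks. As an added example (not from this wiki or from Google), the following Python reproduces those WebAuthn assertion checks with constructed inputs: the browser, not the page, fills in `origin` in clientDataJSON, and the authenticator's signature covers the RP ID hash plus the hash of clientDataJSON, so a phishing site cannot alter either. The ECDSA signature check itself is omitted because it needs the public key stored at enrollment; the challenge and RP ID are assumptions.

```python
"""Added example: relying-party checks that make a security-key assertion
phishing-resistant (WebAuthn Level 2, section 7.2, steps 11-13, 15 and 21).
All inputs are constructed. The signature verification over
authenticatorData || SHA-256(clientDataJSON) is omitted here."""
import base64
import hashlib
import json


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def make_client_data(origin: str, challenge: bytes) -> bytes:
    # What the browser produces for navigator.credentials.get(); the page's
    # JavaScript cannot set `origin`, the browser does.
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, counter: int) -> bytes:
    # rpIdHash (32 bytes) || flags (1 byte, UP bit set) || signCount (4 bytes, big-endian)
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([0x01])
            + counter.to_bytes(4, "big"))


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, expected_origin: str,
                     rp_id: str, last_counter: int):
    """Return (ok, reason) for the non-signature checks of an assertion."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != expected_origin:
        # This is the phishing defence: a look-alike site shows up here.
        return False, f"origin {cd.get('origin')!r} is not {expected_origin!r}"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    counter = int.from_bytes(authenticator_data[33:37], "big")
    if counter != 0 and counter <= last_counter:
        return False, "signature counter did not increase (cloned authenticator?)"
    return True, "ok"


CHALLENGE = bytes(range(32))  # constructed; use secrets.token_bytes(32) in practice
RP_ID = "example.com"         # assumed relying party


if __name__ == "__main__":
    good = verify_assertion(make_client_data("https://example.com", CHALLENGE),
                            make_authenticator_data(RP_ID, 5),
                            CHALLENGE, "https://example.com", RP_ID, 4)
    phish = verify_assertion(make_client_data("https://exarnple.com", CHALLENGE),
                             make_authenticator_data("exarnple.com", 5),
                             CHALLENGE, "https://example.com", RP_ID, 4)
    print(good, phish)
```

In practice the browser refuses to run the ceremony at all when the requested RP ID is not a registrable suffix of the page's origin, so the phishing case above never even reaches the server; the server-side origin check is the second line of defence.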
Cloud KMS is a service that lets you manage symmetric and asymmetric cryptographic keys for your cloud services the same way you do on-premises.
Google has been defending millions of sites with reCAPTCHA for almost a decade. reCAPTCHA Enterprise is an extension of that effort to help enterprises detect other types of fraudulent activity on their sites, like scraping, credential stuffing, and automated account creation.
Web Risk is an enterprise security product that lets your client applications check URLs against Google's constantly updated lists of unsafe web resources.
https://infosecwriteups.com/enumeration-and-lateral-movement-in-gcp-environments-c3b82d342794
[Cloud Audit Logs](https://cloud.google.com/logging/docs/audit) helps security, auditing, and compliance entities maintain audit trails in Google Cloud. With Cloud Audit Logs, your enterprise can attain the same level of transparency over administrative activities and accesses to data in Google Cloud as in on-premises environments. Audit logs help the Google Cloud Support team troubleshoot issues with your account.
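Audit logs are only useful if something reads them. The following is an added example (not from this wiki or from Google) of detection logic run over constructed Admin Activity audit log entries, in the shape they arrive in a Pub/Sub or BigQuery log sink: it flags service-account key creation and IAM changes that grant a public member or a sensitive role. The field paths (`protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.serviceData.policyDelta.bindingDeltas`) follow the AuditLog schema; the sample principals, resources and role list are assumptions.

```python
"""Added example: simple detections over Cloud Audit Log (Admin Activity)
entries.  The entries below are constructed samples, not real logs."""
import json

SENSITIVE_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin",
                   "roles/iam.serviceAccountTokenCreator"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

SAMPLE_LOGS = [json.loads(line) for line in r"""
{"protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.setIamPermissions", "resourceName": "projects/_/buckets/payroll-exports", "authenticationInfo": {"principalEmail": "alice@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"}]}}}, "timestamp": "2023-05-01T10:00:00Z"}
{"protoPayload": {"serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.CreateServiceAccountKey", "resourceName": "projects/-/serviceAccounts/ci-deployer@proj.iam.gserviceaccount.com", "authenticationInfo": {"principalEmail": "bob@example.com"}}, "timestamp": "2023-05-01T10:05:00Z"}
{"protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", "resourceName": "projects/proj", "authenticationInfo": {"principalEmail": "alice@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/owner", "member": "user:mallory@example.net"}]}}}, "timestamp": "2023-05-01T10:07:00Z"}
{"protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", "resourceName": "projects/proj", "authenticationInfo": {"principalEmail": "alice@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "REMOVE", "role": "roles/editor", "member": "user:carol@example.com"}]}}}, "timestamp": "2023-05-01T10:09:00Z"}
{"protoPayload": {"serviceName": "logging.googleapis.com", "methodName": "google.logging.v2.ConfigServiceV2.ListSinks", "resourceName": "projects/proj", "authenticationInfo": {"principalEmail": "bob@example.com"}}, "timestamp": "2023-05-01T10:10:00Z"}
""".strip().splitlines()]


def detect(entries):
    """Return a list of (severity, rule, principal, detail) alerts."""
    alerts = []
    for entry in entries:
        p = entry.get("protoPayload", {})
        principal = p.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        method = p.get("methodName", "")
        resource = p.get("resourceName", "")

        # User-managed SA keys are long-lived bearer credentials; creation is rare
        # in a healthy project and worth a ticket every time.
        if method.endswith("CreateServiceAccountKey"):
            alerts.append(("HIGH", "sa_key_created", principal, resource))

        # IAM changes: only ADD deltas widen access, REMOVE deltas are benign.
        if method.lower().endswith(("setiampolicy", "setiampermissions")):
            deltas = (p.get("serviceData", {}).get("policyDelta", {})
                       .get("bindingDeltas", []))
            for d in deltas:
                if d.get("action") != "ADD":
                    continue
                detail = f"{d.get('role')} -> {d.get('member')} on {resource}"
                if d.get("member") in PUBLIC_MEMBERS:
                    alerts.append(("HIGH", "public_binding_added", principal, detail))
                elif d.get("role") in SENSITIVE_ROLES:
                    alerts.append(("MEDIUM", "sensitive_role_granted", principal, detail))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

The same logic maps directly onto a Cloud Logging alerting policy or a Chronicle rule; the point of writing it out is to see which fields carry the signal (the binding delta, not the resulting policy) and that removals must not page anyone.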
Cloud IDS delivers cloud-native, managed, network-based threat detection, built with Palo Alto Networks’ industry-leading threat detection technologies to provide high levels of security efficacy.
https://cloud.google.com/intrusion-detection-system
https://cloud.google.com/blog/products/networking/open-source-solutions-and-how-tos
GCP Certificate Authority Service (CAS) is a managed service for creating and operating private certificate authorities, the backbone of an internal PKI.
Federated identity management protocols include OAuth 2.0, OpenID Connect and SAML 2.0.
https://github.com/GoogleCloudPlatform/security-analytics
Machine learning has been applied to a range of cybersecurity problems.
In network security, ML underpins Network Traffic Analytics (NTA): in-depth analysis of traffic at each layer to detect attacks and anomalies.
Data governance is a principled approach to manage data during its lifecycle — from acquisition, to use, to disposal.
Cloud governance is a set of practices that help ensure users operate in the cloud in ways that they want, that the operations are efficient, and that the user can monitor and correct operations as needed. A cloud governance framework is not a new set of concepts or practices, but the application of existing governance practices to cloud operations.
BigQuery Security topics include Column-level security and row-level security.
The Border Gateway Protocol (BGP) is the protocol used throughout the Internet to exchange routing information between networks. Because routes are learned dynamically from other operators, the risk of accepting bad routing information must be considered.
The challenge with BGP is that the protocol does not directly include security mechanisms and is based largely on trust between network operators that they will secure their systems correctly and not send incorrect data.
RFC 7454 discusses BGP related Operations and Security issues.
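One of the mitigations RFC 7454 discusses is origin validation against the RPKI: each Route Origin Authorization yields a validated ROA payload (prefix, maxLength, origin AS), and a received route is classified Valid, Invalid or NotFound per RFC 6811. The following is an added example (not from this wiki or from any vendor) implementing that classification with constructed payloads, so the hijack and the too-specific announcement both come out Invalid.

```python
"""Added example: RFC 6811 route origin validation against constructed
validated ROA payloads (VRPs).  Prefixes use RFC 5737/3849 documentation
ranges and RFC 5398 documentation ASNs; none of this is live routing data."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    prefix: str      # authorized prefix, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the origin may announce
    asn: int         # authorized origin AS (0 means "nobody", see RFC 7607)


# Constructed VRPs, as a validating cache would hand them to a router.
SAMPLE_VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("198.51.100.0/22", 24, 64497),
    VRP("2001:db8::/32", 48, 64496),
]


def covering_vrps(route, vrps):
    """VRPs whose prefix equals or contains the route prefix (same address family)."""
    out = []
    for v in vrps:
        net = ipaddress.ip_network(v.prefix)
        if net.version == route.version and route.subnet_of(net):
            out.append(v)
    return out


def validate_route(prefix: str, origin_asn: int, vrps) -> str:
    """Classify a route per RFC 6811 section 2."""
    route = ipaddress.ip_network(prefix)
    covering = covering_vrps(route, vrps)
    if not covering:
        # No ROA says anything about this space: unsigned, not attacked.
        return "NotFound"
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "Valid"
    # Covered by at least one ROA but no ROA matches: wrong origin AS, or a
    # more-specific than maxLength allows (the classic sub-prefix hijack).
    return "Invalid"


if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                        ("198.51.100.0/25", 64497), ("198.51.100.0/23", 64497),
                        ("203.0.113.0/24", 64500), ("2001:db8:1::/48", 64496)]:
        print(f"{prefix:20} AS{asn}: {validate_route(prefix, asn, SAMPLE_VRPS)}")
```

Operators typically drop Invalid routes and accept NotFound, because most of the table is still unsigned; the maxLength check is what stops an attacker from winning longest-prefix-match with a /25 inside a legitimately signed /24.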
Kubernetes Security is important throughout the container lifecycle due to the distributed, dynamic nature of a Kubernetes cluster. Different security approaches are required for each of the three phases of an application lifecycle: build, deploy, and runtime.
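The deploy phase is where policy can be enforced mechanically, which is what Binary Authorization does for attested images on GKE. As an added example (not from this wiki, Google or the Kubernetes project), the following Python applies a small set of deploy-time checks to a constructed Pod manifest and packages the verdict as a ValidatingAdmissionWebhook response: images must come from an allowed registry and be pinned by digest (so what was scanned and attested at build is what runs), and containers must not be privileged, run as root or share host namespaces. The registry allow-list and the manifests are assumptions.

```python
"""Added example: deploy-phase checks over a Pod manifest, returned in the
AdmissionReview response shape a validating webhook sends back.
Manifests and registry names are constructed."""

# Assumed allow-list: only images pushed by our own build pipeline.
ALLOWED_REGISTRIES = ("us-docker.pkg.dev/my-project/", "gcr.io/my-project/")

GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api", "namespace": "prod"},
    "spec": {"containers": [{
        "name": "api",
        "image": "us-docker.pkg.dev/my-project/apps/api@sha256:"
                 "3f2a9d1c4e6b7a8f90123456789abcdef0123456789abcdef0123456789abcd",
        "securityContext": {"runAsNonRoot": True,
                            "allowPrivilegeEscalation": False,
                            "privileged": False}}]}}

BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug", "namespace": "prod"},
    "spec": {"hostNetwork": True,
             "containers": [{"name": "shell", "image": "nginx:latest",
                             "securityContext": {"privileged": True}}]}}


def pod_violations(pod):
    """Return a list of human-readable policy violations (empty if compliant)."""
    spec = pod["spec"]
    violations = []
    if spec.get("hostNetwork") or spec.get("hostPID") or spec.get("hostIPC"):
        violations.append("pod shares a host namespace (hostNetwork/hostPID/hostIPC)")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, image = c["name"], c["image"]
        if not image.startswith(ALLOWED_REGISTRIES):
            violations.append(f"{name}: image {image} is not from an allowed registry")
        if "@sha256:" not in image:
            # A tag like :latest is mutable; only a digest ties the deploy to
            # the artifact that was built, scanned and attested.
            violations.append(f"{name}: image {image} is not pinned by digest")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"{name}: privileged container")
        if not sc.get("runAsNonRoot"):
            violations.append(f"{name}: runAsNonRoot is not set")
        if sc.get("allowPrivilegeEscalation", True):
            violations.append(f"{name}: allowPrivilegeEscalation is not disabled")
    return violations


def admission_response(uid, pod):
    """Build the AdmissionReview response for a validating webhook."""
    violations = pod_violations(pod)
    response = {"uid": uid, "allowed": not violations}
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


if __name__ == "__main__":
    import json
    print(json.dumps(admission_response("req-1", GOOD_POD), indent=2))
    print(json.dumps(admission_response("req-2", BAD_POD), indent=2))
```

Runtime controls (seccomp, network policy, workload identity) are a separate layer; the value of the deploy-time gate is that a compliant manifest is cheap to check and a non-compliant one never gets scheduled.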
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.33.7922
There are many VPN protocols; the comparison below covers PPTP, IPsec/IKEv2, OpenVPN and WireGuard.
https://www.ivpn.net/pptp-vs-ipsec-ikev2-vs-openvpn-vs-wireguard/
https://internetofthingsagenda.techtarget.com/definition/IoT-security-Internet-of-Things-security
Google APIs use the OAuth 2.0 protocol for authentication and authorization. Google supports common OAuth 2.0 scenarios such as those for web server, client-side, installed, and limited-input device applications.
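For the installed and client-side scenarios mentioned above, the client cannot keep a secret, so the authorization code must be protected with PKCE (RFC 7636). The following is an added example (not from this wiki or from Google) showing both sides of the exchange: the client derives an S256 code challenge from a random verifier and sends only the challenge with the authorization request; the server stores it against the issued code and releases a token only to whoever presents the matching verifier. The in-memory server and the simulated flow are assumptions standing in for the real endpoints.

```python
"""Added example: PKCE (RFC 7636) code_challenge generation and verification,
with a simulated authorization server to show why an intercepted code alone
is useless to an attacker."""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))"""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def generate_pkce_pair():
    # 32 random bytes -> 43 base64url chars, the RFC's minimum verifier length.
    verifier = b64url(secrets.token_bytes(32))
    return verifier, code_challenge_s256(verifier)


class AuthorizationServer:
    """Simulated server (assumption): stores the challenge per issued code."""

    def __init__(self):
        self._pending = {}   # authorization code -> (challenge, method)

    def authorize(self, code_challenge, method="S256"):
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' defeats the purpose")
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = code_challenge
        return code

    def token(self, code, code_verifier):
        """Return an access token, or None if the verifier does not match."""
        stored = self._pending.pop(code, None)   # codes are single-use
        if stored is None or not 43 <= len(code_verifier) <= 128:
            return None
        if not hmac.compare_digest(code_challenge_s256(code_verifier), stored):
            return None
        return "access-token-" + b64url(secrets.token_bytes(8))


def simulate_flow(attacker_steals_code: bool) -> bool:
    """True if a token was issued to whoever redeems the code."""
    server = AuthorizationServer()
    verifier, challenge = generate_pkce_pair()
    code = server.authorize(challenge)              # sent via the browser redirect
    if attacker_steals_code:
        # The attacker observed the redirect but never saw the verifier,
        # which stayed in the legitimate app's memory.
        return server.token(code, b64url(secrets.token_bytes(32))) is not None
    return server.token(code, verifier) is not None


if __name__ == "__main__":
    print("legitimate client gets token:", simulate_flow(False))
    print("attacker with stolen code gets token:", simulate_flow(True))
```

Sending the challenge rather than the verifier is the whole trick: anyone who can observe the redirect URI (a malicious app registered for the same custom scheme, a logging proxy) learns the code and the challenge, but cannot invert SHA-256 to produce the verifier the token endpoint demands.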
The Domain Name System Security Extensions (DNSSEC) is a feature of the Domain Name System (DNS) that authenticates responses to domain name lookups. DNSSEC does not provide privacy protections for those lookups, but prevents attackers from manipulating or poisoning the responses to DNS requests.
https://cloud.google.com/dns/docs/dnssec
https://developers.google.com/speed/public-dns/docs/dns-over-tls
https://wikipedia.org/wiki/DNS_over_HTTPS
https://cloud.google.com/storage/docs/gsutil/addlhelp/CredentialTypesSupportingVariousUseCases
Monitor security threats in IAM and Firewall via Cloud Functions.
Encrypt data in use with Confidential VMs and Confidential GKE Nodes.
https://cloud.google.com/identity/docs/concepts/managed-devices
https://cloud.google.com/blog/products/g-suite/use-byod-safely-in-g-suite-with-these-6-controls-
Vulnerability scanning is an inspection of the potential points of exploit on a computer or network to identify security holes.
https://github.com/veeral-patel/how-to-secure-anything
https://security.googleblog.com/2021/12/improving-oss-fuzz-and-jazzer-to-catch.html
https://en.m.wikipedia.org/wiki/Stuxnet
https://en.m.wikipedia.org/wiki/Shellshock_(software_bug)
https://en.m.wikipedia.org/wiki/DigiNotar
https://en.m.wikipedia.org/wiki/Mirai_(malware)
https://www.wired.com/story/vpn-hacks-pulse-secure-espionage/
https://en.wikipedia.org/wiki/IPsec
https://en.wikipedia.org/wiki/Transport_Layer_Security
Transport Layer Security (TLS), the successor of the now-deprecated Secure Sockets Layer (SSL), is a cryptographic protocol designed to provide communications security over a computer network.
https://cyberlaw.ccdcoe.org/wiki/The_Shadow_Brokers_publishing_the_NSA_vulnerabilities_(2016)
https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
https://www.bankinfosecurity.com/blogs/attackers-iot-paradise-billions-insecure-devices-p-2922
https://internetofbusiness.com/why-you-should-worry-about-unsecured-cameras/
https://www.soracom.io/blog/unsecured-devices-highlight-the-need-for-advanced-iot-security/
https://dev.to/maleta/cors-xss-and-csrf-with-examples-in-10-minutes-35k3
https://medium.com/@zhaojunemail/sop-cors-csrf-and-xss-simply-explained-with-examples-af6119156726
https://blog.vnaik.com/posts/web-attacks.html
Security & Identity Fundamentals