GCP Cloud Security - vidyasekaran/GCP GitHub Wiki

Mitigating Security Vulnerabilities on Google Cloud -- Coursera

DDoS Mitigation and Prevention on Google Cloud

**Load Balancing** - Using proxy-based load balancing (external HTTP(S) load balancing) to absorb and distribute load across resources; the proxy terminates connections at Google's edge, so backends never see the raw flood.

**Attack surface** - Reducing the attack surface by reducing externally facing resources (no public IPs on VMs that do not need them; reach them through a bastion, IAP or a load balancer instead).

Internal traffic - Isolating internal traffic from the outside world with restrictive firewall rules (ingress/egress).

API Management - Monitor and manage APIs to spot and throttle DDoS attacks.

CDN Offloading - Offloading static content to a CDN (Cloud CDN) to minimize the impact of a flood on the origin servers.

Specialized DDoS Protection - Deploying services that specifically provide deeper DDoS protection.

(Cloud Armor) - lets you set up IP allow/deny lists, preconfigured WAF rules for cross-site scripting (XSS) and SQL injection, and rate-based rules that protect your applications from a large volume of requests that would otherwise flood your instances and block access for legitimate users. A Cloud Armor security policy is attached to the backend service of an external HTTP(S) load balancer, so its rules are enforced at Google's edge before traffic reaches your instances.
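A rate-based rule has a simple shape: count requests per key (here the client IP) inside an interval, throttle the key once it passes a threshold, and ban it for a period if a higher ban threshold is crossed. The simulation below is an added illustration of that logic, not Cloud Armor's own code: the parameter names, the constructed request log, the 10/20-request thresholds and the `deny(429)` action string are all assumptions. Replaying the constructed log shows one client being throttled, then banned, then allowed again after the ban expires, while a low-rate client is never touched.

```python
from collections import Counter, defaultdict, deque


class RateBasedBan:
    """Sliding-window rate limiting with a ban, keyed on client IP.

    threshold      requests per interval a key may send before exceed_action applies
    ban_threshold  requests per interval after which the key is banned outright
    ban_duration   seconds a banned key stays blocked
    (Parameter names are assumptions that mirror the idea of a Cloud Armor
    rate-based rule, not its exact API.)
    """

    def __init__(self, threshold, ban_threshold, interval, ban_duration,
                 exceed_action="deny(429)"):
        self.threshold = threshold
        self.ban_threshold = ban_threshold
        self.interval = interval
        self.ban_duration = ban_duration
        self.exceed_action = exceed_action
        self.windows = defaultdict(deque)   # ip -> request timestamps inside the current window
        self.banned_until = {}              # ip -> time at which its ban expires

    def handle(self, ip, ts):
        """Return the decision for one request from ip at time ts (seconds)."""
        if self.banned_until.get(ip, 0) > ts:
            return "banned"
        window = self.windows[ip]
        while window and window[0] <= ts - self.interval:   # drop requests older than the interval
            window.popleft()
        window.append(ts)
        if len(window) > self.ban_threshold:                # far over the limit: ban the key
            self.banned_until[ip] = ts + self.ban_duration
            window.clear()
            return "banned"
        if len(window) > self.threshold:                    # over the limit: throttle this request
            return self.exceed_action
        return "allow"


def replay(log, policy):
    """Run a (ts, ip) request log through the policy; return per-IP decision counts."""
    counts = defaultdict(Counter)
    for ts, ip in sorted(log):
        counts[ip][policy.handle(ip, ts)] += 1
    return {ip: dict(c) for ip, c in counts.items()}


# Constructed log: one client floods 30 requests in three seconds and returns after
# the ban has expired; another client sends three ordinary requests.
ATTACKER, CLIENT = "198.51.100.7", "203.0.113.5"
LOG = ([(i * 0.1, ATTACKER) for i in range(30)] + [(100.0, ATTACKER)]
       + [(0.5, CLIENT), (1.5, CLIENT), (2.5, CLIENT)])


def demo():
    policy = RateBasedBan(threshold=10, ban_threshold=20, interval=10, ban_duration=60)
    return replay(LOG, policy)


if __name__ == "__main__":
    print(demo())
```

In the real service the key can be the client IP, the IP from X-Forwarded-For, a header or a cookie, and the throttled requests can get a 429 or a 403; the point to take from the replay is that conforming clients keep flowing while the offender is cut off before it reaches your instances.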

Security Command Center

Security Command Center provides a single, centralized dashboard so you can view and monitor an inventory of your cloud assets. It gives enterprises a consolidated view of their Google Cloud assets across the whole organization: you can quickly see how many projects you have, what resources are deployed, where sensitive data is located and how firewall rules are configured.

Anomaly Detection, integrated with Security Command Center, identifies threats such as botnets, cryptocurrency mining, anomalous reboots and suspicious network traffic.

When a threat is detected, Event Threat Detection (also integrated with Security Command Center) surfaces that finding so you can quickly take corrective action.

The Cloud Data Loss Prevention (DLP) API, integrated with Security Command Center, scans storage buckets and reports which ones contain sensitive data such as personally identifiable information (PII). Whenever findings are raised you can get real-time alerts: findings are published to Pub/Sub, from where a notification can be sent by email or SMS so that action can be taken quickly.

Professional Cloud Security Engineer

Course PDF Reference - file:///C:/Users/shant/Downloads/GCP-pse.pdf

https://cloud.google.com/certification/guides/cloud-security-engineer/

GCP Security references https://ethoughts.medium.com/gcp-security-architecture-whitepaper-da19fc9b4ba2

Udemy Course

Google Professional Cloud Security Engineer Certification

Cloud Locations

https://cloud.google.com/about/locations

Services related to Security Engineer Certification

  • Encryption
  • VPC
  • Hybrid Connectivity
  • Data Loss Prevention (DLP)
  • SCC - Security command Center

Services from Google Console

Security

  • Security Command Center - Helps identify vulnerabilities and misconfigurations in the resources provisioned in our GCP projects.
  • Identity-Aware Proxy - Helps protect our applications by enforcing identity-based access in front of them.
  • Binary Authorization - Only trusted (signed/attested) container images can be deployed.
  • Data Loss Prevention - Detects sensitive data such as personally identifiable information (PII).
  • Cloud Key Management Service - Manages the encryption keys used to encrypt our data.
  • Web Security Scanner - Helps identify vulnerabilities within our web applications.

VPC Network

  • Provision a new VPC network and the resources within it
  • Firewall - set up firewall rules to allow or deny traffic
  • VPC Network Peering - Connect two VPCs within the same project or across different projects.

We are logged in using our email, so this is a Cloud Identity domain account.

IAM & Admin

Services we will touch upon: Compute Engine and App Engine (and how to secure them with Identity-Aware Proxy)

Storage

Cloud Storage

Cloud Identity

1. Configuring access within a cloud solution environment

Cloud Identity is an Identity as a Service (IDaaS) solution that centrally manages users and groups.

The different identity types that can be used to access Google Cloud are

  1. Google Account - For single/personal use to learn and demo GCP; create one @ https://accounts.google.com

  2. Google Groups - A group email address that can be granted roles so that every member inherits them

  3. Service Account - An identity for applications and VMs rather than for a person

  4. Google Workspace (formerly G Suite) - For multiple users and organizations. It is a collection of cloud computing, productivity and collaboration tools, software and products developed and marketed by Google. Google Workspace consists of Gmail, Contacts, Calendar, Meet and Chat for communication; Currents for employee engagement; Drive for storage; and the Google Docs suite for content creation. It is a paid subscription for all apps. An Admin Panel is provided for managing users and services. https://admin.google.com

Google Workspace (G Suite) tutorial - Adding Users and Changing Details | G suite Productivity

https://www.youtube.com/watch?v=89yq-j37qAo

Google Workspace = Paid Apps + Cloud Identity Domain.

  5. Cloud Identity domain - For multiple users, like Google Workspace but without its applications. We get a verified domain (example.com) and complete user management for example.com.

Cloud Identity domain

Subscription = Free or Premium (paid, with a 14-day free trial)

admin = admin.google.com (for user management)

You can create your Cloud Identity domain from here - https://gsuite.google.com/signup/gcpidentity/welcome

Buy a domain from https://www.znetlive.com/ or https://domains.google/

Once you have added the verification TXT record to your domain's DNS (at the registrar, e.g. znetlive.com), you can check that it has propagated @ https://www.whatsmydns.net/

Once the record is visible from all locations you can verify the domain in admin.google.com, after which you can create and manage all users. You have complete admin control in this Google Admin console over the management of users, apps and billing, and over attaching this identity domain to Google Cloud.

Now we have successfully set up our Cloud Identity domain account and attached this domain account to our Google Cloud Platform. Let us now explore the Google Admin console and see which features it offers, which we will eventually use with Google Cloud Platform.

You can add a user and assign permissions, and there are account-level settings, security settings and reports:

Directory --> Users, Groups, Org units, Directory settings

Devices --> Chrome, Mobile & endpoints, Networks

Apps -->

Security --> password management, strong password policy, single sign-on setup

Reporting --> reports, audit, email log search

Billing --> you can add and use different Google apps.

Account --> whole-account-level setup

You can create multiple organizational units under the root and have multiple users under each of them.

Create a Group to manage multiple users as one entity

You can create users, create a group and add users to the group from Google Admin. Then in the Google Cloud console under IAM you can add a user and grant roles/permissions, or add the group (by its group email) and grant roles/permissions so that all users in the group get access. Granting to groups rather than to individual users keeps the IAM policy small and makes joiners and leavers a directory change rather than a policy change.

GCDS (Google Cloud Directory Sync)

If you have users in an on-premises directory (LDAP or Active Directory) and want to provision them into Cloud Identity, you can use GCDS. It is a one-way sync: the on-prem directory stays the source of truth, and users, groups and org units are created, updated or suspended in Cloud Identity to match it. GCDS itself does not sync passwords.

https://tools.google.com/dipage/dirsync/thankyou.html

SAML

Security assertion markup language

Google Authentication

  • Credentials are stored on Google's servers
  • Password, user info, etc.
  • Google acts as both service provider and identity provider

SAML - SSO-based authentication

-- use our organization's own IdP or a 3rd-party identity provider; Google acts as the service provider

You can configure SAML SSO in Google Admin by registering the 3rd-party identity provider (its sign-in/sign-out URLs and its signing certificate); Google then redirects users to the IdP and accepts the signed SAML assertion it returns.

2. Configuring network security

CIDR Notation - A way to write a range of IP addresses as a base address plus the number of leading bits that are fixed (the prefix length).

123.52.36.0/28 - 28 bits are fixed, (32 - 28) = 4 bits are variable, 2^4 = 16 IP addresses.
123.52.36.0/31 - 31 bits are fixed, (32 - 31) = 1 bit is variable, 2^1 = 2 IP addresses.
123.52.36.0/32 - 32 bits are fixed, (32 - 32) = 0 bits are variable, 2^0 = 1 IP address (a single host).
0.0.0.0/0 - 0 bits are fixed, 32 bits are variable: every IPv4 address (a firewall rule with this source range is open to the whole internet).

In a GCP subnet the first two and last two addresses of the primary range are reserved (network, default gateway, second-to-last and broadcast), so a /28 subnet leaves 12 usable addresses and a subnet must be /29 or larger.
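The arithmetic above, as an added example that is not part of the original notes, using Python's standard `ipaddress` module: it computes fixed/variable bits and address counts for a block, subtracts GCP's four reserved addresses per subnet, checks two subnet ranges for overlap (which a VPC or peering rejects), and rates how exposed a firewall rule's source ranges are. The reserved-address count and the RFC 1918 list are facts; the "exposure" labels are an assumption of this example.

```python
import ipaddress

GCP_RESERVED_PER_SUBNET = 4   # network, default gateway, second-to-last, broadcast
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def describe_cidr(cidr: str) -> dict:
    """Fixed/variable bits and address count for one CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)      # strict=False tolerates host bits set
    variable_bits = net.max_prefixlen - net.prefixlen
    return {
        "network": str(net),
        "fixed_bits": net.prefixlen,
        "variable_bits": variable_bits,
        "addresses": 2 ** variable_bits,
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
    }


def usable_in_gcp_subnet(cidr: str) -> int:
    """Addresses left for VMs after GCP's four reserved addresses (primary range must be /29 or larger)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen > 29:
        raise ValueError("a GCP IPv4 subnet primary range must be /29 or larger")
    return net.num_addresses - GCP_RESERVED_PER_SUBNET


def overlaps(cidr_a: str, cidr_b: str) -> bool:
    """Subnets in one VPC (and across peered VPCs) may not overlap; check before creating one."""
    return ipaddress.ip_network(cidr_a, strict=False).overlaps(
        ipaddress.ip_network(cidr_b, strict=False))


def classify_source_ranges(ranges: list) -> str:
    """Exposure rating for a firewall rule's source ranges (labels are this example's own):
    'internet' if any range is 0.0.0.0/0, 'private' if all are RFC 1918, else 'specific'."""
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    if any(n.prefixlen == 0 for n in nets):
        return "internet"
    if all(any(n.subnet_of(p) for p in RFC1918) for n in nets):
        return "private"
    return "specific"


if __name__ == "__main__":
    for block in ("123.52.36.0/28", "123.52.36.0/31", "123.52.36.0/32", "0.0.0.0/0"):
        print(describe_cidr(block))
    print(usable_in_gcp_subnet("10.0.0.0/28"), classify_source_ranges(["0.0.0.0/0"]))
```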

VPC and subnetworks - A VPC network is a global resource, a virtual version of a physical network, that lives inside a project (the project is the container for all your resources). There is a quota on networks per project (5 by default in the course; quotas can be raised). The network itself has no IP range. A VPC network contains subnetworks, which are used to segregate resources. Each subnetwork has an IP range expressed in CIDR notation; when a resource is placed in a subnetwork it gets an IP address from that range. A subnetwork belongs to exactly one region, and a VM can only be created in a subnetwork that exists in the VM's region.

If we have many resources in a VPC we segregate them into different subnets, which may belong to different regions.

Types of VPC

Default - created when the Compute Engine API is enabled. Every new project gets a default VPC; it is an auto-mode network with one subnet per region and a set of permissive default firewall rules (allow SSH, RDP and ICMP from anywhere, allow all internal traffic).

Auto mode - one subnet is created automatically in every region with a fixed range taken from 10.128.0.0/9 (a /20 per region). A subnet can be expanded from /20 up to /16. Default firewall rules can be added easily. Because every auto-mode network uses the same ranges, two auto-mode networks cannot be peered with each other without overlap.

Custom - No subnets are created automatically. Subnets are created manually with custom IP allocation, and it is not necessary to create a subnet in every region. Recommended for production.

Firewall rules

Trust nothing by default

Every VPC network has two implied rules that cannot be deleted and sit at the lowest priority (65535): allow all outgoing traffic (egress) and deny all incoming traffic (ingress). So nothing can reach a VM until an ingress allow rule is added; the permissive default-allow-* rules that come with the default network are ordinary rules and should be removed or tightened.

Common ports/protocols

22 - SSH, 3389 - RDP

ICMP - ping

80 - HTTP, 443 - HTTPS

Create Firewall Rule - SSH

You can create firewall rules to allow / deny traffic reaching (ingress) or leaving (egress) the VMs in your VPC.

  • Direction: Ingress
  • Targets: All instances in the network (or, better, only instances with a given target tag or service account)
  • Source filter: IP ranges
  • Source IP ranges: 0.0.0.0/0 (anywhere; for SSH prefer your office/VPN range, or use IAP TCP forwarding with 35.235.240.0/20 as the only allowed source)
  • Second source filter: none (can be IP ranges, source tags or a service account)
  • Protocols and ports: either "allow all" or specific protocols and ports, here tcp:22
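How GCP evaluates such rules once several exist, as an added example that is not part of the original notes: rules are sorted by priority (lower number first), deny beats allow at the same priority, a rule with no target applies to every VM while target tags or target service accounts narrow it, and the two implied rules decide anything nothing else matched. The simulator below implements exactly that decision procedure over a constructed policy; the rule names, the `web-backend@example-project...` service account and the test-net client addresses are assumptions, while the two load-balancer source ranges are the documented proxy/health-check ranges. It also shows why "only allow traffic from the load balancer" works: direct internet requests to a web VM fall through to the implied deny.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FirewallRule:
    name: str
    direction: str                                   # "INGRESS" or "EGRESS"
    action: str                                      # "allow" or "deny"
    priority: int = 1000                             # 0 (evaluated first) .. 65535 (last)
    source_ranges: list = field(default_factory=list)            # ingress rules
    destination_ranges: list = field(default_factory=list)       # egress rules
    target_tags: list = field(default_factory=list)              # GCP allows tags OR
    target_service_accounts: list = field(default_factory=list)  # service accounts, not both
    protocols: dict = field(default_factory=dict)    # {"tcp": [22, "8000-8999"], "icmp": [], "all": []}

@dataclass
class Instance:
    name: str
    tags: list = field(default_factory=list)
    service_account: Optional[str] = None

@dataclass
class Packet:
    direction: str
    peer_ip: str                                     # source for INGRESS, destination for EGRESS
    protocol: str
    port: Optional[int] = None

# The two implied rules every VPC network has, at the lowest priority.
IMPLIED_RULES = [
    FirewallRule("implied-allow-egress", "EGRESS", "allow", 65535,
                 destination_ranges=["0.0.0.0/0"], protocols={"all": []}),
    FirewallRule("implied-deny-ingress", "INGRESS", "deny", 65535,
                 source_ranges=["0.0.0.0/0"], protocols={"all": []}),
]

def _in_ranges(ip: str, ranges: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)

def _port_matches(spec: list, port: Optional[int]) -> bool:
    if not spec:                                     # protocol listed without ports = every port
        return True
    for entry in spec:
        lo, hi = (entry, entry) if isinstance(entry, int) else map(int, entry.split("-", 1))
        if port is not None and lo <= port <= hi:
            return True
    return False

def rule_matches(rule: FirewallRule, inst: Instance, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.target_tags or rule.target_service_accounts:          # no target = every instance
        if not (set(rule.target_tags) & set(inst.tags)
                or inst.service_account in rule.target_service_accounts):
            return False
    ranges = rule.source_ranges if pkt.direction == "INGRESS" else rule.destination_ranges
    if ranges and not _in_ranges(pkt.peer_ip, ranges):
        return False
    if "all" in rule.protocols:
        return True
    return pkt.protocol in rule.protocols and _port_matches(rule.protocols[pkt.protocol], pkt.port)

def evaluate(rules: list, inst: Instance, pkt: Packet) -> tuple:
    """First match wins: lower priority number first, deny before allow at equal priority,
    and the implied rules catch whatever no explicit rule matched."""
    for rule in sorted(rules + IMPLIED_RULES, key=lambda r: (r.priority, r.action != "deny")):
        if rule_matches(rule, inst, pkt):
            return rule.action, rule.name
    raise RuntimeError("unreachable: the implied rules match every packet")

# Constructed policy and instances (assumed names/addresses; LB ranges are the documented ones).
WEB_SA = "web-backend@example-project.iam.gserviceaccount.com"
RULES = [
    FirewallRule("allow-ssh-bastion", "INGRESS", "allow", 1000, source_ranges=["203.0.113.0/24"],
                 target_tags=["bastion"], protocols={"tcp": [22]}),
    FirewallRule("deny-ssh-legacy", "INGRESS", "deny", 1000, source_ranges=["0.0.0.0/0"],
                 target_tags=["legacy"], protocols={"tcp": [22]}),
    FirewallRule("allow-web-from-lb", "INGRESS", "allow", 1000,
                 source_ranges=["130.211.0.0/22", "35.191.0.0/16"],
                 target_service_accounts=[WEB_SA], protocols={"tcp": [80, 443]}),
]
BASTION = Instance("bastion-1", tags=["bastion"])
LEGACY = Instance("bastion-legacy", tags=["bastion", "legacy"])
WEB = Instance("web-1", service_account=WEB_SA)

def decisions() -> dict:
    return {
        "office_ssh_to_bastion": evaluate(RULES, BASTION, Packet("INGRESS", "203.0.113.5", "tcp", 22)),
        "internet_ssh_to_bastion": evaluate(RULES, BASTION, Packet("INGRESS", "198.51.100.7", "tcp", 22)),
        "office_ssh_to_legacy": evaluate(RULES, LEGACY, Packet("INGRESS", "203.0.113.5", "tcp", 22)),
        "lb_http_to_web": evaluate(RULES, WEB, Packet("INGRESS", "35.191.0.10", "tcp", 80)),
        "internet_http_to_web": evaluate(RULES, WEB, Packet("INGRESS", "198.51.100.7", "tcp", 80)),
        "web_egress_dns": evaluate(RULES, WEB, Packet("EGRESS", "8.8.8.8", "udp", 53)),
    }
```

The `deny-ssh-legacy` rule demonstrates the tie-break: an instance carrying both tags loses SSH even from the office range, because deny wins over allow at the same priority. Note that the implied allow-egress means data can leave freely unless you add explicit egress deny rules.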

DNSSEC

The Domain Name System Security Extensions (DNSSEC) is a feature of the Domain Name System (DNS) that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but prevents attackers from manipulating or poisoning the responses to DNS requests.

3. Ensuring data protection

Data Loss Prevention API (DLP)

Fully managed service designed to help you discover, classify and protect your most sensitive data.

PII data

-- a person's name, credit card number, SSN, email address

The API can be applied to data in Cloud Storage and BigQuery (via inspection jobs) or to content sent directly in the request.

DLP works on free-form text, structured data (tables) and unstructured data (images, via OCR).

What to do with this data

--> Identify (inspect) sensitive data

--> De-identify data, using one of these transformations:
  • Redaction - remove the sensitive value entirely
  • Replacement - replace the value with a token such as its infoType name
  • Masking - replace one or more characters with another character (e.g. all but the last four digits with #)
  • Encryption - encrypt the sensitive value (deterministic or format-preserving) so that it can be reversed with the key

--> Re-identify (in case you want to recover the original data; only possible for the reversible, i.e. cryptographic, transformations)

Google has well over a hundred built-in infoTypes for identification and de-identification of data (the exact count grows with each release).

Templates - reusable configurations that define what an inspection job or a de-identification job does

Once a template is defined it can be reused for other jobs

Template types:
  • Inspection templates - find sensitive data
  • De-identification templates - remove or transform sensitive data

INFOTYPES

What to scan for, such as credit card numbers, SSNs, age

Types of infoTypes:
  • Built-in - e.g. US_SOCIAL_SECURITY_NUMBER, EMAIL_ADDRESS, CREDIT_CARD_NUMBER; well over a hundred are defined
  • Custom (stored) - defined by you: fixed word lists (dictionaries), regular expressions, or large dictionaries stored in Cloud Storage/BigQuery

Match likelihood - how much confidence DLP has in a finding

Levels, from lowest to highest: VERY_UNLIKELY, UNLIKELY, POSSIBLE, LIKELY, VERY_LIKELY. LIKELIHOOD_UNSPECIFIED is the default and is treated as POSSIBLE. Set a minimum likelihood on the job to trade false positives against false negatives.

Create a DLP inspection template to specify what to look for

Create an inspection job - analyze the content as per the template and store the findings in BigQuery; you have multiple output options here

Create a DLP de-identification template to specify how each infoType is transformed

Create a de-identification job
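The inspect / de-identify / re-identify pipeline from the last sections, as an added example that is not DLP's own code: a few simplified detectors stand in for built-in infoTypes (the names match DLP's, the regexes are this example's), a word list stands in for a stored custom infoType, a Luhn check drives the credit-card likelihood so a minimum likelihood can filter a look-alike number, and the four transformations (redact, replace with infoType, character mask, reversible surrogate) are applied per infoType. The surrogate uses a keyed HMAC token plus an in-memory vault in place of DLP's deterministic encryption, which is an assumption of this example; the sample record is constructed.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# DLP likelihood scale, least to most confident; LIKELIHOOD_UNSPECIFIED behaves as POSSIBLE.
LIKELIHOODS = ["VERY_UNLIKELY", "UNLIKELY", "POSSIBLE", "LIKELY", "VERY_LIKELY"]

# Built-in-style infoTypes: names as DLP uses them, detectors simplified for this example.
INFO_TYPES = {
    "EMAIL_ADDRESS": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "US_SOCIAL_SECURITY_NUMBER": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CREDIT_CARD_NUMBER": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}
# Custom (stored) infoType backed by a dictionary of fixed words.
CUSTOM_DICTIONARIES = {"PROJECT_CODENAME": {"Kestrel", "Bluebird"}}

def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    parity, total = len(digits) % 2, 0
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def likelihood(info_type: str, quote: str) -> str:
    """Confidence per finding: a card with a bad checksum or an SSN with an unissued area is UNLIKELY."""
    if info_type == "CREDIT_CARD_NUMBER":
        return "VERY_LIKELY" if luhn_ok(quote) else "UNLIKELY"
    if info_type == "US_SOCIAL_SECURITY_NUMBER":
        area = quote[:3]
        return "UNLIKELY" if area in ("000", "666") or area[0] == "9" else "LIKELY"
    return "LIKELY" if info_type in CUSTOM_DICTIONARIES else "VERY_LIKELY"

@dataclass
class Finding:
    info_type: str
    quote: str
    start: int
    end: int
    likelihood: str

def inspect(text: str, min_likelihood: str = "POSSIBLE") -> list:
    """Inspection: every infoType match at or above min_likelihood, ordered by position."""
    detectors = dict(INFO_TYPES)
    for name, words in CUSTOM_DICTIONARIES.items():
        detectors[name] = re.compile(r"\b(?:"+ "|".join(map(re.escape, sorted(words))) + r")\b")
    findings = []
    for name, pattern in detectors.items():
        for m in pattern.finditer(text):
            lk = likelihood(name, m.group())
            if LIKELIHOODS.index(lk) >= LIKELIHOODS.index(min_likelihood):
                findings.append(Finding(name, m.group(), m.start(), m.end(), lk))
    return sorted(findings, key=lambda f: f.start)

def mask(value: str, keep_last: int = 4, masking_char: str = "#") -> str:
    """Character masking: hide every digit except the last keep_last; separators are kept."""
    out, kept = [], 0
    for ch in reversed(value):
        if ch.isdigit() and kept < keep_last:
            kept += 1
            out.append(ch)
        else:
            out.append(masking_char if ch.isdigit() else ch)
    return "".join(reversed(out))

def tokenize(info_type: str, value: str, key: bytes, vault: dict) -> str:
    """Reversible surrogate in DLP's INFOTYPE(len):token shape; keyed HMAC + vault (assumption)."""
    token = hmac.new(key, f"{info_type}:{value}".encode(), hashlib.sha256).hexdigest()[:16]
    vault[token] = value
    return f"{info_type}({len(value)}):{token}"

def deidentify(text: str, findings: list, transforms: dict, key: bytes, vault: dict) -> str:
    """Per-infoType transformation, applied from the end so offsets stay valid (non-overlapping findings)."""
    actions = {
        "redact": lambda f: "",
        "replace_with_info_type": lambda f: f"[{f.info_type}]",
        "mask": lambda f: mask(f.quote),
        "tokenize": lambda f: tokenize(f.info_type, f.quote, key, vault),
    }
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        out = out[:f.start] + actions[transforms.get(f.info_type, "redact")](f) + out[f.end:]
    return out

SURROGATE = re.compile(r"[A-Z_]+\(\d+\):([0-9a-f]{16})")

def reidentify(text: str, vault: dict) -> str:
    """Re-identification: swap every surrogate back for its original value."""
    return SURROGATE.sub(lambda m: vault.get(m.group(1), m.group(0)), text)

# Constructed sample record; the second card has the right shape but fails the Luhn check.
SAMPLE = ("Customer Jane Roe (jane.roe@example.com) paid with card 4111 1111 1111 1111 "
          "for project Kestrel; SSN 123-45-6789 on file. "
          "Backup card 1234 5678 9012 3456 was declined.")
TRANSFORMS = {"CREDIT_CARD_NUMBER": "mask", "US_SOCIAL_SECURITY_NUMBER": "replace_with_info_type",
              "EMAIL_ADDRESS": "tokenize", "PROJECT_CODENAME": "redact"}

def demo(min_likelihood: str = "POSSIBLE") -> tuple:
    """Inspect, de-identify and re-identify SAMPLE; returns (findings, deidentified, reidentified)."""
    key, vault = secrets.token_bytes(32), {}
    findings = inspect(SAMPLE, min_likelihood)
    deid = deidentify(SAMPLE, findings, TRANSFORMS, key, vault)
    return findings, deid, reidentify(deid, vault)
```

With the default POSSIBLE threshold the look-alike backup card is left in the clear, which is the trade-off the likelihood setting controls; lowering the threshold to UNLIKELY masks it too, at the cost of more false positives on ordinary numbers.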

Data Encryption at Rest

- Encryption

  • Google-managed encryption keys
  • Customer-managed encryption keys (Cloud KMS)
  • Customer-supplied encryption keys
  • Object lifecycle policy for Cloud Storage objects
  • Secret Manager for application secrets
  • Application secrets inside Cloud Functions

**In GCP data is stored in**

GCS, Persistent Disk, Local SSD (does not work in isolation; needs a VM), file servers (Filestore), database files

Encryption/Decryption

PlainText --> Key1 --> Encryption Algorithm --> CipherText
CipherText --> Key2 --> Decryption Algorithm --> PlainText

Symmetric key encryption - Key1 and Key2 are the same key. Asymmetric key encryption - Key1 and Key2 are different (a public/private key pair).

When to encrypt

Data at rest - stored on disk or in a database

Data in motion - data transferred from one network to another, within GCP or outside of GCP

Data in use - data in RAM: Memorystore, in-memory data processing (Confidential VMs encrypt memory for this case)

What are the things need to encrypt

- Data

- Keys (envelope encryption): the data encryption key (DEK) that encrypts each chunk of data is itself encrypted with a key encryption key (KEK) held in KMS, and only the wrapped DEK is stored next to the data

Client-side (encryption occurs before the data is sent to Cloud Storage)

Server-side (encryption occurs after Google Cloud receives your data)

Manage encryption keys on Google Cloud.

3 ways of managing keys

  • Google-managed encryption keys - the default; Google generates, rotates and stores the keys
  • Customer-managed encryption keys (CMEK) - keys live in Cloud KMS in your project; you control rotation and IAM on the key, and disabling the key cuts off access to the data
  • Customer-supplied encryption keys (CSEK) - you supply the raw key with each request; Google uses it in memory and does not store it
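Envelope encryption as described above, as an added example that is not Google's code: a per-object DEK encrypts the data, a KMS stand-in wraps the DEK under a KEK that never leaves it, only the wrapped DEK is stored beside the ciphertext, and rotating the KEK re-wraps the DEK without touching the ciphertext. Python's standard library has no AES, so an HMAC-SHA256 counter-mode keystream with an HMAC tag (encrypt-then-MAC) stands in for AES-GCM; that substitution, the `KeyManagementService` class and the key names are assumptions of this example. With Cloud KMS the `wrap`/`unwrap` calls would be the KMS encrypt/decrypt API on the KEK.

```python
import hashlib
import hmac
import secrets
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (use AES-GCM in production)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple:
    """Derive independent encryption and MAC keys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC with a fresh random nonce; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time before touching the ciphertext; raise on any change."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if len(blob) < NONCE_LEN + TAG_LEN or not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, wrong AAD or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyManagementService:
    """Stand-in for Cloud KMS: key encryption keys (KEKs) never leave this object;
    callers only ever ask it to wrap or unwrap a data encryption key (DEK)."""

    def __init__(self):
        self._keks = {}

    def create_key(self, name: str) -> str:
        self._keks[name] = secrets.token_bytes(32)
        return name

    def wrap(self, kek_name: str, dek: bytes) -> bytes:
        return seal(self._keks[kek_name], dek, aad=kek_name.encode())   # AAD binds blob to its KEK

    def unwrap(self, kek_name: str, wrapped: bytes) -> bytes:
        return unseal(self._keks[kek_name], wrapped, aad=kek_name.encode())


def encrypt_object(kms: KeyManagementService, kek_name: str, data: bytes) -> dict:
    """Envelope encryption: a fresh DEK per object encrypts the data and KMS wraps the DEK;
    only the wrapped DEK is stored next to the ciphertext."""
    dek = secrets.token_bytes(32)
    return {"kek": kek_name, "wrapped_dek": kms.wrap(kek_name, dek), "ciphertext": seal(dek, data)}


def decrypt_object(kms: KeyManagementService, stored: dict) -> bytes:
    dek = kms.unwrap(stored["kek"], stored["wrapped_dek"])
    return unseal(dek, stored["ciphertext"])


def rewrap(kms: KeyManagementService, stored: dict, new_kek: str) -> dict:
    """KEK rotation: re-wrap the DEK under the new KEK without re-encrypting the object."""
    dek = kms.unwrap(stored["kek"], stored["wrapped_dek"])
    return {**stored, "kek": new_kek, "wrapped_dek": kms.wrap(new_kek, dek)}
```

The AAD ties each wrapped DEK to the name of its KEK, so a blob cannot be replayed against a different key; disabling or destroying the KEK in KMS makes every DEK wrapped under it unrecoverable, which is how CMEK lets you revoke access to data without rewriting it.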

4. Managing operations within a cloud solution environment

RTO - Recovery Time Objective - the maximum time the system can be down after a failure before it must be restored. RPO - Recovery Point Objective - the maximum amount of data loss the organization can tolerate, expressed as time (an RPO of 1 hour means backups at least hourly).

Data backup

Data at On-Premises

Cloud Storage, Cloud Interconnect, transfer services, Transfer Appliance

Data at Public Cloud

Storage Transfer Service - transfers data to Cloud Storage from a different cloud or online service, or from one GCS bucket to another. Supports Amazon S3 and Azure Storage as sources.

a. From one GCS bucket to another within GCP - use Storage Transfer Service; use object lifecycle rules to move data from one storage class to another within a bucket.

b. Persistent Disk / VM backup - take a snapshot, or build a custom image (from a disk, another snapshot, an image, a virtual disk file or a cold-storage file); an image captures the disk together with its dependent libraries.

Database Backup

If your database is on-premises or in another public cloud:

For each vendor, the method to export data varies

Upload the export to GCS, then import the data into the database instance. For a Cloud SQL instance inside GCP use on-demand backups and scheduled (automated) backups.


From Youtube- Edureka

https://www.youtube.com/watch?v=UaQf4Uw7iO4&list=RDCMUCkw4JCwteGrDHIsyIIKo4tQ&start_radio=1

Security Command Center - an intelligent risk dashboard and analytics system for surfacing, understanding and remediating Google Cloud security and data risks across an organization.

Security Command Center provides a single, centralized dashboard so you can:

View/monitor an inventory of your cloud assets. Scan storage systems for sensitive data. Detect common web vulnerabilities and anomalous behaviour. Review the access rights to critical or important resources in your org. Follow the recommended actions to resolve the vulnerabilities found.

Features

  1. Gain centralized visibility and control.
  2. Fix misconfigurations and compliance violations
  3. Threat detection
  4. Threat Prevention
  5. Sensitive data identification

Cloud Armor

Google Cloud Armor protects your applications and websites against denial-of-service and other web attacks.

DDoS - A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.

How it works

a. Cloud Armor's DDoS protection is always on and inline, scaling to the capacity of Google's global network.

b. It detects and mitigates network attacks in order to allow only well-formed requests through the load-balancing proxies.

c. Cloud Armor security policies enable you to allow or deny access to your external HTTP(S) load balancer at the Google Cloud edge.

d. It helps you prevent unwanted traffic from consuming resources or entering your VPC networks.

Features

IP-based and geo-based access control

Adaptive Protection

Pre configured web application firewall rules

GCP identity and access management

Identity and Access Management (IAM) lets administrators authorize who can take which action on a specific resource.

How it works

  1. With IAM, you manage access control by defining who (identity) has what access (role) for which resource.

  2. Permissions are grouped into roles, and roles are granted to authenticated members (principals).

  3. When an authenticated member attempts to access a resource, IAM checks the resource's policy (including the policies inherited from its parents) to determine whether the action is permitted.

  4. Only if the action is permitted does it let the user access the resource.

Features

Smart access control - IAM Recommender suggests removing roles whose permissions have not been used

Fine-grained control - applies at the organization, folder, project and resource level

Single access control interface - one policy model for all Google Cloud services

Gcp Security best practices

Cloud Security - Shared Responsibility

Platform Security - Google takes care of platform security: the physical machines and datacenters, and the software and data the platform itself uses.

Application Security - Users must take care of proper identification, authentication and authorization of users in their own systems.

Infrastructure Security - both the user and Google have to take care of this (Google secures the infrastructure; the user configures it securely).

  1. Apply least-privilege access controls - assign the minimum access that lets a user do their job.

  2. Manage unrestricted traffic and firewalls - limit the source IP ranges on each firewall rule and only allow the networks that need access to those resources. At the firewall level, both the targets (which VMs a rule applies to) and the sources can be specified by network tag or by service account, so a rule only affects the VMs carrying that tag or running as that service account.

  3. Ensure bucket names are unique - bucket names are global across all of Cloud Storage, so creation fails if the name is taken; pick a naming convention that does not leak internal details.

  4. Set up a Google Cloud organizational structure - so that assigning a permission to a group at a folder or organization node is reflected on all resources underneath.

Google cloud security: Getting Started and Best Practices

https://www.youtube.com/watch?v=2WdTU0f8QRg

How Google Approaches Security

Organizing your resources

Identity and Access Management

Network Security

Operational Monitoring

Data Security

Zero Trust

Google infrastructure security

**Operational Security**

Intrusion Detection | Reducing Insider Risk | Safe Employee Devices and Credentials

Internet Communication

Google Front End | DoS Protection

Storage Services

Encryption at Rest | Deletion of Data

User Identity

Authentication | Login Abuse Protection

Service Deployment

Access Management of End-User Data | Encryption of Inter-Service Communication | Inter-Service Access Management | Service Identity, Integrity, Isolation

Hardware Infrastructure

Secure Boot Stack and Machine Identity | Hardware Design and Provenance | Security of Physical Premises

Planning and setting our organization

Organization hierarchy

Structure your org so that you can manage resources efficiently and effectively.

Map our physical organization to Google cloud platform Organization structure

Organization - created from a Cloud Identity or Google Workspace domain (example.com)

Central control of all resources

  • View and manage all of your company's projects - no shadow projects or rogue admins.

  • Projects belong to your organization instead of the employee who created the project.

  • Cloud Identity & Access Management (Cloud IAM) controls users' access to resources, including critical components such as networking, billing and org admin.

  • Org policies constrain what can be done with resources.

Folders - nodes can contain projects, folders up to 10 levels deep

Folders can be used to control access to the resources in the folder through folder-level IAM policies.

Enforce constraints on allowed resource configurations thru the org policy service

Projects

Trust boundary for all your resources.

IAM enforcement point

Projects are completely separate from one another

Resources are part of a project

Projects can be part of an organization

Billing accounts are mapped to projects.

You can map projects to your teams.

You can map projects to your team.

Recommended project organization

  • One project per application or service for each environment
  • Consistent naming scheme for all company projects

Implementing guard rails

The effective policy for a resource is the union of the policy set at that resource and the policies inherited from its parents (project, folder, organization). Inheritance is additive: a role granted at the organization cannot be taken away at a folder or project below it.

# Set less permissive (broad but low-risk) policies at the org level and add the more powerful, narrowly scoped grants as you go down the resource hierarchy; never grant a broad role at the top expecting to restrict it lower down.

Folders per environment: Dev | Test | Prod
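The IAM evaluation described under "How it works" above and the union rule in this section, as an added example that is not Google's code: a resource's ancestry is walked up to the organization, every binding that names the principal (directly, via a group, or via allUsers) contributes its role, and a permission is allowed if any of those roles carries it. The `check` function also reports which node and role supplied the permission, which is what you need when a grant at the top of the hierarchy turns out to be the reason an engineer can read production. The role-to-permission table, the group membership and the org layout are constructed for this example (real roles carry many more permissions, and IAM deny policies are out of scope here).

```python
from dataclasses import dataclass, field
from typing import Optional

# Tiny subset of real role -> permission expansions (assumed here; real roles carry many more).
ROLE_PERMISSIONS = {
    "roles/viewer": {"compute.instances.get", "storage.buckets.get", "storage.objects.get"},
    "roles/compute.instanceAdmin.v1": {"compute.instances.get", "compute.instances.create",
                                       "compute.instances.delete"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.create",
                                  "storage.objects.delete"},
}
# Group membership lives in Cloud Identity, not in the IAM policy (constructed data).
GROUP_MEMBERS = {"group:engineering@example.com": {"user:alice@example.com", "user:bob@example.com"}}


@dataclass
class Node:
    """One node of the resource hierarchy (organization, folder or project) with its allow policy."""
    name: str
    parent: Optional["Node"] = None
    bindings: dict = field(default_factory=dict)     # role -> set of members

    def bind(self, role: str, *members: str) -> "Node":
        self.bindings.setdefault(role, set()).update(members)
        return self


def principals_of(member: str) -> set:
    """A user matches bindings on itself, on each group it belongs to, and on allUsers."""
    return {member, "allUsers"} | {g for g, ms in GROUP_MEMBERS.items() if member in ms}


def effective_grants(node: Node, member: str) -> list:
    """Walk from the resource up to the organization; the effective policy is the union."""
    grants, n = [], node
    while n is not None:
        for role, members in n.bindings.items():
            if members & principals_of(member):
                grants.append((n.name, role))
        n = n.parent
    return grants


def check(node: Node, member: str, permission: str) -> tuple:
    """(allowed, sources): every (node, role) binding in the ancestry that supplies the permission."""
    sources = [(n, r) for n, r in effective_grants(node, member)
               if permission in ROLE_PERMISSIONS.get(r, set())]
    return bool(sources), sources


def build_hierarchy() -> dict:
    """Constructed example org: engineers are viewers everywhere, instance admins only under dev."""
    org = Node("organizations/example.com").bind("roles/viewer", "group:engineering@example.com")
    dev = Node("folders/dev", org).bind("roles/compute.instanceAdmin.v1", "group:engineering@example.com")
    prod = Node("folders/prod", org)
    app_dev = Node("projects/app-dev", dev)
    app_prod = Node("projects/app-prod", prod).bind("roles/storage.objectAdmin", "user:carol@example.com")
    return {"org": org, "dev": dev, "prod": prod, "app-dev": app_dev, "app-prod": app_prod}


if __name__ == "__main__":
    h = build_hierarchy()
    print(check(h["app-prod"], "user:alice@example.com", "compute.instances.get"))
    print(check(h["app-prod"], "user:alice@example.com", "compute.instances.create"))
```

Alice can create instances in app-dev because of the folder-level grant, cannot in app-prod, and can still read instances in app-prod purely because of the org-level viewer binding; nothing set on the prod folder or project could remove that read access, which is the reason to keep org-level grants minimal.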

Resources

Firewall @ datacenter - sits between subnets

Firewall @ Google Cloud - enforced per VM, so it also filters traffic between two VMs in the same subnetwork

VM #1 ---- Firewall rules ----- VM #3

Attaching firewall rules to VMs

Tags and service accounts

Prefer service accounts over tags for applying firewall rules

Tags: an instance admin may add or remove network tags as needed. While an instance admin cannot define firewall rules, adding a tag changes which rules apply to the VM, so some orgs require further restrictions. (Tags are NOT an ACL.)

Service account: an instance admin requires a specific IAM permission (iam.serviceAccounts.actAs, from the Service Account User role) on the service account in order to create VM instances with that service account.

Service account firewall rule: ties a firewall rule to a specific service account, thus restricting who may make use of a firewall rule and where those rules get applied.

Firewall rule --- rule applied to service account --> Service account --> service account is the compute instance's identity --> compute instance

VPC Service controls (Securing the connectivity/ Network - network level acccess control)

Define a security perimeter with VPC Service Controls - define security perimeters around sensitive data in Google Cloud services.

VPC Service Controls lets customers address threats such as data theft, accidental data loss and excessive access to data stored in GCP multi-tenant services. It enables clients to control which entities can access which services, in order to reduce both intentional and unintentional losses.

VPC Service Controls addresses the problem of protecting the ingress and egress of data that is accessed through GCP service APIs (Cloud Storage, BigQuery, etc.). It hides your services from external networks: a service perimeter creates a security boundary around your GCP resources, and you can configure the perimeter to control communication from your VMs to the GCP service APIs and to block API calls that would move data out of the perimeter, even when the caller holds the IAM role to do so.

VPC Service control feature

Control VM to service and service to service paths.

Ingress: Prevent access from the unauthorized networks.

Egress : prevent copying of data to unauthorized GCP projects.

Project level granualarity.

Mitigate data exfiltration risks

Privately access GCP services from on-premises

Enforce context aware access from the internet

Centrally manage security policies

Identity aware proxy (Network security - application level access control)

  • For customers running apps on GCP, access controls can be added to those applications based on the end user's identity (and, via access levels, on the device and network context).

  • Allows you to shift access controls from the network perimeter to individual devices and users.

- Identity-Aware Proxy enables a central, manageable layer where authorization checks are applied before a request reaches the application; the app should verify the signed IAP JWT header on each request to make sure the request really passed through the proxy.

Cloud Armour : DDOS protect & WAF

Cloud Armor is your protection against DDoS attacks and a WAF. It is delivered at Google's edge network and blocks attacks there, in front of your load balancers, so it is an extra layer that guards against layer 7 (application) attacks and applies access control to backend traffic based on client IP, geography and request content.

Defense against L3/L4 volumetric and protocol DDoS attacks; L7 WAF rules for application attacks.

HTTPS --> HTTP(S) LOAD BALANCER --> CLOUD ARMOR [IP allow/deny, geo, WAF, custom rules (L3 - L7)]

                                      |
                                      |
                                      |
                 ------------------------------------
           App instance        App instance    App instance
[Firewalls should be configured to only allow traffic from the HTTPS LB (proxy/health-check ranges 130.211.0.0/22 and 35.191.0.0/16), no direct internet traffic]

Data monitoring

GCP data is encrypted at rest and in transit by default. We can manage the keys with Google-managed encryption keys, or bring our own with customer-managed (Cloud KMS) or customer-supplied keys.

Cloud Data Loss Prevention - masks or tokenizes your PII data (e.g. into a hash or asterisks) to make your data more secure.

Tip # Give access to your data based on the least-privilege principle, e.g. grant time-limited access to objects in storage buckets with signed URLs instead of making the bucket public.

Google Cloud Encryption in Transit

https://www.youtube.com/watch?v=Dzju5aALHRQ https://cloud.google.com/security/encryption-in-transit

The Google Front End (GFE) terminates TLS for traffic from the user to Google and provides load balancing and DDoS attack mitigation.

The Google Front End protects your data using

  1. Authentication - the server proves its identity with a certificate.

  2. Integrity - data arrives unaltered.

  3. Encryption - any data sent to GCP is encrypted by default from the user to GCP using Transport Layer Security (TLS).

Once your data is inside google what hapens?