Scribd
Upload
58 views

GCP Pse

This document provides an overview of identity and access management in Google Cloud. It discusses using a Google account, Google Workspace, or Cloud Identity domain to manage users. It also covers exploring the Google Admin Console to add and manage users and groups, as well as configure password policies and two-step verification. The document briefly introduces Google Cloud Directory Sync and SAML single sign-on integration. The overall summary is that this document outlines how to set up and configure identity management within Google Cloud.

Uploaded by

Mata
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
58 views

GCP Pse

This document provides an overview of identity and access management in Google Cloud. It discusses using a Google account, Google Workspace, or Cloud Identity domain to manage users. It also covers exploring the Google Admin Console to add and manage users and groups, as well as configure password policies and two-step verification. The document briefly introduces Google Cloud Directory Sync and SAML single sign-on integration. The overall summary is that this document outlines how to set up and configure identity management within Google Cloud.

Uploaded by

Mata
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 162

GCP

Google Cloud
Professional Cloud
Security Engineer

© ANKIT MISTRY – GOOGLE CLOUD


Google Certified
Professional Security Engineer

© ANKIT MISTRY – GOOGLE CLOUD


Professional Security Engineer
 Pay attention for 5 minutes, before we dive in.

 Course is long, 12+ Hours of video

 Basic foundation for GCP is required

 Learn by Doing

 So with every exam objective, There is hand-on Lab – 50+

© ANKIT MISTRY – GOOGLE CLOUD


GCP certifications

https://cloud.google.com/certification/guides/cloud-security-engineer

© ANKIT MISTRY – GOOGLE CLOUD


Cloud Cost for this course
 $0 – for GCP account without domain

 Domain Purchase cost

 GCP Free trial

 $300 for next 3 months https://cloud.google.com/free

 Length: Two hours

 Registration fee: $200 (plus tax where applicable)

 Languages: English

 Exam format: Multiple choice and multiple select,

© ANKIT MISTRY – GOOGLE CLOUD


Udemy Tips

@ ANKIT MISTRY – GOOGLE CLOUD


PSE Exam Guide

@ ANKIT MISTRY – GOOGLE CLOUD


GCP Fundamental

@ ANKIT MISTRY – GOOGLE CLOUD


GCP Regions & Zones

@ ANKIT MISTRY – GOOGLE CLOUD


Why Zones & Regions

 Low latency

 Follow Government rules


Singapore Singapore US West US West
 High availability Zone-a Zone-b Zone-a Zone-b

 Disaster recovery

@ ANKIT MISTRY – GOOGLE CLOUD


GCP (Zones & Region)
Fascinating Number: Google Is Now 40% Of The Internet (forbes.com)

 Zones – Independent data Center Global


Multi-regions
 Region – Geographical area Regions-1 Regions-2
Zone-a Zone-a
 Multi-region : Collection of Geographical
Zone-b Zone-b

 Global - Anywhere Zone-c Zone-c

Global Locations - Regions & Zones | Google Cloud

@ ANKIT MISTRY – GOOGLE CLOUD


GCP Services
 GCP has 200+ services

 Security Engineer certification


 Encryption

 VPC

 Hybrid Connectivity

 Data Loss

 SCC – Security Command Center

© ANKIT MISTRY – GOOGLE CLOUD


GCP Security at
Google
BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Security at Google
 What Google does to secure your app, data

 How Google does all these

 Security mechanism at different layers

 Shared responsibility model

 Tools GCP provide to secure your resources

 Regulatory compliance

© ANKIT MISTRY – GOOGLE CLOUD


Why trust on Google for
Security

 Google has more than 7 app having billion plus users

 Security is main concern for Google

 Your app, data will be deployed in same infra where these amazing
app is hosted.

 Google has hundreds of dedicated engineer working on security of


their platform 24x7

© ANKIT MISTRY – GOOGLE CLOUD


How Google Secure Infra
 Hardware layer
 Less than 1% of employee has physical access to data center

 Google builds all hardware required for infrastructure

 IAM
 Identity & access management

 IAM centrally manage all Authorization

 Who can do what on which resources

© ANKIT MISTRY – GOOGLE CLOUD


Contd
 User management
 Google account authentication – Support for SAML
 Enforce rule
 Password length, 2 step verification

 Storage Data
 Google By default encrypt all data with Google managed encryption key
 CMEK, CSEK

 Data in Transit
 Google encrypt all traffic which goes beyond physical boundary of Google.

© ANKIT MISTRY – GOOGLE CLOUD


Contd
 GCP offers IAP to secure your VM & App engine

 Built-in DOS attack prevention

 Data loss prevention

 To Inspect

 To Redact

 To Transform

 To re-identify PII Data

© ANKIT MISTRY – GOOGLE CLOUD


Contd
 VPC layer Security
 Some Cloud native solutions

 Subnet

 Firewall rules

 Ingress/Egress Traffic

 Cloud Armor

 Operations
 Logging, Monitoring, trace, Profiling

© ANKIT MISTRY – GOOGLE CLOUD


Contd
 Regulatory Compliance
 Encryption, Hardware security, VPC Firewall is technical aspect of security

 Compliance is another important face of Security.

 Cloud providers need to follow different compliance standard.

 Google does verification of Compliance after periodic interval.

© ANKIT MISTRY – GOOGLE CLOUD


Shared Responsibility Model
 Google Responsibility to secure cloud, app, data is one aspect

 As a cloud user, also responsible to secure individual resources

 Its shared responsibility between user & Google

© ANKIT MISTRY – GOOGLE CLOUD


https://cloud.google.com/security/incident-response

© ANKIT MISTRY – GOOGLE CLOUD


© ANKIT MISTRY – GOOGLE CLOUD
1.Configuring Access
Within Cloud Solution
Environment
BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Module 1
 Cloud Identity Domain

 Google Admin Console

 Resource hierarchy

 IAM – Identity & access management

© ANKIT MISTRY – GOOGLE CLOUD


Cloud identity
Google Cloud Identity is an Identity as a Service (IDaaS) solution that
Account
centrally manages users and groups.

Google Service
Groups Different Account

Cloud
Identity

Cloud
Google
Identity
Workspace
Domain

© ANKIT MISTRY – GOOGLE CLOUD


Google Account
 With Any valid Email-ID  In GCP Console :
 Gmail is common one.
 No Organization
 https://accounts.google.com/  You can not create Folders Hierarchy
 Good
 when Learning GCP
 Demonstrating some tutorial on GCP Console

 Issue :
 Personal ID – Not Organization specific
 If Employee left organization

© ANKIT MISTRY – GOOGLE CLOUD


Google Workspace
Like Office 365

 Paid Subscription for all Office apps like :


 Sheets, Slides, Docs & many more

 Verified Domain - Example.com

 Complete user management for employee in (Example.com)

 Subscription – per user per month/annual - 14 days Free Trial

Admin management Console - https://admin.google.com

© ANKIT MISTRY – GOOGLE CLOUD


Google Cloud identity Domain
 Like Google Workspace without all apps

 Google Workspace = Paid Apps + Cloud identity Domain

 Verified Domain - Example.com

 Complete user management for employee in (Example.com)

 Subscription – Free/Paid
 For Paid start with 14 Days Free Trial

 Admin management Console - https://admin.google.com

© ANKIT MISTRY – GOOGLE CLOUD


Create Cloud Identity Account
(Hands-on)

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Verify Cloud Identity Domain
(Hands-on)

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


(Free trial)
GCP Account with Cloud Identity Domain

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


(Free trial)
GCP Account with Google Personal
Account
BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Explore Google Admin Console

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Add users (Hands-on)

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Create Groups(Hands-on)

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Password Policy & 2SV(Hands-on)

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Google Cloud Directory Sync - GCDS

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


GCDS
 Google Cloud Directory Sync (GCDS) helps you can synchronize the data in your Google
Account with your Microsoft Active Directory or LDAP server

 GCDS doesn't migrate any content (such as email messages, calendar events, or files) to your
Google Account

 You use GCDS to synchronize your Google users, groups, and shared contacts to match the
information in your LDAP server.

© ANKIT MISTRY – GOOGLE CLOUD


GCDS

LDAP
GCDS Cloud Identity
Microsoft AD 10,679

https://tools.google.com/dlpage/dirsync/thankyou.html

© ANKIT MISTRY – GOOGLE CLOUD


SAML
 Security Assertion Markup Language

 Google authentication
 Credential stored at google server

 password, user info, etc…

 Google behaves like service provider + identity provider

 SAML – SSO based authentication


 use our organization or some third party as identity provider

 Google as service provider

© ANKIT MISTRY – GOOGLE CLOUD


Google Authentication

Identity
Provider +
User Service
Provider

© ANKIT MISTRY – GOOGLE CLOUD


SSO

Identity
Provider

User
Service
Provider

© ANKIT MISTRY – GOOGLE CLOUD


Configure SAML in Console
Let’s visit :

https://admin.google.com/

© ANKIT MISTRY – GOOGLE CLOUD


Resource
Hierarchy
in GCP

© ANKIT MISTRY – GOOGLE CLOUD


Organization policies

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


3 Policy Use cases
 Disable service account creation

 Enforce uniform bucket-level access

 Skip default network creation

© ANKIT MISTRY – GOOGLE CLOUD


GCP : IAM
 IAM – Identity & Access management

 Fine-grained access control and visibility for centrally managing cloud resources.

 Who can do What on Which resources.


 Who - Identity - Member - Email
 What – Roles (Collection of Permissions)
 Which (Resources, Compute, Appengine, BigQuery)

X can Create VM in Compute Engine


Y can Delete, Create Bucket in Cloud Storage

© ANKIT MISTRY – GOOGLE CLOUD


Identity

© ANKIT MISTRY – GOOGLE CLOUD


Roles

Primitive Pre-defined Custom Role


• Owner • Role on single service • Customized
• Editor • Compute Admin • Can be created from
• Viewer • Network viewer Predefined role
• Big query Job user

© ANKIT MISTRY – GOOGLE CLOUD


Permission
 Roles = Collection of permission
 Structure of permission :
 Service.ResourceType.Verb
 Example :
 bigtable.tables.get
 cloudfunctions.functions.list
 storage.objects.delete
 compute.disks.create

© ANKIT MISTRY – GOOGLE CLOUD


Primitive Roles
 Too much Broad access Primitive

 Not recommended
Owner Editor Reader
 Does not follow principal of least privilege

 Reader = Read only permission for all resource inside project

 Editor = Reader + Modification

 Owner = editor + manage user, groups, billing

© ANKIT MISTRY – GOOGLE CLOUD


Pre-Defined Roles
 GCP defined Role
 Maintained by GCP
 For each product/services – Different sets of Roles defined
 Like :
 Compute Admin
 Network viewer
 Big query Job user

© ANKIT MISTRY – GOOGLE CLOUD


Assign Roles to Identity

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Custom Roles
 Custom Defined

 Custom Roles can be defined by :


1. Combined Permission from multiple pre-define role
2. Remove Permission from pre-define role
3. Add Permission to pre-define role
4. Add list of permissions

© ANKIT MISTRY – GOOGLE CLOUD


Requirement for Custom Role

 For New Joinee , Create custom role from below requirement


 can upload object inside bucket - create

 can not delete object

 can not create bucket

© ANKIT MISTRY – GOOGLE CLOUD


Assign Role at Org/Folder level

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Demo Steps
 User kapil

1. Part – I
1. at Project level – Compute Admin
2. at org level – Editor

2. Part – II
1. Provide 2 role at same level

© ANKIT MISTRY – GOOGLE CLOUD


Service Account

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Service Account
 For non human – like for Apps, services

 Service Account is identity for Compute engine

 Service account keys for authentication

 Max 10 keys per Service Account

 Max 100 Service Account per project

© ANKIT MISTRY – GOOGLE CLOUD


Types Service Account

Types of Service
Account

Built-in SA -
Google Managed Compute Engine & User created
Service Account App Engine default custom SA
service accounts

© ANKIT MISTRY – GOOGLE CLOUD


[Hands-on] Create Service Account

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


[Hands-on]
Service Account + Virtual Machine

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


[Hands-on]
Cloud API access scopes
From Virtual Machine

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Access Scope
• 3 Access Scopes
• Allow default access
Legacy • Allow full access to all Cloud APIs
• Set access for each API
• Drawbacks – Machine must be stopped

• Assign role to Service account like Identity


Modern : IAM • No Machine restart required

© ANKIT MISTRY – GOOGLE CLOUD


Service Account as Identity

 Service Account can be used as identity for Compute Engine, App Engine

 Service Account User role


 User can use SA identity for Compute Engine, App Engine if user has

 iam.serviceAccounts.actAs Permission

 Service Account User role

© ANKIT MISTRY – GOOGLE CLOUD


Service Account as Resource

 User can use Service Account (Like Resource)

 User can do all things which role assigned to SA

 impersonate Service Account

 How to Do?
 Provide user Service Account Token Creator role

© ANKIT MISTRY – GOOGLE CLOUD


Service Account RSA Private
Key

 Like Google Account has Password


 Service Account has keys

 Keys can be used for Authentication

 Generate Key from Cloud Console

 gcloud auth activate-service-account --key-file=rsa_private_keys.json

© ANKIT MISTRY – GOOGLE CLOUD


© ANKIT MISTRY – GOOGLE CLOUD
2.Configuring network
security

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Module 2
 Network Resources
 VPC, Firewall, Subnets, CIDR

 Share VPC & VPC Peering

 Cloud Interconnect – Partner interconnect

 Cloud VPN

 Cloud Load balancing

© ANKIT MISTRY – GOOGLE CLOUD


CIDR notation
Classless Inter-Domain Routing 123.52.36.0
123.52.36.1

123.52.36.47 123.52.36.2
123.52.36.3
123.52.36.4
123.52.36.5 123.52.36.0 24
123.52.36.6
123.52.36.7
123.52.36.8
123.52.36.9 123.52.36.0/24

123.52.36.10
123.52.36.11

@ ANKIT MISTRY – GOOGLE CLOUD


CIDR notation
123.52.36.0
123.52.36.0/24 123.52.36.1
123.52.36.2
123.52.36.3
123.52.36.4
||
||
||
||
||
123.52.36.254
123.52.36.255
CIDR Notation

123.52.36.0/28 28 bits are fixed 4 bits are variable Total IP address – 24 = 16

123.52.36.0/31 31 bits are fixed 1 bit is variable Total IP address – 21 = 2

0.0.0.0/32 32 bits are fixed 0 bits are variable Total IP address – 20 = 1

0.0.0.0/0 0 bits are fixed 32 bits are variable Total IP address – 232
= 4,294,967,296

@ ANKIT MISTRY – GOOGLE CLOUD


VPC - Subnetworks
 No Network -> No Cloud  Network contain subnets

 Virtual version of a physical network  Subnets are used for segregate resources

 Networks are part of projects  Subnets has IP ranges

 Expressed as CIDR notation


 It’s Global resources

 Placeholder to keep all your resources  VPC must have minimum one subnet

 Max 5 networks per project  Subnet belongs to one single region in GCP

 No IP Assigned

© ANKIT MISTRY – GOOGLE CLOUD


VPC - Subnetworks
VPC

Subnet-1 Subnet-2

DB

© ANKIT MISTRY – GOOGLE CLOUD


Types of VPC

Default Auto Custom

• Created when compute • With Auto mode, Default • No Subnet automatically


engine API enabled VPC can be created created
• Every project has default • Fixed subnetwork ranges • Subnet creation manual
VPC per region • Custom IP range allocation
• There is one subnet per • Can expand from /20 to • No necessary to create
regions /16 subnet in each region
• Default firewall can be
added easily.

© ANKIT MISTRY – GOOGLE CLOUD


[Hands-on]
Default VPC

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


[Hands-on]
Auto Mode VPC

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


[Hands-on]
Custom Mode VPC

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


[Hands-on]
Custom Mode VPC

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


[Hands-on]
Create VM with all 3 VPC

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Firewall
VPC
F
Subnet-1
I Subnet-2

R
INTERNET
E
W
A
L DB

© ANKIT MISTRY – GOOGLE CLOUD


Firewall rules
 Trust nothing by default

 Some default rule :


 Allow all outgoing traffic - egress

 Deny all incoming traffic - ingress

 Rule has priority number : (0-65535)


 Lower the number higher priority

 Common port/protocol
 22 – SSH, 3389 - RDP

 ICMP – ping

 80 - HTTP/HTTPS

@ ANKIT MISTRY – GOOGLE CLOUD


Internal IP – External IP

INTERNET
10.0.0.1 10.0.0.2

Internel IP

DB
VPC1
123.52.36.52
10.10.0.25
External IP
External IP
123.52.37.52
VPC2

@ ANKIT MISTRY – GOOGLE CLOUD


Static vs ephemeral IP
 Ephemeral IP
IP Address  Short Lived

 Changes after VM restarts

Internal  Static IP
• Static
• Ephemeral  Constant – Can be exposed to outside

 High cost when not in use

External
• Static
• Ephemeral

@ ANKIT MISTRY – GOOGLE CLOUD


[Hands-on]
Expand Subnet IP ranges

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Shared VPC
 Host Project - Shared VPC Org

 Multiple Service Project


Project - 1 Project - 2
 Central management of VPC

 Large organization use shared VPC

 Max Host project – 100

 Max Service Project – up to 100

 Shared VPC is only available for projects within


an organization node only

@ ANKIT MISTRY – GOOGLE CLOUD


[Hands-on]
Shared VPC Demo

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


[Hands-on] Shared VPC Demo
 HostProject
 my-vpc

 ServiceP1

 ServiceP2

 Share my-vpc from HostProject to Service Project

@ ANKIT MISTRY – GOOGLE CLOUD


VPC peering
 No central management

 VPC Managed by individual project team & VPC - 1 VPC - 2

control all ingress egress traffic

 Use case
 Project 1 (Ecommerce App) wants to
communicate to Project 2 (ML Services App)
for Some services like Sentiment Analysis

@ ANKIT MISTRY – GOOGLE CLOUD


VPC peering

Org1 Org2

Project 1 Project 2 Project 3 Project 4

VPC1 VPC3 VPC5 VPC7

VPC2 VPC4 VPC6 VPC8

@ ANKIT MISTRY – GOOGLE CLOUD


[Hands-on] VPC Peering
 Org
 Project1
 VM1

 Project2
 VM2

 Test Connectivity from VM1 to VM2

 create peering

 Test Connectivity from VM1 to VM2

@ ANKIT MISTRY – GOOGLE CLOUD


IAP
 IAP - Identity aware proxy

 With IAP you can guard access to your applications and VMs.

 IAP can protect access to applications hosted on Google Cloud, other clouds, and on-premises.

User App Engine/VM

App
User IAP
Engine/VM

© ANKIT MISTRY – GOOGLE CLOUD


IAP - Demo
1. Secure App Engine Application – HTTP based
1. Consent screen configuration

2. Assign IAP web user role

2. Securely connect VM with Internal IP Address


1. With External IP address

2. Without external IP address – with tunneling

© ANKIT MISTRY – GOOGLE CLOUD


Google API Private Access
 Private access allow different subnetwork to use GCP services privately

 No external IP Address require

 Call Google APIs & Services with internal IP address

 YouTube API, Cloud Storage etc…

© ANKIT MISTRY – GOOGLE CLOUD


Private Access - Demo
1. Create VM with Default

2. Test connectivity with different APIs

3. Remove external IP

4. Step - 2

5. Make Private Google Access – On

6. Step - 2

© ANKIT MISTRY – GOOGLE CLOUD


GCP Hybrid Connectivity
Hybrid
Connectivity
 Connect your datacenter network
Products
with GCP network
Cloud VPN – Cloud Peering with
IPSEC Interconnect Google

Dedicated
Direct
Interconnect

Partner
Carrier
Interconnect

© ANKIT MISTRY – GOOGLE CLOUD


Cloud VPN
 A virtual private network lets you securely connect your Google Compute Engine resources to your own private network.

 Cloud VPN securely connects your peer network to your Virtual Private Cloud (VPC) network through an IPsec VPN

 It works between
 Google cloud & datacenter

 Google cloud & other public cloud (AWS)

 If you want to quickly setup connectivity, Cloud VPN is good choice.

 Traffic is encrypted by one VPN gateway and then decrypted by the other VPN gateway.

 Traffic travelled over public internet

 Cloud VPN tunnel can support up to 3 Gbps

© ANKIT MISTRY – GOOGLE CLOUD


Cloud Interconnect
 Extend your on premises VPC to GCP network

 highly available, low latency connection

 Access resource with Internal IP address only

 Require time for initial setup

 Once setup, it works with very low latency &


with Internal IP address

 No encryption while traffic travelled

© ANKIT MISTRY – GOOGLE CLOUD


Create Cloud
Interconnect Request
BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Dedicated vs partner Cloud
Interconnect

Dedicated Interconnect Partner Interconnect


No Encryption No Encryption

SLA : Your Datacenter & Google VPC SLA : Your Datacenter & Google VPC

Pricing is high Pricing is lower than dedicated

Bandwidth : 10 Gbps to 200 Gbps Bandwidth : 50 Mbps to 10 Gbps

No Service Provider require Service Provider require

Internal IP communication Internal IP communication

© ANKIT MISTRY – GOOGLE CLOUD


DNSSEC
 DNS – Domain name system

 Phonebook of internet
 google.com -> 172.217.12.142

 msn.com -> 13.82.28.61


DNSSEC
 DNS helps to travel packet from source to destination
DNS
 Packet is unencrypted, so can be hacked easily

 Need some layer of extra security on top of DNS

 Domain Name System Security Extensions- DNSSEC

© ANKIT MISTRY – GOOGLE CLOUD


© ANKIT MISTRY – GOOGLE CLOUD
3.Ensuring data protection

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Module 3
 Data loss prevention API

 Data Encryption – Cloud KMS

© ANKIT MISTRY – GOOGLE CLOUD


Data Loss Prevention
API
BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Data Loss Prevention API
 Fully managed service designed to help you discover, classify, and protect your most sensitive data.

 PII data
 Person’s name, Credit Card Number, SSN

 Apply API on Cloud Storage, Big Query Data

 DLP work upon Free form Text, Structured & Unstructured data (image)

 What to do with this Data


 Identify sensitive data
 De-identify data
 Masking and Encryption

 re-identify (In case want to recover original data)


© ANKIT MISTRY – GOOGLE CLOUD
De-Identification of Data
 Redacation – remove sensitive data

 Replacement – replace with some tokens (Like Info_type)

 Masking – Replace one/more character with some other char

 Encryption – Encrypt Sensitive Data

© ANKIT MISTRY – GOOGLE CLOUD


TEMPLETES, INFOTYPES &
MATCH LIKELIHOOD
BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


TEMPLATES
 Configuration which define for
 Inspection of Jobs

 De-identification of Jobs

 Once Template defined , can be reused for other Jobs


TEMPLATES
TYPES

Identification : De–Identification :
Find Sensitive Data Remove Sensitive Data

© ANKIT MISTRY – GOOGLE CLOUD


INFOTYPES
 What to Scan For Types of
INFOTYPES
 Like Credit Card

 SSN
Built-IN STORED
 Age

US_SOCIAL_SECURITY_NUMBER,
Custom Infotype
EMAIL_ADDRESS

Such types of 120 Built-in Infotype Based on Fixed words, Regular


Defined Expression, Custom Dictionary

© ANKIT MISTRY – GOOGLE CLOUD


MATCH LIKELIHOOD
LIKELIHOOD_UNSPECIFIED Default value; same as POSSIBLE.

It is very unlikely that the data matches the


VERY_UNLIKELY
given InfoType.
It is unlikely that the data matches the
UNLIKELY
given InfoType.
It is possible that the data matches the
POSSIBLE
given InfoType.
It is likely that the data matches the
LIKELY
given InfoType.
It is very likely that the data matches the
VERY_LIKELY
given InfoType.

© ANKIT MISTRY – GOOGLE CLOUD


DLP API Demo
https://cloud.google.com/dlp/demo/#!/

BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Create INFO_TYPE
(Hands-on)
BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Create TEMPLETES
(Hands-on)
BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Create Job for Inspection
(Hands-on)
BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Create Template for De-
identification
BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Apply Some more rules to
template
BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Managing Encryption
BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Data Encryption
 What is encryption

 When You should encrypt data – 3 Data States

 Cloud KMS

 Envelope Encryption

 Cloud Storage Encryption Options

© ANKIT MISTRY – GOOGLE CLOUD


Encryption
BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Why Encryption
 In GCP, Data stored at
 GCS

 Persistent Disk, SSD

 File Server

 Database File

 If Let’s say hacker get access to your hard Disk?

© ANKIT MISTRY – GOOGLE CLOUD


Encryption
Encryption
Key1

Cipher Text :
Plain Text : Encryption
Algorithm x3qHS1QusMZg0H
I am Learning GCP
ZYMd/7LQFWeok=

Key2
Symmetric Key Encryption Decryption
Asymmetric Key Encryption
© ANKIT MISTRY – GOOGLE CLOUD
When Encryption
 Data at Rest
 Data Situated at GCS, Database

 Data in Motion
 Data transfer from one network to another
 Within GCP or Outside of GCP

 Data in Use
 Data situated in RAM.
 Memory Store, In memory Data Processing

© ANKIT MISTRY – GOOGLE CLOUD


Cloud KMS
BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


What are the things need to
encrypt
 What are the things need to encrypt
 Data

 Keys
 Envelope Encryption

 Client Side
 Encryption that occurs before data is sent to Cloud Storage - GCP.

 Server Side

 Encryption that occurs after Google Cloud receives your data

© ANKIT MISTRY – GOOGLE CLOUD


Cloud KMS
 Manage encryption keys on Google Cloud.

 3 ways of managing keys


 Google-managed encryption keys

 Customer-managed encryption keys

 Customer-supplied encryption keys

© ANKIT MISTRY – GOOGLE CLOUD


Google-managed
encryption keys

 By Default Encryption

 Server side encryption – before data written to disk

 No Additional Configuration required

 Encrypt data using AES-256

 Google manage rotation policy

© ANKIT MISTRY – GOOGLE CLOUD


Customer-managed
encryption keys

 Keys generated by Google Cloud KMS


key1
 Customer has control over
KeyRing1
 Rotation policy
Cloud KMS key2
 HSM/Software based keys
KeyRing2

© ANKIT MISTRY – GOOGLE CLOUD


Customer-supplied
encryption keys

 Complete control over encryption keys

 If keys lost, data can not be recovered

 To generate keys,

 openssl rand -base64 32

 Can not create bucket from Cloud console

 gsutil -o 'GSUtil:encryption_key='keys

© ANKIT MISTRY – GOOGLE CLOUD


Object Lifecycle policy
for cloud storage object

 You can create object lifecycle rule

 To create rule Define :


 Action & Condition

 If condition met, Action will be executed

 Let’s see in Action

© ANKIT MISTRY – GOOGLE CLOUD


Application Secrets
 While building Application we need to store
 Database password, Some API Keys

 It’s not good idea to store in code or some config file

 Solution : Secret manager

 Dynamically grab secret inside code from secret manager

 Let’s see in action

© ANKIT MISTRY – GOOGLE CLOUD


Get App Secret inside
Cloud Function
BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


© ANKIT MISTRY – GOOGLE CLOUD
4-5. Managing operations within
a cloud solution environment,
Ensuring compliance
BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


RTO & RPO
 Data loss : 13 hours

 System Downtime : 7 Hours


Downtime RTO

Disaster System
Last Backup happens Recovered

5th March 5th March 5th March


3:00 AM 4:00 PM 11:00 PM

Loss data RPO

© ANKIT MISTRY – GOOGLE CLOUD


RTO & RPO
 RTO – Recovery Time objective
 Maximum time for which system can be down

 RPO - Recovery Point objective


 Maximum time for which organization can tolerate Dataloss

© ANKIT MISTRY – GOOGLE CLOUD


Data backup
 Copying a discrete amount of data from one place to another

 Data backups have a small to medium RTO and a small RPO

Your can be at
 On-premise
 Google Cloud
 Other Public Cloud

 Services :
 SQL instances
 Cloud Storage – blob file
 Cloud native Services
© ANKIT MISTRY – GOOGLE CLOUD
Data at On-Premises
 Cloud Storage
 gsutil -m cp -r [SOURCE_DIRECTORY] gs://[BUCKET_NAME]

 gsutil -m rsync -r [SOURCE_DIRECTORY] gs://[BUCKET_NAME]

 Cloud Interconnect

 Transfer Services

 Transfer Appliance

© ANKIT MISTRY – GOOGLE CLOUD


Data at Public Cloud
 Storage Transfer Service

 Support for Amazon S3, Azure Storage to Google Cloud Storage

 Let’s See in Action

© ANKIT MISTRY – GOOGLE CLOUD


Data at GCP
 Different bucket & Region

 Take backup with different Tiered storage


 NearLine, ColdLine, Archieve

 Persistent Disk/VM backup


 Take Snapshot

 Build Custom image

© ANKIT MISTRY – GOOGLE CLOUD


Database Backup
 If your database is at on-premise or Other public cloud
 For each vendor, method to export data varies

 Upload to GCS

 Import data to Database Instance

 Cloud SQL instance – Inside GCP


 on-demand backup

 Scheduled backup

 Let’s see in action

© ANKIT MISTRY – GOOGLE CLOUD


Cloud Logging
 Real time Log Management tool  Collect Log from App Engine, Cloud Function, GKE

 Fully managed - No server management  Install Logging agent to collect log from GCE – VM

 Massive volume of data can be store  Route Logs to different Destination

 Log can stored, search, analyze  Cloud Storage, BigQuery, Pubsub etc…

 Use query to search Logs  Is it free?

 Nice visualization with Log Dashboard

 Ingest log from on-primes also

© ANKIT MISTRY – GOOGLE CLOUD


Types of Logs

Admin activity System Event Data Access Policy Denied


Logs Logs Logs Logs
By Default Not
By Default Enabled By Default Enabled By Default Enabled
Enabled

400 days 400 days 30 days 30 days

Free Free Not Free Not Free

Create VM, Delete VM Migration, Create Object in


Security violation
VM Auto Restart Bucket

© ANKIT MISTRY – GOOGLE CLOUD


Explore Cloud Logging
BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


Cloud Log
Router-
Sinks

© ANKIT MISTRY – GOOGLE CLOUD


Container scanning API
 Container images can have vulnerabilities

Scanning vulnerabilities inside container

 Enable Container scanning API

 It works with
 Container Registry

 Artifact Registry

© ANKIT MISTRY – GOOGLE CLOUD


Binary Authorization
 Policy
 Ensures that trusted images are deployed to GCP

 Enable Binary Authorization

 Works with

 GKE

 Cloud Run

 Let’s see in action

© ANKIT MISTRY – GOOGLE CLOUD


Forseti Security
 3 Resources inside GCP

 Easy to monitor few resources manually

 1000’s of VM need to monitor

 Forseti Security is a collection of community-driven, open-source tools to help you improve the
security of your Google Cloud Platform (GCP) environments.

 systematically monitor your GCP resources to ensure that access controls are set as you
intended

© ANKIT MISTRY – GOOGLE CLOUD


How Forseti Security Works
 Inventory

 Scanner

 Enforcer

 Explain

 Notification

 https://forsetisecurity.org/docs/latest/concepts/architecture.html

© ANKIT MISTRY – GOOGLE CLOUD


How Forseti Security Works
A. Inventory collects information about your GCP
resources and G Suite.

B. Inventory stores information in Cloud SQL for


your review and use by other Forseti modules.

C. Scanner compares the data collected by


Inventory to the policy rules you set.

D. Notifier sends Scanner & Inventory results to


one or more of the following channels you
configure: Cloud Storage, SendGrid, Slack and
Cloud Security Command Center.

E. You use Explain to query and understand your


Cloud IAM policies.

F. Enforcer uses Google Cloud APIs to make sure


policies match your desired state.

G. You use the command-line interface to query


Forseti data using gRPC.

H. You use Data Studio or MySQL Workbench to


visualize the Forseti data stored in Cloud SQL.
© ANKIT MISTRY – GOOGLE CLOUD
Web Security Scanner
 Identify vulnerabilities in Web Application (App Engine, Compute engine, GKE) by running security tests.
 Scan Types :Cross-site scripting (XSS)

 CLEAR_TEXT_PASSWORD

 INVALID_HEADER

MIXED_CONTENT

 OUTDATED_LIBRARY

 Complete List : https://cloud.google.com/security-command-center/docs/concepts-web-security-scanner-


overview

 Web Security Scanner only supports public URLs and IPs

© ANKIT MISTRY – GOOGLE CLOUD


Security Command Center
 Centralized place to see security of GCP via Dashboard

 It has number of services to analyze security

 It has two Tiers :

 Standard tier

 Premium tier

 https://cloud.google.com/security-command-center/docs/concepts-security-command-center-
overview

© ANKIT MISTRY – GOOGLE CLOUD


Configure Security
Command Center
BY ANKIT MISTRY

© ANKIT MISTRY – GOOGLE CLOUD


© ANKIT MISTRY – GOOGLE CLOUD
© ANKIT MISTRY – GOOGLE CLOUD
© ANKIT MISTRY – GOOGLE CLOUD
© ANKIT MISTRY – GOOGLE CLOUD
© ANKIT MISTRY – GOOGLE CLOUD
© ANKIT MISTRY – GOOGLE CLOUD
THANK YOU

© ANKIT MISTRY – GOOGLE CLOUD

You might also like