In previous blog posts, we discussed security around Azure and AWS cloud solutions and now it’s time to look at the third big contestant, Google Cloud Platform (GCP). To make things clear, we are going to define some Google Cloud Platform (GCP) concepts and cover Identity and Access Management, Secure Networking and Data Loss Protection.
Some examples of Google Cloud Platform (GCP) resources are projects, Compute Engine instances, and Cloud Storage buckets.
Permissions determine what operations are allowed on a resource. In the GCP IAM world, permissions are represented in the form of <service>.<resource>.<verb>, for example pubsub.subscriptions.consume.
A role is a collection of permissions. You cannot assign a permission to the user directly; instead you grant them a role.
You can grant roles to users by creating a GCP IAM policy, which is a collection of statements that define who has what type of access. A policy is attached to a resource and is used to enforce access control whenever that resource is accessed. For more info, see policy overview.
There are three types of roles in GCP IAM:
Now that we’ve established some concepts, let’s look at the major components of GCP and their implications towards security.
The first thing to think about for cloud security is Identity and Access Management (IAM), especially because GCP, Azure, and AWS each implement IAM, but in different ways. Here we are going to explain how Google implements IAM on its cloud.
It is important to keep in mind that GCP IAM implements the security principle of least privilege. What does this mean? It means giving users only the access they need to the resources they are using and nothing more. So, if a user needs to access a VM, you grant them the roles appropriate for that task (for example, turning it on and off), but you don't give them access to other tasks such as taking a snapshot or editing the VM's properties.
In GCP IAM, you grant access to members. Members can be of the following types:
When it comes to network security, each cloud provider offers similar tools to help you protect your network, but there are some principles that apply globally:
GCP uses VPCs (Virtual Private Cloud networks) and subnets to let you organize your resources in the way that fits best. You can group resources into the same subnet and isolate them, so that nothing outside that group can reach them. This limits the attack surface available to someone who wants to target your company.
There is also Shared VPC, which lets you connect the VPCs you have isolated in a secure way, using only internal IPs and exposing nothing to the Internet, while maintaining your resource separation.
Firewall rules apply to a VPC, and these rules are what provide the security for your resources. Some tips for firewall rules are:
Data Loss Prevention (DLP) is a service that GCP provides to help users find and protect their sensitive data. If your company allows users to upload documents and pictures to your Google cloud, you can use DLP to check whether they are exposing something they shouldn't.
DLP exposes an API, and you can interact with it programmatically using the Cloud DLP client library in your favorite language.
DLP allows you to inspect different kinds of data, such as text strings, images, and text files.
When you send content to DLP, depending on the parameters you pass, DLP scans the content and checks whether sensitive data is exposed by applying different techniques and known patterns to identify valuable data. It can also inspect Cloud Storage files and BigQuery tables.
You can also use DLP not only to detect sensitive data but also to hide it when it is found. You give DLP the data you have, the placeholder that will replace the sensitive data, and the type of data you want to hide. For example, to hide an email address, you would make a request like this:
And then, DLP would respond something like this:
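As an added example that is not part of the original post, the following Python builds that kind of request for the Cloud DLP client library (google-cloud-dlp) and reads the redacted text back from the response's item.value. The project id my-project and the [EMAIL] placeholder are assumed; the request builder itself needs no credentials.

```python
"""Build and send a Cloud DLP de-identification request that replaces
every detected e-mail address with a fixed placeholder.

build_deidentify_request() is pure Python, so it can be inspected or unit
tested offline; only deidentify_text() talks to the API.
"""


def build_deidentify_request(project_id: str, text: str, placeholder: str,
                             info_types=("EMAIL_ADDRESS",)) -> dict:
    """Return the request body for projects.content.deidentify.

    The same infoTypes list is used for inspection (what to look for) and
    for the transformation (what to do with each finding)."""
    type_list = [{"name": name} for name in info_types]
    return {
        "parent": f"projects/{project_id}",
        # Which detectors to run over the item.
        "inspect_config": {"info_types": type_list},
        # Replace each finding of those types with the placeholder string.
        "deidentify_config": {
            "info_type_transformations": {
                "transformations": [
                    {
                        "info_types": type_list,
                        "primitive_transformation": {
                            "replace_config": {
                                "new_value": {"string_value": placeholder}
                            }
                        },
                    }
                ]
            }
        },
        # The content to scan; DLP also accepts tables and byte items.
        "item": {"value": text},
    }


def deidentify_text(project_id: str, text: str, placeholder: str = "[EMAIL]") -> str:
    """Send the request to Cloud DLP and return the redacted text.

    Needs google-cloud-dlp and Application Default Credentials."""
    from google.cloud import dlp_v2  # imported here so the builder stays offline-safe

    client = dlp_v2.DlpServiceClient()
    response = client.deidentify_content(
        request=build_deidentify_request(project_id, text, placeholder))
    return response.item.value  # the de-identified copy of the input


if __name__ == "__main__":
    # Constructed sample input; "my-project" is a placeholder project id.
    print(deidentify_text("my-project", "Contact me at jane.doe@example.com"))
```

With a valid project the call above returns the input with the address replaced, i.e. "Contact me at [EMAIL]".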
You can schedule when Cloud DLP runs jobs by creating job triggers. A job trigger is an event that automates the creation of DLP jobs to scan Google Cloud Platform storage repositories, including Cloud Storage buckets, BigQuery tables, and Cloud Datastore kinds. I hope this has given you a look at some of the important concepts, systems, and features available in the Google Cloud Platform to support running your workloads securely in the cloud. Next time we will finish our look at GCP with a focus on more advanced features such as Cloud Armor, Cloud Security Scanner, and Stackdriver.
To learn more about Google Cloud Platform, be sure to check out the other blog posts in the series: The 5 Key Features of Google Stackdriver, How to Configure Google Cloud Armor, and 5 Techniques to Avoid Unwanted Outcomes with Cloud Security Scanner.
To learn more about cloud security in general, be sure to check out our posts on Azure and AWS.
Use of public cloud infrastructure is now commonplace with nearly $60 billion spent annually. Important benefits are time to implement, scalability, availability, and a wealth of centralized tools to help companies manage and monitor their cloud infrastructure.
However, with the benefits come some potential security risks, most stemming from the customer’s use of the platforms versus the platforms themselves. From a security perspective, where do you start?