Secure And Audit The Google Cloud Platform Perimeter
Moats, walls and keeps
As you may have read, Google’s BeyondCorp vision is…
an enterprise security model that builds upon 6 years of building zero trust networks at Google, combined with best-of-breed ideas and practices from the community. By shifting access controls from the network perimeter to individual devices and users, BeyondCorp allows employees to work more securely from any location without the need for a traditional VPN.
One of the core building blocks of Google’s Security by Design is that…
Google Cloud Platform’s infrastructure security is designed in progressive layers — hardware, services, user identity, storage, internet communication, and operations. We call this defense in depth. Each layer has strict controls for access and privileges.
However, as described in the BeyondCorp research paper, enterprises have used perimeter security to protect and gate access to internal resources since the early days of IT infrastructure. This model is familiar, and it is particularly important to B2B SaaS customers, to whom a Google Cloud Platform-hosted SaaS application looks a lot like a black box.
One of Google Cloud's goals is to meet you where you are; this series of articles explores some of the controls available to secure the perimeter of Google Cloud Platform applications and their data, and to verify that those controls are doing what you expect.
Perimeter security and audit
Traditional enterprise concerns often fall into the following areas:
- How do you secure your users' transit to the cloud? HTTPS over the public internet, on its own, is often not perceived as sufficiently secure.
- How do you ensure your users are only communicating with your, or your SaaS provider's, applications? Enterprises often secure their own perimeter by permitting communication only with whitelisted (allow-listed) IP addresses.
- How do you audit traffic and data access, i.e. how do you know the controls worked as intended?
We’ll look at each of these areas in turn in the following sections, across representative Google Cloud Platform services:
- Compute Engine, which is most similar to a traditional enterprise VM.
- Kubernetes / Kubernetes Engine.
- App Engine Flex.
- App Engine Standard.
- Cloud Storage, as a representative managed data service.
What’s next
Read the following to learn more about the concepts underpinning this article:
Read the following guides to learn about Google Cloud Platform’s capabilities in the following perimeter security areas.
Acknowledgements
Many thanks to Ben Menasha for all the smarts in this series of articles; any errors are mine.