GCP Checklist 2 — Securing your GCP resources

Securing your GCP environment requires addressing what your users are permitted to do; Enforcing organisation wide controls; Protecting your GCP organisation by implementing applicable security controls and protecting your applications deployed on GCP.

You need to consider the following as a baseline for a secure organisation :

• Managing Identities — Manage your identities centrally. Make use of groups for ease of administration. Use os login to centrally manage who can SSH into your VM’s
• IAM
• Use principles of least privilege .
• If the predefined IAM roles do not fit your use case create custom roles
• If using Custom roles start from a pre-defined role first
• Be aware of the operational overhead with using custom roles
• Implement break glass access for elevated roles such as the organization admin role that will trigger more stringent auditing around the use of these roles.
• Implement Org wide standardization using Organization policies
• Network controls — allow you to implement boundaries based on traffic
• Subnets to provide a logical boundary based on a subnet range. You have to explicitly allow traffic between subnets
• Firewalls to manage what traffic is permitted between a source and target
• Use service accounts to configure firewall rules between VM’s
• Configure a shared VPC to allow central administration of your network
• Use Security zones to provide defence in depth
• Securing infrastructure — Take a defence in depth approach using features of the GCP platform and working inwards by implementing security controls applicable to the right layer for your use case
• Use Global load balancing together with Cloud Armor to protect your internet facing applications
• Use IAP to manage user access to your web facing applications
• Use API proxies either Cloud endpoints or Apigee edge to manage authenticated calls to your API’s
• Do not make cloud storage buckets publicly available use IAM to manage access
• Manage downloaded security keys carefully. Implement a process to rotate, avoid the accidental loading of secrets to private and public repos.
• Encryption reqs — If allowing Google to manage your encryption needs is not sufficient for your use case then you can use your own keys. Encrypt your secrets and downloaded keys using KMS
• Securing data — classify data — Use the DLP API to classify and redact data , implement iam roles to restrict access to your datasets .Audit data access . Dat lineage and location are all important.
• Inventory — Be aware of your GCP resources. Use the Cloud security command center and/or forseti
• Auditing & alerting — These are typically the first indications that there is something amiss use Stackdriver to configure audit logging and to set up alerts
• Data classification — Use the DLP API to classify and redact sensitive data
• Compliance — Use the
• Incident responses ( see operational efficiency)
• Break glass access

Here’s your reading list:

DLP

IAM roles

BQ iam roles

Encryption choices

Security site

Compliance site

IAM change log

Protecting service accounts

Detecting security keys

Network controls

https://forsetisecurity.org/docs/latest/concepts/best-practices.html

When you’re done with that here’s your checklist:

A list of all the checklists in the series can be found here