12 gifts for the security admin in your life
Make yourself a nice warming drink, find the equivalent of a rocking chair by a roaring fire and settle down to the 12 things a Security Admin working with GCP should have in their festive box of treats ( as chosen by me)
1.Use case policies — Each article in this series uses a hypothetical customer, and explains how to design GCP policies that meet the requirements of a reference organization policy. They help you address issues including:
- Identity management
- Organizational mapping: How can you map your organization structure to GCP?
- Billing: What controls do you place on billing? How do you monitor and understand spending?
- Network configuration: Does your network separate and prevent traffic between areas that need to be separated?
- Security controls: How do you implement security controls in a way that can be expressed using GCP policies
2. Cloud Identity and Access management ( IAM ) best practices — Here you can find resources to help you follow best practice guidance on using GCP’s IAM service and examples of how to implement IAM policies to map to functional roles (networking and billing roles more being added) using example scenarios to help you ramp up quickly.
3. Organization policy service — This service makes it easy to implement an ever growing list of policies that can apply to your entire GCP organization. One of the available policies allows you to define the set of services and their APIs that can be enabled on a resource . For example you may dictate that there will be no instances of say Spanner allowed in any developer projects except those that the Data Engineers use so you can set a policy to not allow the Spanner service on the folder you have placed all non data scientist projects in . All projects in that folder will inherit the policy
- Policies can be set per project, per folder, or per organization.
- Policies are inherited down the resource hierarchy, which if permitted by the Organization’s policy administrator can be overridden at any level on which an organization policy can be set.
4.Cloud Data Loss Prevention — This service is fantastic ! it’s a single API that can help you classify your data and redact sensitive data contained with text files streamed data and data stored in sources such as Cloud Storage and BigQuery. Images are not resistant to DLP’s abilities either!
5. Cloud Identity Aware Proxy — Pretty sure as a Security Admin you will at some point have been concerned about who is really accessing your web applications ( probably always are!) Cloud IAP takes care of authentication and authorization so only authenticated users are granted access to the application. It’s a really interesting service and is a stepping stone towards Beyond corp
6. Firewalls — GCP has firewalls too but not as you know it. Unlike traditional firewalls where you have to steer traffic to a middlebox which itself often becomes a chokepoint, GCP enforces the firewall rules on the instances themselves. You can set up rules based on service accounts and labels in addition to the standard source and destination IP address rules you’re used to
7. Cloud Audit Logging — To help you answer the question of “who did what, where, and when?”
GCP provides two log streams for each project in your organization
Admin activity logs which contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources. Admin Activity logs are always enabled. There is no charge for your Admin Activity audit logs .
Data Access logs . Data Access audit logs which record API calls that create, modify, or read user-provided data. Data Access audit logs are disabled by default because they can be quite large.
8. Cloud KMS — Is a key management service. Using Cloud KMS you can manage symmetric encryption keys in a cloud-hosted solution, whether they’re used to protect data stored in GCP or another environment. You can create, use, rotate and destroy keys via the Cloud KMS API, including as part of a secret management or envelope encryption solution.
9. Managing SSH keys — Managing SSH keys for multiple users and keeping track of whose keys are where has always required well defined processes. GCP is making that easier with the OS login API . This allows you to associate your public SSH keys with managed user accounts from either G Suite or Cloud Identity . It has the following benefits:
- Public keys are associated with user accounts rather than project or instance metadata values, which are easier to maintain and track.
- SSH access can be granted to users through a single IAM role rather than having to grant metadata update permissions to those users.
- Users are unable to add arbitrary keys to metadata, which makes it easier to audit who has access to instances.
- SSH access can be revoked from individual accounts by revoking IAM roles rather than manually removing public SSH keys from metadata or the instance itself.
10. In addition to the IAM specific best practice guides GCP also provides some Product and service specific guidance to help you secure various GCP resources . Managing buckets and objects , Understanding Service accounts , Keeping Service account keys safe ( okay this one is a blog post !) are some great ones to start off with.
11. As a Security Admin checking what controls your Cloud provider meets often means checking Compliance matrix sheets and other security white papers .
Matrices that are super useful ( according to me anyway ) are The cloud security compliance matrix which can be found here and the PCI DSS shared responsibility matrix . In addition to those there is a lot of security information detailed in whitepapers that can be found at https://cloud.google.com/security/
12. And last but not least Cloud Functions — This may not be a security focused product but is useful as a way to take actions on events. For example you may want to implement a process to guard against the accidental exposure of data uploaded into buckets that may have wider permissions than the classification of the file permits. By using the DLP API together with Cloud Functions you can implement a process that either quarantines or deletes the file that DLP has scanned and classifies as not meeting the classification level you have assigned to the bucket.