Zero Trust in Enterprise when working from home

Jen Person
Google Cloud - Community
6 min read · Jun 16, 2020

This blog is co-written by Jen Person and Max Saltonstall

With more folks working from home than ever, companies need solutions for secure access to resources. It’s not easy to get everyone connected securely and safely from outside the office, and the risk profile has changed. If you haven’t heard of the BeyondCorp model for remote access to web applications, then read all about it.

Photo by Gustavo Fring from Pexels

How do we keep workers secure when WFH?

Today we’re going to set up a sample application using this context-based trust model. We will run identity-based access controls for a simple App Engine app, using Cloud Identity to control authorization. Read on for step-by-step instructions for setting up a new app and protecting it with Identity-Aware Proxy.

Identity Aware Proxy

Before we get into the fun example stuff, it’s a good idea to know about the products we’re using! Cloud Identity-Aware Proxy (IAP) can help you control access to your public cloud apps, your on-prem apps and your VMs running on Google Cloud. IAP works by verifying a user’s identity and considering the context of their request to determine if they should be allowed access. This is one building block in the zero trust model of access, an enterprise security model that enables every employee to work from untrusted networks without the use of a VPN.

Identity-Aware Proxy decides who gets in or stays out


For our example, we’re using IAP to verify the identity and context of a client before serving an App Engine app. Think of IAP as the bouncer and App Engine as the club: IAP sees you and gets information about who you are, then checks to see if you’re on the list. If you’re on it, you’re in! If not, then you’re out of luck, and you can spend your night in 403: Forbidden.

Deploying to App Engine

To get started, you’ll need a new or existing Google Cloud project with an App Engine application. We’re using the Node.js sample from the App Engine samples repo on GitHub. Below you can see how to use the gcloud command line tool to manage projects.

Easy and fast to protect App Engine, or any app

If you have gcloud and a project ready, skip ahead to “Get the code” below. If you don’t already have gcloud, the Google Cloud command line interface, download and update it. Products are improved all the time, so even if you have it installed already, it’s a good idea to run an update:

gcloud components update

Log in to the account you will use for managing your project.

gcloud auth login

This command opens a Chrome tab for authenticating into GCP.
Once logged in, you can create a project using this command:

gcloud app create --project=[YOUR_PROJECT_ID]

We’re calling our project helloworld-portal. Why? Because that’s the first thing that we thought of just now.

gcloud app create --project=helloworld-portal

Get the code

If you don’t have a specific project in mind, here’s when you can grab some sample code.

Clone the sample repository:

git clone https://github.com/GoogleCloudPlatform/nodejs-docs-samples

Enter the appropriate sample directory:

cd nodejs-docs-samples/appengine/hello-world/standard

Install the required packages:

npm install

Deploy!

Once the packages have installed, deploy the Node.js app to App Engine using this command:

gcloud app deploy --project=helloworld-portal

You can call this command without the --project flag, but note that in doing so, the command will run against the default project. If you have lots of projects going, it’s best to include the flag and ensure that you’re deploying the intended application!

To view your project, use this command or copy the link provided in the terminal response:

gcloud app browse --project=helloworld-portal

Done?

Alright, we successfully deployed a helloworld app! But uhhh…there’s still the whole security thing we’re supposed to be addressing.

By default we’ve made this app public to anyone on the internet, and that’s not what we want. To make sure only the right people get in, we’ll use Identity-Aware Proxy to control who gets access, based on their individual email or their group membership. That way we limit visibility of our very confidential “Hello, world!”

Only specifically allowed people get past the enforcement

Once we’ve added these controls, the load balancer will restrict who gets to the application and will forbid access to anyone not on the list.

Photo by Kyle Glenn on Unsplash

Configuring Identity-Aware Proxy

In the Cloud Console, navigate to the App Engine tab. There, you’ll find the App Engine settings link on the left. At the bottom of those application settings, select “Configure Now”.

Once enabled, you’ll want to configure the consent screen to inform users of what they’re agreeing to when accessing your application.

For User Type, select Internal. External will allow anyone with a Google account to log in. Our goal is to restrict this app to your specific users.
Choose an icon for your application. I chose Mercury because he’s always in season.

Next, you’ll see fields for authorized domain links. You can leave these fields blank for now.
Finally, select Save.
IAP is now enabled!

Photo by Nicolas Tissot on Unsplash

Uh oh: everyone is now forbidden!

When you go back to visit your app, you will see a Google login screen. Log in with a Google account. You’ll notice that you can no longer see your “hello world” app, which is exactly what should happen, because IAP starts in a default-deny state and we haven’t added anyone to the allowed person list!

YOU SHALL NOT PASS!!

Adding authorized users

It’s great that your app is restricted so not just anyone can use it! But of course, somebody has to be able to access it! In this case, that somebody is you!
In the Cloud Console, select Security > Identity-Aware Proxy.
Select your App Engine app.

On the right panel, you’ll see the current IAM roles that have been granted.

Select “Add Member”, and choose the email you’d like to use to access the app. For roles, choose Cloud IAP > IAP-secured Web App User.

Only the right people can get to your apps now

Try it out!

Now your email has access to use the App Engine app! Go ahead and access the app again. Log in with the email you just listed.

Success! You now have access to your App Engine app. If you log in using an email address that does not have permission, you’ll notice that you cannot access the application.

What’s next?

Dive deeper into the features of IAP through the documentation, and try it yourself.

IAP works great in this scenario using Google as the identity provider.

But what if your company already has a provider that they use? What if your company uses OIDC, SAML, or Facebook, for example?

In the next post, I’ll show you how to use Identity-Aware Proxy with a different identity provider.
