Secure Google Cloud Platform Connections and TLS 1.0

Disabling and mitigating TLS 1.0 connections

Introduction

Google Cloud Platform (GCP) supports TLS 1.0 as well as 1.1 and 1.2; it will perform the authentication handshake using the highest TLS level supported by the client browser. Some organizations consider TLS 1.0 insecure and want to ensure that other mechanisms are used to secure connections.

This article provides information on disabling and mitigating TLS 1.0 authentication to Google Cloud Platform.

Secure connection components

This document describes four core components of addressing these requirements.

• Configure the browser to disable use of TLS 1.0.
• Use a private network to ensure security.
• Expose public APIs via a broker such as Apigee.
• Proxy Google Cloud Platform services that are considered to be insecure, and configure the proxy to disable use of TLS 1.0.

The following sections describe these components in the context of API-based administrative access, and security features for other services.

API-based administrative access

Proxy APIs via a broker such as Apigee and the HTTPS/SSL load balancer.

Apigee APIs

Apigee is a full lifecycle API management platform that enables API providers to design, secure, deploy, monitor, and scale APIs. It protects data in transit with OAuth 2.0, SAML, two-way TLS, and data at rest with encryption; TLS 1.0 and 1.1 were deprecated in August for northbound traffic.

Cloud and developer APIs

Proxy these APIs with the HTTPS/SSL load balancer via VPC Private Access and select the “restricted” profile on the load balancer.

Security features for other services

Client/browser

Use a modern browser and disable TLS 1.0. Chrome Enterprise has supported the SSLVersionMin policy since Chrome 66.

Note that client/browser based enforcement has challenges, particularly in diverse browser environments, eg. for remote and SaaS users.

Network

Google Cloud Interconnect provides secure connections between your network and Google Cloud Platform; you can extend this to your remote users with mechanisms such as VPN. These mechanisms may provide a more secure connection than TLS over open, public networks.

Server

GCE and managed services such as GCS

Select the “restricted” profile on the HTTPS load balancer to enforce modern TLS.

• Managed services such as GCS can be front-ended with the load balancer using VPC Private Access.

GKE/K8S on GCE

The Ingress controller for GKE/K8S on GCE leverages the GCP HTTPS load balancer; Ingress doesn’t support management of the SSL profiles today.

• You can set the “restricted” profile on the HTTPS load balancer and Ingress honors this, but this behaviour isn’t supported and may change in future, so should only be relied on with appropriate regression tests and governance.

Istio uses the Envoy load balancer. Set the TLS approved certificates appropriately.

App Engine Standard and Flex

Either:

• Front-end App Engine with a reverse proxy such as NGINX and configure SSL protocols appropriately.
• Open a case for support to set App Engine minimum TLS level for a particular project/domain (for custom domains only, ie. not *.appspot.com).

Google Cloud Endpoints

• TLS for Cloud Endpoints is provided by the platform hosting the service, so see above according to your endpoints type and proxy, or proxy the endpoints with Apigee.

What’s next

• The PCI Data Security Standard Compliance Architecture Guide helps you learn how to implement the Payment Card Industry Data Security Standard (PCI DSS) for your business on Google Cloud Platform (GCP). The guide provides background about the standard, explains your role in cloud-based compliance, and then gives you the guidelines to design, deploy, and configure a payment-processing app using PCI DSS. The tutorial also discusses methods for monitoring, logging, and validating your app.
• The Google Cloud Platform: PCI Customer Responsibility Matrix can be a helpful reference as you pursue PCI DSS compliance and conduct your own PCI DSS audits.