Secure Google Cloud Platform Connections and TLS 1.0
Disabling and mitigating TLS 1.0 connections
Introduction
Google Cloud Platform (GCP) supports TLS 1.0 as well as 1.1 and 1.2; during the TLS handshake it negotiates the highest TLS version supported by the client browser. Some organizations consider TLS 1.0 insecure and want to ensure that other mechanisms are used to secure connections.
This article provides information on disabling and mitigating TLS 1.0 authentication to Google Cloud Platform.
Secure connection components
This document describes four core components for addressing these requirements.
- Configure the browser to disable use of TLS 1.0.
- Use a private network to ensure security.
- Expose public APIs via a broker such as Apigee.
- Proxy Google Cloud Platform services that are considered to be insecure, and configure the proxy to disable use of TLS 1.0.
The following sections describe these components in the context of API-based administrative access, and security features for other services.
API-based administrative access
Proxy APIs via a broker such as Apigee and the HTTPS/SSL load balancer.
Apigee APIs
Apigee is a full lifecycle API management platform that enables API providers to design, secure, deploy, monitor, and scale APIs. It protects data in transit with OAuth 2.0, SAML, and two-way TLS, and data at rest with encryption; TLS 1.0 and 1.1 were deprecated in August for northbound traffic.
Cloud and developer APIs
Proxy these APIs with the HTTPS/SSL load balancer via VPC Private Access and select the “restricted” profile on the load balancer.
Security features for other services
Client/browser
Use a modern browser and disable TLS 1.0. Chrome Enterprise has supported the SSLVersionMin policy since Chrome 66.
Note that client/browser-based enforcement has challenges, particularly in diverse browser environments, e.g. for remote and SaaS users.
Network
Google Cloud Interconnect provides secure connections between your network and Google Cloud Platform; you can extend this to your remote users with mechanisms such as VPN. These mechanisms may provide a more secure connection than TLS over open, public networks.
Server
GCE and managed services such as GCS
Select the “restricted” profile on the HTTPS load balancer to enforce modern TLS.
- Managed services such as GCS can be front-ended with the load balancer using VPC Private Access.
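The following Terraform fragment is an added example (not code from the original article or from Google) of the "restricted" profile described above: it creates an SSL policy with the RESTRICTED profile and an explicit TLS 1.2 minimum, then attaches it to the external HTTPS load balancer's target proxy. The resource names `restricted-tls12` and `frontend-https-proxy`, and the referenced `google_compute_url_map.default` and `google_compute_ssl_certificate.default` resources, are assumptions; they must exist elsewhere in your configuration.

```hcl
# Added example: enforce modern TLS on the external HTTPS load balancer.
# Resource names are constructed placeholders.

resource "google_compute_ssl_policy" "restricted" {
  name = "restricted-tls12"

  # RESTRICTED limits the load balancer to a reduced cipher set intended
  # for stricter compliance requirements; min_tls_version is set explicitly
  # so the TLS 1.0/1.1 exclusion is visible in the configuration.
  profile         = "RESTRICTED"
  min_tls_version = "TLS_1_2"
}

resource "google_compute_target_https_proxy" "frontend" {
  name    = "frontend-https-proxy"
  url_map = google_compute_url_map.default.id

  # Assumed to be defined elsewhere in the configuration.
  ssl_certificates = [google_compute_ssl_certificate.default.id]

  # Attaching the policy is what actually enforces it; an unattached
  # policy changes nothing.
  ssl_policy = google_compute_ssl_policy.restricted.id
}
```

After applying, confirm the policy is attached with `gcloud compute target-https-proxies describe frontend-https-proxy` (the `sslPolicy` field should reference the policy), and keep the policy's `min_tls_version` under change control so that a later edit cannot silently re-enable TLS 1.0.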
GKE/K8S on GCE
The Ingress controller for GKE/K8S on GCE leverages the GCP HTTPS load balancer; Ingress doesn’t support management of the SSL profiles today.
- You can set the “restricted” profile on the HTTPS load balancer and Ingress honors this, but this behaviour isn’t supported and may change in future, so it should only be relied on with appropriate regression tests and governance.
Istio uses the Envoy proxy as its load balancer; configure its TLS settings, including the approved certificates, appropriately.
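As an added example (not from the original article or the Istio project), the Istio `Gateway` manifest below configures the ingress gateway's TLS server settings so that Envoy presents the approved certificate and refuses handshakes below TLS 1.2. The hostname `app.example.com`, the gateway name `tls12-gateway` and the Kubernetes TLS secret `app-tls-secret` are constructed placeholders.

```yaml
# Added example: Istio ingress gateway limited to TLS 1.2 and above.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: tls12-gateway        # placeholder name
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway    # the default Istio ingress gateway deployment
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "app.example.com"      # placeholder hostname
    tls:
      mode: SIMPLE
      # Kubernetes secret holding the approved server certificate and key
      # (placeholder name; must exist in the ingress gateway's namespace).
      credentialName: app-tls-secret
      # Reject TLS 1.0 and 1.1 at the edge regardless of what the client offers.
      minProtocolVersion: TLSV1_2
```

The minimum version is enforced by Envoy at the gateway, so it applies uniformly to every `VirtualService` bound to this `Gateway`; application pods behind the mesh do not need to be changed.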
App Engine Standard and Flex
Either:
- Front-end App Engine with a reverse proxy such as NGINX and configure SSL protocols appropriately.
- Open a case for support to set the App Engine minimum TLS level for a particular project/domain (for custom domains only, i.e. not *.appspot.com).
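The NGINX server block below is an added example (not from the original article or from Google) of the first option: a reverse proxy in front of App Engine that only accepts TLS 1.2 and later from clients, while using TLS 1.2 itself to reach the application. The hostname `app.example.com`, the certificate paths under `/etc/nginx/tls/` and the upstream `PROJECT_ID.appspot.com` are placeholders to replace with your own values.

```nginx
# Added example: TLS-terminating reverse proxy in front of App Engine.
server {
    listen 443 ssl;
    server_name app.example.com;                  # placeholder hostname

    # Placeholder paths to the proxy's own certificate and key.
    ssl_certificate     /etc/nginx/tls/app.crt;
    ssl_certificate_key /etc/nginx/tls/app.key;

    # Client-facing side: TLS 1.0 and 1.1 are not listed, so clients that
    # cannot negotiate TLS 1.2 or 1.3 fail the handshake here.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    location / {
        # Upstream side: forward to App Engine over TLS, presenting the
        # appspot hostname so the platform routes to the right project.
        proxy_pass https://PROJECT_ID.appspot.com;
        proxy_set_header Host PROJECT_ID.appspot.com;
        proxy_ssl_server_name on;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Preserve the original client address for application logs.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Validate the file with `nginx -t` before reloading, and note that this only helps if the appspot.com hostname is not also reachable directly by clients; restrict that path (for example with firewall or identity controls) or users can bypass the proxy and negotiate TLS 1.0 with the platform.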
Google Cloud Endpoints
- TLS for Cloud Endpoints is provided by the platform hosting the service, so see above according to your endpoints type and proxy, or proxy the endpoints with Apigee.
What’s next
- The PCI Data Security Standard Compliance Architecture Guide helps you learn how to implement the Payment Card Industry Data Security Standard (PCI DSS) for your business on Google Cloud Platform (GCP). The guide provides background about the standard, explains your role in cloud-based compliance, and then gives you the guidelines to design, deploy, and configure a payment-processing app using PCI DSS. The tutorial also discusses methods for monitoring, logging, and validating your app.
- The Google Cloud Platform: PCI Customer Responsibility Matrix can be a helpful reference as you pursue PCI DSS compliance and conduct your own PCI DSS audits.