Zero Trust Security Implementation - Google Cloud

Sumit K
Google Cloud - Community
10 min read · Jul 30, 2023

The Zero Trust model operates on the principle of “Trust no one, verify everything.” This means that you should not assume that any device or user is trustworthy, regardless of whether they are inside or outside your network.

When you are migrating private applications to the public cloud, you need to consider how your users and administrators will access them. Making them publicly accessible from the internet is generally not desirable, as it opens them up to potential attacks and requires additional infrastructure to protect them. To avoid that exposure, the first impulse may be to use the same approach we have followed for years for on-premises private applications: a virtual private network (VPN). While this does allow for the desired access (SSH for administrators or HTTPS for users, for example), it also brings along the same issues that traditional VPNs have.

Traditional network security models rely on a perimeter-based approach, in which all traffic inside the network is considered trusted and all traffic outside the network is considered untrusted. This model is no longer effective in today’s world, where employees are increasingly working from remote locations and accessing corporate resources over the Internet. Users are required to be on a specific network to access resources. VPNs do not provide the granular control desired by a Zero Trust approach, as users have access to any resource on the network and not just the specific resources they have been granted access to.

Problems: Cost, Security, User Experience

Typical VPN

Now, What is Zero-Trust Security?

What is the Zero Trust security model, why is it widely adopted across organizations, and how has it evolved over time and changed the entire security framework compared to traditional VPNs? I have already explained this in detail in my previous article. I would highly recommend reading the first part of Zero Trust Security, which helps you understand the terminology and the implementation of Zero Trust network access (ZTNA) in Google Cloud using its native service offerings.

To implement the “don’t trust any network” principle, you need to implement a number of security controls, such as:

  • Strong authentication and authorization: This means using strong passwords, multi-factor authentication, and role-based access control for user access.
  • Micro-segmentation: This means dividing your network into small, isolated segments.
  • Continuous monitoring: Tools to continuously monitor your network for signs of attack.

Google Cloud offers a number of services that can help you implement a zero-trust security model. These services include:

  • BeyondCorp is a comprehensive zero-trust solution that provides secure access to applications and cloud resources from anywhere.
  • Identity-Aware Proxy (IAP) is a service that provides identity-based access control to Google Cloud resources.
  • Context-Aware Access is a service that uses contextual information, such as the user’s device and location, to make access control decisions.
  • Access Context Manager is a service that allows you to control access to Google Cloud resources based on a variety of factors, including the user’s identity, the device they are using, and the location they are accessing the resource from.

These services can be used together to create a comprehensive zero-trust security solution for your Google Cloud environment.

What is BeyondCorp Enterprise?

BeyondCorp is Google’s implementation of the zero trust model. It builds upon a decade of experience at Google, combined with ideas and best practices from the community. By shifting access controls from the network perimeter to individual users, BeyondCorp enables secure work from virtually any location without needing a traditional VPN.

Google Cloud Zero Trust BeyondCorp Enterprise

Benefits:

  • Increased security: By granting access based on user and device identity, BeyondCorp makes it much more difficult for attackers to gain access to corporate resources.
  • Improved user productivity: BeyondCorp allows employees to work from anywhere without needing a VPN. This can improve employee productivity.
  • Reduced costs: BeyondCorp can help organizations reduce the cost of security by eliminating the need for expensive VPN appliances and software.

BeyondCorp Principles:

  • Access to services must not be determined by the network you connect from.
  • Access to services is granted based on contextual factors from the user and the device.
  • Access to services must be authenticated, authorized, and encrypted.

BeyondCorp Allows for:

  • Single Sign-on
  • Access Control Policies
  • Access Proxy
  • User-based Authentication
  • Device-based Authentication
  • Authorization

Let’s create a simple demo to understand how the Zero Trust model can be implemented in Google Cloud.

Prerequisites:

  1. A GCP account with one project.
  2. An Organization. You can create an Organization if you have your own domain registered. I already have one, so I don’t need to create it.
  3. Google Cloud Identity or Workspace, which helps you manage users, devices, and applications in your organization.
  4. A public domain, which is needed for the Organization setup as discussed above.

Demo 1:

Let’s assume that you have a few users from your network department whom you want to allow to log in to the Google Cloud console based on certain conditions, like geo-location, IP range, and specific operating systems running on their devices. How do you grant secure access using the ZTNA approach? Let’s get started.

Step 1. Let’s first create users and groups for our network team. Log in to the Cloud Identity console or Workspace at https://admin.google.com/ and create users and groups for your network team. It’s a simple task. I have already created two users and added them to the network-user group, as you can see in the following snippet.

Two new users are created
Network-user group is created with two users added.

Step 2. Grant access to the network-user group in your Google Cloud project. You can also grant access at the folder or organization level depending on your needs. Log in to the GCP console, select the project → navigate to IAM → grant access with the Compute Network Viewer role.

Access is granted to Group in the project. Role Given Compute Network Viewer

So far, the identity and access part is completed. We created the users, added them to the group, and granted them access at the project level. It’s time to implement Zero Trust security. Let’s move on to the next step.

Step 3. Navigate to Security → Click on Access Context Manager → Create Access Level.

Access levels are an extra level of security requirements based on request attributes. You can require that incoming requests meet these access levels in order to access resources.

In this Access Level, certain conditions need to be met before the users get access. Those conditions are: a CIDR IP range, a geo-location restriction (United States), and a device policy (Windows). So, basically, the user can access the Google Cloud console and APIs only if all of these conditions are met; otherwise access will be denied. The Access Level looks like the format below.

Once created, it looks like this:

Step 4: Now it’s time to attach the access level we created in Step 3 to BeyondCorp. Simply enable the BeyondCorp Enterprise trial version, which is absolutely free for one month. To do this, navigate to Security → click on BeyondCorp Enterprise and enable the free trial. Once done, click on “Manage Access to Cloud Console API” → click on Add → select the group (network-user) to which you want to apply your access level, then select the Access Level we created earlier, and that's it. We are all set to verify.

Step 5: Verify the access of a user that belongs to the network-user group. Let’s hit the Google Cloud console and APIs. As you can see, I tried to access it from India, and my access was blocked.

To test it, let’s log in to https://console.cloud.google.com/ in another browser or in private mode with the credentials of the user we created in Cloud Identity. Your access will be denied because you are coming from a location (IN) other than the United States, which was explicitly set in the Access Level policy.

Enter network user’s Credentials here
Access Denied

Please note that if any one of the conditions is not met, your access will be denied. For example, let’s say your IP range is correct and the device is Windows, but you are accessing from any country except the United States: this will block your access. Please keep this in mind.
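As an added example (not code from the article), here is a small Python model of the Access Level from Step 3. The spec dict mirrors the condition blocks of a basic access level as gcloud accepts them in a --basic-level-spec file, and the evaluator shows why a request that is in the right IP range on a Windows device but comes from India is still denied. The CIDR, the level title and the sample requests are constructed values.

```python
import ipaddress

# Constructed sample spec, mirroring the YAML for `gcloud access-context-manager
# levels create --basic-level-spec=FILE`; 203.0.113.0/24 is a documentation range.
NETWORK_TEAM_LEVEL = {
    "title": "network-team-access",
    "combine_function": "AND",  # gcloud default for basic levels
    "conditions": [
        {
            "ipSubnetworks": ["203.0.113.0/24"],
            "regions": ["US"],  # ISO 3166-1 alpha-2 country codes
            "devicePolicy": {"osConstraints": [{"osType": "DESKTOP_WINDOWS"}]},
        }
    ],
}

def condition_matches(cond: dict, request: dict) -> bool:
    """Every attribute present in one condition block must hold for the request."""
    if "ipSubnetworks" in cond:
        ip = ipaddress.ip_address(request["ip"])
        if not any(ip in ipaddress.ip_network(c) for c in cond["ipSubnetworks"]):
            return False
    if "regions" in cond and request["region"] not in cond["regions"]:
        return False
    # The device must match at least one of the listed OS constraints.
    os_allowed = [c["osType"] for c in cond.get("devicePolicy", {}).get("osConstraints", [])]
    if os_allowed and request["os"] not in os_allowed:
        return False
    return True

def access_level_satisfied(level: dict, request: dict) -> bool:
    """Combine the condition blocks with the level's combining function."""
    results = [condition_matches(c, request) for c in level["conditions"]]
    return all(results) if level.get("combine_function", "AND") == "AND" else any(results)

# Constructed sample requests: only the first meets all three conditions.
SAMPLE_REQUESTS = {
    "us-windows-in-range": {"ip": "203.0.113.10", "region": "US", "os": "DESKTOP_WINDOWS"},
    "india-windows-in-range": {"ip": "203.0.113.10", "region": "IN", "os": "DESKTOP_WINDOWS"},
    "us-mac-in-range": {"ip": "203.0.113.10", "region": "US", "os": "DESKTOP_MAC"},
    "us-windows-out-of-range": {"ip": "198.51.100.7", "region": "US", "os": "DESKTOP_WINDOWS"},
}

def evaluate_all(level=NETWORK_TEAM_LEVEL, requests=SAMPLE_REQUESTS) -> dict:
    return {name: access_level_satisfied(level, r) for name, r in requests.items()}

if __name__ == "__main__":
    for name, ok in evaluate_all().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'}")
```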

Demo 2:

Let’s deploy our custom application in Google App Engine and see how you can securely protect it with IAP. Basically, we deploy a sample Angular application, then put an Identity-Aware Proxy in front of it along with context-based conditions like in Demo 1, and then validate the access. So, without further ado, let’s do it.

Step 1. Deploy the sample application on App Engine. Open Cloud Shell and clone the following repo.

# Clone the sample repo provided by Google Cloud
git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git

# Go to the Angular directory; we will use the App Engine standard environment
cd python-docs-samples/appengine/standard/angular/

# Test the application locally before deploying to App Engine.
# You can open it in Cloud Shell's web preview.
dev_appserver.py app.yaml

# Once tested, deploy to App Engine:
gcloud app deploy app.yaml

It will take some time, and once the deployment is finished, grab the URL and access it in the browser. The following screen will appear, which means that your application is up and running. Everyone can freely access it over the internet from anywhere. So far so good, right? Now what if this is my internal application and I want to expose it only to certain employees based on identity and context? Which service can help us then? To solve this, Zero Trust security comes into the picture.

Step 2: Go to IAP (Identity-Aware Proxy) and to the Applications section. You will find nothing here, because you first need to configure the OAuth consent screen to protect users’ privacy and security by providing users with clear information about what the application is requesting and how their data will be used. Go ahead and fill it out; it’s quite simple. You just need to name your app, provide the App Engine URL, and set the authorized domain. Put the same domain that App Engine provides by default. You can also add your logo if you want :)

Step 3. Come back to the IAP section again and switch on IAP. You will notice that your application is now visible under the resources with a green status. Now 50% of your task is completed. If you hit the URL again, you can still access it.

IAP Enabled for your App Engine

Step 4. Now here comes the most important part of this demo: how to tell IAP who the valid users are and who should be let through to access the application. Remember that we have already added our network-user group in IAM for this project in Demo 1, so your users/groups are already in place. Now it’s time to grant access to the application by giving them permission under the IAP App Engine resource. If you look carefully, by default only principals holding the IAP-secured Web App User role are allowed to access your application. So make sure you add the identity or principal and give it this role to make it work. You can also attach conditions using the access levels we defined earlier and select them here. This means that once you save it and access your URL, your network users will be verified against the defined context before they are granted access to the application. Here I am going to create a new Access Level in Access Context Manager to allow my network users to access this application from India and from a certain IP range, with the Windows operating system on their device. You can create it the same way we did earlier in our first demo. I already created it with the name “access-allow-network-user”.

Created Access Level for my network users

Once done, select the Access level from the drop-down and save it.

IAP permissions granted to the Network-users

Step 5. Let’s verify it. Access this application as one of the network users and you will see that access is granted.

Step 6. Let’s see what happens if I try to access this application with my personal identity, i.e. a personal Gmail ID. I tried with my Gmail account, and access was denied because my Gmail account is not a member of the intended group.

Access Denied to my Gmail account.
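As an added example (not the article's or Google's code), here is a local model of the decision IAP makes in Steps 5 and 6: the principal must hold roles/iap.httpsResourceAccessor, directly or via the group, and the binding's condition must hold for the access levels the request satisfied. The group name, e-mail addresses and policy ID are constructed; the condition expression follows the `"accessPolicies/POLICY_ID/accessLevels/LEVEL" in request.auth.access_levels` form used for IAM conditions on access levels.

```python
IAP_ROLE = "roles/iap.httpsResourceAccessor"  # "IAP-secured Web App User"
LEVEL = "accessPolicies/123456789/accessLevels/access-allow-network-user"  # constructed policy ID

# Group membership as Cloud Identity would resolve it (constructed sample).
GROUPS = {"group:network-user@example.com": {"user1@example.com", "user2@example.com"}}

# IAM policy on the IAP-protected App Engine app: one conditional binding that
# grants the role to the group only when the request met the access level.
IAP_POLICY = {
    "bindings": [
        {
            "role": IAP_ROLE,
            "members": ["group:network-user@example.com"],
            "condition": {"expression": f'"{LEVEL}" in request.auth.access_levels'},
        }
    ]
}

def member_covers(member: str, email: str) -> bool:
    """Does a binding member (user: or group:) include the given principal?"""
    if member == f"user:{email}":
        return True
    return email in GROUPS.get(member, set())

def condition_holds(condition, access_levels: set) -> bool:
    """Only the access-level membership form of the CEL condition is modelled."""
    if condition is None:
        return True
    expr = condition["expression"]
    if expr.endswith(" in request.auth.access_levels"):
        wanted = expr[: -len(" in request.auth.access_levels")].strip('"')
        return wanted in access_levels
    raise ValueError(f"unsupported condition: {expr}")

def iap_allows(email: str, access_levels: set, policy=IAP_POLICY) -> bool:
    """Allow only if some IAP-role binding covers the user and its condition holds."""
    for b in policy["bindings"]:
        if b["role"] != IAP_ROLE:
            continue
        covered = any(member_covers(m, email) for m in b["members"])
        if covered and condition_holds(b.get("condition"), access_levels):
            return True
    return False

if __name__ == "__main__":
    print(iap_allows("user1@example.com", {LEVEL}))    # Step 5: network user, level met
    print(iap_allows("someone@gmail.com", {LEVEL}))    # Step 6: personal Gmail, not in group
    print(iap_allows("user1@example.com", set()))      # network user, level not met
```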

This concludes our demo. The implementation of zero trust security in Google Cloud is a journey, not a destination. It is an ongoing process of assessment, planning, and implementation. By taking a continuous approach to zero trust security, organizations can help to ensure that their data is always protected.

I hope you enjoyed reading this article. If you have any questions or suggestions, feel free to leave your thoughts in the comment section. I will be happy to connect. Thanks for reading!
