Secure Data on Google Cloud Storage

Securing Application Data in Google Cloud Storage using the Virtru SDK

Chad Sigler
Virtru Technology Blog
3 min read · Feb 21, 2020


Photo by Iñaki del Olmo on Unsplash

Hello! Today I will be talking about securing application data stored on Google Cloud Storage (GCS) using the Virtru Developer Platform, specifically the Virtru Python SDK. This is the second post on securing application data in a cloud environment; the first post dealt with Amazon S3. Encrypting application data at the moment it is created means that a bucket misconfiguration, like the one behind the Fresh Films Production leak, exposes only ciphertext rather than the data itself.

Business Problem

Like many developers, I use Google Cloud Platform and, with it, Google Cloud Storage to store application data. But what if I have sensitive data? How can I secure it? How hard will it be to integrate? What does the protection look like over time? In searching for answers I decided to use the Virtru Data Protection Platform, which in turn gives access to the entire Virtru Developer Platform. In this scenario the application data is generated by either the client or the application layer, and encryption happens when the application layer calls the storage layer (GCS) to persist the data, so the object is already protected before it reaches the bucket.

Why Virtru

The Virtru SDK is easy to integrate and, once implemented, provides a way to manage data-centric protection at scale. Using the Virtru SDK unlocks the entire Virtru Developer Platform and all of its associated tools.

Environment

The environment for this simple demo will be Python 3, the Google Cloud Storage client library for Python, and the Virtru Python SDK.

Requirements

GCP Authentication and Authorization

For this example, the service account will be over-privileged, which is enough to get the demo working. In production, grant only what the flow needs: the ability to create objects (roles/storage.objectCreator) and read them back (roles/storage.objectViewer) on this one bucket, rather than project-wide rights.

GCP Service Account

We must create a service account that will be granted access to the bucket. Once the account is created, we will download its JSON key file, which we will reference for authentication. I have created a video to illustrate the steps.

GCP Bucket Rights

We must grant the service account rights to the bucket so that it can upload and download files. I have created a video to illustrate the steps.

Update Keys

The following steps are necessary to facilitate authentication to the Virtru Platform and GCP, but they are fairly straightforward.

Virtru Keys

The Virtru keys are in the .virtru file, a JSON list with a single entry. Treat the app id as a credential: it identifies your application to the Virtru platform, so keep the file out of source control.

[{
"virtru_appid":"85daa043-1e63-4406-920f-706d527b0d7d",
"virtru_owner":"email@example.com"
}
]

GCP Keys

The GCP keys are in the .gcp file. This is the service account key downloaded earlier; it contains the account's private key, so keep it out of source control and readable only by the application that needs it.

{
"type": "service_account",
"project_id": "bucket",
"private_key_id": "00000000000000000000",
"private_key": "PRIVATE KEY",
"client_email": "serviceaccount@bucket.iam.gserviceaccount.com",
"client_id": "000000000000",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/serviceaccount%40bucket.iam.gserviceaccount.com"
}

Bucket Name

The GCP bucket name is in the .bucket file

[{
"bucket":"bucket name"
}
]

Execution

Prerequisites

pip3 install -r requirements.txt

Execution

python3 virtru-gcp.py

Output

Should be similar to:

Upload File: test.jpg
Encrypt File: test.jpg
Policy ID: 088b4fdd-dec2-400b-b9ea-a55fce84fa20
Upload File: test.jpg.tdf.html
Download File: plain-test.jpg
Not a TDF: plain-test.jpg
Download File: decrypted-test.jpg
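The post runs virtru-gcp.py but does not reproduce it. The block below is an added example of my own, not the author's script and not Virtru's code, showing the shape of the flow that the output above reflects: encrypt in the application layer, upload only the .tdf.html, download, and treat any object that is not a TDF as a leak instead of decrypting it. So that it runs offline it swaps in two stand-ins, both assumptions: a MemoryBucket whose blob().upload_from_filename() and download_to_filename() calls mirror the google-cloud-storage client, and a StandInProtector built from the standard library (HMAC-SHA256 keystream, encrypt-then-MAC) in place of the Virtru client. The encrypt_file, decrypt_file and is_tdf method names, the MAGIC header, the "local-policy-" ids and the sample bytes are all constructed for illustration, not Virtru's documented API or format.

```python
"""Encrypt-before-upload round trip against an in-memory stand-in for a GCS bucket.
Added example, not the virtru-gcp.py script from the post."""
import hashlib
import hmac
import os
import secrets
import tempfile
from pathlib import Path

TDF_SUFFIX = ".tdf.html"     # object-name convention seen in the post's output
MAGIC = b"STANDIN-TDF-V1\n"  # header of the stand-in container (assumption, not Virtru's format)


class StandInProtector:
    """Offline stand-in for the Virtru client; NOT Virtru and NOT for production.
    Keystream = HMAC-SHA256 in counter mode; an HMAC tag over nonce||ciphertext is
    verified before decrypting (encrypt-then-MAC). Method names are assumed."""

    def __init__(self, key: bytes):
        self.enc_key = hashlib.sha256(b"enc|" + key).digest()
        self.mac_key = hashlib.sha256(b"mac|" + key).digest()

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out, counter = bytearray(), 0
        while len(out) < n:
            block = nonce + counter.to_bytes(8, "big")
            out += hmac.new(self.enc_key, block, hashlib.sha256).digest()
            counter += 1
        return bytes(out[:n])

    def encrypt_file(self, src: str, dst: str) -> str:
        data = Path(src).read_bytes()
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        Path(dst).write_bytes(MAGIC + nonce + tag + ct)
        return "local-policy-" + nonce.hex()[:8]  # the real SDK returns a policy id here

    def is_tdf(self, path: str) -> bool:
        with open(path, "rb") as fh:
            return fh.read(len(MAGIC)) == MAGIC

    def decrypt_file(self, src: str, dst: str) -> None:
        raw = Path(src).read_bytes()
        if not raw.startswith(MAGIC):
            raise ValueError("not a TDF: " + src)
        body = raw[len(MAGIC):]
        nonce, tag, ct = body[:16], body[16:48], body[48:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # refuse tampered objects
            raise ValueError("integrity check failed: " + src)
        Path(dst).write_bytes(bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))))


class MemoryBlob:
    """Mirrors the two google.cloud.storage.Blob methods this flow uses."""
    def __init__(self, store: dict, name: str):
        self.store, self.name = store, name
    def upload_from_filename(self, filename: str) -> None:
        self.store[self.name] = Path(filename).read_bytes()
    def download_to_filename(self, filename: str) -> None:
        Path(filename).write_bytes(self.store[self.name])


class MemoryBucket:
    """Mirrors google.cloud.storage.Bucket.blob(); objects live in a dict."""
    def __init__(self):
        self.store = {}
    def blob(self, name: str) -> MemoryBlob:
        return MemoryBlob(self.store, name)


def protect_and_upload(local_path: str, bucket, protector) -> tuple:
    """Encrypt in the application layer, then hand only the TDF to storage."""
    tdf_path = local_path + TDF_SUFFIX
    policy_id = protector.encrypt_file(local_path, tdf_path)
    object_name = os.path.basename(tdf_path)
    bucket.blob(object_name).upload_from_filename(tdf_path)
    return object_name, policy_id


def download_and_unprotect(object_name: str, bucket, protector, out_dir: str) -> tuple:
    """Fetch an object; decrypt it only if it is a TDF, otherwise flag it."""
    fetched = os.path.join(out_dir, object_name)
    bucket.blob(object_name).download_to_filename(fetched)
    if not protector.is_tdf(fetched):
        return fetched, False  # the "Not a TDF" case in the post's output
    base = object_name[:-len(TDF_SUFFIX)] if object_name.endswith(TDF_SUFFIX) else object_name
    decrypted = os.path.join(out_dir, "decrypted-" + base)
    protector.decrypt_file(fetched, decrypted)
    return decrypted, True


def demo() -> dict:
    """Round trip on constructed sample bytes; returns facts a caller can check."""
    work, downloads = tempfile.mkdtemp(), tempfile.mkdtemp()
    sample = os.path.join(work, "test.jpg")
    plaintext = b"\xff\xd8\xff\xe0 constructed sample image bytes " * 50  # constructed input
    Path(sample).write_bytes(plaintext)
    bucket, protector = MemoryBucket(), StandInProtector(b"demo-only-key")
    name, policy_id = protect_and_upload(sample, bucket, protector)
    bucket.blob("plain-test.jpg").upload_from_filename(sample)  # a plaintext upload by mistake
    restored, was_tdf = download_and_unprotect(name, bucket, protector, downloads)
    _, leaked_was_tdf = download_and_unprotect("plain-test.jpg", bucket, protector, downloads)
    return {
        "object_name": name,
        "policy_id": policy_id,
        "bucket_holds_plaintext": plaintext in bucket.store[name],
        "round_trip_ok": was_tdf and Path(restored).read_bytes() == plaintext,
        "plain_object_flagged": not leaked_was_tdf,
    }
```

Against the real services, `bucket` would come from `storage.Client.from_service_account_json(".gcp").bucket(name)` and `protector` would be the Virtru client initialised from the .virtru values; the stand-in has a fixed key and no key management or policy, so it must never protect real data. The check worth keeping from the demo is the last one: an object that is not a TDF is reported rather than silently passed through, which is how a mistaken plaintext upload gets noticed.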

Conclusion

In just a few lines of Python, I was able to encrypt the files both at rest and in transit: the object that lands in the bucket is a TDF, so it is protected before it ever leaves the application. These simple steps enable the full power of the Virtru Data Protection Platform.

While all cloud storage providers offer some level of native encryption, any developer who stores sensitive data in the cloud should consider adding this extra layer of protection. Native server-side encryption is transparent to anyone the bucket policy lets read, so it does nothing against a misconfigured ACL; encrypting on the client with keys held outside the bucket does. It is easy to execute and provides peace of mind against misconfigurations and any other type of mistake that can lead to a costly breach.
