is responsible for the security of the cloud, while the customer is responsible for security in the cloud.
▶ Google secures the underlying infrastructure: it manages and controls the virtualization layer, physical security, the host OS, encryption at rest by default, etc.
▶ Customers are responsible for security at the application level, access policies, and, for IaaS in particular, network security.
▶ Google also provides capabilities to protect workloads, such as access controls in Cloud IAM.
criminal penalties for data breaches, remediation costs, litigation costs
▶ Reputational risk: brand damage, loss of consumer and employee trust
▶ Regulatory risk: fines and penalties, regulatory limitations on business operations
▶ Google provides guides; for example, the PCI DSS on GKE guide.
everything is happening on Google Cloud; very centralized compared to on-premises.
▶ Use groups, and give them expressive names. Examples: “log-viewers”, “security-admins”, etc.
▶ Understand the folder structure.
▶ Project names follow [organization name]-[expanded folder tree]-[environment]. Example: “donware-finance-paymentcards-dev”.
a special kind of account that belongs to an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls.
▶ A service account is also an identity.
▶ Naming convention: prefix with “sa-”, “srv-”, “service-”, etc. Example: “sa-payment-statistics-api@donware-finance-paymentcards-dev.iam.gserviceaccount.com”
▶ Don’t use the default service accounts.
▶ Use one service account per service.
▶ Scoping: allow access only to the resources the service requires.
▶ Relation between Users, Groups, Roles, Permissions, and Resources: Forseti Explain.
and data model:
    forseti inventory create --import_as <MODEL_NAME>
▶ Tell Forseti to use that data model:
    forseti model use <MODEL_NAME>
▶ Now you can list the resources in the data model:
    forseti explainer list_resources
▶ List the members:
    forseti explainer list_members
  Or filter with a prefix match, for instance:
    forseti explainer list_members --prefix test
▶ List the roles:
    forseti explainer list_roles
▶ List the permissions of one or more roles:
    forseti explainer list_permissions --roles <ROLE1> <ROLE2>
  For example: roles/iam.roleAdmin
▶ List member access
▶ List resource permissions
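The question Forseti Explain answers is “why does this member hold this permission on this resource?”, which is a walk up the resource hierarchy over role bindings, with group membership expanded. The script below is an added illustration of that evaluation, not Forseti code; the organization, folder, group and binding data are constructed, and the role-to-permission map is a representative subset of the real roles.

```python
"""Toy IAM 'explain': find the bindings that grant a member a permission.
Added illustration only; not Forseti code. All data below is constructed."""

# Constructed resource hierarchy: child -> parent (None marks the root).
HIERARCHY = {
    "organizations/donware": None,
    "folders/finance": "organizations/donware",
    "projects/donware-finance-paymentcards-dev": "folders/finance",
}
# Real role names with a representative subset of their permissions.
ROLES = {
    "roles/viewer": {"logging.logEntries.list", "compute.instances.get"},
    "roles/iam.roleAdmin": {"iam.roles.create", "iam.roles.delete"},
}
# Constructed group expansion (group -> direct members).
GROUPS = {"group:log-viewers@donware.example": {"user:alice@donware.example"}}
# Constructed IAM bindings: resource -> list of (role, member).
SA = "serviceAccount:sa-payment-statistics-api@donware-finance-paymentcards-dev.iam.gserviceaccount.com"
BINDINGS = {
    "folders/finance": [("roles/viewer", "group:log-viewers@donware.example")],
    "projects/donware-finance-paymentcards-dev": [("roles/iam.roleAdmin", SA)],
}

def ancestors(resource):
    """The resource itself, then each parent up to the root: IAM policy is inherited downward."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = HIERARCHY[resource]
    return chain

def expand(member):
    """A bound member plus, if it is a group, the group's direct members."""
    return {member} | GROUPS.get(member, set())

def explain(member, permission, resource):
    """Return [(binding resource, role, bound member)] for every binding that
    grants `member` the `permission` on `resource`; empty list means no access."""
    grants = []
    for res in ancestors(resource):
        for role, bound in BINDINGS.get(res, []):
            if permission in ROLES.get(role, set()) and member in expand(bound):
                grants.append((res, role, bound))
    return grants

if __name__ == "__main__":
    proj = "projects/donware-finance-paymentcards-dev"
    for p in ("logging.logEntries.list", "iam.roles.create"):
        print(p, "->", explain("user:alice@donware.example", p, proj))
```

Running it shows alice reading logs on the project only through the group binding inherited from the folder, and holding no role-admin permission there, which is the kind of path a least-privilege review should look for.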
▶ Federating Active Directory with Cloud Identity by using GCDS and AD FS
▶ Federating Azure AD with Cloud Identity
▶ Exposing an on-premises AD FS to GCP
▶ Exposing an on-premises LDAP directory to GCP
▶ Replicating an on-premises LDAP directory to GCP
▶ Extending an on-premises Active Directory to GCP
▶ This article discusses these options in detail.
at the organization level: IAM & Admin > Organizational Policies > Skip default network creation.
▶ Limit internet access to only those resources that need it.
▶ Database in Cloud SQL
▶ Use a bastion host instead.
broader sets when possible
▶ Apply firewall rules that are common across all VMs in the VPC network.
▶ Apply firewall rules that can be grouped across several VMs, such as a service instance group or a subnet.
▶ Apply firewall rules to individual VMs, such as a NAT gateway or a bastion host.
monitor security policies when using tags
▶ Forseti
▶ Use the HTTP(S) load balancer
▶ Use Google Cloud Armor
▶ Use Cloud Security Command Center
▶ Security Health Analytics