Google Cloud & Your Data

Transcript

1. Mike Fowler ([email protected]) Google Cloud & Your Data

2. • Data encryption • Connecting your network(s) • Accessing your

   Data • Audit Logging • Cost considerations Overview

3. • Your data is always encrypted − Encrypted at rest

   − Encrypted in transit • AES-256 with symmetric keys − Keys are encrypted with a master key − Key rotation is automatic • Some services allow you to use your own keys − Google Compute disks − Cloud Storage Data in the Google Cloud

4. • Interconnect (Access by private address space) − Dedicated Interconnect

   − Cloud VPN • Peering (Access by public IP address) − Direct Peering − Carrier Peering Connecting your network(s)

5. • SLA of 99.9% service availability • IPsec supporting both

   IKEv1 and IKEv2 • Creates a Google managed virtual gateway device • Performs gateway-to-gateway encryption • Allows both static & dynamic routes Cloud VPN

6. Cloud VPN

7. • SLA of 99.9% or 99.99% uptime availability • Physical

   connection in a co-located facility − Traffic does not traverse public internet − Private addresses directly accessible • Between 1-8 10Gbps connections per interconnect • Not encrypted – still consider a VPN • More cost effective for high volume of traffic Dedicated Interconnect

8. Dedicated Interconnect

9. • Users authenticate with a Google account − Can be

   a Gmail or G Suite account • Cloud Identity & Access Management (IAM) − Fine grained set of configurable permissions − Permissions can be collected into a role • Primitive roles • Predefined roles • Custom roles Accessing your Data

10. • Two forms of audit logs for each project −

    Admin Activity − Data Access • Activity can be alerted upon − Define a metric in Stackdriver Logging − Create an alert in Stackdriver Monitoring • Not all services log data access − All will be with many currently in beta Cloud Audit Logging

11. • Retaining all data for all time costs − Use

    Nearline when data is accessed once a month − Use Coldline when data is accessed once a year • Data Access logs will be excessive − Consider logging access only to sensitive data • Set a budget − Budgets can be defined in billing − Alerts can be raised if a budget is exceeded Cost considerations

12. • Your data is always encrypted • Trust Google to

    manage your keys • Cloud VPN is sufficient for most use cases • Judicious use of IAM • Stackdriver is essential for • Audit logging • Cost management Summary
13. None