Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Google Cloud & Your Data

Google Cloud & Your Data

An overview of how to connect your existing data centre to the cloud and considerations for how to keep your data safe.


Mike Fowler

October 12, 2017


  1. Mike Fowler (mike.fowler@claranet.uk) Google Cloud & Your Data

  2. • Data encryption • Connecting your network(s) • Accessing your

    Data • Audit Logging • Cost considerations Overview
  3. • Your data is always encrypted − Encrypted at rest

    − Encrypted in transit • AES-256 with symmetric keys − Keys are encrypted with a master key − Key rotation is automatic • Some services allow you to use your own keys − Google Compute disks − Cloud Storage Data in the Google Cloud
  4. • Interconnect (Access by private address space) − Dedicated Interconnect

    − Cloud VPN • Peering (Access by public IP address) − Direct Peering − Carrier Peering Connecting your network(s)
  5. • SLA of 99.9% service availability • IPsec supporting both

    IKEv1 and IKEv2 • Creates a Google managed virtual gateway device • Performs gateway-to-gateway encryption • Allows both static & dynamic routes Cloud VPN
  6. Cloud VPN

  7. • SLA of 99.9% or 99.99% uptime availability • Physical

    connection in a co-located facility − Traffic does not traverse public internet − Private addresses directly accessible • Between 1-8 10Gbps connections per interconnect • Not encrypted – still consider a VPN • More cost effective for high volume of traffic Dedicated Interconnect
  8. Dedicated Interconnect

  9. • Users authenticate with a Google account − Can be

    a Gmail or G Suite account • Cloud Identity & Access Management (IAM) − Fine grained set of configurable permissions − Permissions can be collected into a role • Primitive roles • Predefined roles • Custom roles Accessing your Data
  10. • Two forms of audit logs for each project −

    Admin Activity − Data Access • Activity can be alerted upon − Define a metric in Stackdriver Logging − Create an alert in Stackdriver Monitoring • Not all services log data access − All will be with many currently in beta Cloud Audit Logging
  11. • Retaining all data for all time costs − Use

    Nearline when data is accessed once a month − Use Coldline when data is accessed once a year • Data Access logs will be excessive − Consider logging access only to sensitive data • Set a budget − Budgets can be defined in billing − Alerts can be raised if a budget is exceeded Cost considerations
  12. • Your data is always encrypted • Trust Google to

    manage your keys • Cloud VPN is sufficient for most use cases • Judicious use of IAM • Stackdriver is essential for • Audit logging • Cost management Summary
  13. None