Security on Cloud

About:me Fon - Kamolphan Liwprasert Senior Machine Learning Engineer @Sertis Master in Computer Science student About:me

What I will cover: ● Cloud security ○ Why it’s important ● Security compliance ○ PDPA / GDPR ● Secured data on GCP ○ IAM & Organizational structure ○ Service Account ○ Object life cycle ○ Cloud Data Loss Prevention (DLP) ○ Data encryption options ○ Secured practice for BigQuery ● Tips & Tricks ● Q&A

Cloud Security

Why it’s important? https://www.cxo-community.com/2018/01/5-reasons-why-cloud-security-is.html 1. Security breaches are always big news 2. All service providers aren’t equal 3. Know where your data is stored 4. Security roles should be clearly defined 5. Backing up data is just as important

How secured a cloud is? https://cloud.google.com/security/

Security Ecosystem

Mitigate the loss https://lifehacker.com/how-to-protect-yourself-in-microsofts-recent-data-breac-1841185226

“Security is Only as Strong as the Weakest Link”

Security Compliance

Data Protection Policy

GDPR

PDPA in Thailand

Data Protection Guideline https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other -Guides/Guide-to-Data-Protection-by-Design-for-ICT-Systems -(310519).pdf https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other -Guides/Technical-Guide-to-Advisory-Guidelines-on-NRIC-Nu mbers---260819.pdf

Secure Data on GCP

1 Cloud IAM and Organizational Structure

Cloud IAM https://www.youtube.com/watch?v=ZQHoC0cR6Qw&hl=th

Use Groups, with logical names https://www.youtube.com/watch?v=ZQHoC0cR6Qw&hl=th

Organization Structure https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations Organization Resource Projects Folders Resources

Match resources to company structure Organization Resource Projects Folders Resource TIPS: Verbose project names provide clarity on resource structure and ownership i.e. company-sales-clientinsight-prod

2 Service Accounts

Service Account https://www.youtube.com/watch?v=ZQHoC0cR6Qw&hl=th

Service Account Tips https://www.youtube.com/watch?v=ZQHoC0cR6Qw&hl=th Don’t rely on default Service Account

How many Service Accounts https://www.youtube.com/watch?v=ZQHoC0cR6Qw&hl=th

We should centralize the service account creation and rotation! https://cloud.google.com/blog/products/gcp/help-keep-your-google-cloud-service-account-keys-safe

3 Object Life Cycle

cannot be undeleted. Lifecycle configuration https://cloud.google.com/storage/docs/lifecycle#actions Delete Multi-Regional Storage/ Regional Storage Nearline Storage Coldline Storage Archive Storage OR

Storage Classes

How to add a Lifecycle rule

How to add a Lifecycle rule (2)

How to add a Lifecycle rule (3) Done :)

Bucket Lock & Retention Policy Retention Policy To keep it at a certain amount of time before be able to delete. ** be careful, some action cannot be undone

4 Cloud Data Loss Prevention

What can happen? https://www.youtube.com/watch?v=MY3PjFpI3rE

PII Personally Identifiable Information

● SSN / ID ● Name ● Date of Birth ● Phone number ● Email ● Photos ● . . . Personally Identifiable Information

Redaction https://www.youtube.com/watch?v=MY3PjFpI3rE

Cloud Data Loss Prevention (DLP) Provides methods for detection, risk analysis, and de-identification of privacy-sensitive fragments in text, images, and Google Cloud Platform storage repositories. https://cloud.google.com/solutions/automating-classification-of-data-uploaded-to-cloud-storage

Cloud Data Loss Prevention (DLP) https://cloud.google.com/solutions/automating-classification-of-data-uploaded-to-cloud-storage

5 Data Encryption Options

Data Encryption Options ● Google managed key ○ Encryption by Default ○ AES-256 standard ● Customer-managed encryption keys (CMEK) ○ Store keys within Cloud KMS ● Customer-Supplied Encryption Keys (CSEK) ○ Data encryption key (DEK): A key used to encrypt data. ○ Key encryption key (KEK): A key used to encrypt, or "wrap", a data encryption key. https://cloud.google.com/security/encryption-at-rest/

6 Security Practice for BigQuery

Big Data Reference Architecture Cloud Composer

BigQuery - Project BigQuery workshop

BigQuery - Datasets BigQuery workshop

BigQuery - Tables BigQuery workshop

BigQuery - Jobs BigQuery workshop

Tips and Tricks

New Arrival!

Tips and Tricks 1. Least Privileges! > Only allow the necessity roles. No more than that. 2. Least Privileges. Same to people in project. > Only allow people 3. Don’t use default firewall rule > It allows port 22 (default-allow-ssh). Should be removed 4. Don’t use default service account in production > The permission in default service account can be changed without notice. 5. Delete the unused projects! > Cause it co$t money $$$$! > CONSULT YOUR TEAM, PM, AND ANYONE RELATED FIRST! 6. Keep updating :) https://polleyg.dev/posts/shoot-yourself -gcp/

Resources ● https://cloud.google.com/security/infrastructure/design/res ources/google_infrastructure_whitepaper_fa.pdf ● https://cloud.google.com/docs/enterprise/best-practices-fo r-enterprise-organizations ● https://cloud.google.com/storage/docs/bucket-lock ● https://cloud.google.com/security/encryption-at-rest/custo mer-supplied-encryption-keys/ ● https://cloud.google.com/storage/docs/encryption/custome r-managed-keys ● https://cloud.google.com/blog/products/identity-security/int roducing-google-clouds-secret-manager ● https://cloud.google.com/dlp/ ● https://www.etda.or.th/app/webroot/content_files/13/files/1. PDPA%20Presentation_CyberSecurity%20Week%20201 9.pdf

“Security is Only as Strong as the Weakest Link”

Q & A

Thanks! Kamolphan Liwprasert (Fon) [email protected] linkedin.com/in/fonylew/ Sertis is hiring :)

SERTIS IS HIRING :) Feedback IS A GIFT :) https://forms.gle/cQrUDeJeyvYnDpVw5