Managing GCP Security

GCP’s Approach to Security

Security empowers innovation. If you put security first, everything else will follow.

  • Security is Paramount at Google.
  • Seven services with over a Billion users.

Countless breaches around the world have cost organizations data, customer trust, and millions in fines.

  • Heavy investment in infrastructure security & privacy.
    • Hundreds of dedicated engineers focused on implementing security as well as possible.
  • Global scale infrastructure for:
    • Secure deployment of services
    • Secure storage of data
    • Secure communications between services
    • Safe operation by Administrators
  • Google’s Internet services, and GCP in particular, are built on this infrastructure.

It is not enough to build something and make it secure after the fact.

Google Infra Security Layers

Security is fundamental to Google’s infrastructure design: it is designed and built in progressive layers, delivering true defense in depth.

  • Operational Security
  • Internet Communication
  • Storage Services
  • User Identity
  • Service Deployment
  • Hardware Infrastructure

Hardware Infrastructure

  • State-of-the-art data centers
  • Security of Physical Premises
  • Hardware design and provenance
  • Secure Boot stack and machine identity

Secure Service Deployment

  • Service identity, integrity, and isolation
  • Inter-service access management
  • Encryption of inter-service communication (RPCs are encrypted)
  • Access management of end-user data
  • Centralized source code, with two +1 reviews required on all code changes.
  • Bug bounty programs

Secure User Identity

  • Google login page
  • Authentication
  • Login Abuse Protection
  • MFA; U2F open-standard security keys required

Secure data storage

  • Encryption at Rest default
  • Hardware tracking and disposal
  • Deletion of Data: Write all the zeros, or physical destruction

Secure Internet Communication

  • Google Front End (GFE): checks incoming network connections for correct certificates and best practices, and provides protection against DoS attacks.
  • DoS protection is multi-layered and is available through Google Cloud load balancing.
  • User authentication: Cloud VPN for establishing IPsec connections, and Direct Interconnect.

Operational Security

Security is a factor for all employees, starting in the hiring process and continuing with ongoing training and company-wide events to raise awareness. Google verifies individuals’ education and previous employment, performs internal and external reference checks, and runs criminal and credit checks.

  • Safe software development
  • Keeping employee devices and credentials safe
  • Reducing insider risk
  • Intrusion detection on physical campuses

GCP is designed for Security

GCP benefits from being designed for, and running on, Google’s secure infrastructure.

  • Security baked in.
  • Security is not something added on afterward
  • GCP is technology with security at its core

VPC Networking

Google Virtual Private Cloud (VPC) is your GCP virtual private network.

  • Define resources on a logically isolated network
  • Control ingress (inbound) and egress (outbound) traffic to and from the public internet via firewall rules.

Operational Monitoring

  • Logging and monitoring are the cornerstones of application and network security operations.
  • Stackdriver enables debugging, monitoring, and diagnostics for applications that run on GCP.
  • Identify potential risks to applications in GCP.
  • Stackdriver enables ingestion from other sources.
  • Analyze log data in real time, identify trends, and prevent issues before they happen.

Our products regularly undergo independent verification of security, privacy, and compliance controls achieving certifications against global standards to earn your trust.

  • GCP provides many security controls automatically, reducing the IT security resources required and the total cost of ownership.

GCP’s Shared Security Model

Cloud security requires collaboration

  • Google is responsible for managing its infrastructure security.
  • You are responsible for securing your data.

Data Access

  • You control who has access to your data.

    • GCP provides the mechanisms to control access: Cloud Identity, Cloud IAM, access control lists, and firewall rules.
  • API requests for data are made via REST service calls.

    • Authentication information must be included with requests
  • GCP does not require advance notification to perform penetration testing.

  • GCP provides some Security assessment services

    • Cloud Security Scanner
    • Forseti Security

Threats Mitigated by GCP

Protecting against large Internet attacks can be very difficult and can require a huge amount of resources.

GCP’s scale protects most customers, because Google has the capacity to absorb (and pay for) such attacks.

DDoS

  • Single attack clocked at 1 TB/s
  • The whole Internet operates at 200 TB/s
  • GCP data center bandwidth has 1300 TB/s capacity

GCP global HTTP(S) load balancing provides built-in defense against infrastructure DDoS attacks globally, with no additional configuration required. The load balancers are configured to drop or block the sources of the attack.

Cloud Armor

Cloud Armor provides IPv4 and IPv6 whitelisting and blacklisting, plus XSS and SQL injection defense. It works in conjunction with global HTTP/HTTPS load balancing and enables you to deploy and customize defenses for your internet-facing applications. (It is the same service that defends Gmail.)

Physical Security

  • Data centers are protected with a layered security model
    • Biometrics, lasers, cameras, fencing, etc.
  • All access is tracked and monitored
    • Access logs, activity records, and camera footage
  • Limited access: less than 1% of Googlers access data centers

Data access security

Data at Rest

All data at rest is chunked and encrypted automatically (storage disks, etc.).

Additional custom encryption options:

  • Customer-managed encryption keys (CMEK)
  • Customer-supplied encryption keys (CSEK)

Data in Transit

Different protections apply depending on the transmission path.

Data in transit within Google’s physical boundaries is generally authenticated but may not be encrypted by default. You can choose which additional security measures to apply based on your threat model. All data is automatically encrypted and authenticated when transmitted outside a physical boundary controlled by or on behalf of Google.

Server and Software Stack

Servers are homogeneous and custom-built with security in mind: purpose-built servers and network equipment.

A stripped-down and hardened Linux OS, continually monitored for binary modifications.

Trusted server boot chips: Titan security chips.

GCP applies patches to vulnerabilities before customers even know about the public security vulnerability.

Data disposal

When customer data is deleted:

  • Data is no longer accessible by the service.
  • Data is deleted from all Google’s systems
    • In accordance with applicable laws
    • Maximum of 180 days.

Access Transparency

  • GCP customers own their data, not Google.
  • Google will not process data for any purpose other than to fulfill contractual obligations.
    • Data is NOT scanned for third party profits
  • Inability to audit cloud provider access is often a barrier to moving to the cloud.
  • GCP Cloud Audit Logs provide visibility into the actions of your own administrators.

The Google Access Transparency product provides near-real-time oversight of data accesses by Google Support or engineering staff.

Google performs regular audits of access by administrators and checks the effectiveness of its controls.

Data can be exported from GCP by paying the egress networking charges.

The Google Transfer Appliance can also be used to move data (hundreds of terabytes) into or out of GCP.

Module 2

Cloud Identity

Identity as a Service (IDaaS) solution

Used by hundreds of thousands of organizations to manage millions of users. Works with any domain that can receive email.

Cloud Identity provides a single-admin console, so users, groups, and domain-wide security settings can be managed for your entire organization from a central location.

  • Used for managing users, groups and (web)domain-wide security settings.
    • Based on email accounts tied to a DNS domain
    • Manage users from centralized Google location
  • Tied to a unique DNS domain that is enabled for receiving email
    • Must verify that you own the domain name.

Manage all users from the Google Admin Console.

  • A single pane of glass to manage your users’ identities and access permissions across your entire domain.
  • Easily manage security policies and roles

Cloud Identity Free Edition: core identity and endpoint management services, with free, managed Google accounts for those who don’t use G Suite services.

Cloud Identity Premium Edition: offers enterprise security, application management, and device management services.

  • Device Management
    • User provisioning, application whitelisting, and rules to automate device management.

admin.google.com is a centralized console for managing users, groups, and security settings.

Google Admin Console

You can create Cloud Identity accounts for managing users who do not need G Suite services.

You must register your domain with Cloud Identity and verify ownership.

Administration

Google Admin console at admin.google.com is used to manage users, groups and security settings.

Organization Administrators have central control of all resources. The OrgAdmin IAM role must be assigned to a User or Group.

Consumer accounts, such as personal Gmail accounts or consumer accounts created with work email addresses, are unmanaged accounts outside the control of the GCP admin.

They are therefore a security issue. You can create Cloud Identity accounts for these users and assign them proper IAM roles.

Sync with Microsoft Active Directory

Managing users manually can also add significant operational overhead.

The Google Cloud Directory Sync (GCDS) tool synchronizes G Suite accounts to match the data in an existing Active Directory or LDAP directory. Your Google users, groups, and shared contacts are synchronized to match the information in your AD/LDAP server.

How it works

  1. Data is exported as a list from your LDAP server or Active Directory.
    • You set up rules to specify how and when this list is generated.
  2. GCDS connects to your Google domain and generates a list of the existing users, groups, and shared contacts that you specify.
  3. GCDS compares these lists and updates your Google domain to match the data.
  4. When the synchronization is complete, a report is emailed.

Synchronization is one-way; the data in your directory server is never modified or compromised. Continue administering with Active Directory, and updates trickle down to your Google domain.

GCDS runs as a utility within your server environment. It does not need to run in the cloud. This means that there is no access to your active directory or LDAP server needed outside of your organization’s IT perimeter.

The GCDS auto-provisioning and deprovisioning functions will remove a user’s account and deprovision that account from all cloud apps once the user has been removed from your directory.
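The one-way sync described in the four steps above, as an added example that is not Google’s GCDS code: the directory export and the Google domain listing are constructed dicts, and the "protected" set is an assumption standing in for accounts that exist only in Google (a break-glass super admin) and must never be deprovisioned by the sync.

```python
"""One-way directory sync plan, modelling the four GCDS steps above.

Added example, not Google's GCDS code. The directory export and the Google
domain listing are constructed dicts; the "protected" set is an assumption
standing in for accounts that exist only in Google (a break-glass super admin)
and must never be deprovisioned by the sync.
"""
from dataclasses import dataclass, field


@dataclass
class SyncPlan:
    create: list = field(default_factory=list)
    update: list = field(default_factory=list)
    suspend: list = field(default_factory=list)         # deprovision: gone from the directory
    groups_changed: dict = field(default_factory=dict)  # group -> (members to add, to remove)

    def report(self):
        """The summary that step 4 emails when the synchronization completes."""
        return (f"Sync report: {len(self.create)} created, {len(self.update)} updated, "
                f"{len(self.suspend)} suspended, {len(self.groups_changed)} groups changed")


def plan_users(directory, google, protected=frozenset()):
    """directory / google: email -> attribute dict. The directory (step 1 export)
    is the source of truth; the Google side (step 2 listing) is only ever changed
    to match it (step 3), never the other way round."""
    plan = SyncPlan()
    for email, attrs in directory.items():
        if email not in google:
            plan.create.append(email)
        elif google[email] != attrs:
            plan.update.append(email)
    for email in google:
        if email not in directory and email not in protected:
            plan.suspend.append(email)
    return plan


def plan_groups(directory_groups, google_groups, plan):
    """Group membership diff: name -> (add, remove), sorted for stable output."""
    for name in sorted(set(directory_groups) | set(google_groups)):
        want = set(directory_groups.get(name, ()))
        have = set(google_groups.get(name, ()))
        if want != have:
            plan.groups_changed[name] = (sorted(want - have), sorted(have - want))
    return plan


def build_sample():
    """Constructed data: Bob moved OU, Carol joined, Dave left, one break-glass account."""
    directory = {
        "alice@example.com": {"name": "Alice", "ou": "Engineering"},
        "bob@example.com": {"name": "Bob", "ou": "Security"},
        "carol@example.com": {"name": "Carol", "ou": "Engineering"},
    }
    google = {
        "alice@example.com": {"name": "Alice", "ou": "Engineering"},
        "bob@example.com": {"name": "Bob", "ou": "Engineering"},
        "dave@example.com": {"name": "Dave", "ou": "Engineering"},
        "breakglass@example.com": {"name": "Break Glass", "ou": "IT"},
    }
    directory_groups = {"web-admins@example.com": ["alice@example.com", "carol@example.com"]}
    google_groups = {"web-admins@example.com": ["alice@example.com", "dave@example.com"]}
    return directory, google, directory_groups, google_groups


if __name__ == "__main__":
    d, g, dg, gg = build_sample()
    plan = plan_groups(dg, gg, plan_users(d, g, protected={"breakglass@example.com"}))
    print(plan.report())
```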

Google Auth vs SAML SSO

Two authentication systems: Google AuthN vs. single sign-on (SSO).

Google AuthN

Google passwords are stored by Google, which can enforce password criteria.

Google supports SAML. Google operates as the service provider, and your SSO system operates as the identity provider. This allows use of a custom AuthN mechanism and management of credentials.

Google SSO requires:

  1. Three URLs: sign-in, sign-out, and password change
  2. Certificate file.

Authentication Best Practices

  • Avoid managing permissions for individual users.
  • It is best to assign GCP roles to groups instead.

For high risk areas, assigning roles individually may be necessary.

Number of OrgAdmins: You should have at least two, but no more than three.

New Projects result in broad access being granted to all users. Remove these permissions to start locking down access at finer granularity.

Multiple domains can be associated with your organization’s Google account. You can add up to 600 domains, with proof of ownership.

2-Step Verification should be enforced on all Accounts.

At the minimum, 2SV should be enforced for all super admin accounts and elevated privilege accounts.

Cloud Identity and Access Management(IAM)

Cloud Identity and Access Management, or Cloud IAM as it is known, lets administrators authorize who can take action on specific resources, giving you full control and visibility to manage your cloud resources centrally.

Resource Manager

IAM = Who / Can do what / On which resources in GCP.

  • Resources in GCP are hierarchically managed by organization, folders, and projects.
    • Organization -> Folders -> Projects
    • e.g. access control and configuration settings
  • Resource Manager enables you to programmatically manage these resource containers.

IAM Objects

Resource hierarchy managed by Resource Manager.

  • Organization
  • Folders
  • Projects
  • Resources
  • Members
  • Roles

The organization node is the root node of the Google Cloud resource hierarchy. It is a super node for all of your projects and resources, and it represents your organization.

Folders can be used to implement organization structure

  • Optionally group projects under an organization.
  • Can contain both projects and other folders.
  • Each folder has exactly one parent node (a folder or the organization).
  • Used to assign roles to users, which then apply to all downstream projects and resources.

Projects

Projects are required in GCP for deploying any resources, and for tracking, quotas, billing, and management permissions.

GCP Members

Member roles

  • Permissions are given to members by granting roles.
  • Roles define which permissions are granted.
  • GCP provides predefined roles, and also the ability to create custom roles.

New members can be assigned Cloud IAM roles.

Service Accounts

  • Control server-to-server interactions
    • Used to Authenticate from one service to another
    • Used to control privileges used by resources

e.g. Service account with StorageObjectViewer: Compute Engine instance -> Cloud Storage (resource)

For GCP service accounts (VM SAs), credentials are rotated automatically. Service accounts can also be used outside of GCP, with a different key rotation period, and keys can be created manually.

IAM Roles

  1. Primitive: the original roles, historically available before Cloud IAM.
    • Applied at the project or service level, and manage all parts of that project or service.
    • Three concentric primitive roles: Owner > Editor > Viewer
  2. Predefined (curated): finer-grained access controls to GCP resources.
    • Granular access for specific services.
    • Map to predefined roles: Network Manager, Security Reviewer, Storage Admin, etc.
    • Browser role: provides read access to browse the hierarchy in an organization.
  3. Custom: define roles consisting of chosen permissions on resources.
    • Map specific permissions to specific job roles.
    • Allow specification of a precise set of permissions.

GCP IAM Policies

  • A policy consists of a set of bindings.
  • A binding binds a list of members to a role.

A role is a named list of permissions defined by Cloud IAM.

A policy is a collection of access statements attached to a resource.

Organization Policies

  • Configuration of restrictions
  • Defined by configuring a constraint with the desired restrictions.
  • Applied to the organization node, folders, or projects.

The effective policy on a resource is the union of the parent and resource policies, so a less restrictive parent policy always overrides a more restrictive resource policy.

Constraints

A type of restriction against a GCP service. Think of a Constraint as a blueprint that defines which behaviors are controlled. This blueprint is then applied to a resource hierarchy node as an organization policy, which implements the rules defined in the constraint.

  • Disable VM serial port access.
  • Disable service account creation.
  • Disable VM nested virtualization.
  • Define trusted image projects.

IAM Best Practices

  • Adhere to Principle of Least Privilege
    • Always apply only the minimal access level required to get the job done.
    • Prevents accidental modification/damage to resources.
    • Creating policies: less restrictive (more access) parent policies always override more restrictive resource policies.
      • e.g. if someone is a project editor, you cannot restrict that access on a specific resource within the project.
  • Use groups when configuring GCP access.
    • Groups are defined and managed in the Google Admin Console; using groups drastically reduces the administration needed by GCP admins.
  • Assign roles to groups, not individual users.
    • Manage access by adding or removing Users from defined Groups.

Use predefined roles where they meet your requirements, as they require less administration: as new features or services are added to GCP, the related predefined roles are updated. Custom roles are not maintained by Google.

Project-level permission and policy changes are recorded in audit logs. These can be exported to Google Cloud Storage or BigQuery, allowing them to be stored indefinitely.

Module 2

VPC Firewalls

Create and control your own private, logically isolated network for deploying GCP resources (GCE, Kubernetes, etc.).

Connect to a VPC network via an IPsec VPN tunnel or Dedicated Interconnect.

Allow or deny traffic via ingress and egress rules, defined on the VPC network as a whole. Since VPC networks are global in GCP, firewall rules are also global: they are distributed firewalls.

Firewall rules are defined at the network level, but traffic is allowed or denied on a per-instance basis; rules act on individual instances within the same network.

Rules can be applied as:

  • Global rules
  • Instance tag/label matching
  • Rules associated with service accounts.
    • Changing the service account associated with an instance requires you to stop and start the instance for the change to take effect.

GCP firewall rules are stateful: once a connection is established, traffic is allowed in both directions. For each initiated connection that is tracked by an allow rule in one direction, the return traffic is automatically allowed regardless of any other rule in place. Established connections are considered active if at least one packet has been sent in a 10-minute period.

Firewall rule parameters:

  • Direction: Ingress or Egress.
  • Source: only applicable to ingress rules.
  • Destination: only applicable to egress rules.
  • Protocol and port: rules can be restricted to specific protocols only, or to combinations of protocols and ports.
  • Action: Allow or Deny.
  • Priority: 0-65535. The order in which rules are evaluated; the first matching rule is applied. 0 is the highest priority, decreasing from there. The default priority is 1000. If a Deny rule has the same priority as an Allow rule, the Deny rule overrides.

VPC Firewall Defaults

VPC networks have two implied firewall rules. They apply to all instances within the network, but are not shown in the Cloud Console.

  1. Allow all outgoing traffic.
    • Egress rule: action Allow, destination 0.0.0.0/0, lowest priority (65535)
  2. Block all incoming traffic.
    • Ingress rule: action Deny, source 0.0.0.0/0, lowest priority (65535)

All projects get a default VPC network created automatically, with four rules to provide access: default-allow-internal enables inbound connections between instances; default-allow-ssh, default-allow-rdp, and default-allow-icmp allow Secure Shell, Remote Desktop Protocol, and ICMP traffic respectively. All four rules have the second-lowest priority, 65534.

These rules should be deleted or modified as necessary.

VPC Firewall Best Practices

Some VPC network traffic is always blocked, regardless of firewall rules.

Blocked traffic / Applies to: (table rows not captured in these notes)

Best Practices

  1. Follow the principle of least privilege: create rules that allow only the traffic that is necessary.
  2. Minimize direct exposure to the web; avoid allow rules with source 0.0.0.0/0.
  3. Prevent ports and protocols from being exposed unnecessarily. Create a firewall rule that blocks all outbound traffic, at the lowest priority, for all protocols and ports, locking down Compute Engine resources from making outbound connections.
  4. Adopt a standard naming convention for firewall rules.
    • `{direction}-{allow/deny}-{service}-{to-from-location}`
    • e.g. ingress-allow-ssh-from-openvpn
    • e.g. egress-allow-all-to-gcevms
  5. Consider service account firewall rules instead of tag-based rules.
    • Tag-based firewall rules can be applied by any user who has the Compute Instance Admin role, whereas using a service account requires the user to have explicit Cloud IAM rights on that service account.
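To make the evaluation order concrete, here is an added example (not Google’s code) that models the rule parameters, the two implied rules and the default-network rules described above, plus the egress lockdown and naming convention from the best-practices list. The default network’s 10.128.0.0/9 internal range and the simplified protocol matching are assumptions.

```python
"""Model of VPC firewall evaluation as described in these notes.

Added example, not Google's code. Simplified: a rule has a direction, action,
priority, CIDR ranges (source for ingress, destination for egress),
protocol/port pairs and optional target tags or target service accounts.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                       # "INGRESS" or "EGRESS"
    action: str                          # "ALLOW" or "DENY"
    priority: int = 1000                 # 0 = highest, 65535 = lowest
    ranges: tuple = ("0.0.0.0/0",)       # source (ingress) or destination (egress)
    protocols: tuple = (("all", None),)  # (protocol, port) pairs; port None = any
    target_tags: frozenset = frozenset()
    target_sas: frozenset = frozenset()

    def applies_to(self, tags, sa):
        # A rule with no targets applies to every instance in the network
        if not self.target_tags and not self.target_sas:
            return True
        return bool(self.target_tags & tags) or sa in self.target_sas

    def matches(self, direction, peer_ip, proto, port, tags, sa):
        if self.direction != direction or not self.applies_to(tags, sa):
            return False
        if not any(ip_address(peer_ip) in ip_network(r) for r in self.ranges):
            return False
        return any(p == "all" or (p == proto and prt in (None, port))
                   for p, prt in self.protocols)


# The two implied rules every VPC network has (not shown in the Console)
IMPLIED_RULES = (
    Rule("implied-allow-egress", "EGRESS", "ALLOW", 65535),
    Rule("implied-deny-ingress", "INGRESS", "DENY", 65535),
)


def default_network_rules():
    """The four rules of the auto-created default network, priority 65534.
    Assumption: 10.128.0.0/9 is the default network's internal range."""
    internet = ("0.0.0.0/0",)
    return [
        Rule("default-allow-internal", "INGRESS", "ALLOW", 65534, ("10.128.0.0/9",)),
        Rule("default-allow-ssh", "INGRESS", "ALLOW", 65534, internet, (("tcp", 22),)),
        Rule("default-allow-rdp", "INGRESS", "ALLOW", 65534, internet, (("tcp", 3389),)),
        Rule("default-allow-icmp", "INGRESS", "ALLOW", 65534, internet, (("icmp", None),)),
    ]


def evaluate(rules, direction, peer_ip, proto, port, tags=frozenset(), sa=None):
    """Return (action, rule_name) for one packet. The lowest priority number
    wins; at equal priority a DENY takes precedence over an ALLOW."""
    candidates = [r for r in (*rules, *IMPLIED_RULES)
                  if r.matches(direction, peer_ip, proto, port, tags, sa)]
    best = min(candidates, key=lambda r: (r.priority, r.action != "DENY"))
    return best.action, best.name


# Naming convention from the best-practices list:
# {direction}-{allow/deny}-{service}-{to-from-location}
NAME_RE = re.compile(r"^(ingress|egress)-(allow|deny)-[a-z0-9]+-(to|from)-[a-z0-9]+$")


def is_conventional_name(name):
    return NAME_RE.match(name) is not None


if __name__ == "__main__":
    rules = default_network_rules()
    print(evaluate(rules, "INGRESS", "203.0.113.5", "tcp", 22))   # default-allow-ssh
    print(evaluate(rules, "INGRESS", "203.0.113.5", "tcp", 443))  # implied deny
```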

Load Balancing and SSL Policies

SSL here means both the SSL and TLS protocols.

GCP load balancers support HTTPS and SSL proxies.

Use Google-managed or self-managed certificates. The client SSL session terminates at the load balancer, which then balances the connections across instances using SSL or TCP.

Cloud SSL Proxy is intended for non-HTTPS traffic; use the HTTPS load balancer for HTTPS traffic.

SSL policies specify:

  • Minimum TLS version clients can connect with: TLS 1.0, 1.1, or 1.2
  • Profile of SSL policy features: selects the set of SSL features to enable on the load balancer.

There are three preconfigured SSL profiles; the fourth is Custom. The default is Compatible.

  1. Compatible: allows the broadest set of clients.
  2. Modern: supports a wide set of SSL/TLS features, allowing modern clients to negotiate SSL/TLS.
  3. Restricted: a reduced set of SSL/TLS features, intended for compliance requirements.
  4. Custom: select the exact set of SSL features to support, at the cost of managing the feature set yourself.

Interconnect & VPC Peering Options

  • VPC network peering can connect two non-overlapping VPC networks (RFC 1918 space).
  • The networks do not need to be in the same project. Firewall rules are not imported across peered networks; firewall rules must be configured to allow traffic between the networks.
  • A network can have up to 25 directly peered networks, and they must not have overlapping subnet ranges.

Lower network latency than using public IP addresses, and lower network cost: traffic between peered networks does not incur egress charges.

Shared VPC creates shareable networking across GCP projects. It requires a host project.

Connecting to Google

  • Cloud VPN

    • Securely connects your on-premises network to your GCP VPC network. Uses the IPsec protocol for end-to-end encryption, with IKE v1 or v2 and shared secrets.
    • Supports site-to-site VPN.
    • Supports 3 GB/s of traffic via direct peering, 1.5 GB/s over the open web.
  • Cloud Router

    • Enables dynamic exchange of routes between your VPC network and your on-premises network using Border Gateway Protocol (BGP). Changes to network topology are automatically updated between the two networks.

Cloud Interconnect

Two options for connecting an on-premises network to GCP:

  • Dedicated Interconnect
  • Partner Interconnect

RFC 1918 internal private IP addresses are directly accessible from both networks.

Dedicated Interconnect

Direct physical connection between on-prem and GCP VPC Network.

Dedicated Interconnect:

  • Minimum bandwidth: 10 Gbps.
  • Requires routing equipment in a colocation facility that supports the regions you want to connect to.
  • Traffic flows directly between the networks, not through the public internet.
  • Google provides an end-to-end SLA for the connection.

Partner Interconnect:

  • Minimum bandwidth: 50 Mbps.
  • Use any supported service provider to connect to Google.
  • Traffic flows through a service provider, not through the public internet.
  • Google provides an SLA for the connection between Google and the service provider; an end-to-end SLA for the connection depends on the service provider.

Best practices for VPC Networking

  • Don’t use the default network for production projects.
  • Create a new network with the regions, firewall rules, and IP addresses you need.
  • Place GCE resources that require network communication on the same VPC network. Create separate subnets within the network for each tier (frontend, backend, etc.).
  • Place a load balancer with SSL policies in front of web services.
    • Provides global anycast IP addressing and DDoS mitigation.
    • SSL policies provide control of SSL encryption in transit.
  • Private Google API access
    • Allows GCE instances without an external IP address to reach Google APIs and services.
    • With Private Google Access, the API call resolves to a public IP, but the traffic stays internal and private.
      • Private API routable services: BigQuery, Cloud Bigtable, Container Registry, Cloud Dataproc, Cloud Datastore, Cloud Pub/Sub, Cloud Spanner, and Cloud Storage.
      • Enabled/disabled per VPC subnet.
        • Disabled by default.
      • The subnet must still have a route to default-internet-gateway.
      • Enables access to Google APIs from VMs that have only an internal IP address.

Lab: Experiment with VPC connection log management in stackdriver.

Module 5

Stackdriver Monitoring and Logging

  • Integrated monitoring, logging, diagnostics
    • Metrics, logs, and events
  • Manages across platforms

User trust depends on incident response, which requires an effective response plan. Effective response plan requires tooling such as:

  • Monitoring Dashboard
  • Alerting Regimen
  • Plans and tools for responding to issues

Stackdriver can monitor multiple projects from one “Workspace”. All projects you need to monitor should be in one Workspace, which takes the name of the hosting account project. AWS accounts can be linked via GCP projects.

Stackdriver products:

  • Monitoring
  • Debugger
  • Trace
  • Logging
  • Error Reporting
  • Profiler

Stackdriver Components

  • Monitoring

    • Platform, system, and application metrics
    • Uptime/health checks
    • Dashboards
    • Alerts
  • GCP Built in Stackdriver Monitoring

    • App Engine
    • K8s
    • Stackdriver agents for GCP VMs and AWS
  • Stackdriver monitoring agents can monitor various third-party applications

    • e.g. Cassandra, Elasticsearch, Kafka, Postgres, etc.
  • Debugger

    • Production debug snapshots
    • Conditional snapshots
    • Does not impact users when the snapshot is captured: you set breakpoints and a snapshot is produced without interrupting operation, which can then be analyzed later.
  • Trace

    • Latency reporting/sampling
    • Per-URL statistics
  • Error Reporting

    • Error Notifications
    • Error Dashboard
    • Aggregates errors and notifies when new errors appear.
  • Profiler

    • Continuous CPU & Heap profiling
    • Broad platform support
    • Identify and eliminate performance issues.

Stackdriver Logging

  • Platform, system, and app logs

  • Log search/view/filter

  • Logs-based metrics

  • GCP services with logging built in

    • App Engine
    • GKE
    • Cloud Functions
    • Cloud Dataflow
  • Stackdriver agents can collect logs from Compute Engine and AWS EC2.

    • The agent is based on fluentd, which forwards logs to Stackdriver.
  • Log retention

    • Stackdriver stores logs for a limited number of days.
    • You can export logs for analysis or long-term storage.
    • Admin Activity audit logs are kept for 400 days; Data Access audit logs are kept for 30 days.
    • Long-term storage: GCS, Cloud Pub/Sub, BigQuery
  • Analyzing Logs

    • Advanced log filters
    • BigQuery
    • Third-party analysis tools

Stackdriver Agent Lab

Cloud Audit Logging

Audit logs for each Project, Folder, and Organization.

Cloud Audit Logging records GCP account activity, including actions performed within the GCP Console, command-line tools, APIs, and other GCP services.

Who did what, and when, in your GCP projects. Types of logs stored:

  1. Admin Activity logs
    • Record administrative actions that modify the configuration or metadata of resources.
    • Always enabled. No charge.
  2. System Event logs
    • Record when GCE performs a system event.
    • Always enabled. No charge.
  3. Data Access logs
    • Record API calls that create, modify, or read user-provided data.
    • Disabled by default. Charged for storage.
    • Do not record data-access operations on publicly shared data.

Viewing logs:

  • Project Activity page
  • Stackdriver Logging
  • Stackdriver Logging API
  • Cloud SDK

Retention period by audit log type:

  • Admin Activity: 400 days
  • System Events: 400 days
  • Data Access: 30 days

Logs can be kept longer by exporting them to Cloud Storage (GCS); they are also exportable to BigQuery and Cloud Pub/Sub (for third-party analysis tools).
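Answering “who did what, when” from exported audit log lines, as an added example that is not Google’s code: it classifies each entry by the audit log type encoded in its logName, and applies the retention periods stated above to find entries that are already gone unless an export sink kept them. The three entries are constructed JSON in the shape of LogEntry records; the project, bucket and principal names are placeholders.

```python
"""Classify Cloud Audit Log entries and answer "who did what, when", per the notes above.

Added example, not Google's code. The three entries are constructed JSON in the
shape of exported LogEntry records; project, bucket and principal names are
placeholders. Retention periods are the ones stated in these notes.
"""
import json
from datetime import datetime, timedelta

# Audit log name suffix -> (human name, retention in days)
AUDIT_TYPES = {
    "activity": ("Admin Activity", 400),
    "system_event": ("System Event", 400),
    "data_access": ("Data Access", 30),
}

# Constructed sample entries, one JSON object per line as a log export would hold them
SAMPLE_LINES = [
    json.dumps({
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2024-03-01T10:15:00Z",
        "protoPayload": {
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.firewalls.insert",
            "resourceName": "projects/example-project/global/firewalls/ingress-allow-ssh-from-internet",
            "authenticationInfo": {"principalEmail": "alice@example.com"}}}),
    json.dumps({
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "timestamp": "2024-03-02T09:00:00Z",
        "protoPayload": {
            "serviceName": "storage.googleapis.com",
            "methodName": "storage.objects.get",
            "resourceName": "projects/_/buckets/example-bucket/objects/report.csv",
            "authenticationInfo": {"principalEmail": "svc-reports@example-project.iam.gserviceaccount.com"}}}),
    json.dumps({
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fsystem_event",
        "timestamp": "2024-03-03T02:00:00Z",
        "protoPayload": {
            "serviceName": "compute.googleapis.com",
            "methodName": "compute.instances.migrateOnHostMaintenance",
            "resourceName": "projects/example-project/zones/us-central1-a/instances/web-1",
            "authenticationInfo": {"principalEmail": "system@google.com"}}}),
]


def parse(lines):
    return [json.loads(line) for line in lines]


def audit_type(entry):
    """'activity', 'system_event' or 'data_access', from the encoded logName suffix."""
    _, sep, suffix = entry["logName"].rpartition("cloudaudit.googleapis.com%2F")
    if not sep or suffix not in AUDIT_TYPES:
        raise ValueError(f"not a Cloud Audit Log entry: {entry['logName']}")
    return suffix


def who_did_what(entry):
    """Who did what, when, on which resource."""
    p = entry["protoPayload"]
    return {
        "when": entry["timestamp"],
        "who": p["authenticationInfo"]["principalEmail"],
        "what": p["methodName"],
        "on": p["resourceName"],
        "type": AUDIT_TYPES[audit_type(entry)][0],
    }


def expires_at(entry):
    """When Stackdriver drops this entry unless it was exported."""
    written = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
    return written + timedelta(days=AUDIT_TYPES[audit_type(entry)][1])


def already_expired(entries, now_iso):
    """Entries no longer available at `now_iso` except through an export sink
    (Cloud Storage, BigQuery or Pub/Sub)."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return [who_did_what(e) for e in entries if expires_at(e) <= now]


if __name__ == "__main__":
    for e in parse(SAMPLE_LINES):
        print(who_did_what(e), "expires", expires_at(e).date())
```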

Deploying Forseti

Forseti Security is a collection of community-driven open source tools to help you improve the security of your Google Cloud Platform (GCP) environment.

  • When security at scale is needed.
  • To ensure that your security is governed by consistent, intelligible rules.

Forseti sends notifications if rules are broken, and can revert state if necessary. When installed, Forseti takes a snapshot of the organization’s GCP resources for monitoring and notification of changes. It lets you codify your security stance.

  • Forseti Security modules
    • Inventory
      • Saves snapshots of GCP resources for historical archival.
      • Saves an inventory snapshot of GCP resources to SQL.
    • Scanner
      • Regularly compares role-based access policies for your GCP resources against your rules.
      • Scans: Cloud IAM policies, bucket ACLs, BigQuery ACLs, Cloud SQL authorized networks.
      • Detects breaches of scanner rules; can notify via email or chat of violations.
    • Enforcer
      • Uses policies you create to compare the current state to the desired state.
      • Makes changes via Google APIs.
      • Supports Google firewall rules; more in development.
    • Explain
      • Provides visibility into your Cloud IAM policies.
    • Notifier
      • Provides the ability to notify about:
        • Inventory summary
        • Violations
      • Email, Slack, Cloud Storage

Review

In this course, Managing Security in Google Cloud Platform, we first covered Google’s secure-from-the-core, foundational approach to security. We then showed you how Cloud Identity and Cloud IAM allow you to fine-tune roles and policies to meet your business needs, how you can configure VPC networks for maximum isolation and security, and how you can use monitoring, auditing, and logging to help keep your network and applications safe from exploits. Let’s spend a few minutes reviewing some of the highlights from these topics.

Google has seven services with more than a billion users, and GCP connects to more than a billion IPs every day. This means security is of paramount importance to Google and its users. Therefore, Google invests heavily in security in its state-of-the-art data centers, combining security best practices with Google-designed hardware. Access to these data centers is limited to only a very small fraction of Google employees. Google server machines also use cryptographic signatures to make sure that they only boot the correct software. In addition, Google’s infrastructure has enough spare capacity to simply absorb many common DDoS attacks, and applications and services running on the platform are protected by its central DDoS mitigation service. Google has a vibrant and inclusive security culture where all potential employees are background screened. Security is also an important part of employee onboarding, and is regularly emphasized with ongoing training and company-wide security awareness events.

When you move an application to Google Cloud Platform, Google handles many of the lower layers of the overall security stack. Because of its scale, Google can deliver a higher level of security at these layers than most of its customers could afford to on their own. The upper layers of the security stack remain the customer’s responsibility. Google does provide tools, such as Cloud Identity and Access Management (Cloud IAM), to help customers implement the policies they choose at these layers.

Google Cloud Identity is an identity-as-a-service solution for managing who has appropriate access to your organization’s cloud resources and services. The admin console provides a central management location, a single pane of glass, to manage your user identities and access permissions across your entire domain. This allows you to easily enforce security policies and roles. Cloud Identity is available in both a free and a premium edition. The Cloud Identity Free Edition includes core identity and endpoint management services for users who don’t need G Suite services. The Cloud Identity Premium Edition offers enterprise security, application management, and device management services.

Cloud IAM objects together allow you to create a resource hierarchy matching your logical business structure that can be managed using the Resource Manager. The organization node is the root node of the Google Cloud resource hierarchy. Folders can be used to implement organizational structure and/or group projects by department, team, application, or environment. A folder can contain projects, other folders, or a combination of both. The use of folders is not required; projects, however, are required in GCP, and any resource that is deployed must be associated with a project. This GCP resource hierarchy also allows you to map your organization’s structure onto appropriate GCP objects and presents logical attach points for access management policies.

A VPC network on GCP lets you create and control your own private, logically isolated network where you can deploy your Google compute resources: Compute Engine instances, Kubernetes Engine instances, and so on. Each VPC network in your project provides private communication among your GCP compute resources. You can control individual ingress and egress traffic for compute resources using firewall rules. You can also connect your on-premises network with your VPC network using VPN IPsec tunnels or Dedicated Interconnect.

Collecting, processing, aggregating, and displaying real-time quantitative data about a system is helpful in supplying raw input into business analytics and in facilitating analysis of security breaches. For example, Stackdriver provides performance and diagnostic data in the form of monitoring, logging, tracing, error reporting, and alerting. These diagnostic features are well integrated with each other, which helps you connect and correlate diagnostic data easily. Stackdriver provides a single pane of glass to monitor multiple cloud projects from one location.

If you want to systematically monitor many GCP resources at scale to ensure that access controls are set as you intended, Forseti allows you to create rule-based policies to codify your security stance. With Forseti, if something in your system changes unexpectedly, action will be taken, including notifying you, and you can also set policies to automatically revert a potentially compromised resource back to a known safe state.

Thank you for taking the course Managing Security in Google Cloud Platform, which is part one of the Security in Google Cloud Platform specialization. We hope this course has provided you with a good overview of security in GCP and useful knowledge of tools you can work with to analyze and secure your own systems and applications.