Compliance and observability

In this tutorial we will learn about compliance and observability on Google Cloud.

Manage risk with controls

Before creating and deploying resources on Google Cloud, assess the security features you need to meet your internal security requirements and external regulatory requirements. Three control areas focus on mitigating risk:

  • Firstly, technical controls refer to the features and technologies that you use to protect your environment. These include native cloud security controls, such as firewalls and enabling logging, and can also encompass third-party tools and vendors to reinforce or support your security strategy.
  • Secondly, contractual protections refer to the legal commitments made by the cloud vendor around Google Cloud services.
  • Lastly, third-party verifications or attestations refer to having a third party audit the cloud provider to ensure that the provider meets compliance requirements. For example, Google was audited by a third party for ISO 27017 compliance.

Technical controls

We start from the fundamental premise that Google Cloud customers own their data and control how it is used. The data a customer stores and manages on Google Cloud systems is only used to provide that customer with Google Cloud services and to make those services work better for them. Further, we have robust internal controls and auditing to protect against insider access to customer data.

Contractual controls

Google Cloud is committed to maintaining and expanding our compliance portfolio. The Data Processing and Security Terms (DPST) document defines our commitment to maintaining our ISO 27001, 27017, and 27018 certifications and to updating our SOC 2 and SOC 3 reports every 12 months. Further, the DPST also outlines the access controls in place to limit Google support engineers’ access to customers’ environments.

Implement compute security controls

It is always a best practice to secure how you expose your resources to the network. Here are controls available in Google Kubernetes Engine (GKE) and Compute Engine.

Private IPs
You can disable external IP access to your production VMs using organization policies. Moreover, you can deploy private clusters with private IPs within GKE to limit possible network attacks.
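The two sides of this control, as an added example that is not from the original page or from Google: an audit that finds VMs that still carry an external (NAT) IP, and a builder for the organization policy that denies external IPs through the real `constraints/compute.vmExternalIpAccess` constraint. The sample inventory is constructed and mirrors only the fields of `gcloud compute instances list --format=json` that the check reads; the project name `example-project` and the instance names are placeholders.

```python
import json

# Constructed sample, shaped like `gcloud compute instances list --format=json`
# but reduced to the fields the audit reads. Not real inventory.
SAMPLE_INSTANCES_JSON = """
[
  {"name": "web-1",
   "networkInterfaces": [{"network": "global/networks/prod", "networkIP": "10.10.0.2",
     "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "name": "External NAT", "natIP": "203.0.113.7"}]}]},
  {"name": "db-1",
   "networkInterfaces": [{"network": "global/networks/prod", "networkIP": "10.10.0.3"}]},
  {"name": "bastion",
   "networkInterfaces": [{"network": "global/networks/prod", "networkIP": "10.10.0.4",
     "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "name": "External NAT", "natIP": "203.0.113.9"}]}]}
]
"""


def instances_with_external_ips(instances):
    """Return (instance_name, external_ip) for every interface that has a NAT access config.

    A VM has an external IP exactly when one of its interfaces carries an
    accessConfig with a natIP; interfaces without accessConfigs are private-only.
    """
    findings = []
    for inst in instances:
        for nic in inst.get("networkInterfaces", []):
            for cfg in nic.get("accessConfigs", []) or []:
                if cfg.get("natIP"):
                    findings.append((inst["name"], cfg["natIP"]))
    return findings


def audit_sample_instances():
    """Run the audit over the constructed sample above."""
    return instances_with_external_ips(json.loads(SAMPLE_INSTANCES_JSON))


def external_ip_org_policy(allowed_instances=()):
    """Build the org-policy document for constraints/compute.vmExternalIpAccess.

    With no exceptions the policy denies external IPs everywhere. With exceptions
    only the listed instances may have one; the constraint expects values of the
    form projects/PROJECT/zones/ZONE/instances/NAME (e.g. a bastion host).
    """
    policy = {"constraint": "constraints/compute.vmExternalIpAccess"}
    if allowed_instances:
        policy["listPolicy"] = {"allowedValues": list(allowed_instances)}
    else:
        policy["listPolicy"] = {"allValues": "DENY"}
    return policy


def org_policy_yaml(policy):
    """Render the policy dict as the YAML file gcloud org-policies set-policy consumes."""
    lines = [f"constraint: {policy['constraint']}", "listPolicy:"]
    list_policy = policy["listPolicy"]
    if "allValues" in list_policy:
        lines.append(f"  allValues: {list_policy['allValues']}")
    else:
        lines.append("  allowedValues:")
        lines += [f"  - {value}" for value in list_policy["allowedValues"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, ip in audit_sample_instances():
        print(f"{name}: external IP {ip}")
    print(org_policy_yaml(external_ip_org_policy()))
```

Write the rendered YAML to a file and apply it with `gcloud resource-manager org-policies set-policy FILE --organization=ORG_ID` (or `--project=PROJECT_ID` to scope it to one project); keeping the exception list short and explicit is what makes the audit above stay useful as a regression check.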

Compute instance usage
It’s also important to control who can spin up instances, using IAM, because you can incur significant cost if there is a break-in. Further, Google Cloud lets you define custom quotas on projects to limit such activity.

Compute OS images
Google provides you with curated OS images that are maintained and patched regularly. Although you can bring your own custom images and run them on Compute Engine, you still have to patch, update, and maintain them.

GKE and Docker
App Engine flexible runs application instances within Docker containers, letting you run any runtime. You can also enable SSH access to the underlying instances, but we do not recommend this unless you have a valid business use case. Further, to provide infrastructure security for your cluster, GKE lets you use IAM with role-based access control (RBAC) to manage access to your cluster and namespaces.

Runtime security
GKE integrates with various partner solutions for runtime security to provide you with robust solutions to monitor and manage your deployment. All these solutions can integrate with Security Command Center, giving you a single pane of glass.

Partner solutions for host-protection
In addition to using curated hardened OS images provided by Google, you can use various Google Cloud partner solutions for host protection. Most partner solutions offered on Google Cloud integrate with Security Command Center, from where you can go to the partner portal for advanced threat analysis or extra runtime security.

Secure your network

When you create a new project, it automatically provisions a default Google Cloud Virtual Private Cloud (VPC) with RFC 1918 IP address ranges. For production deployments, we recommend that you avoid this default VPC: delete it and provision a new VPC with the subnets you want, because VPC lets you use any private IP address ranges. Moreover, Shared VPC provides centralized deployment, management, and control. You can use it to build a robust production deployment that gives you a single network and isolates workloads into individual projects managed by different teams.


Shared VPC consists of host and service projects.

  • Firstly, a host project is the main project with a well-thought-out VPC and subnets.
  • Secondly, a service project attaches to the host project’s subnets and lets you isolate users at the project level by using IAM.

Firewalls

Firewalls in Google Cloud scale very well, so you can define them at the project level and they are evaluated at the attached instance level. Firewall rules let you define multiple rules that target ingress and egress network traffic. Further, the more secure way to deploy firewall rules is to target them at a service account rather than a network tag, because a tag can be attached to any instance by anyone with edit rights on it, whereas a service account is bound to the instance at creation under IAM control. If you’re using Shared VPC deployments, always define firewalls on your host project for centralized management.
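An audit of exported firewall rules that applies the two points above, as an added example that is not from the original page or from Google: it flags enabled ingress rules open to the whole internet, and rules that target network tags (or nothing at all, which means every instance in the network) instead of a service account. The sample rule list is constructed and mirrors the fields of `gcloud compute firewall-rules list --format=json` that the check reads; rule names and the `example-project` service accounts are placeholders.

```python
import json

# Constructed sample, shaped like `gcloud compute firewall-rules list --format=json`
# and reduced to the fields the audit reads. Not real rules.
SAMPLE_RULES_JSON = """
[
  {"name": "allow-ssh-anywhere", "direction": "INGRESS", "priority": 1000, "disabled": false,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-web-to-app", "direction": "INGRESS", "priority": 1000, "disabled": false,
   "sourceServiceAccounts": ["web@example-project.iam.gserviceaccount.com"],
   "targetServiceAccounts": ["app@example-project.iam.gserviceaccount.com"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}]},
  {"name": "allow-internal-tag", "direction": "INGRESS", "priority": 1000, "disabled": false,
   "sourceRanges": ["10.0.0.0/8"], "targetTags": ["internal"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}]},
  {"name": "old-open-rule", "direction": "INGRESS", "priority": 65000, "disabled": true,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
  {"name": "deny-egress-default", "direction": "EGRESS", "priority": 65000, "disabled": false,
   "destinationRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]}
]
"""

INTERNET_SOURCES = {"0.0.0.0/0", "::/0"}


def audit_firewall_rules(rules):
    """Return (rule_name, issue) pairs for enabled ingress rules that are risky.

    Two checks are applied:
      * the rule admits traffic from any address on the internet;
      * the rule is scoped by network tags or not scoped at all, instead of by
        targetServiceAccounts, so its reach is not governed by IAM.
    Disabled rules and egress rules are skipped; egress deserves its own checks.
    """
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        name = rule["name"]
        if set(rule.get("sourceRanges", [])) & INTERNET_SOURCES:
            findings.append((name, "ingress open to the internet"))
        if not rule.get("targetServiceAccounts"):
            scope = "network tags" if rule.get("targetTags") else "every instance in the network"
            findings.append((name, f"targets {scope} instead of a service account"))
    return findings


def audit_sample_rules():
    """Run the audit over the constructed sample above."""
    return audit_firewall_rules(json.loads(SAMPLE_RULES_JSON))


if __name__ == "__main__":
    for name, issue in audit_sample_rules():
        print(f"{name}: {issue}")
```

Run it against the host project's export in a Shared VPC setup, since that is where the effective rules live; a rule such as `allow-web-to-app`, scoped on both ends by service accounts, produces no findings and is the shape to aim for.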

Network intrusion detection

Many customers use advanced security and traffic inspection tools on-premises, and need the same tools to be available in the cloud for certain applications. VPC packet mirroring lets you troubleshoot your existing Virtual Private Clouds (VPCs). With Google Cloud packet mirroring, you can use third-party tools to collect and inspect network traffic at scale, provide intrusion detection, monitor application performance, and apply better security controls.

Network connectivity

Within Google Cloud, choose Shared VPC or use VPC peering. Network tags and service accounts don’t carry over between peered projects, but Shared VPC lets you centralize them on the host project. We recommend that you carefully plan how to manage quotas and limitations. Further, for external access, evaluate your bandwidth needs and choose between Cloud VPN, Cloud Interconnect, and Partner Interconnect.

Key services

  • Firstly, VPC Service Controls helps you mitigate the risk of data exfiltration from Google-managed services like Cloud Storage and BigQuery.
  • Secondly, Traffic Director is Google Cloud’s fully managed traffic control plane for service meshes. Using Traffic Director, you can deploy global load balancing across clusters and VM instances in multiple regions, offload health checking from the service proxies, and configure sophisticated traffic control policies.
  • Thirdly, Security Command Center provides visibility into what resources are in Google Cloud and their security state. It makes it easier for you to prevent, detect, and respond to threats: it helps you identify security misconfigurations in virtual machines, networks, applications, and storage buckets from a centralized dashboard, and take action on them before they can result in business damage or loss.
  • Next, Event Threat Detection automatically scans various types of logs for suspicious activity in your Google Cloud environment. Using industry-leading threat intelligence, you can quickly detect high-risk and costly threats such as malware or unauthorized access to Google Cloud resources.
  • Then, Istio is an open service mesh that provides a uniform way to connect, manage, and secure microservices. It supports managing traffic flows between services, enforcing access policies, and aggregating telemetry data.
  • Lastly, Packet Mirroring lets you mirror your network traffic and send it to a third-party security solution. This can be an intrusion detection system (IDS) for proactively detecting threats and responding to intrusions.

Build apps with supply chain security controls

Without automated tools, it is hard to meet consistent security requirements as increasingly complex application environments are deployed, updated, or patched. Building a CI/CD pipeline solves many of these issues.

Further, automated pipelines remove manual errors, provide standardized development feedback loops, and enable fast product iterations. It is therefore important to secure these pipelines: if an attacker can compromise your pipeline, your entire stack could be affected.

Container security

  • Firstly, Container Analysis helps with vulnerability scanning and fixing issues before container deployment. Container Analysis stores metadata for scanned images that can help identify the latest vulnerabilities and patch or update them.
  • Secondly, Binary Authorization lets you sign containers with one or more unique attestations. These attestations, along with policy definitions, help you identify, control, and deploy only approved containers at runtime. It’s a best practice to set up a strict policy model and at least one signer to approve and sign off on container deployment.
  • Lastly, Web Security Scanner scans your deployed application for vulnerabilities at runtime. You can configure Web Security Scanner to interact with your application as a signed-in user that navigates and crawls through various pages scanning for vulnerabilities.
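The "strict policy model with at least one signer" point above, as an added example that is not from the original page or from Google: a checker for a Binary Authorization policy (the same fields and values that `gcloud container binauthz policy export` prints as YAML) beside a builder for the hardened form. The checker flags any admission rule that does not require attestation, requires it without naming an attestor, or only audits instead of blocking, and flags exemption patterns that wave through an entire registry. The lax sample policy is constructed; `example-project`, the `dev-cluster` name and the `build-verifier` attestor are placeholders.

```python
REQUIRED_EVAL = "REQUIRE_ATTESTATION"
REQUIRED_ENFORCE = "ENFORCED_BLOCK_AND_AUDIT_LOG"

# Constructed lax policy: the default rule is strict, but a dev cluster rule
# allows everything and one exemption pattern covers a whole registry.
LAX_POLICY = {
    "name": "projects/example-project/policy",
    "globalPolicyEvaluationMode": "ENABLE",
    "admissionWhitelistPatterns": [
        {"namePattern": "gcr.io/google_containers/*"},
        {"namePattern": "docker.io/*"},
    ],
    "defaultAdmissionRule": {
        "evaluationMode": REQUIRED_EVAL,
        "enforcementMode": REQUIRED_ENFORCE,
        "requireAttestationsBy": ["projects/example-project/attestors/build-verifier"],
    },
    "clusterAdmissionRules": {
        "us-central1-a.dev-cluster": {
            "evaluationMode": "ALWAYS_ALLOW",
            "enforcementMode": REQUIRED_ENFORCE,
        }
    },
}


def _check_rule(label, rule, findings):
    """Append findings for one admission rule (default or per-cluster)."""
    evaluation = rule.get("evaluationMode")
    if evaluation != REQUIRED_EVAL:
        findings.append((label, f"evaluationMode is {evaluation}, not {REQUIRED_EVAL}"))
    elif not rule.get("requireAttestationsBy"):
        findings.append((label, "requires attestation but lists no attestors"))
    enforcement = rule.get("enforcementMode")
    if enforcement != REQUIRED_ENFORCE:
        findings.append((label, f"enforcementMode is {enforcement}, not {REQUIRED_ENFORCE}"))


def check_binauthz_policy(policy):
    """Return (where, issue) pairs describing how the policy falls short of strict enforcement."""
    findings = []
    _check_rule("defaultAdmissionRule", policy.get("defaultAdmissionRule", {}), findings)
    for cluster, rule in sorted(policy.get("clusterAdmissionRules", {}).items()):
        _check_rule(f"clusterAdmissionRules[{cluster}]", rule, findings)
    for entry in policy.get("admissionWhitelistPatterns", []):
        pattern = entry.get("namePattern", "")
        # A pattern whose only path component is a wildcard exempts every image
        # in that registry; exemptions should name a repository at minimum.
        path = pattern.rstrip("*").rstrip("/")
        if "/" not in path:
            findings.append(("admissionWhitelistPatterns", f"pattern {pattern!r} exempts an entire registry"))
    return findings


def strict_policy(project, attestor):
    """Build the hardened form: one default rule, attestation required, blocking enforced, no exemptions."""
    return {
        "name": f"projects/{project}/policy",
        "globalPolicyEvaluationMode": "ENABLE",
        "admissionWhitelistPatterns": [],
        "defaultAdmissionRule": {
            "evaluationMode": REQUIRED_EVAL,
            "enforcementMode": REQUIRED_ENFORCE,
            "requireAttestationsBy": [f"projects/{project}/attestors/{attestor}"],
        },
    }


if __name__ == "__main__":
    for where, issue in check_binauthz_policy(LAX_POLICY):
        print(f"{where}: {issue}")
    print("strict policy findings:", check_binauthz_policy(strict_policy("example-project", "build-verifier")))
```

Per-cluster rules are where strict policies usually erode, because a dev cluster exception is easy to add and easy to forget; running this check on every exported policy in CI keeps that drift visible. An `ALWAYS_ALLOW` cluster rule is reported even though its `enforcementMode` is the blocking one, since enforcement mode only matters once a rule actually requires something.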

Reference: Google Documentation
