Google Cloud Security Best Practices

Google has made big strides with its expansion into the cloud. As with AWS and Azure, developers can adopt Google Cloud Platform (GCP) easily, picking the services they need for their application stacks. The following are seven challenges, each paired with a best practice, to help you reduce risk in Google Cloud.

1. Visibility
Like other clouds, GCP resources can be ephemeral, which makes assets hard to track. According to research, the average lifespan of a cloud resource is two hours and seven minutes. Many companies also run environments that span multiple regions and projects. The result is decentralized visibility, and since you cannot secure what you cannot see, risks go undetected.
Best practice: Use a cloud security tool that shows the number and kinds of resources (virtual machines, load balancers, firewall rules, users, and so on) across all projects and regions in a single view. Knowing your environment lets you apply more granular policies and reduce risk.

2. Resource hierarchy
One of the basic principles of GCP is the resource hierarchy. Other clouds have hierarchical resource models too, but GCP's is very flexible: administrators can create nodes in different ways and grant permissions at any level, and a permission granted on a node is inherited by everything below it. This quickly creates sprawl and confusion when you try to determine where in the hierarchy a permission was granted. Under an organization, GCP allows folders, projects, and resources.
Best practice: Create a hierarchy that closely matches the structure of your organization. If you do not yet have a well-defined structure, design one that makes sense and leaves room for future growth.

3. Privilege and scope
GCP IAM controls access by defining who (a principal) has which access (a role) to which resource. The IAM objects involved are principals (users, groups, and service accounts), roles, and resources. Understanding how to apply policies to them is key to implementing least-privilege access in your GCP environment.
Best practice: Instead of binding roles directly to individual users, add users to well-defined groups and bind roles to those groups, granting access only to the resources each group needs. Avoid the basic roles (Owner, Editor, Viewer), which grant broad permissions across a whole project; prefer predefined roles, and use custom roles when a predefined role grants more than needed. Note that Google can add permissions to predefined roles over time, so review the roles you rely on periodically.

4. Identity management
One of the main causes of cloud security incidents is lost or stolen credentials. It is not uncommon to find credentials for public cloud environments exposed on the Internet, and organizations need to be able to detect the resulting account compromises.
Best practice: Always enforce strong password policies and multi-factor authentication (MFA). GCP supports MFA (2-Step Verification) for Cloud Identity and Google Workspace accounts. You can also integrate Cloud Identity with single sign-on so that your corporate identities inherit the corporate MFA policy.

5. Access
Humans are not the only users of GCP resources. Development tools and applications need to make API calls to GCP, and they do so through service accounts.
Best practice: Create service accounts with descriptive names so that the purpose of each account is clear. If an application must use a downloaded service account key, protect it: encrypt it with Cloud KMS, store the ciphertext in Cloud Storage or another repository with no public access, and rotate keys regularly, for example every 90 days or less. Where possible, avoid user-managed keys entirely by attaching the service account to the workload (a VM or a GKE workload), so that short-lived credentials are issued by the platform and there is no long-lived key file to leak.

6. Managing firewalls and unrestricted traffic
VPC firewall rules are stateful virtual firewalls that control traffic to and from VPC networks, virtual machines, and other compute resources in those networks. Unfortunately, administrators often assign IP ranges to firewall rules, both ingress and egress, that are larger than necessary. Industry best practice calls for restricting egress as well, to limit accidental data loss and exfiltration in the event of a breach.
Best practice: Limit the IP ranges in each firewall rule to only the networks that need access to the resources in question. GCP's VPC features let you target rules precisely by network tag or by service account, so you can express traffic flows logically (for example, "web tier to database tier") in a form you can still read and audit later.

7. Setting up and reviewing activity logs
Organizations should monitor user activity to reveal compromised accounts, insider threats, and other risks. Virtualization is the backbone of cloud networks, and using the infrastructure of a large and experienced third-party provider brings agility: privileged users can change the environment whenever needed. That same agility is a risk, so user activity should be tracked to identify compromised accounts and insider threats, and to ensure that a malicious third party has not hijacked an account.
Best practice: Monitoring Admin Activity audit logs is essential to understanding what is happening to your GCP resources. Admin Activity logs are retained for 400 days and Data Access logs for 30 days by default, so export the logs (for example, with a log sink to Cloud Storage or BigQuery) if you need to keep them longer for regulatory or legal purposes. RedLock ingests these logs and raises alerts based on activity log issues.
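The IAM guidance in section 3 (bind roles to groups, avoid the basic roles) and the key-rotation rule in section 5 can both be checked mechanically. The script below is an added example written for this page, not code from the presentation or from Google; it reads the JSON shapes produced by `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam service-accounts keys list --iam-account SA --format=json`, and the policy, key names, project and e-mail addresses embedded in it are constructed for the example.

```python
"""Added example: audit a project IAM policy and a service account's keys
against the least-privilege and rotation rules in sections 3 and 5.
Input shapes mirror `gcloud projects get-iam-policy --format=json` and
`gcloud iam service-accounts keys list --format=json`; the sample data
below is constructed, not exported from a real project."""
import json
from datetime import datetime, timedelta, timezone

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
MAX_KEY_AGE = timedelta(days=90)  # rotation interval from section 5

# Constructed sample policy: one direct user binding on a basic role, one
# public binding, and two well-scoped bindings (a group and a service account).
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["group:data-readers@example.com"]},
    {"role": "roles/viewer", "members": ["allUsers"]},
    {"role": "roles/logging.viewer",
     "members": ["serviceAccount:ci@my-proj.iam.gserviceaccount.com"]}
  ]
}""")

# Constructed sample key list for one service account (key ids are hypothetical).
SAMPLE_KEYS = json.loads("""[
  {"name": "projects/my-proj/serviceAccounts/ci@my-proj.iam.gserviceaccount.com/keys/0123abcd",
   "keyType": "USER_MANAGED", "validAfterTime": "2023-01-15T10:00:00Z"},
  {"name": "projects/my-proj/serviceAccounts/ci@my-proj.iam.gserviceaccount.com/keys/4567ef01",
   "keyType": "SYSTEM_MANAGED", "validAfterTime": "2024-06-01T00:00:00Z"},
  {"name": "projects/my-proj/serviceAccounts/ci@my-proj.iam.gserviceaccount.com/keys/89ab2345",
   "keyType": "USER_MANAGED", "validAfterTime": "2024-05-20T08:30:00Z"}
]""")


def audit_policy(policy):
    """Return (finding, role, member) tuples for bindings that violate section 3."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                # Anyone on the Internet (or any Google account) holds this role.
                findings.append(("public-access", role, member))
            elif role in BASIC_ROLES:
                # Owner/Editor/Viewer span the whole project; use predefined or custom roles.
                findings.append(("basic-role", role, member))
            if member.startswith("user:"):
                # Roles should be bound to groups, not to individual users.
                findings.append(("direct-user-binding", role, member))
    return findings


def stale_user_managed_keys(keys, now=None, max_age=MAX_KEY_AGE):
    """Return (key_name, age_in_days) for user-managed keys older than max_age.

    System-managed keys are rotated by Google automatically and are skipped."""
    now = now or datetime.now(timezone.utc)
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue
        created = datetime.strptime(key["validAfterTime"], "%Y-%m-%dT%H:%M:%SZ")
        created = created.replace(tzinfo=timezone.utc)
        age = now - created
        if age > max_age:
            stale.append((key["name"], age.days))
    return stale


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print("IAM:", *finding)
    for name, days in stale_user_managed_keys(SAMPLE_KEYS):
        print(f"KEY: {name} is {days} days old; rotate it")
```

To run it against a real project, replace the two constructed samples with the output of the gcloud commands named in the docstring. The `elif` ordering is deliberate: a public binding is reported once as public access even when the role is a basic role, since that is the more severe finding.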
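For the firewall guidance in section 6, the following added example (written for this page, not part of the presentation) audits a list of VPC firewall rules in the JSON shape of `gcloud compute firewall-rules list --format=json`. It flags allow rules whose ingress source or egress destination ranges are broader than a /8, and allow rules that carry no target tag or target service account and therefore apply to every instance in the network. The rules, project and service account names are constructed for the example.

```python
"""Added example for section 6: flag VPC firewall rules that open more than
they need to. Input shape mirrors `gcloud compute firewall-rules list
--format=json`; the rules below are constructed and the names hypothetical."""
import ipaddress

# A range is "broad" when it is a /8 or larger (16 million+ addresses);
# in practice that catches 0.0.0.0/0 and ::/0.
BROAD_PREFIX_LEN = 8

SAMPLE_RULES = [  # constructed sample, not exported from a real project
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-web-to-db", "direction": "INGRESS", "disabled": False,
     "sourceTags": ["web"], "targetTags": ["db"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "allow-all-egress", "direction": "EGRESS", "disabled": False,
     "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-office-rdp", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["203.0.113.0/24"],
     "targetServiceAccounts": ["bastion@my-proj.iam.gserviceaccount.com"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "deny-all-ingress", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "priority": 65534,
     "denied": [{"IPProtocol": "all"}]},
]


def is_broad(cidr):
    """True when the CIDR covers a /8 or more (IPv4 or IPv6)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen <= BROAD_PREFIX_LEN


def audit_firewall_rules(rules):
    """Return (rule_name, finding, detail) for allow rules that open more than needed."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or "allowed" not in rule:
            continue  # disabled rules and deny rules do not open traffic
        name = rule["name"]
        if rule.get("direction", "INGRESS") == "INGRESS":
            ranges, kind = rule.get("sourceRanges", []), "open-ingress"
        else:
            ranges, kind = rule.get("destinationRanges", []), "open-egress"
        for cidr in ranges:
            if is_broad(cidr):
                findings.append((name, kind, cidr))
        # Without a target tag or target service account the rule applies to
        # every instance in the network, not just the tier it was written for.
        if not rule.get("targetTags") and not rule.get("targetServiceAccounts"):
            findings.append((name, "untargeted", "applies to all instances"))
    return findings


if __name__ == "__main__":
    for name, finding, detail in audit_firewall_rules(SAMPLE_RULES):
        print(f"{name}: {finding} ({detail})")
```

The two well-scoped rules in the sample (web tier to database tier by tag, and an office /24 to a bastion by service account) produce no findings; that is the shape section 6 recommends. Raise `BROAD_PREFIX_LEN` if your environment should never admit anything wider than, say, a /16.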
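Section 7 says Admin Activity logs should be monitored for account compromise; the added example below (written for this page, not code from the presentation or from RedLock) shows detection logic run over a few Cloud Audit Log entries in the JSON shape Cloud Logging exports. It flags IAM changes that grant a high-risk role or add a principal from outside the corporate domain, creation of service account keys, and firewall rule changes. The entries, project, principals and IP addresses are constructed; the IAM deltas are read from the `serviceData.policyDelta` form of the Resource Manager `SetIamPolicy` entry.

```python
"""Added example for section 7: detection logic run over Cloud Audit Log
entries (LogEntry with a protoPayload). The entries are constructed, not
exported from a real project; names, principals and IPs are hypothetical."""

ACTIVITY_LOG = "cloudaudit.googleapis.com%2Factivity"
HIGH_RISK_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}
FIREWALL_METHODS = {
    "v1.compute.firewalls.insert", "v1.compute.firewalls.patch",
    "v1.compute.firewalls.update", "v1.compute.firewalls.delete",
}

SAMPLE_ENTRIES = [  # constructed sample entries
    {   # Owner granted to an account outside the corporate domain
        "timestamp": "2024-06-15T09:12:03Z",
        "logName": "projects/my-proj/logs/" + ACTIVITY_LOG,
        "protoPayload": {
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "requestMetadata": {"callerIp": "198.51.100.7"},
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/owner",
                 "member": "user:mallory@gmail.com"}]}}}},
    {   # a new user-managed key minted for a service account
        "timestamp": "2024-06-15T09:15:41Z",
        "logName": "projects/my-proj/logs/" + ACTIVITY_LOG,
        "protoPayload": {
            "serviceName": "iam.googleapis.com",
            "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
            "authenticationInfo": {"principalEmail": "mallory@gmail.com"},
            "requestMetadata": {"callerIp": "198.51.100.7"},
            "resourceName": "projects/-/serviceAccounts/ci@my-proj.iam.gserviceaccount.com"}},
    {   # a firewall rule created
        "timestamp": "2024-06-15T09:20:10Z",
        "logName": "projects/my-proj/logs/" + ACTIVITY_LOG,
        "protoPayload": {
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.firewalls.insert",
            "authenticationInfo": {"principalEmail": "mallory@gmail.com"},
            "requestMetadata": {"callerIp": "198.51.100.7"},
            "resourceName": "projects/my-proj/global/firewalls/allow-ssh-anywhere"}},
    {   # routine Data Access read, not an admin action
        "timestamp": "2024-06-15T09:21:00Z",
        "logName": "projects/my-proj/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "serviceName": "storage.googleapis.com",
            "methodName": "storage.objects.get",
            "authenticationInfo": {"principalEmail": "app@my-proj.iam.gserviceaccount.com"},
            "requestMetadata": {"callerIp": "10.0.1.5"},
            "resourceName": "projects/_/buckets/my-bucket/objects/report.csv"}},
]


def is_external(member, trusted_domains):
    """True for a user:/group: member whose domain is not one of ours."""
    if ":" not in member:
        return False  # allUsers, allAuthenticatedUsers, etc. are handled elsewhere
    kind, ident = member.split(":", 1)
    if kind not in ("user", "group") or "@" not in ident:
        return False
    return ident.rsplit("@", 1)[1].lower() not in trusted_domains


def detect(entries, trusted_domains=("example.com",)):
    """Return one finding dict (when, who, ip, kind, detail) per suspicious admin action."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        ctx = {
            "when": entry.get("timestamp"),
            "who": payload.get("authenticationInfo", {}).get("principalEmail", "?"),
            "ip": payload.get("requestMetadata", {}).get("callerIp", "?"),
        }
        if method == "SetIamPolicy":
            deltas = (payload.get("serviceData", {}).get("policyDelta", {})
                      .get("bindingDeltas", []))
            for delta in deltas:
                if delta.get("action") != "ADD":
                    continue  # removals reduce privilege; not alerted on here
                detail = f"{delta.get('role')} -> {delta.get('member')}"
                if delta.get("role") in HIGH_RISK_ROLES:
                    findings.append(dict(ctx, kind="high-risk-role-granted", detail=detail))
                if is_external(delta.get("member", ""), trusted_domains):
                    findings.append(dict(ctx, kind="external-principal-added", detail=detail))
        elif method.endswith("CreateServiceAccountKey"):
            findings.append(dict(ctx, kind="service-account-key-created",
                                 detail=payload.get("resourceName")))
        elif method in FIREWALL_METHODS:
            findings.append(dict(ctx, kind="firewall-rule-changed",
                                 detail=f"{method} {payload.get('resourceName')}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_ENTRIES):
        print(f"{f['when']} {f['kind']}: {f['who']} from {f['ip']} ({f['detail']})")
```

Read in sequence, the sample findings tell the story section 7 warns about: an internal account grants Owner to an outside Gmail identity, which minutes later mints a service account key and opens a firewall rule, all from the same caller IP. Because Admin Activity logs are only retained for 400 days, run logic like this over an exported sink rather than relying on the default bucket if you also need the history for an investigation.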
