Automated, governed infrastructure pipeline using Infrastructure as Code (IaC)
Components
Best practices for accounts and organizations
Landing zone design in Google Cloud
Resource Manager
IAM and Org policies are inherited from parent Org/folders.
Policies
Organizational policies
Why these should be used
Preventative Guardrails
Set policies that restrict or enforce resource configurations
e.g. VMs must not have public IPs
e.g. Buckets must be provisioned in us-west1
Identity Agnostic
Applies to all users
Platform-level enforcement
Enforced regardless if entry point is Cloud Console, GCloud, or API
Config-time enforcement
Majority of enforcement done during config-time
Config-time policies are non-retroactive
Existing workloads won’t suddenly break
Built-in constraints
Built-in constraints are predefined by the platform and cannot be modified; custom constraints (covered below) are the extension point for supported services
Foundational set
Prevent access to Google Cloud services except from managed identities in allowed domains
Enforce Public Access Prevention
Domain restricted sharing
Domain restricted contacts
Enforce uniform bucket-level access
Require OS Login
Enforce additional security policies for service accounts
Disable service account key creation
Disable Automatic IAM Grants for Default Service Accounts
Disable Service Account Key Upload
Prevent the creation of less secure VPC network configurations
Disable VM serial port access
Restrict shared VPC project lien removal
Define allowed external IPs for VM instances
Skip default network creation
Sets the internal DNS setting for new projects to Zonal DNS Only
Restrict Public IP access on Cloud SQL instances
Restrict Authorized Networks on Cloud SQL instances
Restrict Protocol Forwarding Based on type of IP Address
Disable VPC External IPv6 usage
Disable VM nested virtualization
New default org policies for new Organizations created after Feb 13 2024
Disable Service Account key creation
Prevent users from creating persistent keys for Service Accounts.
Decreases the risk of exposed Service Account credentials.
Disable Service Account key upload
Prevent the upload of external public keys to Service Accounts.
Decreases the risk of exposed Service Account credentials.
Disable automatic IAM grants for default Service Accounts
Prevent default Service Accounts from receiving the overly-permissive IAM role Editor at creation.
The Editor role lets the Service Account create and delete resources for most Google Cloud services, which creates a vulnerability if the Service Account gets compromised.
Enforce Domain Restricted Sharing
Limit IAM policies to only allow managed user identities in selected domain(s) to access resources inside this Organization.
Leaving the Organization open to access by actors with domains other than the customers’ own creates a vulnerability.
Allow only domain restricted contacts
Limit Essential Contacts to only allow managed user identities in selected domain(s) to receive platform notifications.
A bad actor with a different domain might get added as an Essential Contact, leading to a compromised security posture.
Enforce uniform bucket-level access
Prevent GCS buckets from using per-object ACL (a separate system from IAM policies) to provide access.
Enforces consistency for access management and auditing.
Set the internal DNS setting for new projects to zonal DNS only.
Set guardrails that application developers cannot choose legacy DNS settings for Compute instances.
Legacy DNS settings (global) have lower service reliability than modern DNS settings (zonal).
Creating & managing custom constraints
Specific guidance (Section 4.3 has 18+ recommended policies to consider)
Additional Policy Controls
(Specific guidance from Section 4.4)
Limit session and gcloud timeouts
Disable Cloud Shell
Use phishing-resistant security keys
Enable access transparency
Enable access approval
Set up a trusted images project
Manage Compute Engine resources using custom constraints
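The foundational set and the new-organization defaults above are mostly boolean constraints; domain restricted sharing and the external-IP constraint are list constraints, and custom constraints let you add conditions of your own. The Terraform below is an added example (not code from the original page or from Google) showing all three shapes at once. The organization ID, folder ID, Cloud Identity customer ID, the instance path in the exception, and the custom-constraint condition are placeholders and assumptions.

```hcl
# Added example: foundational org policies plus one custom constraint.
# Assumptions: google provider >= 5.x, var.org_id / var.folder_id supplied,
# and the applying identity holds roles/orgpolicy.policyAdmin.

variable "org_id"    { type = string }
variable "folder_id" { type = string }

locals {
  org = "organizations/${var.org_id}"
  # Boolean constraints from the foundational set: just switched on.
  boolean_constraints = [
    "iam.disableServiceAccountKeyCreation",
    "iam.disableServiceAccountKeyUpload",
    "iam.automaticIamGrantsForDefaultServiceAccounts",
    "storage.uniformBucketLevelAccess",
    "storage.publicAccessPrevention",
    "compute.requireOsLogin",
    "compute.skipDefaultNetworkCreation",
    "compute.disableSerialPortAccess",
    "compute.restrictXpnProjectLienRemoval",
    "compute.setNewProjectDefaultToZonalDNSOnly",
    "compute.disableVpcExternalIpv6",
    "compute.disableNestedVirtualization",
    "sql.restrictPublicIp",
    "sql.restrictAuthorizedNetworks",
  ]
}

resource "google_org_policy_policy" "boolean" {
  for_each = toset(local.boolean_constraints)
  name     = "${local.org}/policies/${each.key}"
  parent   = local.org
  spec {
    rules {
      enforce = "TRUE"
    }
  }
}

# List constraint: domain restricted sharing. The value is a Cloud Identity
# customer ID (placeholder below), not a DNS domain name.
resource "google_org_policy_policy" "allowed_domains" {
  name   = "${local.org}/policies/iam.allowedPolicyMemberDomains"
  parent = local.org
  spec {
    rules {
      values {
        allowed_values = ["C0xxxxxxx"]
      }
    }
  }
}

# List constraint: deny external IPs org-wide, then allow one named VM on the
# folder that hosts the ingress tier. A child policy REPLACES the parent's
# rules unless inherit_from_parent = true, so the exception must inherit.
resource "google_org_policy_policy" "no_external_ips" {
  name   = "${local.org}/policies/compute.vmExternalIpAccess"
  parent = local.org
  spec {
    rules {
      deny_all = "TRUE"
    }
  }
}

resource "google_org_policy_policy" "ingress_exception" {
  name   = "folders/${var.folder_id}/policies/compute.vmExternalIpAccess"
  parent = "folders/${var.folder_id}"
  spec {
    inherit_from_parent = true
    rules {
      values {
        allowed_values = ["projects/ingress-prod/zones/us-central1-a/instances/edge-proxy-1"]
      }
    }
  }
}

# Custom constraint (assumed condition): refuse Compute Engine instances that
# are created or updated without a cost_center label.
resource "google_org_policy_custom_constraint" "require_cost_center" {
  name           = "custom.requireCostCenterLabel"
  parent         = local.org
  display_name   = "Require cost_center label on VMs"
  action_type    = "ALLOW"
  condition      = "'cost_center' in resource.labels"
  method_types   = ["CREATE", "UPDATE"]
  resource_types = ["compute.googleapis.com/Instance"]
}

# A custom constraint does nothing until a policy enforces it.
resource "google_org_policy_policy" "require_cost_center" {
  name   = "${local.org}/policies/${google_org_policy_custom_constraint.require_cost_center.name}"
  parent = local.org
  spec {
    rules {
      enforce = "TRUE"
    }
  }
}
```

Two things bite in practice: an exception placed on a folder silently drops the org-level deny unless it inherits, and a wrong customer ID in `iam.allowedPolicyMemberDomains` blocks every new IAM binding in the organization. Enforcement is config-time, so existing VMs with external IPs keep them until they are recreated; Policy Simulator can preview what a change would have denied before it is applied.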
Policy Intelligence
IAM Recommender
(ML used to help achieve least privilege)
Policy Troubleshooter
(Why principal doesn't have access?)
IAM Policy Analyzer
(Who has access to what?)
Org Policy Analyzer
Policy Simulator
(Simulate before breaking app/process)
Not just IaC, but also Policy as Code
Declarative
Validate
Automate
Roll back
Scale
VPC Service Controls
Benefits
Mitigate data exfiltration risks
Keep data private inside the VPC
Deliver independent data access controls
Features
Coverage of services
VPC SC offers broad coverage of internet to service, service to service, VPC to service access controls.
Rich security logging
VPC Service Controls records every denied request in Cloud Audit Logs, giving an ongoing record of access denials that can be alerted on to spot potentially malicious activity. (VPC Flow Logs are a separate feature: they sample IP traffic to and from Compute Engine network interfaces and are likewise available in near real time.)
Support for hybrid environments
Configure private communication to cloud resources from VPC networks that span cloud and on-premises hybrid deployments using Private Google Access.
Secure communication
Securely share data across service perimeters with full control over what resource can connect to others or to the outside.
Context-aware access
Control access to Google Cloud services from the internet based on context-aware access attributes like IP address and a user’s identity.
Perimeter security for managed Google Cloud services
Configure service perimeters to control communications between virtual machines and managed Google Cloud resources. Service perimeters allow free communication within the perimeter and block service communication across the perimeter boundary unless an ingress or egress rule explicitly allows it.
Use cases
Mitigate threats such as data exfiltration
VPC Service Controls allow customers to address threats such as data theft, accidental data loss, and excessive access to data stored in Google Cloud multi-tenant services. It enables clients to tightly control what entities can access what services in order to reduce both intentional and unintentional losses.
Isolate parts of the environment by trust level
VPC Service Controls delivers a method to segment the multi-tenant services environment and isolate services and data. It enables environment micro-segmentation based on service and identity. Service Controls enables clients to extend their networks to include multi-tenant Google Cloud services and control egress and ingress of data.
Secure access to multi-tenant services
VPC Service Controls delivers zero-trust style access to multi-tenant services. Clients can restrict access to authorized IPs, client context, and device parameters while connecting to multi-tenant services from the internet and other services. Examples include GKE, BigQuery, etc. It enables clients to keep their entire data processing pipeline private.
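As an added example (not code from the original page or from Google), the Terraform below puts a data project inside a perimeter with a context-aware access level, one narrow ingress rule and one narrow egress rule, deployed in dry-run mode first. The organization ID, project numbers, IP range, user and service-account names are placeholders.

```hcl
# Added example: VPC Service Controls perimeter around a data project.
# Assumptions: var.org_id and var.project_number (numeric) supplied; the
# applying identity holds roles/accesscontextmanager.policyAdmin.

variable "org_id"         { type = string }
variable "project_number" { type = string }

# One access policy per organization; levels and perimeters hang off it.
resource "google_access_context_manager_access_policy" "org" {
  parent = "organizations/${var.org_id}"
  title  = "org-access-policy"
}

locals {
  policy = "accessPolicies/${google_access_context_manager_access_policy.org.name}"
}

# Access level: request must come from the corporate egress range (placeholder)
# AND from the named analyst identity.
resource "google_access_context_manager_access_level" "corp_analyst" {
  parent = local.policy
  name   = "${local.policy}/accessLevels/corp_analyst"
  title  = "corp_analyst"
  basic {
    combining_function = "AND"
    conditions {
      ip_subnetworks = ["203.0.113.0/24"]
    }
    conditions {
      members = ["user:analyst@example.com"]
    }
  }
}

resource "google_access_context_manager_service_perimeter" "data" {
  parent         = local.policy
  name           = "${local.policy}/servicePerimeters/data_perimeter"
  title          = "data_perimeter"
  perimeter_type = "PERIMETER_TYPE_REGULAR"

  # Dry run: violations are logged, nothing is blocked. Once the denial log is
  # clean, move this block to `status` and drop use_explicit_dry_run_spec.
  use_explicit_dry_run_spec = true
  spec {
    resources           = ["projects/${var.project_number}"]
    restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
    access_levels       = [google_access_context_manager_access_level.corp_analyst.name]

    # VMs inside the perimeter may reach only the restricted services; other
    # Google APIs are unreachable from the VPC (stops "exfil via unrestricted API").
    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = ["RESTRICTED-SERVICES"]
    }

    # Ingress: a CI loader in another project may only create objects.
    ingress_policies {
      ingress_from {
        identities = ["serviceAccount:ci-loader@ci-project.iam.gserviceaccount.com"]
        sources {
          resource = "projects/111111111111" # CI project number (placeholder)
        }
      }
      ingress_to {
        resources = ["*"]
        operations {
          service_name = "storage.googleapis.com"
          method_selectors {
            method = "google.storage.objects.create"
          }
        }
      }
    }

    # Egress: anyone inside may read one shared reference dataset, nothing else.
    egress_policies {
      egress_from {
        identity_type = "ANY_IDENTITY"
      }
      egress_to {
        resources = ["projects/222222222222"] # shared-data project number (placeholder)
        operations {
          service_name = "bigquery.googleapis.com"
          method_selectors {
            method = "*"
          }
        }
      }
    }
  }
}
```

The order matters: a perimeter that goes straight to `status` without rules for every legitimate cross-project path breaks pipelines, so run it as `spec` (dry run) until the audit log shows no unexpected denials. Note that `ingress_policies` apply to requests entering the perimeter from outside; an `access_levels` entry only covers requests from the internet that satisfy the level, not service-to-service calls from other projects.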
Visual Example
(Google Cloud official youtube video link)
Notifications
Contacts & Notifications
Audit Logging
Billing Alerts
Assured Workloads
Data residency
To help comply with data residency requirements, Google Cloud gives you the ability to control the regions where data at rest is stored.
During Assured Workloads setup, you create an environment and select your compliance program. When you create resources in the environment, Assured Workloads restricts the regions you can select for those resources based on the compliance program you chose using Organization Policy.
Cryptographic control over data access
Google Cloud applies encryption at rest and in transit by default. To gain more control over how data is encrypted, Google Cloud customers can use Cloud Key Management Service to generate, use, rotate, and destroy encryption keys according to their own policies.
Cryptographic control over data access is achieved through Key Access Justifications (KAJ) together with Cloud External Key Manager (EKM).
Assured Workloads configures the appropriate encryption services per workload depending on the compliance program you chose.
Assured Support
Regulated customers’ compliance obligations extend to support services. Assured Support is a value-added service on top of Premium or Enhanced Support that ensures only Google support personnel who meet specific geographic-location and personnel conditions work on the customer's support cases and technical assistance requests.
By delivering the same features and benefits of Premium or Enhanced Support (including response times) with an added layer of controls and transparency, Assured Support helps customers meet compliance requirements without compromising on the level and quality of support.
Assured Workloads monitoring
Assured Workloads monitoring scans your environment in real time and provides alerts whenever organization policy changes violate the defined compliance posture. The monitoring dashboard shows which policy is being violated and provides instructions on how to resolve the finding.
Assured Workloads Quick Start Guide
Specific Frameworks
FedRAMP implementation guide
PCI DSS
Limiting scope of compliance for PCI environments in Google Cloud
PCI Data Security Standard compliance
PCI DSS compliance on GKE
Security blueprint: PCI on GKE
Tokenizing sensitive cardholder data for PCI DSS
Active Assist portfolio
Cost
VM machine type recommender
Committed use discount recommender
Idle VM recommender
Cloud SQL overprovisioned instance recommender
Security
IAM recommender
Firewall insights
Cloud Run recommender
Performance
VM machine type recommender
Managed instance group machine type recommender
Reliability
Compute Engine predictive autoscaling
Cloud SQL out-of-disk recommender
Policy Troubleshooter
Policy Analyzer
Manageability
Network Intelligence Center
Product suggestion recommender
Policy Simulator
Sustainability
Unattended project recommender
Access Transparency and Access Approval
Customer data is not accessed for any reason other than to fulfill contractual obligations
Valid business justification required for any access by support or engineering personnel
Near real-time logs offer insight when Google Cloud administrators access your content
Approve or dismiss requests for access by Google employees working to support your service
Audit Manager (Private Preview)
2- Identity and Access Management
Ideal State
Unified, federated identity. Least privilege policies based on user/service, role, resource, condition.
Only short-term credentials - for everything, everywhere.
Components
Identities in Google Cloud
Google Cloud Identity
Best practices for federating Google Cloud with an external identity provider
Workforce Identity Federation
Workload Identity Federation
Manage just-in-time privileged access to projects
MFA/2FA/2SV for admin accounts
Hardware keys (preferred)
Least-privilege roles & permissions
IAM Policy Intelligence
Troubleshooter
Simulator
Recommender
Analyzer
Service Accounts
When to use service accounts
4-min video
Best practices for managing
Service Account Keys
Provide alternatives to creating service account keys.
Use organization policy constraints to limit which projects can create service account keys.
Don't leave service account keys in temporary locations.
Don't pass service account keys between users.
Don't submit service account keys to source code repositories.
Don't embed service account keys in program binaries.
Use insights and metrics to identify unused service account keys.
Rotate service account keys to reduce security risk caused by leaked keys.
Use uploaded keys to let keys expire automatically.
Best Practices for using service accounts
Best practices for using service accounts in pipelines
Migrate away from service account keys
Assess: In this phase, you assess your existing environment to understand where service account keys exist and whether the keys are in use.
Plan: In this phase, you decide which controls you will eventually deploy and communicate the migration plan to stakeholders.
Deploy: In this phase, you begin refactoring workloads to authenticate with more secure alternatives to service account keys. You also build additional capabilities to continuously monitor your environment and mitigate future risk.
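Worked example for the Deploy phase, added here and not taken from the original page or from Google's documentation: a GitHub Actions pipeline exchanges its OIDC token for short-lived Google credentials through Workload Identity Federation, so there is no service account key to leak, rotate or scan for. Repository, project and role names are assumptions.

```hcl
# Added example: Workload Identity Federation for a GitHub Actions pipeline.
# Assumptions: var.project_id supplied, repository "example-org/payments-service"
# (placeholder), google provider >= 5.x.

variable "project_id" { type = string }

# Pool plus an OIDC provider that trusts GitHub's token issuer.
resource "google_iam_workload_identity_pool" "github" {
  project                   = var.project_id
  workload_identity_pool_id = "github-actions"
  display_name              = "GitHub Actions"
}

resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github"
  display_name                       = "GitHub OIDC"

  # Map claims from GitHub's OIDC token onto Google attributes.
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
    "attribute.ref"        = "assertion.ref"
  }

  # Without a condition ANY repository on github.com could present a token to
  # this provider; restrict it to main-branch runs of one repository.
  attribute_condition = "assertion.repository == \"example-org/payments-service\" && assertion.ref == \"refs/heads/main\""

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# The service account the pipeline impersonates. No key is ever created.
resource "google_service_account" "deployer" {
  project      = var.project_id
  account_id   = "ci-deployer"
  display_name = "CI deployer (federated, keyless)"
}

# Federated identities from that repository may mint short-lived tokens for it.
resource "google_service_account_iam_member" "federate" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/example-org/payments-service"
}

# Least privilege for what the pipeline actually does (assumed: deploy to Cloud Run).
resource "google_project_iam_member" "deployer_run" {
  project = var.project_id
  role    = "roles/run.developer"
  member  = "serviceAccount:${google_service_account.deployer.email}"
}

# Values the workflow passes to google-github-actions/auth.
output "workload_identity_provider" {
  value = google_iam_workload_identity_pool_provider.github.name
}

output "service_account" {
  value = google_service_account.deployer.email
}
```

The `attribute_condition` is the control that matters: a provider trusting `token.actions.githubusercontent.com` with no condition trusts every GitHub repository on the internet, and the `principalSet` binding alone does not stop an attacker from minting a token for a repository name they control unless the claim is pinned. Pair this with `iam.disableServiceAccountKeyCreation` on the project so nobody can quietly fall back to a downloaded JSON key.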
Identity Aware Proxy (IAP)
(leverage identity instead of network access)
Common proxies
App Engine
Cloud Run
Compute Engine
GKE
On-premises
Overview of TCP forwarding
IAP for TCP forwarding
(admin access to VMs that have no external IP address and no direct Internet access)
Secure IAP for TCP forwarding with VPC Service Controls
Can be extended with access levels
(Access Context Manager)
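Added example (not code from the original page): the VM, firewall rule and IAM binding that make IAP TCP forwarding the only way to reach an instance. Project ID, CIDRs, zone and the ops group are assumptions; 35.235.240.0/20 is the documented source range IAP forwards from.

```hcl
# Added example: SSH to a VM with no external IP via IAP TCP forwarding.
# Assumptions: var.project_id supplied; ops group name is a placeholder.

variable "project_id" { type = string }

resource "google_compute_network" "app" {
  project                 = var.project_id
  name                    = "app-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "app" {
  project                  = var.project_id
  name                     = "app-subnet"
  region                   = "us-central1"
  network                  = google_compute_network.app.id
  ip_cidr_range            = "10.10.0.0/24"
  private_ip_google_access = true   # Google APIs reachable without an external IP
}

# The ONLY inbound SSH rule: from IAP's proxy range to tagged VMs.
# No 0.0.0.0/0 rule and no bastion host.
resource "google_compute_firewall" "allow_iap_ssh" {
  project       = var.project_id
  name          = "allow-ssh-from-iap"
  network       = google_compute_network.app.name
  direction     = "INGRESS"
  source_ranges = ["35.235.240.0/20"]
  target_tags   = ["iap-ssh"]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

resource "google_compute_instance" "app" {
  project      = var.project_id
  name         = "app-vm"
  zone         = "us-central1-a"
  machine_type = "e2-small"
  tags         = ["iap-ssh"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  # No access_config block, therefore no external IP address.
  network_interface {
    subnetwork = google_compute_subnetwork.app.id
  }

  # OS Login ties SSH to IAM identities instead of metadata-managed keys.
  metadata = {
    enable-oslogin = "TRUE"
  }
}

# Who may open a tunnel to this specific instance.
resource "google_iap_tunnel_instance_iam_member" "ops" {
  project  = var.project_id
  zone     = google_compute_instance.app.zone
  instance = google_compute_instance.app.name
  role     = "roles/iap.tunnelResourceAccessor"
  member   = "group:ops@example.com"
}

# OS Login still needs a login role; tunnelResourceAccessor alone reaches
# port 22 but cannot authenticate.
resource "google_project_iam_member" "ops_oslogin" {
  project = var.project_id
  role    = "roles/compute.osAdminLogin"
  member  = "group:ops@example.com"
}

# Connect (run by an ops group member):
#   gcloud compute ssh app-vm --zone us-central1-a --project PROJECT_ID --tunnel-through-iap
```

Two separate authorizations are in play and both are logged: IAP checks `iap.tunnelResourceAccessor` (and any attached access level) before it forwards a byte, then OS Login checks the `compute.osLogin`/`osAdminLogin` role on the instance. Scope the tunnel binding to instances or zones rather than the project where you can, since a project-wide grant lets the holder tunnel to any port on any VM the firewall permits.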
Advanced Red Teaming Techniques: Malware Authoring and Repurposing
Malware Analysis Master Course
Advanced Acquisition and Testing Techniques Courses
Creative Red Teaming
Practical Mobile Application Security
Workshops
Business Email Compromise
Exercises and Preparedness
ThreatSpace: Real-World Attack Scenarios
Senior Executive Mentorship Program
Upcoming Public Courses
On-Demand Courses
Mandiant Certifications
ThreatSpace Cyber Range
BeyondCorp & Zero Trust
BeyondCorp Access in one minute
Operate with Zero Trust using BeyondCorp Enterprise
Context-aware access
BeyondCorp Alliance
Additional references
An overview: "A New Approach to Enterprise Security"
How Google did it: "Design to Deployment at Google"
Google's frontend infrastructure: "The Access Proxy"
Migrating to BeyondCorp: "Maintaining Productivity while Improving Security"
The human element: "The User Experience"
Secure your endpoints: "Building a Healthy Fleet"
Security Partners
Ecosystem
Infrastructure Protection
Next-gen firewalls
Web application firewalls (WAFs)
Web proxies and cloud gateways
Server endpoint protection
DDoS protection
Container security
Data Protection
Encryption and key management
Data/information loss protection
Logging and monitoring
Configuration, vulnerability, risk, and compliance
Vulnerability scanners
Governance, risk management, and compliance
5 - Data Protection
Ideal
Identify and protect your most important data.
Components
Data Security Guidance
Encryption of data at rest
Default Encryption
Enabled by default - Google manages encryption keys
Cloud KMS
Customer can manage their own keys, hosted by Google
Cloud HSM
Customer can manage their own keys, hosted by Google on a dedicated hardware module
Cloud EKM
Customer manages & hosts their own keys externally from Google
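Added example (not code from the original page) of the Cloud KMS and Cloud HSM tiers in Terraform: one software-protected key, one HSM-backed key, and a bucket that uses the HSM key by default. Cloud EKM is not shown because it needs an external key manager to exist first. Project ID, names and the 90-day rotation period are assumptions.

```hcl
# Added example: customer-managed encryption keys (KMS and HSM tiers) as the
# default key for a Cloud Storage bucket. Assumptions: var.project_id supplied.

variable "project_id" { type = string }

resource "google_kms_key_ring" "data" {
  project  = var.project_id
  name     = "data-keyring"
  location = "us-central1"   # keep keys and data in the same location
}

# Cloud KMS tier: software-protected key.
resource "google_kms_crypto_key" "logs" {
  name            = "logs-key"
  key_ring        = google_kms_key_ring.data.id
  rotation_period = "7776000s"   # 90 days; older versions remain usable for decryption
  lifecycle {
    prevent_destroy = true       # destroying the key destroys access to the data
  }
}

# Cloud HSM tier: same API, key material held in a FIPS 140-2 Level 3 HSM.
resource "google_kms_crypto_key" "pii" {
  name            = "pii-key"
  key_ring        = google_kms_key_ring.data.id
  rotation_period = "7776000s"
  version_template {
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
    protection_level = "HSM"
  }
  lifecycle {
    prevent_destroy = true
  }
}

# Cloud Storage encrypts as its own service agent, so that agent (not your
# user) needs EncrypterDecrypter on the key. Missing this is the usual cause
# of a permission error on the first upload.
data "google_storage_project_service_account" "gcs" {
  project = var.project_id
}

resource "google_kms_crypto_key_iam_member" "gcs_uses_pii_key" {
  crypto_key_id = google_kms_crypto_key.pii.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

resource "google_storage_bucket" "pii" {
  project                     = var.project_id
  name                        = "${var.project_id}-pii"
  location                    = "US-CENTRAL1"   # must match the key ring location
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"
  encryption {
    default_kms_key_name = google_kms_crypto_key.pii.id
  }
  depends_on = [google_kms_crypto_key_iam_member.gcs_uses_pii_key]
}
```

Separating the key's IAM from the bucket's IAM is what makes CMEK a control rather than a checkbox: whoever holds `cryptoKeyEncrypterDecrypter` on `pii-key` gates reads of the bucket, so grant it to service agents and break-glass identities only, and alert on changes to that binding.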
Sensitive Data Protection
(includes Data Loss Prevention)
1) Understand/Inspection/Analysis
Learn about your data
Discovery/data profiling
Get continuous visibility into all your sensitive data.
BigQuery - GA
BigLake - GA
Cloud SQL - Preview
Deep inspection
Inspect your data in storage systems exhaustively and investigate individual findings.
Risk Analysis
(for BigQuery)
Process of analyzing sensitive data to find properties that might increase the risk of subjects being identified
Sensitive information about individuals being revealed
Help determine effective de-identification strategy
Help monitor for any changes or outliers, after de-identification
Report Credentials & Secrets to SCC
detailed list
Methods
Content (streaming data)
Leveraging the DLP API
InspectContent
DeidentifyContent
ReidentifyContent
RedactImage
OUTPUT:
Inspection Findings
De-Id transformed content
Storage (Native GCP sources)
Shards data and works in parallel
Cloud Storage
BigQuery
Datastore
Hybrid (streaming data)
Hybrid jobs and job triggers
(requires custom application)
Other cloud providers
On-premises servers or other data repositories
Non-native storage systems, such as systems running inside a virtual machine
Web and mobile apps
Google Cloud-based solutions
Workflow
You write a script or create a workflow that sends data to Sensitive Data Protection for inspection along with some metadata.
You configure and create a hybrid job resource or trigger and enable it to activate when it receives data.
Your script or workflow runs on the client side and sends data to Sensitive Data Protection in the form of a hybridInspect request. The data includes an activation message and the job or job trigger's identifier, which triggers the inspection.
Sensitive Data Protection inspects the data according to the criteria you set in the hybrid job or trigger.
Sensitive Data Protection saves the results of the scan to the hybrid job resource, along with metadata that you provide. You can examine the results using the Sensitive Data Protection UI in Google Cloud console.
Optionally, Sensitive Data Protection can run post-scan actions, such as saving inspection results data to a BigQuery table or notifying you by email or Pub/Sub.
Supported actions
Save findings to Sensitive Data Protection and Save findings to BigQuery
Send Pub/Sub
Send Email
Publish to Cloud Monitoring
Actions from inspection results
On-demand vs continuous profiling
Discovery
(continuous profiling)
BigQuery
BigLake
On-demand inspection
BigQuery
Cloud Storage
Datastore
Hybrid
How
(Inspection template)
InfoTypes
Built-in (150+)
Country, region-specific sensitive data types
Globally applicable data types
Custom
Regular dictionary detectors
Stored dictionary detectors
Regular expression (regex)
Inspection Rules
Fine-tune
Exclusion rules
Hotword rules
Likelihood Value
Likelihood Unspecified
Very Unlikely
Unlikely
Possible
Likely
Very Likely
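Added example (not code from the original page): an inspection template that puts the pieces above together, with built-in infoTypes, a custom regex detector, a custom dictionary detector, an exclusion rule, a hotword rule and a likelihood floor. The custom infoType names, the regex and the dictionary words are placeholders.

```hcl
# Added example: Sensitive Data Protection inspection template.
# Assumptions: var.project_id supplied; ACME_CUSTOMER_ID format and the
# codename list are placeholders.

variable "project_id" { type = string }

resource "google_data_loss_prevention_inspect_template" "pii_baseline" {
  parent       = "projects/${var.project_id}"
  display_name = "pii-baseline"
  description  = "Built-in PII plus internal identifiers"

  inspect_config {
    # Built-in detectors: globally applicable and country-specific.
    info_types { name = "EMAIL_ADDRESS" }
    info_types { name = "PHONE_NUMBER" }
    info_types { name = "CREDIT_CARD_NUMBER" }
    info_types { name = "US_SOCIAL_SECURITY_NUMBER" }

    # Findings below POSSIBLE are dropped to keep noise down.
    min_likelihood = "POSSIBLE"

    # Custom regex detector: 8-digit internal customer IDs (placeholder format).
    custom_info_types {
      info_type { name = "ACME_CUSTOMER_ID" }
      likelihood = "POSSIBLE"
      regex {
        pattern = "\\b[0-9]{8}\\b"
      }
    }

    # Custom dictionary detector: internal project codenames (placeholders).
    custom_info_types {
      info_type { name = "PROJECT_CODENAME" }
      likelihood = "LIKELY"
      dictionary {
        word_list {
          words = ["bluefin", "kestrel", "saltmarsh"]
        }
      }
    }

    # Exclusion rule: corporate role mailboxes are not personal data.
    rule_set {
      info_types { name = "EMAIL_ADDRESS" }
      rules {
        exclusion_rule {
          regex {
            pattern = "(?i)^(noreply|support|billing)@example\\.com$"
          }
          matching_type = "MATCHING_TYPE_FULL_MATCH"
        }
      }
    }

    # Hotword rule: an 8-digit number within 30 characters after "customer id"
    # is raised to VERY_LIKELY; a bare 8-digit number stays at POSSIBLE.
    rule_set {
      info_types { name = "ACME_CUSTOMER_ID" }
      rules {
        hotword_rule {
          hotword_regex {
            pattern = "(?i)customer\\s*id"
          }
          proximity {
            window_before = 30
          }
          likelihood_adjustment {
            fixed_likelihood = "VERY_LIKELY"
          }
        }
      }
    }

    limits {
      max_findings_per_item    = 100
      max_findings_per_request = 1000
    }
    include_quote = true   # store the matched text with each finding
  }
}
```

The template is reusable across content, storage and hybrid jobs, so tuning lives in one place. Keep custom regexes anchored with `\b` or equivalent: an unanchored `[0-9]{8}` matches inside every 16-digit card number and every timestamp, which is where most false positives in custom detectors come from.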
2) Protect/De-Identification
De-identification techniques
Redaction: Deletes all or part of a detected sensitive value.
Replacement: Replaces a detected sensitive value with a specified surrogate value.
Masking: Replaces a number of characters of a sensitive value with a specified surrogate character, such as a hash (#) or asterisk (*).
Crypto-based tokenization: Encrypts the original sensitive data value using a cryptographic key. Sensitive Data Protection supports several types of tokenization, including transformations that can be reversed, or "re-identified."
Bucketing: "Generalizes" a sensitive value by replacing it with a range of values. (For example, replacing a specific age with an age range, or temperatures with ranges corresponding to "Hot," "Medium," and "Cold.")
Date shifting: Shifts sensitive date values by a random amount of time.
Time extraction: Extracts or preserves specified portions of date and time values.
De-identify examples
De-identify data stored in Cloud Storage
De-identify data from any source
De-identify BigQuery data at query time
De-identification and re-identification of PII in large-scale datasets in Cloud Storage
Redact sensitive data from PDF files
Use Sensitive Data Protection with AWS S3
How
(De-identification template)
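Added example (not code from the original page): a de-identification template applying one technique from the list above per infoType, including a reversible format-preserving tokenization. The KMS key, wrapped data key, surrogate names and variable names are assumptions.

```hcl
# Added example: Sensitive Data Protection de-identification template.
# Assumptions: var.project_id; var.kms_key_name is a Cloud KMS key resource
# name; var.wrapped_key is a base64 AES key wrapped by that KMS key.

variable "project_id"   { type = string }
variable "kms_key_name" { type = string }  # projects/.../cryptoKeys/...
variable "wrapped_key"  { type = string }  # base64, KMS-wrapped

resource "google_data_loss_prevention_deidentify_template" "pii_deid" {
  parent       = "projects/${var.project_id}"
  display_name = "pii-deid"

  deidentify_config {
    info_type_transformations {

      # Redaction: remove the value entirely.
      transformations {
        info_types { name = "US_SOCIAL_SECURITY_NUMBER" }
        primitive_transformation {
          redact_config {}
        }
      }

      # Masking: mask the first 6 digits of a phone number, keep the last 4;
      # separators are skipped so the shape of the value survives.
      transformations {
        info_types { name = "PHONE_NUMBER" }
        primitive_transformation {
          character_mask_config {
            masking_character = "#"
            number_to_mask    = 6
            reverse_order     = false
            characters_to_ignore {
              characters_to_skip = "-() "
            }
          }
        }
      }

      # Crypto-based tokenization (FPE-FFX): a 16-digit card number becomes a
      # different 16-digit string; reversible with the same key via
      # ReidentifyContent, so the key must be as protected as the data.
      transformations {
        info_types { name = "CREDIT_CARD_NUMBER" }
        primitive_transformation {
          crypto_replace_ffx_fpe_config {
            common_alphabet = "NUMERIC"
            crypto_key {
              kms_wrapped {
                wrapped_key     = var.wrapped_key
                crypto_key_name = var.kms_key_name
              }
            }
            surrogate_info_type { name = "CC_TOKEN" }
          }
        }
      }

      # Replacement: fixed surrogate value.
      transformations {
        info_types { name = "EMAIL_ADDRESS" }
        primitive_transformation {
          replace_config {
            new_value { string_value = "[email]" }
          }
        }
      }

      # Bucketing: generalize age into 10-year bands.
      transformations {
        info_types { name = "AGE" }
        primitive_transformation {
          fixed_size_bucketing_config {
            lower_bound { integer_value = 0 }
            upper_bound { integer_value = 100 }
            bucket_size = 10
          }
        }
      }

      # Date shifting: move dates of birth by a random +/- 30 days.
      transformations {
        info_types { name = "DATE_OF_BIRTH" }
        primitive_transformation {
          date_shift_config {
            upper_bound_days = 30
            lower_bound_days = -30
          }
        }
      }
    }
  }
}
```

Only the tokenization step is reversible, and only for a principal that can use the KMS key to unwrap the data key; redaction, masking, bucketing and date shifting are one-way, so choose per field whether analysts downstream ever need the original back. Date shifting without a `context` field shifts each value independently, which breaks intervals between dates of the same person; add a context (such as a patient ID) when those intervals matter.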
3) Resources
Documentation
How-to guides
IAM roles required
4) "Traditional" DLP via BeyondCorp Enterprise
Implement DLP with Chrome
Uploads
Downloads
Content copied and pasted
Content dragged and dropped
90+ content detectors
Visual
Google Secrets Manager
Common use cases
API Keys
Certificates
Private Keys
Passwords
Highlights
Replication policies
Secret names are project-global resources, but secret data is stored in regions. You can choose the specific regions in which secret data is stored, or let Google choose; either way, replication of the secret data is handled automatically.
First-class versioning
Secret data is immutable and most operations take place on secret versions. With Secret Manager, you can pin a secret to specific versions like "42" or floating aliases like "latest."
Cloud IAM integration
Control access to secrets the same way you control access to other Google Cloud resources. Only project owners have permission to access Secret Manager secrets; other roles must explicitly be granted permissions through Cloud IAM.
Audit logging
With Cloud Audit Logs enabled, every interaction with Secret Manager generates an audit entry. You can ingest these logs into anomaly detection systems to spot abnormal access patterns and alert on possible security breaches.
Encrypted by default
Data is encrypted in transit with TLS and at rest with AES-256.
VPC Service Controls support
Enable context-aware access to Secret Manager from hybrid environments with VPC Service Controls.
Powerful and extensible
Secret Manager's API-first design makes it easy to extend and integrate into existing systems. It is also integrated into popular third-party technologies like HashiCorp Terraform and GitHub Actions.
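Added example (not code from the original page or from Google's documentation): a secret with user-managed replication, one version, and read access scoped to a single workload identity rather than project Owner. Project, secret and account names are assumptions.

```hcl
# Added example: Secret Manager secret with pinned replication, a version,
# and least-privilege access. Assumptions: var.project_id supplied and the
# password value passed in via var.db_password (placeholder mechanism).

variable "project_id" { type = string }
variable "db_password" {
  type      = string
  sensitive = true
}

resource "google_secret_manager_secret" "db_password" {
  project   = var.project_id
  secret_id = "payments-db-password"

  # Pin replicas to chosen regions (data residency) instead of automatic placement.
  replication {
    user_managed {
      replicas { location = "us-central1" }
      replicas { location = "us-east1" }
    }
  }

  labels = {
    owner = "payments"
  }
}

# Each version is immutable; adding a new one moves the "latest" alias to it.
resource "google_secret_manager_secret_version" "db_password" {
  secret      = google_secret_manager_secret.db_password.id
  secret_data = var.db_password
}

resource "google_service_account" "payments" {
  project    = var.project_id
  account_id = "payments-app"
}

# Only the app's identity may read versions. No Owner/Editor role is involved.
resource "google_secret_manager_secret_iam_member" "payments_reads" {
  project   = var.project_id
  secret_id = google_secret_manager_secret.db_password.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.payments.email}"
}

# Reference the app consumes; pin to a numbered version for controlled rollout
# and re-point to roll back.
output "secret_version_ref" {
  value = "${google_secret_manager_secret.db_password.id}/versions/latest"
}

# Read at runtime (as payments-app):
#   gcloud secrets versions access latest --secret=payments-db-password
```

Two caveats. Passing `secret_data` through Terraform writes the plaintext into Terraform state, so either protect and encrypt the state backend or create versions out of band and manage only the secret shell in code. And "every interaction generates an audit entry" holds only once Data Access audit logs are enabled for Secret Manager; Admin Activity logs alone do not record `AccessSecretVersion` calls.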
Best Practices
BigQuery data security and governance
Spanner Security
Access Control
Fine-grained access control
Encryption
Bigtable Security
Authentication
Access Control
Create and manage tags
Audit logging
Encryption
GCP Security, Compliance, Governance, and Architecture resources
Google Cloud Solutions Center
Discoveries
Cloud Capability Assessment
The Cloud Capability Assessment helps determine where you are in your cloud journey and how you can develop new competencies across your business, financial and technology plans.
AI Readiness Quick Check
A quick assessment to understand an organization's AI capabilities across 6 pillars. Provide best practices and recommended learnings to advance the organization's AI practice.
Security and Resilience Framework
This discovery helps you evaluate your overall security maturity against five NIST functions: Identify, Protect, Detect, Respond and Recover. Use this discovery for recommendations on how to improve your security posture.
Data Foundations for AI Benchmarking
Help customers understand the robustness of their data analytics foundations and its readiness for AI adoption. The output of the assessment is a gap analysis of current data foundation capabilities with set of Google recommendations and PoV to create a transformational data platform.
Cloud FinOps Assessment
A cloud FinOps capability maturity assessment to help organizations better understand their cloud financial processes, culture, skillset, tooling, and technical competency. There are 13 questions which span the 5 pillars of cloud FinOps: 1. Accountability & Enablement, 2. Measurement & Realization, 3. Cost Optimization, 4. Planning & Forecasting, and 5. Tools & Accelerators. For each of the questions, the responses range between 1-5 with increasing maturity. If you have any issues taking the survey contact the Cloud FinOps team at pso-finops@google.com
Partner Excellence Framework (PEF) - PreDelivery
Partners can use the PreDelivery assessment before the delivery of the project has started. This assessment evaluates the technical readiness of the partner team for any project/workload on Google Cloud. The assessment report helps to identify and capture any potential gaps in architecture and provide prescriptive guidance aligned with Google Cloud architectural best practices to remediate those gaps. Additionally, the assessment also provides questions and assets that partners can use during the project discovery.
Data & AI Cloud for Marketing - Benchmarking
Understand your current marketing analytics capabilities to address the convergence of forces between shifting customer expectations and economic pressures putting more focus on growth and ROI of marketing activities.
Data & AI Cloud for Supply Chain - Benchmarking
A benchmarking survey to understand the critical capabilities required across Supply Chains to reduce risks & disruptions, and solving for resiliency and sustainability amidst global disruptions.
Autonomic Security Operations
Autonomic Security Operations is a stack of products, integrations, blueprints, technical content, and an accelerator program to enable customers to take advantage of our best-in-class technology stack built on Chronicle and Google’s deep security operations expertise.
The Defender’s Advantage: Mandiant Cyber Defense
Self-assessment of capabilities tied to the six critical functions of cyber defense as detailed in The Defender's Advantage by Mandiant including Intel, Command and Control, Hunt, Detect, Respond and Validate.
Solutions
(links in the solutions center)
Google Cloud Architecture Center
(Best Practices for Google Cloud)
Google Cloud Architecture Framework
Review shared responsibility and shared fate on Google Cloud
Understand security principles
Manage risks with controls
Manage your assets
Manage identity and access
Implement compute and container security
Secure your network
Implement data security
Deploy applications securely
Manage compliance obligations
Implement data residency and sovereignty requirements
Implement privacy requirements
Implement logging and detective controls
Enterprise foundations blueprint
Google Cloud deployment archetypes
Migrate to Google Cloud
Assess and discover your workloads
Build your foundation
Transfer your large datasets
Deploy your workloads
Migrate from manual deployments to automated, containerized deployments
Optimize your environment
Best practices for validating a migration plan
Minimize costs
Hybrid and multicloud architecture guidance
Migrate across Google Cloud regions
GCP Architecture Guides
GenAI-Vertex-workbench-security
Network Firewall Microsegmentation
Google Cloud Certificate Authority Service deployment
Securing User Managed Vertex-AI Workbench
Deploying IL4 Assured Workload
Deploying Australia Regions with Assured Support Workload
SCC Cryptomining Program
Secure Web Proxy
Security and resilience framework
Landing zone design in Google Cloud
Google Cloud Infrastructure Reliability Guide
Google Cloud security foundations blueprint guide
Best practices for cloud security products
Anthos security blueprints
Secured Data Warehouse security blueprint
AI Platform Notebooks security blueprint
Container security best practices
Security best practice checklists (Google Workspace)
Deployable security blueprints and landing zones
Security foundations deployable assets
Secured Data Warehouse blueprint GitHub repository
AI Platform Notebooks blueprint GitHub repository
Cloud Foundation Toolkit deployable assets
Anthos security blueprints GitHub repository
Security whitepapers and references
Security transformation resources
CISO’s guide to cloud security transformation
Strengthening operational resilience for FinServ
Building secure and reliable systems
NEW! Risk governance of digital transformation
Google Cloud security whitepapers
Google security
Google Workspace security
Google infrastructure security design overview
Encryption at rest
Encryption in transit
Google Workspace encryption
Cloud Key Management (KMS) deep dive
BeyondProd: New approach to cloud-native security
Binary Authorization for Borg
BeyondCorp: A new approach to enterprise security
Privileged access management in GCP
GCP Compliance resource center
Data governance
Data regions
Data residency
For European customers on Google Cloud
Privacy Resource Center
Cloud DPIA Resource Center
Find a Google Partner
Shared Fate Responsibility Model
Security & Governance topics from our CISO (Phil Venables)
Questions from CEOs and Boards
Current Risk and Threat Outlook
There's a lot going on in the world, can you give us a quick grand tour of the cyber threat landscape?
How are Companies Positioned
Are companies always playing defense and catch-up, is there an end to this?
Is Cloud More Secure than prior IT?
Is cloud more secure than traditional on-premise IT, what's the future here and how should companies select vendors in all this uncertainty?
Enterprise Risk Management
How should organizations think about managing cyber risk with all their other risks - what's the efficient frontier here? Is this a technology problem or a business problem or both?
Board Conversations
What is the right security conversation a Board should have?
What should they be asking the CEO, the CIO, the CISO?
Personal Wishful Thinking
You've had experience on both sides of the Board room, what do you wish you'd have done better either as a Board Director or a Chief Risk Officer / Chief Information Security Officer?
We talk a lot about using security to deliver business enablement, is that viable?
Wishful Thinking for Others
If you could make a wish and ask all our Boards or executives to do one thing that would benefit their security and make the lives of their CISOs easier, what would it be?
Crucial Questions from CIOs and CTOs
Moving to Cloud Quicker
How do I get security, risk, compliance and audit more comfortable with an acceleration to the cloud - so I can deliver on objectives and in fact mitigate technology, security and resiliency risk more quickly?
Security vs. All Technology Risks
Is cybersecurity the most significant risk and how should I prioritize security vs. all my other technology risks?
CISO Function Alignment
How do I ensure the CISO function is integrated into IT / business processes / activities?
Forward Planning for Security
I’d like to plan ahead but things coming from the security team seem so unpredictable
How Much Security is Enough?
No amount of effort ever seems enough for the security team, what should I do?
Developer Agility and Security
How do I ensure developer agility and productivity in the face of security?
Legacy Systems
How should I deal with legacy systems and architectures that are hard to secure?
Crucial Questions from CISOs and Security Teams
Hybrid Multi-Cloud
How do we manage security across our hybrid on-premise and multi-cloud / multi-SaaS environments?
Threat Intelligence
How can we obtain, curate and act on threat intelligence in more effective ways?
Security Monitoring
How can I scale security monitoring to deal with increased attack surface and increased sensory coverage?
Workforce Challenges
How do I fill the positions I have with the right skills and people? How do I nurture my leaders and build a succession plan?
Board and Executive Relationships
How do we keep the Board and executive leadership informed and on-side with our efforts?
IT Modernization
How do I ensure IT prioritizes necessary security upgrades and IT systems modernization?
Benchmarking
How do I know if I’m doing enough and if my risk profile is about right?
Crucial Questions from Governments and Regulators
Risk Tradeoffs
How do we think about the trade-offs between security, resilience, privacy and other risks?
Principle vs. Objective Standards
How stringent should we be in setting prescriptive standards for security?
Information Sharing
What is the right amount and type of information to share between the public and private sector to what effect?
Supply Chain Risk
How should we think about 3rd party, 4th party or even deeper supply chain risks?
Cybersecurity Workforce
How do we ensure we are growing skills and jobs in our local market?
Nation State vs. Criminal Threats
How should we prioritize dealing with nation state threats vs. organized criminal threats against businesses?
Reporting and Transparency
How do we become aware of incidents affecting our domestic enterprises or those under our regulatory charge?
Risk Governance of Digital Transformation in the Cloud
XDR - Extended or enhanced approach to endpoint detection and response (EDR) in which the “X” serves as a wildcard operator to connote extending threat detection and response measures across endpoints, networks, SaaS applications, and cloud infrastructure.
MDR - Managed Detection and Response (more analysis and threat intelligence compared to a traditional MSSP)
MXDR - Managed Extended Detection and Response - extends MDR services across the enterprise: security analytics, operations, advanced threat hunting, detection and rapid response across endpoint, network, and cloud environments.
SIEM - Security Information and Event Management
SOAR - Security Orchestration, Automation, and Response - more automation compared to a traditional SIEM
CSPM - Cloud security posture management
CASB - Cloud access security broker - proxy between users and cloud/Internet
Visibility
Threat Detection
Compliance
Data Security
DLP - Data Loss Prevention
Additional resources
Security Scorecard
NICCS
Global Knowledge
Learning resources
Google Cloud security showcase
Cloud Security Podcast
GCP CIS Benchmarks™
GCP MITRE ATT&CK®
Professional Cloud Security Certification
Coursera: Google Cloud Security
Pluralsight: Security Best Practices in Google Cloud
Security Summit 2022 recordings
Next OnAir Security session recordings 2020
Next Security session recordings 2019
8 - Secure Software Supply Chain
Ideal
Shift security left in the software CI/CD pipeline.
High-level Model
Detailed Model
Design secure deployment pipelines
Software Delivery Shield
Cloud Workstations (managed development environments)
Cloud Code source protect
Artifact Registry & Container Analysis
Assured Open Source Software
Cloud Build
GKE security posture
Cloud Run security insights
Binary Authorization
Leveraging the SLSA ("salsa") framework
Deploy an enterprise developer platform on Google Cloud
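As an added example (not code from this page or from Google's own blueprints), the Terraform configuration below wires three of the components listed above together: a Container Analysis note, a Binary Authorization attestor that trusts one signing key, and a project policy that makes GKE refuse any image that does not carry an attestation from that attestor. The project ID, resource names, the PEM key file path and the exemption pattern are assumed placeholders; the matching private key is assumed to live in Cloud KMS on the build side and is used by Cloud Build to sign images, which is not shown here.

```hcl
# Added example: Binary Authorization gate for a GKE cluster (Terraform,
# hashicorp/google provider). Project, names and key material are assumed
# placeholders, not values taken from the page.

provider "google" {
  project = "example-project-id" # assumed
}

# Container Analysis note that attestations produced by the build are attached to.
resource "google_container_analysis_note" "build_note" {
  name = "build-attestor-note"
  attestation_authority {
    hint {
      human_readable_name = "CI build attestor"
    }
  }
}

# Attestor: Binary Authorization trusts only attestations signed by this key.
# The private half should never be in Terraform state; keep it in Cloud KMS.
resource "google_binary_authorization_attestor" "build" {
  name = "build-attestor"
  attestation_authority_note {
    note_reference = google_container_analysis_note.build_note.name
    public_keys {
      id = "build-key-1" # assumed; must match the key ID embedded in each signature
      pkix_public_key {
        public_key_pem      = file("build-attestor.pub.pem") # assumed file path
        signature_algorithm = "ECDSA_P256_SHA256"
      }
    }
  }
}

# Project-wide policy: block and audit-log anything without a valid attestation.
resource "google_binary_authorization_policy" "policy" {
  # Keeps Google-managed GKE system images admissible without extra rules.
  global_policy_evaluation_mode = "ENABLE"

  default_admission_rule {
    evaluation_mode         = "REQUIRE_ATTESTATION"
    enforcement_mode        = "ENFORCED_BLOCK_AND_AUDIT_LOG"
    require_attestations_by = [google_binary_authorization_attestor.build.name]
  }

  # Exemptions are the bypass an attacker looks for first: keep this list short
  # and never use a bare "*". Pattern below is an assumed example.
  admission_whitelist_patterns {
    name_pattern = "gcr.io/google-containers/*"
  }
}

# The cluster has to opt in, otherwise the policy above is never consulted.
resource "google_container_cluster" "primary" {
  name               = "hardened-gke"
  location           = "us-central1"
  initial_node_count = 1
  binary_authorization {
    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
  }
}
```

Before switching the default rule to ENFORCED_BLOCK_AND_AUDIT_LOG on a live cluster, run it with enforcement_mode set to DRYRUN_AUDIT_LOG_ONLY and review the audit log entries; every image that would have been denied shows up there, which is the cheapest way to find workloads that are not yet built through the attested pipeline.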
7 - Secure App Delivery
Ideal
Protect external facing applications with DDoS defense, web application firewalling.
Components
Compute
GKE Security
GCE Security
Shielded VMs
Confidential VMs
Leveraging VPC Service Controls
Disk Encryption
Deploy a secured serverless architecture using Cloud Functions
Deploy a secured serverless architecture using Cloud Run
Compute and container security
Access
Network & Application Security in Google Cloud
Traffic Director (Advanced Traffic Management)
Cloud Armor
DDoS protection
WAF protection
Adaptive Protection
Managed SSL Certs
Best practices for securing applications and APIs using Apigee
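As an added example (not code from this page or from Google's own blueprints), the Terraform configuration below shows how the Cloud Armor items listed above combine in front of an external HTTP(S) load balancer: Adaptive Protection for layer-7 DDoS defense, preconfigured WAF rules, a per-client rate limit, and the mandatory default rule, attached to a backend service. The policy, backend and health-check names are assumed placeholders, and the instance group is assumed to exist elsewhere in the configuration.

```hcl
# Added example: Cloud Armor edge policy (Terraform, hashicorp/google provider).
# Names are assumed placeholders; the instance group is passed in as a variable
# and is assumed to be defined elsewhere.

variable "instance_group" {
  type        = string
  description = "Self link of an existing instance group (assumed)"
}

resource "google_compute_security_policy" "edge" {
  name = "edge-waf-policy"

  # Layer-7 DDoS defense: Cloud Armor learns a traffic baseline and flags or
  # blocks anomalous request patterns against this policy's backends.
  adaptive_protection_config {
    layer_7_ddos_defense_config {
      enable          = true
      rule_visibility = "STANDARD"
    }
  }

  # Preconfigured WAF rules (OWASP ModSecurity CRS based). Sensitivity 1 enables
  # only the highest-confidence signatures, the usual starting point to keep
  # false positives down before raising it.
  rule {
    action      = "deny(403)"
    priority    = 1000
    description = "Block SQL injection"
    match {
      expr {
        expression = "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})"
      }
    }
  }

  rule {
    action      = "deny(403)"
    priority    = 1001
    description = "Block cross-site scripting"
    match {
      expr {
        expression = "evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1})"
      }
    }
  }

  # Per-source-IP rate limit: absorbs application-layer floods that do not
  # match a signature. Threshold is an assumed example value.
  rule {
    action      = "throttle"
    priority    = 2000
    description = "Rate limit by client IP"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    rate_limit_options {
      conform_action = "allow"
      exceed_action  = "deny(429)"
      enforce_on_key = "IP"
      rate_limit_threshold {
        count        = 100
        interval_sec = 60
      }
    }
  }

  # Default rule at the lowest priority is required; allow what nothing above matched.
  rule {
    action      = "allow"
    priority    = 2147483647
    description = "Default allow"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}

resource "google_compute_health_check" "app" {
  name = "app-hc"
  http_health_check {
    port = 80
  }
}

# The policy only takes effect once attached to a backend service behind the
# external load balancer.
resource "google_compute_backend_service" "app" {
  name            = "app-backend"
  protocol        = "HTTP"
  health_checks   = [google_compute_health_check.app.id]
  security_policy = google_compute_security_policy.edge.id
  backend {
    group = var.instance_group
  }
}
```

Roll the WAF rules out with action set to "deny(403)" replaced by a preview (the rule's preview attribute) first; matched requests are then logged but not blocked, which shows what the sensitivity level would catch in real traffic before enforcement. The rate-limit threshold and the sensitivity values above are assumed starting points, not recommendations from the page.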