-
1 - Cloud Governance
-
Ideal State
- Automated, governed infrastructure pipeline using Infrastructure as Code (IaC)
-
Components
- Best practices for accounts and organizations
- Landing zone design in Google Cloud
-
Resource Manager
- IAM and Org policies are inherited from parent Org/folders.
-
Policies
-
Organizational policies
- Why these should be used
- Preventative Guardrails
- Set policies that restrict or enforce resource configurations
- eg: VMs must not have public IPs
- eg: Buckets must be provisioned in us-west1
- Identity Agnostic
- Applies to all users
- Platform-level Enforcements
- Enforced regardless of whether the entry point is the Cloud Console, gcloud, or the API
- Config-time Enforcement
- Majority of enforcement done at config time
- Config-time policies are non-retroactive
- Existing workloads won’t suddenly break
- Built-in Constraints
- Constraints are available in the platform and currently not extensible
- Foundational Set
- Prevent access to Google Cloud services except from managed identities in allowed domains
- Enforce Public Access Prevention
- Domain restricted sharing
- Domain restricted contacts
- Enforce uniform bucket-level access
- Require OS Login
- Enforce additional security policies for service accounts
- Disable service account key creation
- Disable Automatic IAM Grants for Default Service Accounts
- Disable Service Account Key Upload
- Prevent the creation of less secure VPC network configurations
- Disable VM serial port access
- Restrict shared VPC project lien removal
- Define allowed external IPs for VM instances
- Skip default network creation
- Sets the internal DNS setting for new projects to Zonal DNS Only
- Restrict Public IP access on Cloud SQL instances
- Restrict Authorized Networks on Cloud SQL instances
- Restrict Protocol Forwarding Based on type of IP Address
- Disable VPC External IPv6 usage
- Disable VM nested virtualization
- New default org policies for new Organizations created after Feb 13 2024
- Disable Service Account key creation
- Prevent users from creating persistent keys for Service Accounts.
- Decreases the risk of exposed Service Account credentials.
- Disable Service Account key upload
- Prevent the upload of external public keys to Service Accounts.
- Decreases the risk of exposed Service Account credentials.
- Disable automatic IAM grants for default Service Accounts
- Prevent default Service Accounts from receiving the overly-permissive IAM role Editor at creation.
- The Editor role lets the Service Account create and delete resources for most Google Cloud services, which creates a vulnerability if the Service Account gets compromised.
- Enforce Domain Restricted Sharing
- Limit IAM policies to only allow managed user identities in selected domain(s) to access resources inside this Organization.
- Leaving the Organization open to access by actors with domains other than the customers’ own creates a vulnerability.
- Allow only domain restricted contacts
- Limit Essential Contacts to only allow managed user identities in selected domain(s) to receive platform notifications.
- A bad actor with a different domain might get added as an Essential Contact, leading to a compromised security posture.
- Enforce uniform bucket-level access
- Prevent GCS buckets from using per-object ACL (a separate system from IAM policies) to provide access.
- Enforces consistency for access management and auditing.
- Set the internal DNS setting for new projects to zonal DNS only.
- Set guardrails so that application developers cannot choose legacy DNS settings for Compute instances.
- Legacy DNS settings (global) have lower service reliability than modern DNS settings (zonal).
- Creating & managing custom constraints
- Specific guidance (Section 4.3 has 18+ recommended policies to consider)
- Additional Policy Controls
(Specific guidance from Section 4.4)
- Limit session and gcloud timeouts
- Disable Cloud Shell
- Use phishing-resistant security keys
- Enable access transparency
- Enable access approval
- Set up Trusted Images project
- Manage Compute Engine resources using custom constraints
-
Policy Intelligence
- IAM Recommender
(ML used to help achieve least privilege)
- Policy Troubleshooter
(Why principal doesn't have access?)
- IAM Policy Analyzer
(Who has access to what?)
- Org Policy Analyzer
- Policy Simulator
(Simulate before breaking app/process)
-
Not just IaC, but also Policy as Code
- Declarative
- Validate
- Automate
- Roll back
- Scale
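The preventative guardrails above ("VMs must not have public IPs", "buckets must be provisioned in us-west1") are policy-as-code in its simplest form: declarative rules evaluated against a declared configuration before anything is provisioned. The following is an added example, not code from the page or from Google Cloud, that evaluates three such rules over a constructed plan document; the resource format, field names and rule names are assumptions made for the example and are not the Terraform plan schema or the Organization Policy constraint engine.

```python
"""Policy-as-code check over a declarative resource plan (added example).

Evaluates a small set of preventative guardrails of the kind an
organization policy expresses, against resources described in a
plan-like JSON document, before anything is provisioned. The resource
format and rule names are constructed for this example; they are not
the Terraform plan schema or Google Cloud's own constraint engine.
"""
import json

# Constructed sample plan: three resources, each breaking a different rule.
SAMPLE_PLAN = json.dumps({
    "resources": [
        {"type": "compute_instance", "name": "web-1",
         "region": "us-west1", "external_ip": True},
        {"type": "storage_bucket", "name": "logs",
         "region": "us-east1", "uniform_bucket_level_access": True},
        {"type": "storage_bucket", "name": "exports",
         "region": "us-west1", "uniform_bucket_level_access": False},
    ]
})

# A compliant plan for comparison (also constructed).
COMPLIANT_PLAN = json.dumps({
    "resources": [
        {"type": "compute_instance", "name": "web-2",
         "region": "us-west1", "external_ip": False},
        {"type": "storage_bucket", "name": "archive",
         "region": "us-west1", "uniform_bucket_level_access": True},
    ]
})


def no_public_ips(resource):
    """Mirror of 'VMs must not have public IPs'."""
    if resource["type"] == "compute_instance" and resource.get("external_ip"):
        return "VM must not have a public IP"
    return None


def bucket_region_allowlist(resource, allowed=("us-west1",)):
    """Mirror of 'buckets must be provisioned in us-west1'."""
    if resource["type"] == "storage_bucket" and resource.get("region") not in allowed:
        return f"bucket must be provisioned in {', '.join(allowed)}"
    return None


def uniform_bucket_access(resource):
    """Mirror of 'enforce uniform bucket-level access'."""
    if resource["type"] == "storage_bucket" and not resource.get("uniform_bucket_level_access"):
        return "bucket must enforce uniform bucket-level access"
    return None


RULES = [no_public_ips, bucket_region_allowlist, uniform_bucket_access]


def evaluate_plan(plan_json, rules=RULES):
    """Return a list of (resource name, violation) pairs for the plan."""
    plan = json.loads(plan_json)
    violations = []
    for resource in plan["resources"]:
        for rule in rules:
            message = rule(resource)
            if message:
                violations.append((resource["name"], message))
    return violations


def plan_is_compliant(plan_json, rules=RULES):
    """True when no rule rejects any resource in the plan."""
    return not evaluate_plan(plan_json, rules)


if __name__ == "__main__":
    for name, message in evaluate_plan(SAMPLE_PLAN):
        print(f"DENY {name}: {message}")
    print("compliant" if plan_is_compliant(SAMPLE_PLAN) else "blocked")
```

Because the check runs on the plan rather than on live resources, it behaves like the config-time constraints described above: it blocks new non-compliant resources and says nothing about workloads that already exist, which is why a retroactive audit (for example Security Health Analytics findings) is still needed alongside it.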
-
VPC Service Controls
-
Benefits
- Mitigate data exfiltration risks
- Keep data private inside the VPC
- Deliver independent data access controls
-
Features
- Coverage of services
- VPC SC offers broad coverage of internet to service, service to service, VPC to service access controls.
- Rich security logging
- Maintain an ongoing log of access denials to spot potential malicious activity on Google Cloud resources. Flow logs capture information about the IP traffic going to and from network interfaces on Compute Engine. The logs provide near real-time visibility.
- Support for hybrid environments
- Configure private communication to cloud resources from VPC networks that span cloud and on-premises hybrid deployments using Private Google Access.
- Secure communication
- Securely share data across service perimeters with full control over what resource can connect to others or to the outside.
- Context-aware access
- Control access to Google Cloud services from the internet based on context-aware access attributes like IP address and a user’s identity.
- Perimeter security for managed Google Cloud services
- Configure service perimeters to control communications between virtual machines and managed Google Cloud resources. Service perimeters allow free communication within the zone and block all service communication outside the perimeter.
-
Use cases
- Mitigate threats such as data exfiltration
- VPC Service Controls allow customers to address threats such as data theft, accidental data loss, and excessive access to data stored in Google Cloud multi-tenant services. It enables clients to tightly control what entities can access what services in order to reduce both intentional and unintentional losses.
- Isolate parts of the environment by trust level
- VPC Service Controls delivers a method to segment the multi-tenant services environment and isolate services and data. It enables environment micro-segmentation based on service and identity. Service Controls enables clients to extend their networks to include multi-tenant Google Cloud services and control egress and ingress of data.
- Secure access to multi-tenant services
- VPC Service Controls delivers zero-trust style access to multi-tenant services. Clients can restrict access to authorized IPs, client context, and device parameters while connecting to multi-tenant services from the internet and other services. Examples include GKE, BigQuery, etc. It enables clients to keep their entire data processing pipeline private.
-
Visual Example
- (Google Cloud official YouTube video link)
-
Notifications
- Contacts & Notifications
- Audit Logging
- Billing Alerts
-
Assured Workloads
-
Data residency
- To help comply with data residency requirements, Google Cloud gives you the ability to control the regions where data at rest is stored.
- During Assured Workloads setup, you create an environment and select your compliance program. When you create resources in the environment, Assured Workloads restricts the regions you can select for those resources based on the compliance program you chose using Organization Policy.
-
Cryptographic control over data access
- Google Cloud applies encryption at rest and in transit by default. To gain more control over how data is encrypted, Google Cloud customers can use Cloud Key Management Service to generate, use, rotate, and destroy encryption keys according to their own policies.
- Cryptographic control over data access is achieved through the use of Key Access Justifications (KAJ) together with our Cloud External Key Manager (EKM).
- Assured Workloads configures the appropriate encryption services per workload depending on the compliance program you chose.
-
Assured Support
- Regulated customers’ compliance obligations extend to support services. Assured Support is a value-added service for Premium or Enhanced Support that ensures only Google support personnel who meet specific geographical and personnel conditions work on their workload when they raise a support case or need technical assistance.
- By delivering the same features and benefits of Premium or Enhanced Support (including response times) with an added layer of controls and transparency, Assured Support helps customers meet compliance requirements without compromising on the level and quality of support.
-
Assured Workloads monitoring
- Assured Workloads monitoring scans your environment in real time and provides alerts whenever organization policy changes violate the defined compliance posture. The monitoring dashboard shows which policy is being violated and provides instructions on how to resolve the finding.
- Assured Workloads Quick Start Guide
-
Specific Frameworks
- FedRAMP implementation guide
-
PCI DSS
- Limiting scope of compliance for PCI environments in Google Cloud
- PCI Data Security Standard compliance
- PCI DSS compliance on GKE
- Security blueprint: PCI on GKE
- Tokenizing sensitive cardholder data for PCI DSS
-
Active Assist portfolio
-
Cost
- VM machine type recommender
- Committed use discount recommender
- Idle VM recommender
- Cloud SQL overprovisioned instance recommender
-
Security
- IAM recommender
- Firewall insights
- Cloud Run recommender
-
Performance
- VM machine type recommender
- Managed instance group machine type recommender
-
Reliability
- Compute Engine predictive autoscaling
- Cloud SQL out-of-disk recommender
- Policy Troubleshooter
- Policy Analyzer
-
Manageability
- Network Intelligence Center
- Product suggestion recommender
- Policy Simulator
-
Sustainability
- Unattended project recommender
-
Access Transparency and Access Approval
- Customer data is not accessed for any reason other than to fulfill contractual obligations
- Valid business justification required for any access by support or engineering personnel
- Near real-time logs offer insight when Google Cloud administrators access your content
- Approve or dismiss requests for access by Google employees working to support your service
- Audit Manager (Private Preview)
-
2- Identity and Access Management
-
Ideal State
- Unified, federated identity. Least privilege policies based on user/service, role, resource, condition.
- Only short-term credentials - for everything, everywhere.
-
Components
-
Identities in Google Cloud
- Google Cloud Identity
- Best practices for federating Google Cloud with an external identity provider
- Workforce Identity Federation
- Workload Identity Federation
- Manage just-in-time privileged access to projects
-
MFA/2FA/2SV for admin accounts
- Hardware Keys
(preferred)
-
Least-privilege roles & permissions
-
IAM Policy Intelligence
- Troubleshooter
- Simulator
- Recommender
- Analyzer
-
Service Accounts
-
When to use service accounts
- 4-min video
-
Best practices for managing Service Account Keys
- Provide alternatives to creating service account keys.
- Use organization policy constraints to limit which projects can create service account keys.
- Don't leave service account keys in temporary locations.
- Don't pass service account keys between users.
- Don't submit service account keys to source code repositories.
- Don't embed service account keys in program binaries.
- Use insights and metrics to identify unused service account keys.
- Rotate service account keys to reduce security risk caused by leaked keys.
- Use uploaded keys to let keys expire automatically.
- Best Practices for using service accounts
- Best practices for using service accounts in pipelines
-
Migrate away from service account keys
- Assess: In this phase, you assess your existing environment to understand where service account keys exist and whether the keys are in use.
- Plan: In this phase, you decide which controls you will eventually deploy and communicate the migration plan to stakeholders.
- Deploy: In this phase, you begin refactoring workloads to authenticate with more secure alternatives to service account keys. You also build additional capabilities to continuously monitor your environment and mitigate future risk.
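The Assess phase starts with an inventory of which keys exist and which of them are user-managed, never expire, or are past their rotation age. As an added example (not code from the page or from Google), the script below parses records in the shape that `gcloud iam service-accounts keys list --format=json` prints for one service account and flags the keys that need action; the records, the service account name and the 90-day threshold are constructed for the example.

```python
"""Assess phase of a service account key migration (added example).

Reads the JSON that `gcloud iam service-accounts keys list --format=json`
produces for one service account and flags the user-managed keys that
need action: keys that never expire and keys older than a rotation
threshold. Google-managed (SYSTEM_MANAGED) keys rotate automatically and
are skipped. The key records below are constructed for this example;
they are not from a real project.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed service account name.
SA = "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com"

# Constructed records in the shape of `gcloud iam service-accounts keys list --format=json`.
SAMPLE_KEYS_JSON = json.dumps([
    {"name": f"{SA}/keys/aaaa1111", "keyType": "SYSTEM_MANAGED",
     "keyOrigin": "GOOGLE_PROVIDED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "validAfterTime": "2024-05-20T00:00:00Z", "validBeforeTime": "2024-06-05T00:00:00Z"},
    # A downloaded key: Google-generated, user-managed, and it never expires.
    {"name": f"{SA}/keys/bbbb2222", "keyType": "USER_MANAGED",
     "keyOrigin": "GOOGLE_PROVIDED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "validAfterTime": "2023-01-15T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    # An uploaded key with a short validity window, as the best practice recommends.
    {"name": f"{SA}/keys/cccc3333", "keyType": "USER_MANAGED",
     "keyOrigin": "USER_PROVIDED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "validAfterTime": "2024-05-20T00:00:00Z", "validBeforeTime": "2024-08-20T00:00:00Z"},
])

# Fixed clock so the assessment is reproducible.
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_rfc3339(value):
    """gcloud prints UTC timestamps with a trailing Z, which
    datetime.fromisoformat only accepts from Python 3.11 on."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_keys(keys_json, now=REFERENCE_NOW, max_age_days=90):
    """Return {key name: [issues]} for user-managed keys that need attention."""
    findings = {}
    for key in json.loads(keys_json):
        if key["keyType"] != "USER_MANAGED":
            continue  # Google-managed keys are rotated by the platform
        issues = []
        if parse_rfc3339(key["validBeforeTime"]).year == 9999:
            issues.append("never expires")
        age = now - parse_rfc3339(key["validAfterTime"])
        if age > timedelta(days=max_age_days):
            issues.append(f"older than {max_age_days} days")
        if issues:
            findings[key["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in assess_keys(SAMPLE_KEYS_JSON).items():
        print(f"{name.rsplit('/', 1)[1]}: {', '.join(issues)}")
```

In a real assessment the input comes from running the gcloud command once per service account across every project; usage data (whether a key has authenticated recently) is not in this listing and comes from the key insights the best-practices list mentions.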
-
Identity-Aware Proxy (IAP)
(leverage identity instead of network access)
-
Common proxies
- App Engine
- Cloud Run
- Compute Engine
- GKE
- On-premises
-
Overview of TCP forwarding
- IAP for TCP forwarding
(enable admin access to VMs that have no external IP address or no direct Internet access)
- Secure IAP for TCP forwarding with VPC Service Controls
- Can be extended with access levels
(Access Context Manager)
- IAP Best Practices
-
Leveraging external identities
- Email/password
- OAuth (Google, Facebook, Twitter, GitHub, Microsoft, etc.)
- SAML
- OIDC
- Phone number
- Custom
- Anonymous
-
Access Context Manager
-
Create access levels for projects and resources
- Permit access based on contextual information about the request
-
Methods
- Basic
- Collection of conditions
- Custom
(Google Workspace Premium)
- Created using Common Expression Language
-
Conditions
- IP subnetworks
(excludes private IP ranges)
- Geographic locations
- Device policy / endpoint verification
(Google Workspace Premium)
- Supported computers
- Apple Mac OS X El Capitan (10.11) and later
- Devices running ChromeOS 110 and later
- Linux Debian and Ubuntu
- Note: CPU must support AES instructions.
- Microsoft Windows 10 and 11
- Criteria
- Screen lock
- Require admin approval
- Require corp owned device
- Storage encryption
- Operating system policy
- Access level dependencies
-
Leveraged with the following GCP services
- VPC Service Controls
- Identity-Aware Proxy
- Context-Aware Access for Google Workspace
- Identity and Access Management (IAM) conditions
-
Context Aware Access (Google Workspace)
- Allow access to apps only from company-issued devices
- Allow access to Drive only if the user's storage device is encrypted
- Restrict access to apps from outside the corporate network
- Best practices for securing SSH access to VM instances
-
Leverage OS Login to manage instances
- short video
- Setup OS Login
- Enforce OS Login at org level
- Troubleshooting access problems on Google Cloud
- Identity Platform
(authenticate users to apps and services)
-
3 - Logging & Monitoring
-
Ideal State
- Aggregated platform, system, and audit logs.
-
Components
-
Log types
- Admin Activity Audit Logs
- Data Access Audit Logs
-
Access Transparency Logs & Access Approval
- Enabling Access Transparency
-
Architecture
- Cloud Logging
- Log Analytics
- Cloud Monitoring
- FinOps
- Logging best practices
- Four steps to managing your Cloud Logging costs on a budget
-
4 - Security Operations
-
Ideal State
- Continuously detect and act on vulnerabilities, threats, & misconfigurations.
-
Components
-
Native Cloud Signals & Alerts
-
Security Command Center
- Features
- Attack path simulation
- Duet AI
- Cloud Asset Inventory
- Supported Asset Types
- Services
- Web Security Scanner
- Overview
- OWASP Top 10
- Scans
- Custom Scans
- Managed Scans
- Finding Types
- Best Practices
- Findings
- Security Health Analytics
- Using SHA
- Detectors
- Findings
- Remediating Security Health Analytics findings
- Event Threat Detection
- Overview
- Using ETD
- Log Scoping Tool
- Rules
- Container Threat Detection
- Overview
- Using CTD
- Detectors
- Testing CTD
- Virtual Machine Threat Detection
- Overview
- Using VMTD
- Findings
- Google internal feeds
- Anomaly Detection
- Cloud Armor
- Security Command Center findings
- Data Loss Prevention
- Send Cloud DLP scan results to Security Command Center
- VM Manager
- Pricing
- Findings
- Vulnerability reports
- Secured Landing Zone
- Overview
- Using SLZ
- Remediating SLZ Findings
- Findings
- Environmental Findings
- Behavioral Findings
- Stateful findings
- Compliance
- CIS Benchmarks
- Additional standards
- Using the Compliance dashboard
- Third Party Services
- Forseti Security
- Notifications
- Get Help
- GitHub
- About
- Ansible
- Tenable
- McAfee
- Prisma Cloud
- Qualys
- Acalvio
- Capsule8
- SysDig
- CrowdStrike
- Chef
- Security sources
- Cloud-native application protection platforms (CNAPP)
- Cloud Security Posture Management (CSPM)
- Vulnerabilities
- Web Security Scanner
- Security Health Analytics
- VM Manager
- Cloud Workload Protection Platform (CWPP)
- Threats
- Anomaly Detection
- Container Threat Detection
- Data Loss Prevention
- Event Threat Detection
- Forseti Security
- Virtual Machine Threat Detection
- Errors
- Inadvertent actions
- Integrations
- API
- Risk Manager
- Remediate findings
- Manage Reports
- BigQuery
- SIEM/SOAR
- Cortex XSOAR
- Elastic Stack
- Elastic Stack via Docker
- Splunk
- QRadar
- Chronicle
- Investigate findings in Chronicle
- Using Security Command Center
- Access Control
- Security Marks
- Configuration
- Mute Rules
- Dashboard
- Exporting Data
- One-time exports
- Continuous Exports
- Enable finding notifications for Pub/Sub
- Export findings to BigQuery for analysis
- Installing Security Command Center tools
- Investigating and responding to threats
- Enabling real-time email and chat notifications
- Documentation
- Evaluation Guide
- Pricing
- Release Notes
- Latency
- Support
- Training
- Qwiklabs
- Securing Web Applications with Web Security Scanner
- Getting Started with Security Command Center - YouTube Playlist
- Quickstarts
- Set up Security Command Center
- Optimize Security Command Center
- How do I detect malicious activity in my Google Cloud environment?
- Improve cloud security posture guide
- Optimize Security Command Center
-
Respond to security & governance issues
-
Chronicle Suite
(SIEM & SOAR)
- Why Chronicle?
- Integration into Enterprise SOC Ecosystems
- Case Management
- Playbooks
- Investigation
- Threat Intel Platform
- Collaboration
- Crisis Management
- Business Intelligence
- All your data - fast!
- Hunt for threats 90% faster than traditional SOC tools
- Detect by correlating petabytes of your telemetry and identify malicious activity/patterns
- DNS
- Vulnerability data
- Cloud data
- Threat Intel
- EDR/XDR
- Authentication
- Identity
- Firewalls
- VPN
- Network
- Intelligent Data Fusion
- Unified data model
- Rich, extensible data model spanning Asset, User and IoC dimensions and attributes
- IP to host correlation
- Automated IP to host correlation enables instant asset and IoC analytics
- Canonical event deduplication
- Logical event layer (user logins, network connections etc.) and visualization simplifies and expedites analysis
- At a disruptive cost
- Eliminate the tradeoffs between cost and security with fixed and predictable pricing that is decoupled from capacity, compute and log source count.
- SecOps Services
- Solutions
- SecOps Transformation
- SIEM Augmentation
- Cloud Detection & Response
- Service Providers
- Knowledge base
- Data Sheets
- Chronicle SIEM
- Chronicle SOAR
- Blogs
- Case Studies
- Third-party Reports
-
DIY / manual
- SCC + Cloud Logging
- Pub/Sub
- Cloud Functions
-
Be prepared with best of breed
-
Mandiant
- Mandiant Advantage Platform
- Threat Intelligence
(know who's targeting you)
- What are the threats and how I detect them?
- How do threats affect me?
- How do I use threat intelligence effectively?
- Attack Surface Management
(know what is exposed on the Internet)
- Identify and remove sprawl
- Reduce software and cloud risk
- Monitor and Enforce security policies
- Security Validation
(know if you're prepared)
- Are we prepared?
- Proactive Security Validation
- Validation as a service
- Managed or co-managed validation
- Prioritize, Measure, Optimize, Rationalize, Monitor
- Alert Investigation and Prioritization
(formerly Automated Defense)
- Alert Investigation and Prioritization
- Managed Defense
- 24/7 monitoring
- Attacker behavior investigation & analysis
- Advanced Detection & Hunting
- Response & Remediation
- Breach Analytics for Chronicle
(are we compromised?)
- Consulting Services
- Incident Response
- Incident Response Service
- Incident Response Retainer
- Compromise Assessment
- Cyber Defense Assessment
- Ransomware
- Ransomware Defense Assessment
- Red Team for Ransomware
- Purple Team for Ransomware
- Tabletop Exercise
- Threatspace Cyber Range Simulation Exercise
- Risk Management
- Cyber Security Due Diligence
- Cyber Security Program Assessment
- Cyber Risk Management Operations
- Crown Jewels Assessment
- Threat and Vulnerability Assessment
- Threat Modeling Security Service
- Targeted Attack Testing
- Red Team Assessment
- Purple Team Assessment
- Continuous Purple Team Assessment
- Tabletop Exercise
- Embedded Device Assessment
- Penetration Testing
- Red Team – TIBER-EU
- ThreatSpace Cyber Range Simulation Exercise
- Cyber Security Transformation
- Cyber Defense Center Development
- Cyber Defense Operations
- Threat Intelligence, Threat Hunting and Incident Response Training
- Identity-First Security
- Insider Threat Assessment
- Insider Threat as a Service
- Remote Security Assessment
- Active Directory Assessment
- Penetration Testing for Internal Attacks
- Penetration Testing for Social Engineering
- Industrial Control Systems (ICS) & Operational Technology (OT)
- Explore all OT/ICS Solutions
- Industrial Control Systems (ICS) Healthcheck
- Penetration Testing for ICS
- Penetration Testing for Embedded/IoT
- Cloud Security
- Cloud Security Assessments
- Microsoft Office 365 Assessment
- Cloud Architecture Assessment: Azure, AWS, GCP
- Cloud Penetration Testing
- Cyber Security Due Diligence
- Cyber Security Due Diligence
- Penetration Testing for Web Applications
- Penetration Testing for Mobile
- Penetration Testing for Wireless
- Penetration Testing for Physical Security
- Threat Intelligence Services
- Applied Intelligence
- Cyber Threat Profile
- Intelligence Capability Development
- Executive Intelligence Briefings
- Mandiant Resources
- Blog
- Customer Stories
- Webinars
- Events
- Datasheets
- White Papers
- Podcasts
- Reports
- Cyber Security forecast 2023
- Global Perspectives on Threat Intelligence Report
- Insights
- Infographics
- eBooks
- Mandiant Academy
- Course Catalog
- Introductory Courses
- Introduction to Cyber Crime for Executives
- Cyber Security Awareness
- Fundamentals of Industrial Control Systems (ICS) Security
- Fundamentals of Cyber Security
- Cyber Security Policy and Implementation
- Audits and Compliance in the Cyber Domain
- Introduction to the Mandiant Security Instrumentation Platform
- Intelligence and Attribution Courses
- Introduction to Threat Intelligence and Attribution
- Cyber Intelligence Foundations
- Intelligence Research I—Scoping
- Intelligence Research II—Open Source Intelligence (OSINT)
- Cyber Intelligence Production
- Incident Response Courses
- Incident Response for Everyone
- Windows Enterprise Incident Response
- Linux Enterprise Incident Response
- Combined Windows-Linux Enterprise Incident Response
- Network Traffic Analysis
- Practical Threat Hunting
- Digital Forensics and Incident Response for PLCs
- Malware Analysis Courses
- Malware Analysis Fundamentals
- Malware Analysis Crash Course
- Malicious Documents Analysis
- Advanced Red Teaming Techniques: Malware Authoring and Repurposing
- Malware Analysis Master Course
- Advanced Acquisition and Testing Techniques Courses
- Creative Red Teaming
- Practical Mobile Application Security
- Workshops
- Business Email Compromise
- Exercises and Preparedness
- ThreatSpace: Real-World Attack Scenarios
- Senior Executive Mentorship Program
- Upcoming Public Courses
- On-Demand Courses
- Mandiant Certifications
- ThreatSpace Cyber Range
-
BeyondCorp & Zero Trust
- BeyondCorp Access in one minute
- Operate with Zero Trust using BeyondCorp Enterprise
- Context-aware access
-
BeyondCorp Alliance
-
-
Additional references
- An overview: "A New Approach to Enterprise Security"
- How Google did it: "Design to Deployment at Google"
- Google's frontend infrastructure: "The Access Proxy"
- Migrating to BeyondCorp: "Maintaining Productivity while Improving Security"
- The human element: "The User Experience"
- Secure your endpoints: "Building a Healthy Fleet"
-
Security Partners
-
Ecosystem
-
Infrastructure Protection
- Next-gen firewalls
- Web application firewalls (WAFs)
- Web proxies and cloud gateways
- Server endpoint protection
- DDoS protection
- Container security
-
Data Protection
- Encryption and key management
- Data/information loss protection
-
Logging and monitoring
- Logging and monitoring
- Configuration, vulnerability, risk, and compliance
-
Configuration, vulnerability, risk, and compliance
- Vulnerability scanners
- Governance, risk management, and compliance
-
5 - Data Protection
-
Ideal
- Identify and protect your most important data.
-
Components
- Data Security Guidance
-
Encryption of data at rest
-
Default Encryption
- Enabled by default - Google manages encryption keys
-
Cloud KMS
- Customer can manage their own keys, hosted by Google
-
Cloud HSM
- Customer can manage their own keys, hosted by Google on a dedicated hardware module
-
Cloud EKM
- Customer manages & hosts their own keys externally from Google
-
Sensitive Data Protection
(includes Data Loss Prevention)
- Features
- API Driven & GCP Console
- Cover use cases anywhere, on or off cloud with the DLP API
- De-identification, masking, tokenization, and bucketing
- Powerful and flexible masking of your AI/ML workloads
- Streaming content API
- Automated sensitive data discovery and classification (for BigQuery)
- Sensitive data intelligence for security assessments
- Results can be imported into BigQuery for analysis or imported into other systems
- With direct feeds into Chronicle and Security Command Center, you can leverage sensitive data intelligence to reduce noise and prioritize threats, vulnerabilities, and security investigations.
- Inspection/Analysis
- Learn about your data
- Discovery/data profiling
(for BigQuery)
- Get continuous visibility into all your sensitive data.
- Deep inspection
- Inspect your data in storage systems exhaustively and investigate individual findings.
- Risk Analysis
(for BigQuery)
- Process of analyzing sensitive data to find properties that might increase the risk of subjects being identified
- Sensitive information about individuals being revealed
- Help determine effective de-identification strategy
- Help monitor for any changes or outliers, after de-identification
- Methods
- Content (streaming data)
- Leveraging the DLP API
- InspectContent
- DeidentifyContent
- ReidentifyContent
- RedactImage
- OUTPUT:
- Inspection Findings
- De-Id transformed content
- Storage (Native GCP sources)
- Shards data and works in parallel
- Cloud Storage
- BigQuery
- Datastore
- Hybrid (streaming data)
- Hybrid jobs and job triggers
(requires custom application)
- Other cloud providers
- On-premises servers or other data repositories
- Non-native storage systems, such as systems running inside a virtual machine
- Web and mobile apps
- Google Cloud-based solutions
- Workflow
- You write a script or create a workflow that sends data to Sensitive Data Protection for inspection along with some metadata.
- You configure and create a hybrid job resource or trigger and enable it to activate when it receives data.
- Your script or workflow runs on the client side and sends data to Sensitive Data Protection in the form of a hybridInspect request. The data includes an activation message and the job or job trigger's identifier, which triggers the inspection.
- Sensitive Data Protection inspects the data according to the criteria you set in the hybrid job or trigger.
- Sensitive Data Protection saves the results of the scan to the hybrid job resource, along with metadata that you provide. You can examine the results using the Sensitive Data Protection UI in Google Cloud console.
- Optionally, Sensitive Data Protection can run post-scan actions, such as saving inspection results data to a BigQuery table or notifying you by email or Pub/Sub.
- Supported actions
- Save findings to Sensitive Data Protection and Save findings to BigQuery
- Send Pub/Sub
- Send Email
- Publish to Cloud Monitoring
- Actions from inspection results
- On-demand vs continuous profiling
- Discovery
(continuous profiling)
- BigQuery
- BigLake
- On-demand inspection
- BigQuery
- Cloud Storage
- Datastore
- Hybrid
- How
(Inspection template)
- InfoTypes
- Built-in (150+)
- Country, region-specific sensitive data types
- Globally applicable data types
- Custom
- Regular dictionary detectors
- Stored dictionary detectors
- Regular expression (regex)
- Inspection Rules
- Fine-tune
- Exclusion rules
- Hotword rules
- Likelihood Value
- Likelihood Unspecified
- Very Unlikely
- Unlikely
- Possible
- Likely
- Very Likely
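An inspection template combines infoType detectors (built-in or custom regex and dictionary detectors), inspection rules that fine-tune them (hotword rules raise likelihood when context words sit near a match, exclusion rules drop matches), and a minimum likelihood on the six-level scale above. The following is an added example, not code from the page or from Sensitive Data Protection, that implements that structure as a small scanner over a constructed text; the detector patterns, the hotword and exclusion rules, the window size and the sample text are all assumptions made for the example.

```python
"""Inspection-template style content scan (added example).

Mirrors the parts of an inspection template: a regex infoType detector,
a dictionary infoType detector, a hotword rule that raises likelihood
when a context word appears in a window before the match, an exclusion
rule that suppresses matches, and the six-level likelihood scale.
Detectors, rules and sample text are constructed for this example and
are not Sensitive Data Protection's own definitions.
"""
import re
from enum import IntEnum


class Likelihood(IntEnum):
    LIKELIHOOD_UNSPECIFIED = 0
    VERY_UNLIKELY = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    VERY_LIKELY = 5


# Constructed detectors: (pattern, base likelihood) per infoType name.
REGEX_DETECTORS = {
    "EMAIL_ADDRESS": (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), Likelihood.LIKELY),
    "US_PHONE": (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), Likelihood.POSSIBLE),
}
# Constructed dictionary detector: (word list, base likelihood).
DICTIONARY_DETECTORS = {
    "PROJECT_CODENAME": (("bluebird", "kestrel"), Likelihood.POSSIBLE),
}
# Hotword rule: a phone number preceded by "phone" or "cell" is far more
# likely to really be one, so raise its likelihood.
HOTWORD_RULES = [
    {"info_type": "US_PHONE", "hotword": re.compile(r"(?i)\bphone\b|\bcell\b"),
     "window_before": 20, "set_likelihood": Likelihood.VERY_LIKELY},
]
# Exclusion rule: addresses in the company's own domain are not findings.
EXCLUSION_RULES = [
    {"info_type": "EMAIL_ADDRESS", "exclude": re.compile(r"@example\.com$")},
]


def inspect_content(text, min_likelihood=Likelihood.POSSIBLE):
    """Return findings sorted by position, after rules and the likelihood floor."""
    findings = []
    for info_type, (pattern, base) in REGEX_DETECTORS.items():
        for m in pattern.finditer(text):
            findings.append({"info_type": info_type, "quote": m.group(0),
                             "start": m.start(), "likelihood": base})
    lowered = text.lower()
    for info_type, (words, base) in DICTIONARY_DETECTORS.items():
        for word in words:
            for m in re.finditer(r"\b" + re.escape(word) + r"\b", lowered):
                findings.append({"info_type": info_type, "quote": text[m.start():m.end()],
                                 "start": m.start(), "likelihood": base})
    # Hotword rules adjust likelihood based on the text before the match.
    for f in findings:
        for rule in HOTWORD_RULES:
            if f["info_type"] != rule["info_type"]:
                continue
            window = text[max(0, f["start"] - rule["window_before"]):f["start"]]
            if rule["hotword"].search(window):
                f["likelihood"] = rule["set_likelihood"]
    # Exclusion rules and the minimum likelihood decide what is reported.
    kept = []
    for f in findings:
        excluded = any(r["info_type"] == f["info_type"] and r["exclude"].search(f["quote"])
                       for r in EXCLUSION_RULES)
        if not excluded and f["likelihood"] >= min_likelihood:
            kept.append(f)
    kept.sort(key=lambda f: f["start"])
    return kept


# Constructed sample content.
SAMPLE_TEXT = ("Contact support@example.com or jane.doe@partner.org. "
               "Her cell is 415-555-0100; fax 415-555-0199. "
               "Codename Kestrel ships next week.")

if __name__ == "__main__":
    for f in inspect_content(SAMPLE_TEXT):
        print(f"{f['info_type']:16} {f['likelihood'].name:12} {f['quote']}")
```

Raising the minimum likelihood to LIKELY drops the fax number and the codename while keeping the hotword-boosted phone number, which is the trade-off the likelihood scale exists to express: fewer false positives at the cost of missing weaker matches.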
- Protection/De-Identification
- De-identification techniques
- Redaction: Deletes all or part of a detected sensitive value.
- Replacement: Replaces a detected sensitive value with a specified surrogate value.
- Masking: Replaces a number of characters of a sensitive value with a specified surrogate character, such as a hash (#) or asterisk (*).
- Crypto-based tokenization: Encrypts the original sensitive data value using a cryptographic key. Sensitive Data Protection supports several types of tokenization, including transformations that can be reversed, or "re-identified."
- Bucketing: "Generalizes" a sensitive value by replacing it with a range of values. (For example, replacing a specific age with an age range, or temperatures with ranges corresponding to "Hot," "Medium," and "Cold.")
- Date shifting: Shifts sensitive date values by a random amount of time.
- Time extraction: Extracts or preserves specified portions of date and time values.
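The techniques listed above are easier to compare side by side in code. The following is an added example, not code from the page or from Sensitive Data Protection, that implements redaction, replacement, masking, bucketing, a deterministic date shift, and a reversible format-preserving tokenization of digit strings. The tokenization is a constructed teaching cipher (a Feistel network with HMAC-SHA256 as the round function), not the FFX transformation the service uses; the key, the age buckets and the sample values are assumptions made for the example.

```python
"""De-identification transformations on detected values (added example).

Implements redaction, replacement, masking, bucketing, a deterministic
date shift, and a reversible, format-preserving tokenization of digit
strings built from a Feistel network keyed with HMAC-SHA256. The
tokenization is a constructed teaching cipher, not the FFX
transformation Sensitive Data Protection uses; key and sample values
are constructed for this example.
"""
import hashlib
import hmac
from datetime import timedelta


def redact(text, value):
    """Delete every occurrence of the detected value."""
    return text.replace(value, "")


def replace(text, value, surrogate):
    """Swap the detected value for a fixed surrogate such as [PHONE]."""
    return text.replace(value, surrogate)


def mask(value, keep_last=4, char="*"):
    """Keep the trailing characters and mask the rest with one character."""
    keep = value[-keep_last:] if keep_last else ""
    return char * (len(value) - len(keep)) + keep


# Constructed age ranges for bucketing.
AGE_BUCKETS = [(0, 17, "0-17"), (18, 34, "18-34"), (35, 64, "35-64"), (65, 200, "65+")]


def bucket_age(age, buckets=AGE_BUCKETS):
    """Generalize an exact age to the range that contains it."""
    for low, high, label in buckets:
        if low <= age <= high:
            return label
    raise ValueError(f"age {age} outside all buckets")


def _prf(key, tag, data):
    """Keyed pseudo-random function used by date_shift and the Feistel rounds."""
    mac = hmac.new(key, tag + data.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big")


def date_shift(value, context, key, lower_days=-30, upper_days=30):
    """Shift a date by a key- and context-dependent amount within the bounds,
    so all dates of one subject move together while the real date stays hidden."""
    span = upper_days - lower_days + 1
    delta = lower_days + _prf(key, b"shift", context) % span
    return value + timedelta(days=delta)


ROUNDS = 10


def tokenize_digits(digits, key):
    """Reversible, format-preserving tokenization of a digit string."""
    n = len(digits)
    if n < 2 or not digits.isdigit():
        raise ValueError("need a string of at least two digits")
    u = n // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else n - u  # half being rewritten this round
        c = (int(a) + _prf(key, bytes([i]), b)) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b


def detokenize_digits(token, key):
    """Re-identify a token produced by tokenize_digits with the same key."""
    n = len(token)
    u = n // 2
    a, b = token[:u], token[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else n - u
        c = (int(b) - _prf(key, bytes([i]), a)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


KEY = b"constructed-example-key-not-for-production"
ACCOUNT = "1234567890123456"  # constructed sample value

if __name__ == "__main__":
    token = tokenize_digits(ACCOUNT, KEY)
    print(mask(ACCOUNT), bucket_age(42), token, detokenize_digits(token, KEY))
```

Only the tokenization is reversible, and only by whoever holds the key; masking, bucketing and redaction discard information permanently, which is the property to pick when re-identification must never be possible.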
- De-identify examples
- De-identify data stored in Cloud Storage
- De-identify data from any source
- De-identify BigQuery data at query time
- De-identification and re-identification of PII in large-scale datasets in Cloud Storage
- Redact sensitive data from PDF files
- Use Sensitive Data Protection with AWS S3
- How
(De-identification template)
- Resources
- Documentation
- How-to guides
- "Traditional" DLP via BeyondCorp Enterprise
- Implement DLP with Chrome
- Uploads
- Downloads
- Content copied and pasted
- Content dragged and dropped
- 90+ content detectors
- Visual
-
Sensitive Data Protection
(includes Data Loss Prevention)
-
1) Understand/Inspection/Analysis
- Learn about your data
- Discovery/data profiling
- Get continuous visibility into all your sensitive data.
- BigQuery - GA
- BigLake - GA
- Cloud SQL - Preview
- Deep inspection
- Inspect your data in storage systems exhaustively and investigate individual findings.
- Risk Analysis
(for BigQuery)
- Process of analyzing sensitive data to find properties that might increase the risk of subjects being identified
- Sensitive information about individuals being revealed
- Help determine effective de-identification strategy
- Help monitor for any changes or outliers, after de-identification
- Report Credentials & Secrets to SCC
- detailed list
- Methods
- Content (streaming data)
- Leveraging the DLP API
- InspectContent
- DeidentifyContent
- ReidentifyContent
- RedactImage
- OUTPUT:
- Inspection Findings
- De-Id transformed content
- Storage (Native GCP sources)
- Shards data and works in parallel
- Cloud Storage
- BigQuery
- Datastore
- Hybrid (streaming data)
- Hybrid jobs and job triggers
(requires custom application)
- Other cloud providers
- On-premises servers or other data repositories
- Non-native storage systems, such as systems running inside a virtual machine
- Web and mobile apps
- Google Cloud-based solutions
- Workflow
- You write a script or create a workflow that sends data to Sensitive Data Protection for inspection along with some metadata.
- You configure and create a hybrid job resource or trigger and enable it to activate when it receives data.
- Your script or workflow runs on the client side and sends data to Sensitive Data Protection in the form of a hybridInspect request. The data includes an activation message and the job or job trigger's identifier, which triggers the inspection.
- Sensitive Data Protection inspects the data according to the criteria you set in the hybrid job or trigger.
- Sensitive Data Protection saves the results of the scan to the hybrid job resource, along with metadata that you provide. You can examine the results using the Sensitive Data Protection UI in Google Cloud console.
- Optionally, Sensitive Data Protection can run post-scan actions, such as saving inspection results data to a BigQuery table or notifying you by email or Pub/Sub.
- Supported actions
- Save findings to Sensitive Data Protection and Save findings to BigQuery
- Send Pub/Sub
- Send Email
- Publish to Cloud Monitoring
- Actions from inspection results
- On-demand vs continuous profiling
- Discovery
(continuous profiling)
- BigQuery
- BigLake
- On-demand inspection
- BigQuery
- Cloud Storage
- Datastore
- Hybrid
- How
(Inspection template)
- InfoTypes
- Built-in (150+)
- Country, region-specific sensitive data types
- Globally applicable data types
- Custom
- Regular dictionary detectors
- Stored dictionary detectors
- Regular expression (regex)
- Inspection Rules
- Fine-tune
- Exclusion rules
- Hotword rules
- Likelihood Value
- Likelihood Unspecified
- Very Unlikely
- Unlikely
- Possible
- Likely
- Very Likely
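As an added illustration of how the inspection-template pieces above fit together (a custom regex infoType, an exclusion rule, a hotword rule and a minimum likelihood), here is a small stand-alone Python inspector. It is example code written for this page, not the Sensitive Data Protection API or its client library; the sample text, infoType name and rule values are constructed.

```python
import re
from dataclasses import dataclass

# Likelihood scale Sensitive Data Protection attaches to findings, lowest to highest.
LIKELIHOODS = ["LIKELIHOOD_UNSPECIFIED", "VERY_UNLIKELY", "UNLIKELY",
               "POSSIBLE", "LIKELY", "VERY_LIKELY"]

@dataclass
class CustomInfoType:
    name: str
    regex: str                    # regular-expression detector
    likelihood: str = "POSSIBLE"  # base likelihood for a raw match

@dataclass
class HotwordRule:
    hotword_regex: str
    window_before: int            # chars before the match to search for the hotword
    likelihood: str               # fixed likelihood assigned when the hotword is present

@dataclass
class ExclusionRule:
    regex: str                    # a match that fully matches this pattern is dropped

@dataclass
class Finding:
    info_type: str
    quote: str
    start: int
    end: int
    likelihood: str

def inspect(text, info_types, hotword_rules=(), exclusion_rules=(),
            min_likelihood="POSSIBLE"):
    """Run each detector over text, apply exclusion and hotword rules, and keep
    findings at or above min_likelihood (the template's minimum likelihood)."""
    findings = []
    for it in info_types:
        for m in re.finditer(it.regex, text):
            if any(re.fullmatch(ex.regex, m.group()) for ex in exclusion_rules):
                continue                      # exclusion rule: drop the match
            likelihood = it.likelihood
            for hw in hotword_rules:          # hotword rule: adjust likelihood
                window = text[max(0, m.start() - hw.window_before):m.start()]
                if re.search(hw.hotword_regex, window):
                    likelihood = hw.likelihood
            if LIKELIHOODS.index(likelihood) >= LIKELIHOODS.index(min_likelihood):
                findings.append(Finding(it.name, m.group(), m.start(), m.end(), likelihood))
    return findings

# Constructed sample text and rules (not real data).
SAMPLE_TEXT = ("SSN: 123-45-6789. Order ref 987-65-4321 shipped. "
               "Test fixture 000-00-0000.")
INFO_TYPES = [CustomInfoType("SSN_LIKE", r"\b\d{3}-\d{2}-\d{4}\b")]
HOTWORDS = [HotwordRule(r"(?i)\bssn\b", window_before=10, likelihood="VERY_LIKELY")]
EXCLUSIONS = [ExclusionRule(r"000-00-0000")]

def run_example(min_likelihood="POSSIBLE"):
    return inspect(SAMPLE_TEXT, INFO_TYPES, HOTWORDS, EXCLUSIONS, min_likelihood)

if __name__ == "__main__":
    for f in run_example():
        print(f"{f.info_type} {f.quote!r} [{f.start}:{f.end}] {f.likelihood}")
```

Raising the minimum likelihood to LIKELY keeps only the finding that the hotword promoted, which is the tuning lever the exclusion and hotword rules are meant to give you.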
-
2) Protect/De-Identification
- De-identification techniques
- Redaction: Deletes all or part of a detected sensitive value.
- Replacement: Replaces a detected sensitive value with a specified surrogate value.
- Masking: Replaces a number of characters of a sensitive value with a specified surrogate character, such as a hash (#) or asterisk (*).
- Crypto-based tokenization: Encrypts the original sensitive data value using a cryptographic key. Sensitive Data Protection supports several types of tokenization, including transformations that can be reversed, or "re-identified."
- Bucketing: "Generalizes" a sensitive value by replacing it with a range of values. (For example, replacing a specific age with an age range, or temperatures with ranges corresponding to "Hot," "Medium," and "Cold.")
- Date shifting: Shifts sensitive date values by a random amount of time.
- Time extraction: Extracts or preserves specified portions of date and time values.
- De-identify examples
- De-identify data stored in Cloud Storage
- De-identify data from any source
- De-identify BigQuery data at query time
- De-identification and re-identification of PII in large-scale datasets in Cloud Storage
- Redact sensitive data from PDF files
- Use Sensitive Data Protection with AWS S3
- How
(De-identification template)
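The transformations listed above, carried out locally in Python as an added example that is not part of this page or of the Sensitive Data Protection service: the key, the sample record and the field-to-transformation mapping are constructed, and the crypto transformation is shown only as a keyed one-way hash (HMAC-SHA256) standing in for the service's crypto-based tokenization.

```python
import hashlib
import hmac
from datetime import date, timedelta
# Constructed key for the keyed-hash and date-shift transformations (illustrative only).
SECRET_KEY = b"constructed-example-key"

def redact(value: str) -> str:
    return ""  # Redaction: delete the detected value entirely.

def replace(value: str, surrogate: str) -> str:
    return surrogate  # Replacement: substitute a fixed surrogate such as the infoType name.

def mask(value: str, masking_char: str = "#", number_to_mask: int = 0,
         chars_to_ignore: str = "") -> str:
    """Masking: overwrite chars with masking_char (all, or the first number_to_mask),
    leaving chars_to_ignore such as separators untouched."""
    chars = list(value)
    positions = [i for i, c in enumerate(chars) if c not in chars_to_ignore]
    if number_to_mask > 0:
        positions = positions[:number_to_mask]
    for i in positions:
        chars[i] = masking_char
    return "".join(chars)

def crypto_hash(value: str) -> str:
    """Keyed one-way hash (non-reversible); reversible tokenization is not reproduced."""
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()

def bucket(value: float, lower: float, upper: float, size: float) -> str:
    """Fixed-size bucketing: generalize a number to a range such as '30-40'."""
    if value < lower:
        return f"<{lower:g}"
    if value >= upper:
        return f">={upper:g}"
    start = lower + ((value - lower) // size) * size
    return f"{start:g}-{start + size:g}"

def shift_days(context: str, max_days: int) -> int:
    """Shift in [-max_days, max_days] from an HMAC of context, so one subject's dates move together."""
    digest = hmac.new(SECRET_KEY, context.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % (2 * max_days + 1) - max_days

def date_shift(iso_date: str, context: str, max_days: int) -> str:
    """Date shifting: move an ISO date by the context-derived number of days."""
    shifted = date.fromisoformat(iso_date) + timedelta(days=shift_days(context, max_days))
    return shifted.isoformat()

def time_extract(iso_date: str) -> str:
    """Time extraction: keep only the year."""
    return str(date.fromisoformat(iso_date).year)

# Constructed sample record (not real data).
SAMPLE_RECORD = {"name": "Jane Roe", "ssn": "123-45-6789", "email": "jane@example.com",
                 "age": 34, "dob": "1989-07-04", "visit": "2024-02-13", "notes": "Free text"}

def deidentify_record(record: dict = SAMPLE_RECORD) -> dict:
    """Map each field to one transformation, as a de-identification template does."""
    return {"name": replace(record["name"], "[PERSON_NAME]"),
            "ssn": mask(record["ssn"], "#", chars_to_ignore="-"),
            "email": crypto_hash(record["email"]),
            "age": bucket(record["age"], 0, 100, 10),
            "dob": date_shift(record["dob"], record["ssn"], 30),
            "visit": time_extract(record["visit"]),
            "notes": redact(record["notes"])}
```

Because the date shift is derived from the record's own context value, two dates for the same subject move by the same offset, which keeps intervals between them intact for analysis.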
-
3) Resources
- Documentation
- How-to guides
- IAM roles required
-
4) "Traditional" DLP via BeyondCorp Enterprise
- Implement DLP with Chrome
- Uploads
- Downloads
- Content copied and pasted
- Content dragged and dropped
- 90+ content detectors
- Visual
-
Google Secrets Manager
-
Common use cases
- API Keys
- Certificates
- Private Keys
- Passwords
-
Highlights
- Replication policies
- Secret names are project-global resources, but secret data is stored in regions. You can choose specific regions in which to store your secrets, or let Google choose them for you. Either way, Secret Manager automatically replicates the secret data.
- First-class versioning
- Secret data is immutable and most operations take place on secret versions. With Secret Manager, you can pin a secret to specific versions like "42" or floating aliases like "latest."
- Cloud IAM integration
- Control access to secrets the same way you control access to other Google Cloud resources. Only project owners have permission to access Secret Manager secrets; other roles must explicitly be granted permissions through Cloud IAM.
- Audit logging
- With Cloud Audit Logs enabled, every interaction with Secret Manager generates an audit entry. You can ingest these logs into anomaly detection systems to spot abnormal access patterns and alert on possible security breaches.
- Encrypted by default
- Data is encrypted in transit with TLS and at rest with AES-256-bit encryption keys.
- VPC Service Controls support
- Enable context-aware access to Secret Manager from hybrid environments with VPC Service Controls.
- Powerful and extensible
- Secret Manager's API-first design makes it easy to extend and integrate into existing systems. It is also integrated into popular third-party technologies like HashiCorp Terraform and GitHub Actions.
- Best Practices
- BigQuery data security and governance
-
Spanner Security
- Access Control
- Fine-grained access control
- Encryption
-
Bigtable Security
- Authentication
- Access Control
- Create and manage tags
- Audit logging
- Encryption
-
GCP Security, Compliance, Governance, and
Architecture resources
-
Google Cloud Solutions Center
-
Discoveries
-
Cloud Capability Assessment
- The Cloud Capability Assessment helps determine where you are in your cloud journey and how you can develop new competencies across your business, financial and technology plans.
-
AI Readiness Quick Check
- A quick assessment to understand an organization's AI capabilities across 6 pillars. Provide best practices and recommended learnings to advance the organization's AI practice.
-
Security and Resilience Framework
- This discovery helps you evaluate your overall security maturity against five NIST functions: Identify, Protect, Detect, Respond and Recover. Use this discovery for recommendations on how to improve your security posture.
-
Data Foundations for AI Benchmarking
- Help customers understand the robustness of their data analytics foundations and its readiness for AI adoption. The output of the assessment is a gap analysis of current data foundation capabilities with set of Google recommendations and PoV to create a transformational data platform.
-
Cloud FinOps Assessment
- A cloud FinOps capability maturity assessment to help organizations better understand their cloud financial processes, culture, skillset, tooling, and technical competency. There are 13 questions which span the 5 pillars of cloud FinOps: 1. Accountability & Enablement, 2. Measurement & Realization, 3. Cost Optimization, 4. Planning & Forecasting, and 5. Tools & Accelerators. For each of the questions, the responses range between 1-5 with increasing maturity. If you have any issues taking the survey contact the Cloud FinOps team at pso-finops@google.com
-
Partner Excellence Framework (PEF) - PreDelivery
- Partners can use the PreDelivery assessment before the delivery of the project has started. This assessment evaluates the technical readiness of the partner team for any project/workload on Google Cloud. The assessment report helps to identify and capture any potential gaps in architecture and provide prescriptive guidance aligned with Google Cloud architectural best practices to remediate those gaps. Additionally, the assessment also provides questions and assets that partners can use during the project discovery.
-
Data & AI Cloud for Marketing - Benchmarking
- Understand your current marketing analytics capabilities to address the convergence of forces between shifting customer expectations and economic pressures putting more focus on growth and ROI of marketing activities.
-
Data & AI Cloud for Supply Chain - Benchmarking
- A benchmarking survey to understand the critical capabilities required across Supply Chains to reduce risks & disruptions, and solving for resiliency and sustainability amidst global disruptions.
-
Autonomic Security Operations
- Autonomic Security Operations is a stack of products, integrations, blueprints, technical content, and an accelerator program to enable customers to take advantage of our best-in-class technology stack built on Chronicle and Google’s deep security operations expertise.
-
The Defender’s Advantage: Mandiant Cyber Defense
- Self-assessment of capabilities tied to the six critical functions of cyber defense as detailed in The Defender's Advantage by Mandiant including Intel, Command and Control, Hunt, Detect, Respond and Validate.
-
Solutions
- (links in the solutions center)
-
Google Cloud Architecture Center
(Best Practices for Google Cloud)
-
Google Cloud Architecture Framework
- Review shared responsibility and shared fate on Google Cloud
- Understand security principles
- Manage risks with controls
- Manage your assets
- Manage identity and access
- Implement compute and container security
- Secure your network
- Implement data security
- Deploy applications securely
- Manage compliance obligations
- Implement data residency and sovereignty requirements
- Implement privacy requirements
- Implement logging and detective controls
-
Enterprise foundations blueprint
- Google Cloud deployment archetypes
-
Migrate to Google Cloud
- Assess and discover your workloads
- Build your foundation
- Transfer your large datasets
- Deploy your workloads
- Migrate from manual deployments to automated, containerized deployments
- Optimize your environment
- Best practices for validating a migration plan
- Minimize costs
- Hybrid and multicloud architecture guidance
- Migrate across Google Cloud regions
-
GCP Architecture Guides
- GenAI-Vertex-workbench-security
- Network Firewall Microsegmentation
- Google Cloud Certificate Authority Service deployment
- Securing User Managed Vertex-AI Workbench
- Deploying IL4 Assured Workload
- Deploying Australia Regions with Assured Support Workload
- SCC Cryptomining Program
- Secure Web Proxy
- Security and resilience framework
- Landing zone design in Google Cloud
- Google Cloud Infrastructure Reliability Guide
- Google Cloud security foundations blueprint guide
-
Best practices for cloud security products
- Anthos security blueprints
- Secured Data Warehouse security blueprint
- AI Platform Notebooks security blueprint
- Container security best practices
- Security best practice checklists
(Google Workspace)
-
Deployable security blueprints and landing zones
- Security foundations deployable assets
- Secured Data Warehouse blueprint GitHub repository
- AI Platform Notebooks blueprint GitHub repository
- Cloud Foundation Toolkit deployable assets
- Anthos security blueprints GitHub repository
-
Security whitepapers and references
-
Security transformation resources
- CISO’s guide to cloud security transformation
- Strengthening operational resilience for FinServ
- Building secure and reliable systems
- NEW! Risk governance of digital transformation
-
Google Cloud security whitepapers
- Google security
- Google Workspace security
- Google infrastructure security design overview
- Encryption at rest
- Encryption in transit
- Google Workspace encryption
- Cloud Key Management (KMS) deep dive
- BeyondProd: New approach to cloud-native security
- Binary Authorization for Borg
- BeyondCorp: A new approach to enterprise security
- Privileged access management in GCP
-
GCP Compliance resource center
-
Data governance
- Data regions
-
Data residency
- For European customers on Google Cloud
-
Privacy Resource Center
- Cloud DPIA Resource Center
- Find a Google Partner
-
Shared Fate Responsibility Model
-
Security & Governance topics
from our CISO (Phil Venables)
-
Questions from CEOs and Boards
-
Current Risk and Threat Outlook
- There's a lot going on in the world, can you give us a quick grand tour of the cyber threat landscape?
-
How are Companies Positioned
- Are companies always playing defense and catch-up, is there an end to this?
-
Is Cloud More Secure than prior IT?
- Is cloud more secure than traditional on-premises IT, what's the future here and how should companies select vendors in all this uncertainty?
-
Enterprise Risk Management
- How should organizations think about managing cyber risk with all their other risks - what's the efficient frontier here? Is this a technology problem or a business problem or both?
-
Board Conversations
- What is the right security conversation a Board should have?
- What should they be asking the CEO, the CIO, the CISO?
-
Personal Wishful Thinking
- You've had experience on both sides of the Board room, what do you wish you'd have done better either as a Board Director or a Chief Risk Officer / Chief Information Security Officer?
- We talk a lot about using security to deliver business enablement, is that viable?
-
Wishful Thinking for Others
- If you could make a wish and ask all our Boards or executives to do one thing that would benefit their security and make the lives of their CISOs easier, what would it be?
-
Crucial Questions from CIOs and CTOs
-
Moving to Cloud Quicker
- How do I get security, risk, compliance and audit more comfortable with an acceleration to the cloud - so I can deliver on objectives and in fact mitigate technology, security and resiliency risk more quickly?
-
Security vs. All Technology Risks
- Is cybersecurity the most significant risk and how should I prioritize security vs. all my other technology risks?
-
CISO Function Alignment
- How do I ensure the CISO function is integrated into IT / business processes / activities?
-
Forward Planning for Security
- I’d like to plan ahead but things coming from the security team seem so unpredictable
-
How Much Security is Enough?
- No amount of effort ever seems enough for the security team, what should I do?
-
Developer Agility and Security
- How do I ensure developer agility and productivity in the face of security?
-
Legacy Systems
- How should I deal with legacy systems and architectures that are hard to secure?
-
Crucial Questions from CISOs and Security Teams
-
Hybrid Multi-Cloud
- How do we manage security across our hybrid on-premises and multi-cloud / multi-SaaS environments?
-
Threat Intelligence
- How can we obtain, curate and act on threat intelligence in more effective ways?
-
Security Monitoring
- How can I scale security monitoring to deal with increased attack surface and increased sensory coverage?
-
Workforce Challenges
- How do I fill the positions I have with the right skills and people? How do I nurture my leaders and build a succession plan?
-
Board and Executive Relationships
- How do we keep the Board and executive leadership informed and on-side with our efforts?
-
IT Modernization
- How do I ensure IT prioritizes necessary security upgrades and IT systems modernization?
-
Benchmarking
- How do I know if I’m doing enough and if my risk profile is about right?
-
Crucial Questions from Governments and Regulators
-
Risk Tradeoffs
- How do we think about the trade-offs between security, resilience, privacy and other risks?
-
Principle vs. Objective Standards
- How stringent should we be in setting prescriptive standards for security?
-
Information Sharing
- What is the right amount and type of information to share between the public and private sector to what effect?
-
Supply Chain Risk
- How should we think about 3rd party, 4th party or even deeper supply chain risks?
-
Cybersecurity Workforce
- How do we ensure we are growing skills and jobs in our local market?
-
Nation State vs. Criminal Threats
- How should we prioritize dealing with nation state threats vs. organized criminal threats against businesses?
-
Reporting and Transparency
- How do we become aware of incidents affecting our domestic enterprises or those under our regulatory charge?
- Risk Governance of Digital Transformation in the Cloud
-
CISO's Guide to Cloud Security Transformation
- Google Cybersecurity Action Team
-
Security Terminology, Technologies, Solutions & Vendors
-
Cybersecurity Ecosystem mindmap
- by Strategy of Security
-
Cybersecurity Landscape
(solutions and vendors)
- CyberScape mapping (2021)
-
Terminology
- EDR - Endpoint Detection and Response
- XDR - Extended or enhanced approach to endpoint detection and response (EDR) in which the “X” serves as a wildcard operator to connote extending threat detection and response measures across endpoints, networks, SaaS applications, and cloud infrastructure.
- MDR - Managed Detection and Response (more analysis and threat intelligence compared to traditional MSSPs)
- MXDR - Managed extended detection and response - extends MDR services across the enterprise. Security analytics, operations, advanced threat hunting, detection and rapid response across endpoint, network, and cloud environments.
- SIEM - Security Information and Event Management
- SOAR - Security Orchestration, Automation, and Response - more automation compared to a traditional SIEM
- CSPM - Cloud security posture management
-
CASB - Cloud access security broker - proxy between users and cloud/Internet
- Visibility
- Threat Detection
- Compliance
- Data Security
- DLP - Data Loss Prevention
-
Additional resources
- Security Scorecard
- NICCS
- Global Knowledge
-
Learning resources
- Google Cloud security showcase
- Cloud Security Podcast
- GCP CIS Benchmarks™
- GCP MITRE ATT&CK®
- Professional Cloud Security Certification
- Coursera: Google Cloud Security
- Pluralsight: Security Best Practices in Google Cloud
- Security Summit 2022 recordings
- Next OnAir Security session recordings 2020
- Next Security session recordings 2019
-
8 - Secure Software Supply Chain
-
Ideal
- Shift security left in the software CI/CD pipeline.
-
High-level Model
-
Detailed Model
- Design secure deployment pipelines
-
Software Delivery Shield
- Cloud Workstations
(managed development environments)
- Cloud Code source protect
- Artifact Registry & Container Analysis
- Assured Open Source Software
- Cloud Build
- GKE security posture
- Cloud Run security insights
- Binary Authorization
-
Leveraging the SLSA ("salsa") framework
- Deploy an enterprise developer platform on Google Cloud
-
7 - Secure App Delivery
-
Ideal
- Protect external facing applications with DDoS defense, web application firewalling.
-
Components
-
Compute
- GKE Security
-
GCE Security
- Shielded VMs
- Confidential VMs
- Leveraging VPC Service Controls
- Disk Encryption
- Deploy a secured serverless architecture using Cloud Functions
- Deploy a secured serverless architecture using Cloud Run
- Compute and container security
-
Access
- Network & Application Security in Google Cloud
- Traffic Director
(Advanced Traffic Management)
-
Cloud Armor
- DDoS protection
- WAF protection
- Adaptive Protection
- Managed SSL Certs
- Best practices for securing applications and APIs using Apigee
-
6 - Network Security
-
Ideal
- Centrally manage network resources, establish scalable segmentation and detect network threats.
-
Components
-
Virtual Private Cloud
- Shared VPC
- Serverless VPC Connectivity
(Ingress and Egress)
-
Cloud Firewall
- Firewall Policies
- Firewall Insights
- Google Cloud Load Balancing
- Google Cloud IDS
- Best practices for VPC design
- Best practices for GKE networking
- Networking for hybrid and multi-cloud workloads: Reference architectures
- Networking for secure intra-cloud access: Reference architectures
- Networking for internet-facing application delivery: Reference architectures