-
1 - Cloud Governance
-
Ideal State
- Automated, governed infrastructure pipeline using Infrastructure as Code (IaC)
-
Components
- Best practices for accounts and organizations
- Landing zone design in Google Cloud
-
Resource Manager
- IAM and Org policies are inherited from parent Org/folders.
-
Policies
-
Organizational policies
- Why these should be used
- Preventative Guardrails
- Set policies that restrict or enforce resource configurations
- eg: VM’s must not have public Ips
- eg: Buckets must be provisioned in US-West1
- Identity Agnostic
- Applies to all users
- Platform-level
Enforcements
- Enforced regardless if entry point is Cloud Console, GCloud, or API
- Config-rime
Enforcement
- Majority of enforcement done during config-time
- Config-time policies are non-retroactive
- Existing workloads won’t suddenly break
- Built-in
Constraints
- Constraints are available in the platform and currently not extensible
- Foundational
Set
- Prevent access to Google Cloud services except from managed identities in domains allow
- Enforce Public Access Prevention
- Domain restricted sharing
- Domain restricted contacts
- Enforce uniform bucket-level access
- Require OS Login
- Enforce additional security policies for service accounts
- Disable service account key creation
- Disable Automatic IAM Grants for Default Service Accounts
- Disable Service Account Key Upload
- Prevent the creation of less secure VPC network configurations
- Disable VM serial port access
- Restrict shared VPC project lien removal
- Define allowed external IPs for VM instances
- Skip default network creation
- Sets the internal DNS setting for new projects to Zonal DNS Only
- Restrict Public IP access on Cloud SQL instances
- Restrict Authorized Networks on Cloud SQL instances
- Restrict Protocol Forwarding Based on type of IP Address
- Disable VPC External IPv6 usage
- Disable VM nested virtualization
- New default org policies for new Organizations created after Feb 13 2024
- Disable Service Account key creation
- Prevent users from creating persistent keys for Service Accounts.
- Decreases the risk of exposed Service Account credentials.
- Disable Service Account key upload
- Prevent the upload of external public keys to Service Accounts.
- Decreases the risk of exposed Service Account credentials.
- Disable automatic IAM grants for default Service Accounts
- Prevent default Service Accounts from receiving the overly-permissive IAM role Editor at creation.
- The Editor role lets the Service Account create and delete resources for most Google Cloud services, which creates a vulnerability if the Service Account gets compromised.
- Enforce Domain Restricted Sharing
- Limit IAM policies to only allow managed user identities in selected domain(s) to access resources inside this Organization.
- Leaving the Organization open to access by actors with domains other than the customers’ own creates a vulnerability.
- Allow only domain restricted contacts
- Limit Essential Contacts to only allow managed user identities in selected domain(s) to receive platform notifications.
- A bad actor with a different domain might get added as an Essential Contact, leading to a compromised security posture.
- Enforce uniform bucket-level access
- Prevent GCS buckets from using per-object ACL (a separate system from IAM policies) to provide access.
- Enforces consistency for access management and auditing.
- Set the internal DNS setting for new projects to zonal DNS only.
- Set guardrails that application developers cannot choose legacy DNS settings for Compute instances.
- Legacy DNS settings (global) have lower service reliability than modern DNS settings (zonal).
- Crating & managing custom constraints
- Specific guidance
- compute.disableNestedVirtualization
- Nested virtualization on Compute Engine VMs can evade monitoring and other security tools for your VMs if poorly configured. This constraint prevents the creation of nested virtualization.
- compute.disableSerialPortAccess
- IAM roles like compute.instanceAdmin allow privileged access to an instance's serial port using SSH keys. If the SSH key is exposed, an attacker could access the serial port and bypass network and firewall controls. This constraint prevents serial port access.
- compute.disableVpcExternalIpv6
- External IPv6 subnets can be exposed to unauthorized internet access if they are poorly configured. This constraint prevents the creation of external IPv6 subnets.
- compute.requireOsLogin
- The default behavior of setting SSH keys in metadata can allow unauthorized remote access to VMs if keys are exposed. This constraint enforces the use of OS Login instead of metadata-based SSH keys.
- compute.restrictProtocolForwardingCreationForTypes
- VM protocol forwarding for external IP addresses can lead to unauthorized internet egress if forwarding is poorly configured. This constraint allows VM protocol forwarding for internal addresses only.
- compute.restrictXpnProjectLienRemoval
- Deleting a Shared VPC host project can be disruptive to all the service projects that use networking resources. This constraint prevents accidental or malicious deletion of the Shared VPC host projects by preventing the removal of the project lien on these projects.
- compute.setNewProjectDefaultToZonalDNSOnly
- A legacy setting for global (project-wide) internal DNS is not recommended because it reduces service availability. This constraint prevents the use of the legacy setting.
- compute.skipDefaultNetworkCreation
- A default VPC network and overly permissive default VPC firewall rules are created in every new project that enables the Compute Engine API. This constraint skips the creation of the default network and default VPC firewall rules.
- compute.vmExternalIpAccess
- By default, a VM is created with an external IPv4 address that can lead to unauthorized internet access. This constraint configures an empty allowlist of external IP addresses that the VM can use and denies all others.
- essentialcontacts.allowedContactDomains
- By default, Essential Contacts can be configured to send notifications about your domain to any other domain. This constraint enforces that only email addresses in approved domains can be set as recipients for Essential Contacts.
- iam.allowedPolicyMemberDomains
- By default, allow policies can be granted to any Google Account, including unmanaged accounts, and accounts belonging to external organizations. This constraint ensures that allow policies in your organization can only be granted to managed accounts from your own domain. Optionally, you can allow additional domains.
- iam.automaticIamGrantsForDefaultServiceAccounts
- By default, default service accounts are automatically granted overly permissive roles. This constraint prevents the automatic IAM role grants to default service accounts.
- iam.disableServiceAccountKeyCreation
- Service account keys are a high-risk persistent credential, and in most cases a more secure alternative to service account keys can be used. This constraint prevents the creation of service account keys.
- iam.disableServiceAccountKeyUpload
- Uploading service account key material can increase risk if key material is exposed. This constraint prevents the uploading of service account keys.
- sql.restrictAuthorizedNetworks
- Cloud SQL instances can be exposed to unauthenticated internet access if the instances are configured to use authorized networks without a Cloud SQL Auth Proxy. This policy prevents the configuration of authorized networks for database access and forces the use of the Cloud SQL Auth Proxy instead.
- sql.restrictPublicIp
- Cloud SQL instances can be exposed to unauthenticated internet access if the instances are created with public IP addresses. This constraint prevents public IP addresses on Cloud SQL instances.
- storage.uniformBucketLevelAccess
- By default, objects in Cloud Storage can be accessed through legacy Access Control Lists (ACLs) instead of IAM, which can lead to inconsistent access controls and accidental exposure if misconfigured. Legacy ACL access is not affected by the iam.allowedPolicyMemberDomains constraint. This constraint enforces that access can only be configured through IAM uniform bucket-level access, not legacy ACLs.
- storage.publicAccessPrevention
- Cloud Storage buckets can be exposed to unauthenticated internet access if misconfigured. This constraint prevents ACLs and IAM permissions that grant access to allUsers and allAuthenticatedUsers.
- Additional Policy Controls
- Limit session and gcloud timeouts
- Disable Cloud Shell
- Use phishingresistant security keys
- Enable access transparency
- Enable access approval
- Setup Trusted Images project
- Manage Compute Engine resources using custom constraints
-
Policy Intelligence
- IAM Recommender
(ML used to help achieve least privilege)
- Policy Troubleshooter
(Why principal doesn't have access?)
- IAM Policy Analyzer
(Who has access to what?)
- Org Policy Analyzer
- Policy Simulator
(Simulate before breaking app/process)
-
Not just IaC, but also Policy as Code
- Declarative
- Validate
- Automate
- Roll back
- Scale
-
VPC Service Controls
-
Benefits
- Mitigate data exfiltration risks
- Keep data private inside the VPC
- Deliver independent data access controls
-
Features
- Coverage of services
- VPC SC offers broad coverage of internet to service, service to service, VPC to service access controls.
- Rich security logging
- Maintain an ongoing log of access denials to spot potential malicious activity on Google Cloud resources. Flow logs capture information about the IP traffic going to and from network interfaces on Compute Engine. The logs provide near real-time visibility.
- Support for hybrid environments
- Configure private communication to cloud resources from VPC networks that span cloud and on-premises hybrid deployments using Private Google Access.
- Secure communication
- Securely share data across service perimeters with full control over what resource can connect to others or to the outside.
- Context-aware access
- Control access to Google Cloud services from the internet based on context-aware access attributes like IP address and a user’s identity.
- Perimeter security for managed Google Cloud services
- Configure service perimeters to control communications between virtual machines and managed Google Cloud resources. Service perimeters allow free communication within the zone and block all service communication outside the perimeter.
-
Use cases
- Mitigate threats such as data exfiltration
- VPC Service Controls allow customers to address threats such as data theft, accidental data loss, and excessive access to data stored in Google Cloud multi-tenant services. It enables clients to tightly control what entities can access what services in order to reduce both intentional and unintentional losses.
- Isolate parts of the environment by trust level
- VPC Service Controls delivers a method to segment the multi-tenant services environment and isolate services and data. It enables environment micro-segmentation based on service and identity. Service Controls enables clients to extend their networks to include multi-tenant Google Cloud services and control egress and ingress of data.
- Secure access to multi-tenant services
- VPC Service Controls delivers zero-trust style access to multi-tenant services. Clients can restrict access to authorized IPs, client context, and device parameters while connecting to multi-tenant services from the internet and other services. Examples include GKE, BigQuery, etc. It enables clients to keep their entire data processing pipeline private.
-
Visual Example
- (Google Cloud official youtube video link)
-
Notifications
- Contacts & Notifications
- Audit Logging
- Billing Alerts
-
Assured Workloads
-
Data residency
- To help comply with data residency requirements, Google Cloud gives you the ability to control the regions where data at rest is stored.
- During Assured Workloads setup, you create an environment and select your compliance program. When you create resources in the environment, Assured Workloads restricts the regions you can select for those resources based on the compliance program you chose using Organization Policy.
-
Cryptographic control over data access
- Google Cloud applies encryption at rest and in transit by default. To gain more control over how data is encrypted, Google Cloud customers can use Cloud Key Management Service to generate, use, rotate, and destroy encryption keys according to their own policies.
- Cryptographic control over data access is achieved through the use of Key Access Justifications (KAJ) together with our Cloud External Key Manager (EKM).
- Assured Workloads configures the appropriate encryption services per workload depending on the compliance program you chose.
-
Assured Support
- Regulated customers’ compliance obligations extend to support services. Assured Support is a value-added service to Premium or Enhanced Support to ensure only Google support personnel meeting specific geographical locations and personnel conditions support their workload when raising a support case or needing technical assistance.
- By delivering the same features and benefits of Premium or Enhanced Support (including response times) with an added layer of controls and transparency, Assured Support helps customers meet compliance requirements without compromising on the level and quality of support.
-
Assured Workloads monitoring
- Assured Workloads monitoring scans your environment in real time and provides alerts whenever organization policy changes violate the defined compliance posture. The monitoring dashboard shows which policy is being violated and provides instructions on how to resolve the finding.
- Assured Workloads Quick Start Guide
-
Specific Frameworks
- FedRamp implementation guide
-
PCI DSS
- Limiting scope of compliance for PCI environments in Google Cloud
- PCI Data Security Standard compliance
- PCI DSS compliance on GKE
- Security blueprint: PCI on GKE
- Tokenizing sensitive cardholder data for PCI DSS
-
Active Assist portfolio
-
Cost
- VM machine type recommender
- Committed use discount recommender
- Idle VM recommender
- Cloud SQL overprovisioned instance recommender
-
Security
- IAM recommender
- Firewall insights
- Cloud Run recommender
-
Performance
- VM machine type recommender
- Managed instance group machine type recommender
-
Reliability
- Compute Engine predictive autoscaling
- Cloud SQL out-of-disk recommender
- Policy Troubleshooter
- Policy Analyzer
-
Manageability
- Network Intelligence Center
- Product suggestion recommender
- Policy Simulator
-
Sustainability
- Unattended project recommender
-
Access Transparency and Access Approval
- Customer data is not accessed for any reason other than to fulfill contractual obligations
- Valid business justification required for any access by support or engineering personnel
- Near real-time logs offer insight when Google Cloud administrators access your content
- Approve or dismiss requests for access by Google employees working to support your service
- Audit Manager (Private Preview)
- Consider a Zero Trust Architecture
-
Google Cloud Architecture Center
- Deployment archetypes
- Infrastructure reliability guide
- Landing zone design
- Enterprise foundations blueprint
-
2- Identity and Access Management
-
Ideal State
- Unified, federated identity. Least privilege policies based on user/service, role, resource, condition.
- Only short-term credentials - for everything, everywhere.
-
Components
-
Identities in Google Cloud
- Google Cloud Identity
- Best practices for federating Google Cloud with an external identity provider
- Workforce Identity Federation
- Workload Identify Federation
- Manage just-in-time privileged access to projects
-
* Propagate employee suspension events
- To fully revoke access to Google services, propagate suspension events to Cloud Identity or Google Workspace in the following ways:
- Ensure that whenever a user account is suspended in your external IdP, the corresponding user account in Cloud Identity or Google Workspace is suspended as well. Suspending a user in Cloud Identity or Google Workspace terminates active browser sessions, invalidates tokens, and revokes all other access.
- Similarly, when you reactivate a user account in your external IdP, make sure that you also reactivate the corresponding user account in Cloud Identity or Google Workspace.
-
MFA/2FA/2SV for admin accounts
- Hardware Keys
(prefered)
-
Least-privilege roles
& permissions
-
IAM Policy Intelligence
- Troubleshooter
- Simulator
- Recommender
- Analyzer
-
Service Accounts
-
When to use service accounts
- 4-min video
-
Best practices for managing
Service Account Keys
- Provide alternatives to creating service account keys.
- Use organization policy constraints to limit which projects can create service account keys.
- Don't leave service account keys in temporary locations.
- Don't pass service account keys between users.
- Don't submit service account keys to source code repositories.
- Don't embed service account keys in program binaries.
- Use insights and metrics to identify unused service account keys.
- Rotate service account keys to reduce security risk caused by leaked keys.
- Use uploaded keys to let keys expire automatically.
- Best Practices for using service accounts
- Best practices for using service accounts in pipelines
-
Migrate away from service account keys
- Assess: In this phase, you assess your existing environment to understand where service account keys exist and whether the keys are in use.
- Plan: In this phase, you decide which controls you will eventually deploy and communicate the migration plan to stakeholders.
- Deploy: In this phase, you begin refactoring workloads to authenticate with more secure alternatives to service account keys. You also build additional capabilities to continuously monitor your environment and mitigate future risk.
-
Identity Aware Proxy (IAP)
(leverage identity instead
of network access)
-
Common proxies
- App Engine
- Cloud Run
- Compute Engine
- GKE
- On-premises
-
Overview of TCP forwarding
- IAP for TCP forwarding
(enable admin access to VM's without external IP address or no direct Internet access)
- Secure IAP for TCP forwarding with VPC Service Controls
- Can be extended with access levels
(Access Context Manager)
- IAP Best Practices
-
Leveraging external identities
- Email/password
- OAuth (Google, Facebook, Twitter, GitHub, Microsoft, etc.)
- SAML
- OIDC
- Phone number
- Custom
- Anonymous
-
Access Context Manager
-
Create access levels for
projects and resources
- Permit access based on contextual information about the request
-
Methods
- Basic
- Collection of conditions
- Custom
(Google Workspace Premium)
- Created using Common Expression Language
-
Conditions
- IP subnetworks
(excludes private IP ranges)
- Geographic locations
- Device policy/
endpoint verification
(Google Workspace Premium)
- Supported computers
- Apple Mac OS X El Capitan (10.11) and later
- Devices running ChromeOS 110 and later
- Linux Debian and Ubuntu
- Note: CPU must support AES instructions.
- Microsoft Windows 10 and 11
- Criteria
- Screen lock
- Require admin approval
- Require corp owned device
- Storage encryption
- Operating system policy
- Access level dependencies
-
Leveraged with the
following GCP services
- VPC Service Controls
- Identity-Aware Proxy
- Context-Aware Access for Google Workspace
- Identity and Access Management (IAM) conditions
-
Context Aware Access (Google Workspace)
- Allow access to apps only from company-issued devices
- Allow access to Drive only if a user storage device is encrypted
- Restrict access to apps from outside the corporate network
- Best practices for securing SSH access to VM instances
-
Leverage OS Login to manage instances
- short video
- Setup OS Login
- Enforce OS Login at org level
- Troubleshooting access problems on Google Cloud
- Identity Platform
(authenticate users to apps and services)
- Secure the Google Cloud console and Google Cloud API's by leveraging BeyondCorp Enterprise
-
Leverage temporary access as much as possible
- Privileged Access Manager
(PAM)
- JIT (just-in-time privileged access to projects
-
3 - Logging & Monitoring
-
Ideal State
- Aggregated platform, system, and audit logs.
-
Components
-
Log types
- Admin Activity Audit Logs
- Data Access Audit Logs
-
Access Transparency Logs &
Access Aproval
- Enabling Access Transparency
-
Architecture
- Cloud Logging
- Log Analytics
- Cloud Monitoring
- FinOps
- Logging best practices
- Four steps to managing your Cloud Logging costs on a budget
-
4 - Security Operations
-
Ideal State
- Continuosly detect and act on vulnerabilities, threats, & misconfigurations.
-
Components
-
Supercharge security with AI
- Gemini for Google Cloud
- Security Command Center Enterprise
-
Google Security Operations
- Why SecOps?
- Integration into Enterprise
SOC Ecosustems
- Case Management
- Playbooks
- Investigation
- Threat Intel Platform
- Collaboration
- Crisis Management
- Business Intelligence
- All your data - fast!
- Hunt for threats 90% faster
than traditional SOC tools
- Detect by correlating petabytes of your telemetry and identity malicious activity/patters
- DNS
- Vulnerability data
- Cloud data
- Threat Intel
- EDR/XDR
- Authentication
- Identity
- Firewalls
- VPN
- Network
- Intelligent Data Fusion
- Unified data model
- Rich, extensible data model spanning Asset, User and IoC dimensions and attributes
- IP to host correlation
- Automated IP to host correlation enables instant asset and IoC analytics
- Canonical event deduplication
- Logical event layer (user logins, network connections etc.) and visualization simplifies and expedites analysis
- At a disruptive cost
- Eliminate the tradeoffs between cost and security with fixed and predictable pricing that is decoupled from capacity, compute and log source count.
- SecOps Services
- Solutions
- SecOps Transformation
- SIEM Augmentation
- Cloud Detection & Response
- Service Providers
- Knowledge base
- Data Sheets
- Chronicle SIEM
- Chronicle SOAR
- Blogs
- Case Studies
- Third-party Reports
-
Google Threat Intelligence
- Know who’s targeting you with unmatched visibility
- Turn insights into action
- Make Google part of your security team
- Supercharge your team with Gemini
- Simplify workflows and collaboration with a workbench
- Trust a unified verdict
- AI-powered security whitepaper
-
Mandiant
-
Mandiant Advantage Platform
- Threat Intelligence
(know who's targeting you)
- What are the threats and how I detect them?
- How do threats affect me?
- How do I use threat intelligence effectively?
- Attack Surface Management
(know what is exposed on the Internet)
- Identify and remove sprawl
- Reduce software and cloud risk
- Monitor and Enforce security policies
- Security Validation
(know if you're prepared)
- Are we prepared?
- Proactive Security Validation
- Validation as a service
- Managed or co-managed validation
- Prioritize, Measure, Optimize,
Rationalize, Monitor
- Alert Investigation and Prioritization
(formerly Automated Defense)
- Alert Investigation and Prioritization
- Managed Defense
- 24/7 monitoring
- Attacker behavior investigation & analysis
- Advanced Detection & Hunting
- Response & Remediation
- Breach Analytics for Chronicle
(are we compromised?)
-
Consulting Services
- Incident Response
- Incident Response Service
- Incident Response Retainer
- Compromise Assessment
- Cyber Defense Assessment
- Ransomware
- Ransomware Defense Assessment
- Red Team for Ransomware
- Purple Team for Ransomware
- Tabletop Exercise
- Threatspace Cyber Range Simulation Exercise
- Risk Management
- Cyber Security Due Diligence
- Cyber Security Program Assessment
- Cyber Risk Management Operations
- Crown Jewels Assessment
- Threat and Vulnerability Assessment
- Threat Modeling Security Service
- Targeted Attack Testing
- Red Team Assessment
- Purple Team Assessment
- Continuous Purple Team Assessment
- Tabletop Exercise
- Embedded Device Assessment
- Penetration Testing
- Red Team – TIBER-EU
- ThreatSpace Cyber Range Simulation Exercise
- Cyber Security Transformation
- Cyber Defense Center Development
- Cyber Defense Operations
- Threat Intelligence, Threat Hunting and Incident Response Training
- Identity-First Security
- Insider Threat Assessment
- Insider Threat as a Service
- Remote Security Assessment
- Active Directory Assessment
- Penetration Testing for Internal Attacks
- Penetration Testing for Social Engineering
- Industrial Control Systems (ICS) & Operational Technology (OT)
- Explore all OT/ICS Solutions
- Industrial Control Systems (ICS) Healthcheck
- Penetration Testing for ICS
- Penetration Testing for Embedded/IoT
- Cloud Security
- Cloud Security Assessments
- Microsoft Office 365 Assessment
- Cloud Architecture Assessment: Azure, AWS, GCP
- Cloud Penetration Testing
- Cyber Security Due Diligence
- Cyber Security Due Diligence
- Penetration Testing for Web Applications
- Penetration Testing for Mobile
- Penetration Testing for Wireless
- Penetration Testing for Physical Security
- Threat Intelligence Services
- Applied Intelligence
- Cyber Threat Profile
- Intelligence Capability Development
- Executive Intelligence Briefings
-
Mandiant Resources
- Blog
- Customer Stories
- Webinars
- Events
- Datasheets
- White Papers
- Podcasts
- Reports
- Cyber Security forecast 2023
- Global Perspectives on
Threat Intelligence Report
- Insights
- Infographics
- eBooks
- Mandiant Academy
- Course Catalog
- Introductory Courses
- Introduction to Cyber Crime for Executives
- Cyber Security Awareness
- Fundamentals of Industrial Control Systems (ICS) Security
- Fundamentals of Cyber Security
- Cyber Security Policy and Implementation
- Audits and Compliance in the Cyber Domain
- Introduction to the Mandiant Security Instrumentation Platform
- Intelligence and Attribution Courses
- Introduction to Threat Intelligence and Attribution
- Cyber Intelligence Foundations
- Intelligence Research I—Scoping
- Intelligence Research II—Open Source Intelligence (OSINT)
- Cyber Intelligence Production
- Incident Response Courses
- Incident Response for Everyone
- Windows Enterprise Incident Response
- Linux Enterprise Incident Response
- Combined Windows-Linux Enterprise Incident Response
- Network Traffic Analysis
- Practical Threat Hunting
- Digital Forensics and Incident Response for PLCs
- Malware Analysis Courses
- Malware Analysis Fundamentals
- Malware Analysis Crash Course
- Malicious Documents Analysis
- Advanced Red Teaming Techniques: Malware Authoring and Repurposing
- Malware Analysis Master Course
- Advanced Acquisition and
Testing Techniques Courses
- Creative Red Teaming
- Practical Mobile Application Security
- Workshops
- Business Email Compromise
- Exercises and Preparedness
- ThreatSpace: Real-World Attack Scenarios
- Senior Executive Mentorship Program
- Upcoming Public Courses
- On-Demand Courses
- Mandiant Certifications
- ThreatSpace Cyber Range
-
BeyondCorp & Zero Trust
- BeyondCorp Access in one minute
- Operate with Zero Trust using
BeyondCorp Enterprise
- Context-aware access
-
BeyondCorp Alliance
-
-
Additional references
- An overview: "A New Approach to Enterprise Security"
- How Google did it: "Design to Deployment at Google"
- Google's frontend infrastructure: "The Access Proxy"
- Migrating to BeyondCorp: "Maintaining Productivity while Improving Security"
- The human element: "The User Experience"
- Secure your endpoints: "Building a Healthy Fleet"
-
Security Partners
-
Ecosystem
-
Infrastructure Protection
- Next-gen firewalls
- Web application firewalls (WAFs)
- Web proxies and cloud gateways
- Server endpoint protection
- DDoS protection
- Container security
-
Data Protection
- Encryption and key management
- Data/information loss protection
-
Logging and monitoring
- Logging and monitoring
- Configuration, vulnerability, risk, and compliance
-
Configuration, vulnerability, risk, and compliance
- Vulnerability scanners
- Governance, risk management, and compliance
-
5 - Data Protection
-
Ideal
- Identify and protect your most important data.
-
Components
- Data Security Guidance
-
Encryption of data at rest
-
Default Encryption
- Enabled by default - Google manages encryption keys
-
Cloud KMS
- Customer can manage their own keys, hosted by Google
-
Cloud HSM
- Customer can manage their own keys, hosted by Google on a dedicated hardware module
-
Cloud EKM
- Customer manages & hosts their own keys externally from Google
-
Sensitive Data Protection
(includes Data Loss Prevention)
- Features
- API Driven &
GCP Console
- Cover use cases anywhere, on or off cloud with the DLP API
- De-identification, masking, tokenization, and bucketing
- Powerful and flexible masking of your AI/ML workloads
- Streaming content API
- Automated sensitive data discovery and classification (for BigQuery)
- Sensitive data intelligence for security assessments
- Results can be imported into BigQuery for analysis or imported into other systems
- With direct feeds into Chronicle and Security Command Center, you can leverage sensitive data intelligence to reduce noise and prioritize threats, vulnerabilities, and security investigations.
- Inspection/Analysis
- Learn about your data
- Discovery/data profiling
(for BigQuery)
- Get continuous visibility into all your sensitive data.
- Deep inspection
- Inspect your data in storage systems exhaustively and investigate individual findings.
- Risk Analysis
(for BigQuery)
- Process of analyzing sensitive data to find properties that might increase the risk of subjects being identified
- Sensitive information about individuals being revealed
- Help determine effective de-identification strategy
- Help monitor for any changes or outliers, after de-identification
- Methods
- Content (streaming data)
- Leveraging the DLP API
- InspectContent
- DeidentifyContent
- ReidentifyContent
- RedactImage
- OUTPUT:
- Inspection Findings
- De-Id transformed content
- Storage (Native GCP sources)
- Shards data and
works in parallel
- Cloud Storage
- BigQuery
- Datastore
- Hybrid (streaming data)
- Hybrid jobs and job triggers
(requires custom application)
- Other cloud providers
- On-premises servers or other data repositories
- Non-native storage systems, such as systems running inside a virtual machine
- Web and mobile apps
- Google Cloud-based solutions
- Workflow
- You write a script or create a workflow that sends data to Sensitive Data Protection for inspection along with some metadata.
- You configure and create a hybrid job resource or trigger and enable it to activate when it receives data.
- Your script or workflow runs on the client side and sends data to Sensitive Data Protection in the form of a hybridInspect request. The data includes an activation message and the job or job trigger's identifier, which triggers the inspection.
- Sensitive Data Protection inspects the data according to the criteria you set in the hybrid job or trigger.
- Sensitive Data Protection saves the results of the scan to the hybrid job resource, along with metadata that you provide. You can examine the results using the Sensitive Data Protection UI in Google Cloud console.
- Optionally, Sensitive Data Protection can run post-scan actions, such as saving inspection results data to a BigQuery table or notifying you by email or Pub/Sub.
- Supported actions
- Save findings to Sensitive Data Protection and Save findings to BigQuery
- Send Pub/Sub
- Send Email
- Publish to Cloud Monitoring
- Actions from inspection results
- On-demand vs continuous profiling
- Discovery
(continuous profiling)
- BigQuery
- BigLake
- On-demand
inspection
- BigQuery
- Cloud Storage
- Datastore
- Hybrid
- How
(Inspection template)
- InfoTypes
- Built-in (150+)
- Country, region-specific sensitive data types
- Globally applicable data types
- Custom
- Regular dictionary detectors
- Stored dictionary detectors
- Regular expression (regex)
- Inspection Rules
- Fine-tune
- Exclusion rules
- Hotword rules
- Likelihood Value
- Likelihood Unspecified
- Very Unlikely
- Unlikely
- Possible
- Likely
- Very Likely
- Protection/De-Identification
- De-identification techniques
- Redaction: Deletes all or part of a detected sensitive value.
- Replacement: Replaces a detected sensitive value with a specified surrogate value.
- Masking: Replaces a number of characters of a sensitive value with a specified surrogate character, such as a hash (#) or asterisk (*).
- Crypto-based tokenization: Encrypts the original sensitive data value using a cryptographic key. Sensitive Data Protection supports several types of tokenization, including transformations that can be reversed, or "re-identified."
- Bucketing: "Generalizes" a sensitive value by replacing it with a range of values. (For example, replacing a specific age with an age range, or temperatures with ranges corresponding to "Hot," "Medium," and "Cold.")
- Date shifting: Shifts sensitive date values by a random amount of time.
- Time extraction: Extracts or preserves specified portions of date and time values.
- De-identify examples
- De-identify data stored in Cloud Storage
- De-identify data from any source
- De-identify BigQuery data at query time
- De-identification and re-identification of PII in large-scale datasets in Cloud Storage
- Redact sensitive data from PDF files
- Use Sensitive Data Protection with AWS S3
- How
(De-identification template)
- Resources
- Documentation
- How-to guides
- "Traditional" DLP via BeyondCorp Enterprise
- Implement DLP with Chrome
- Uploads
- Downloads
- Content copied and pasted
- Content dragged and dropped
- 90+ content detectors
- Visual
-
Sensitive Data Protection
(includes Data Loss Prevention)
-
1) Understand/Inspection/Analysis
- Learn about your data
- Discovery/data profiling
- Get continuous visibility into all your sensitive data.
- BigQuery - GA
- BigLake - GA
- Cloud SQL - Preview
- Deep inspection
- Inspect your data in storage systems exhaustively and investigate individual findings.
- Risk Analysis
(for BigQuery)
- Process of analyzing sensitive data to find properties that might increase the risk of subjects being identified
- Sensitive information about individuals being revealed
- Help determine effective de-identification strategy
- Help monitor for any changes or outliers, after de-identification
- Report Credentials & Secrets to SCC
- detailed list
- Methods
- Content (streaming data)
- Leveraging the DLP API
- InspectContent
- DeidentifyContent
- ReidentifyContent
- RedactImage
- OUTPUT:
- Inspection Findings
- De-Id transformed content
- Storage (Native GCP sources)
- Shards data and
works in parallel
- Cloud Storage
- BigQuery
- Datastore
- Hybrid (streaming data)
- Hybrid jobs and job triggers
(requires custom application)
- Other cloud providers
- On-premises servers or other data repositories
- Non-native storage systems, such as systems running inside a virtual machine
- Web and mobile apps
- Google Cloud-based solutions
- Workflow
- You write a script or create a workflow that sends data to Sensitive Data Protection for inspection along with some metadata.
- You configure and create a hybrid job resource or trigger and enable it to activate when it receives data.
- Your script or workflow runs on the client side and sends data to Sensitive Data Protection in the form of a hybridInspect request. The data includes an activation message and the job or job trigger's identifier, which triggers the inspection.
- Sensitive Data Protection inspects the data according to the criteria you set in the hybrid job or trigger.
- Sensitive Data Protection saves the results of the scan to the hybrid job resource, along with metadata that you provide. You can examine the results using the Sensitive Data Protection UI in Google Cloud console.
- Optionally, Sensitive Data Protection can run post-scan actions, such as saving inspection results data to a BigQuery table or notifying you by email or Pub/Sub.
- Supported actions
- Save findings to Sensitive Data Protection and Save findings to BigQuery
- Send Pub/Sub
- Send Email
- Publish to Cloud Monitoring
- Actions from inspection results
- On-demand vs continuous profiling
- Discovery
(continuous profiling)
- BigQuery
- BigLake
- On-demand
inspection
- BigQuery
- Cloud Storage
- Datastore
- Hybrid
- How
(Inspection template)
- InfoTypes
- Built-in (150+)
- Country, region-specific sensitive data types
- Globally applicable data types
- Custom
- Regular dictionary detectors
- Stored dictionary detectors
- Regular expression (regex)
- Inspection Rules
- Fine-tune
- Exclusion rules
- Hotword rules
- Likelihood Value
- Likelihood Unspecified
- Very Unlikely
- Unlikely
- Possible
- Likely
- Very Likely
-
2) Protect/De-Identification
- De-identification techniques
- Redaction: Deletes all or part of a detected sensitive value.
- Replacement: Replaces a detected sensitive value with a specified surrogate value.
- Masking: Replaces a number of characters of a sensitive value with a specified surrogate character, such as a hash (#) or asterisk (*).
- Crypto-based tokenization: Encrypts the original sensitive data value using a cryptographic key. Sensitive Data Protection supports several types of tokenization, including transformations that can be reversed, or "re-identified."
- Bucketing: "Generalizes" a sensitive value by replacing it with a range of values. (For example, replacing a specific age with an age range, or temperatures with ranges corresponding to "Hot," "Medium," and "Cold.")
- Date shifting: Shifts sensitive date values by a random amount of time.
- Time extraction: Extracts or preserves specified portions of date and time values.
- De-identify examples
- De-identify data stored in Cloud Storage
- De-identify data from any source
- De-identify BigQuery data at query time
- De-identification and re-identification of PII in large-scale datasets in Cloud Storage
- Redact sensitive data from PDF files
- Use Sensitive Data Protection with AWS S3
- How
(De-identification template)
-
3) Resources
- Documentation
- How-to guides
- IAM roles required
-
4) "Traditional" DLP via BeyondCorp Enterprise
- Implement DLP with Chrome
- Uploads
- Downloads
- Content copied and pasted
- Content dragged and dropped
- 90+ content detectors
- Visual
-
Google Secrets Manager
-
Common use cases
- API Keys
- Certificates
- Private Keys
- Passwords
-
Highlights
- Replication policies
- Secret names are project-global resources, but secret data is stored in regions. You can choose specific regions in which to store your secrets, or you can let us decide. Either way, we automatically handle the replication of secret data.
- First-class versioning
- Secret data is immutable and most operations take place on secret versions. With Secret Manager, you can pin a secret to specific versions like "42" or floating aliases like "latest."
- Cloud IAM integration
- Control access to secrets the same way you control access to other Google Cloud resources. Only project owners have permission to access Secret Manager secrets; other roles must explicitly be granted permissions through Cloud IAM.
- Audit logging
- With Cloud Audit Logs enabled, every interaction with Secret Manager generates an audit entry. You can ingest these logs into anomaly detection systems to spot abnormal access patterns and alert on possible security breaches.
- Encrypted by default
- Data is encrypted in transit with TLS and at rest with AES-256-bit encryption keys.
- VPC Service Controls support
- Enable context-aware access to Secret Manager from hybrid environments with VPC Service Controls.
- Powerful and extensible
- Secret Manager's API-first design makes it easy to extend and integrate into existing systems. It is also integrated into popular third-party technologies like HashiCorp Terraform and GitHub Actions.
- Best Practices
- BigQuery data security and governance
-
Spanner Security
- Access Control
- Fine-grained access control
- Encryption
-
Bigtable Security
- Authentication
- Access Control
- Create and manage tags
- Audit logging
- Encryption
-
Bonus: GenAI Security
&
Governance Considerations
-
Google Guidance & Resources
-
Generative AI Introduction
-
Terminology and data classification
- Foundation Models
(Trained on data not owned by GCP customers)
- Owned by Google
- Prompt datasets
(Datasets provided by GCP customers)
- Owned by Customer
- Fully-tuned or fine-tuned models
(Trained on prompt dataset data provided by GCP customers)
- Owned by Customer
- Adapter models
(Trained on prompt dataset provided by GCP customers, but simpler and less costly to train & serve)
- Owned by Customer
- Google's Secure AI Framework (SAIF)
-
Cloud Architecture Center
-
Generative AI
- Jump Start Solution: Generative AI document summarization
- Jump Start Solution: Generative AI RAG with Cloud SQL
- Build and deploy generative AI and machine learning models in an enterprise
- Jump Start Solution: Generative AI Knowledge Base
- Infrastructure for a RAG-capable generative AI application using GKE
- Infrastructure for a RAG-capable generative AI application using Vertex AI
- Use generative AI for utilization management
-
Model Training
- Best practices for implementing machine learning on Google Cloud
- Cross-silo and cross-device federated learning on Google Cloud
- Model development and data labeling with Google Cloud and Labelbox
-
ML Ops
- Build and deploy generative AI and machine learning models in an enterprise
- Architecture for MLOps using TensorFlow Extended, Vertex AI Pipelines, and Cloud Build
- Guidelines for developing high-quality, predictive ML solutions
-
AI and ML applications
- Jump Start Solution: AI/ML image processing on Cloud Functions
- Build an ML vision analytics solution with Dataflow and Cloud Vision API
- Design storage for AI and ML workloads in Google Cloud
- Scalable TensorFlow inference system
- Serve Spark ML models using Vertex AI
- Use Vertex AI Pipelines for propensity modeling on Google Cloud
-
Third-party product integrations
- C3 AI architecture on Google Cloud
- Data Governance and Generative AI
-
Google Cloud Security Controls
- VPC-SC
(VPC Service Controls)
- AXT
(Access Transparency Logs)
- DRZ
(Data Residence Controls)
- CMEK
(Customer Managed Encryption Keys)
- Ephemerality: In-use customer core content destroyed upon expiry without undue delay.
-
Consulting Services
-
Mandiant AI Security Consulting
- Securing the use of AI
- Red teaming for AI
- Applying AI for defenders
-
Google Cloud Consulting
- Automate with GenAI
- Automate with GenAI
- Back Office of the Future: Phase 1: MVP and Architecture
- Back Office of the Future: Phase 2: MVP to Production Technical Guidance
- CCAI Advisory Services Subscription
- CX Transformation with CCAIP
- Contact Center Modernization
- Converse with GenAI
- Create with GenAI
- Customer Service Modernization
- Customer Service Modernization: Customer Service Platform Modernization
- Customer Service Modernization: Customer Service Search & Discover
- Customer Service Modernization: Frontline Agent Experience Evolution
- Customer Service Modernization: RealTime Insights
- Customer Service Modernization: Virtual Assistant & Digital Concierge
- Developer Productivity with GenAI: Develop like Google
- Developer Productivity with GenAI: Manage like Google
- Developer Productivity with GenAI: Run like Google
- Discover with GenAI
- GenAI Ops: GenAI Continuous Tuning and Feedback
- GenAI Ops: GenAI Model Optimization
- GenAI for Digital Commerce: Catalog & Content Enrichment
- GenAI for Digital Commerce: Conversational Commerce
- GenAI for Marketing: Creative & Content Generation
- GenAI for Marketing: Insights & Measurement
- GenAI for Marketing: Personalization & Media Performance
- Improve Agent Productivity using LLMs
- ML Model Management & Ops
- MLOps Foundations on Vertex AI
- Productionize GenAI
- Summarize with GenAI
- Vertex AI Search and Conversation
- Website Modernization: Enhance Web Navigation
- Website Modernization: Improve SelfService and Deflection Rates
- Website Modernization: Streamline Content Generation
-
Training
-
Generative AI Learning Path - no cost training
- Introduction to Generative AI
- Introduction to Large Language Models
- Introduction to Responsible AI
- Generative AI Fundamentals
- Introduction to Image Generation
- Encoder-Decoder Architecture
- Attention Mechanism
- Transformer Models and BERT Model
- Create Image Captioning Models
- Introduction to Generative AI Studio
-
Additional AI/ML training - varying learning credits required to complete on Google Cloud Skills Boost
-
Introductory level
- [Course with completion badge] How Google Does Machine Learning (1 day)
- [Course with completion badge] MLOps: Getting Started (1 day)
- [Skill badge] Get started with TensorFlow on Google Cloud (8 hours)
- [Skill badge] Perform foundational ML, AI and data tasks in Google Cloud (7 hours)
- [Course with completion badge] Language, Speech, Text, and Translation with Google Cloud APIs (5 hours)
-
Intermediate/Multi-level
- [Learning Path] Machine Learning Engineer (Collection of 15 video courses and labs)
- [Skill badge] Build and Deploy Machine Learning Solutions on Vertex AI (1 day)
-
Advanced
- [Training + certification exam] Google Cloud Professional ML Engineer Certification (varied time)
- [Skill badge] Machine Learning with TensorFlow in Vertex AI (90 minutes)
- [Course with completion badge] Natural Language Processing in Google Cloud (1 day)
-
Additional Resources
- Supercharge security with generative AI
- Advancing the art of AI-driven security with Google Cloud
- Securing the AI Pipeline (Mandiant)
- Threat Actors are Interested in Generative AI, but Use Remains Limited (Mandiant)
- AI and Cybersecurity: How Mandiant Consultants and Analysts are Leveraging AI Today (Mandiant)
- Google Cloud Whitepaper: Adaptations of Large Foundation Models
- Red Teams and AI Systems
-
Industry resources
- MITRE | ATLAS™ - Adversarial Threat Landscape for Artificial-Intelligence System
- OWASP Top 10 List for Large Language Models version 1.0
- AI Vulnerability Database
-
GCP Security, Compliance, Governance, and
Architecture resources
-
Google Cloud Solutions Center
-
Discoveries
-
Cloud Capability Assessment
- The Cloud Capability Assessment helps determine where you are in your cloud journey and how you can develop new competencies across your business, financial and technology plans.
-
AI Readiness Quick Check
- A quick assessment to understand an organization's AI capabilities across 6 pillars. Provide best practices and recommended learnings to advance the organization's AI practice.
-
Security and Resilience Framework
- This discovery helps you evaluate your overall security maturity against five NIST functions: Identify, Protect, Detect, Respond and Recover. Use this discovery for recommendations on how to improve your security posture.
-
Data Foundations for AI Benchmarking
- Help customers understand the robustness of their data analytics foundations and its readiness for AI adoption. The output of the assessment is a gap analysis of current data foundation capabilities with set of Google recommendations and PoV to create a transformational data platform.
-
Cloud FinOps Assessment
- A cloud FinOps capability maturity assessment to help organizations better understand their cloud financial processes, culture, skillset, tooling, and technical competency. There are 13 questions which span the 5 pillars of cloud FinOps: 1. Accountability & Enablement, 2. Measurement & Realization, 3. Cost Optimization, 4. Planning & Forecasting, and 5. Tools & Accelerators. For each of the questions, the responses range between 1-5 with increasing maturity. If you have any issues taking the survey contact the Cloud FinOps team at pso-finops@google.com
-
Partner Excellence Framework (PEF) - PreDelivery
- Partners can use the PreDelivery assessment before the delivery of the project has started. This assessment evaluates the technical readiness of the partner team for any project/workload on Google Cloud. The assessment report helps to identify and capture any potential gaps in architecture and provide prescriptive guidance aligned with Google Cloud architectural best practices to remediate those gaps. Additionally, the assessment also provides questions and assets that partners can use during the project discovery.
-
Data & AI Cloud for Marketing - Benchmarking
- Understand your current marketing analytics capabilities to address the convergence of forces between shifting customer expectations and economic pressures putting more focus on growth and ROI of marketing activities.
-
Data & AI Cloud for Supply Chain - Benchmarking
- A benchmarking survey to understand the critical capabilities required across Supply Chains to reduce risks & disruptions, and solving for resiliency and sustainability amidst global disruptions.
-
Autonomic Security Operations
- Autonomic Security Operations is a stack of products, integrations, blueprints, technical content, and an accelerator program to enable customers to take advantage of our best-in-class technology stack built on Chronicle and Google’s deep security operations expertise.
-
The Defender’s Advantage: Mandiant Cyber Defense
- Self-assessment of capabilities tied to the six critical functions of cyber defense as detailed in The Defender's Advantage by Mandiant including Intel, Command and Control, Hunt, Detect, Respond and Validate.
-
Solutions
- (links in the solutions center)
-
Google Cloud Architecture Center
(Best Practices for Google Cloud)
-
Google Cloud Architecture Framework
- Review shared responsibility and shared fate on Google Cloud
- Understand security principles
- Manage risks with controls
- Manage your assets
- Manage identity and access
- Implement compute and container security
- Secure your network
- Implement data security
- Deploy applications security
- Manage compliance obligations
- Implement data residency and sovereignty requirements
- Implement privacy requirements
- Implement logging and detective controls
-
Enterprise foundations blueprint
- Google Cloud deployment archetypes
-
Migrate to Google Cloud
- Assess and discover your workloads
- Build your foundation
- Transfer your large datasets
- Deploy your workloads
- Migrate from manual deployments to automated, containerized deployments
- Optimize your environment
- Best practices for validating a migration plan
- Minimize costs
- Hybrid and multicloud architecture guidance
- Migrate across Google Cloud regions
-
GCP Architecture Guides
- GenAI-Vertex-workbench-security
- Network Firewall Microsegmentation
- Google Cloud Certificate Authority Service deployment
- Securing User Managed Vertex-AI Workbench
- Deploying IL4 Assured Workload
- Deploying Australia Regions with Assured Support Workload
- SCC Cryptomining Program
- Secure Web Proxy
- Security and resilience framework
- Landing zone design in Google Cloud
- Google Cloud Infrastructure Reliability Guide
- Google Cloud security foundations
blueprint guide
-
Best practices for cloud
security products
- Anthos security blueprints
- Secured Data Warehouse
security blueprint
- AI Platform Notebooks
security blueprint
- Container security
best practices
- Security best
practice checklists
(Google Workspace)
-
Deployable security blueprints
and landing zones
- Security foundations
deployable assets
- Secured Data Warehouse
blueprint GitHub repository
- AI Platform Notebooks
blueprint GitHub repository
- Cloud Foundation Toolkit
deployable assets
- Anthos security blueprints
GitHub repository
-
Security whitepapers
and references
-
Security transformation
resources
- CISO’s guide to cloud
security transformation
- Strengthening operational
resilience for FinServ
- Building secure and
reliable systems
- NEW! Risk governance
of digital transformation
-
Google Cloud
security whitepapers
- Google security
- Google Workspace security
- Google infrastructure
security design overview
- Encryption at rest
- Encryption in transit
- Google Workspace encryption
- Cloud Key Management
(KMS) deep dive
- BeyondProd: New approach
to cloud-native security
- Binary Authorization for Borg
- BeyondCorp: A new approach
to enterprise security
- Privileged access
management in GCP
-
GCP Compliance
resource center
-
Data governance
- Data regions
-
Data residency
- For European
customers on
Google Cloud
-
Privacy Resource Center
- Cloud DPIA
Resource Center
- Find a Google Partner
-
Shared Fate Responsibility Model
-
Security & Governance topics
from our CISO (Phil Venables)
-
Questions from CEO's and Boards
-
Current Risk and Threat Outlook
- There's a lot going on in the world, can you give us a quick grand tour of the cyber threat landscape?
-
How are Companies Positioned
- Are companies always playing defense and catch-up, is there an end to this?
-
Is Cloud More Secure than prior IT?
- Is cloud more secure than traditional on-premise IT, what's the future here and how should companies select vendors in all this uncertainty?
-
Enterprise Risk Management
- How should organizations think about managing cyber risk with all their other risks - what's the efficient frontier here? Is this a technology problem or a business problem or both?
-
Board Conversations
- What is the right security conversation a Board should have?
- What should they be asking the CEO, the CIO, the CISO?
-
Personal Wishful Thinking
- You've had experience on both sides of the Board room, what do you wish you'd have done better either as a Board Director or a Chief Risk Officer / Chief Information Security Officer?
- We talk a lot about using security to deliver business enablement, is that viable?
-
Wishful Thinking for Others
- If you could make a wish and ask all our Boards or executives to do one thing that would benefit their security and make the lives of their CISOs easier, what would it be?
-
Crucial Questions from CIOs and CTOs
-
Moving to Cloud Quicker
- How do I get security, risk, compliance and audit more comfortable with an acceleration to the cloud - so I can deliver on objectives and in fact mitigate technology, security and resiliency risk more quickly?
-
Security vs. All Technology Risks
- Is cybersecurity the most significant risk and how should I prioritize security vs. all my other technology risks?
-
CISO Function Alignment
- How do I ensure the CISO function is integrated into IT / business processes / activities?
-
Forward Planning for Security
- I’d like to plan ahead but things coming from the security team seem so unpredictable
-
How Much Security is Enough?
- No amount of effort ever seems enough for the security team, what should I do?
-
Developer Agility and Security
- How do I ensure developer agility and productivity in the face of security?
-
Legacy Systems
- How should I deal with legacy systems and architectures that are hard to secure?
-
Crucial Questions from CISOs and Security Teams
-
Hybrid Multi-Cloud
- How do we manage security across our hybrid on-premise and multi-cloud / multi-SaaS environments?
-
Threat Intelligence
- How can we obtain, curate and act on threat intelligence in more effective ways?
-
Security Monitoring
- How can I scale security monitoring to deal with increased attack surface and increased sensory coverage?
-
Workforce Challenges
- How do I fill the positions I have with the right skills and people? How do I nurture my leaders and build a succession plan?
-
Board and Executive Relationships
- How do we keep the Board and executive leadership informed and on-side with our efforts?
-
IT Modernization
- How do I ensure IT prioritizes necessary security upgrades and IT systems modernization?
-
Benchmarking
- How do I know if I’m doing enough and if my risk profile is about right?
-
Crucial Questions from Governments and Regulators
-
Risk Tradeoffs
- How do we think about the trade-offs between security, resilience, privacy and other risks?
-
Principle vs. Objective Standards
- How stringent should we be in setting prescriptive standards for security?
-
Information Sharing
- What is the right amount and type of information to share between the public and private sector to what effect?
-
Supply Chain Risk
- How should we think about 3rd party, 4th party or even deeper supply chain risks?
-
Cybersecurity Workforce
- How we do ensure we are growing skills and jobs in our local market?
-
Nation State vs. Criminal Threats
- How should we prioritize dealing with nation state threats vs. organized criminal threats against businesses?
-
Reporting and Transparency
- How do we become aware of incidents affecting our domestic enterprises or those under our regulatory charge?
- Risk Governance
of Digital
Transformation
in the Cloud
-
CISO's Guide to Cloud Security Transformation
- Google Cybersecurity Action Team
-
Security Terminology,
Technologies, Solutions & Vendors
-
Cybersecurity Ecosystem mindmap
- by Strategy of Security
-
Cybersecurity Landscape
(solutions and vendors)
- CyberScape mapping (2021)
-
Terminology
- EDR - End Point Detection and response
- XDR - Extended or enhanced approach to endpoint detection and response (EDR) in which the “X” serves as a wildcard operator to connote extending threat detection and response measures across endpoints, networks, SaaS applications, and cloud infrastructure.
- MDR - Managed Detection and Response (more analysis and threat intelligence compared to traditional MSSP's
- MXDR - Managed extended detection and response - extends MRD services across the enterprise. Security analytics, operations, advanced threat hunting, detection and rapid response across endpoint, network, and cloud environments.
- SIEM - Security Information and Event Management
- SOAR - Security Orchestration, Automation, and Response - more automation compared to a traditional SIEM
- CSPM - Cloud security posture management
-
CASB - Cloud access security broker - proxy
between users and cloud/Internet
- Visibility
- Threat Detection
- Compliance
- Data Security
- DLP - Data Loss Prevention
-
Additional resources
- Security Scorecard
- NICCS
- Global Knowledge
-
Learning resources
- Google Cloud security
showcase
- Cloud Security Podcast
- GCP CIS Benchmarks™
- GCP MITRE ATT&CK®
- Professional Cloud Security
Certification
- Coursera: Google Cloud Security
- Pluralsight: Security Best
Practices in Google Cloud
- Security Summit 2022 recordings
- Next OnAir Security session
recordings 2020
- Next Security session
recordings 2019
-
Google Cloud Springboard (github)
- GenAI-Vertex-workbench-security
- CSA-DevSecOps
- Network Firewall Microsegmentation
- Google Cloud Certificate Authority Service deployment
- Securing User Managed Vertex-AI Workbench
- Deploying IL4 Assured Workload
- Deploying Australia Regions with Assured Support Workload
- SCC Cryptomining Program
- Secure Web Proxy
-
8 - Secure Software Supply Chain
-
Ideal
- Shift security left in the software CI/CD pipeline.
-
High-level Model
-
Detailed Model
- Design secure deployment pipelines
-
Software Delivery Shield
- Cloud Workstations
(managed development environments)
- Cloud Code source protect
- Artifact Registry & Container Analysys
- Assured Open Source Software
- Code Build
- GKE security posture
- Cloud Run security insights
- Binary Authorization
-
Leveraging the SLSA ("salsa") framework
- Deploy an enterprise developer platform on Google Cloud
-
7- Secure App Delivery
-
Ideal
- Protect external facing applications with DDoS defense, web application firewalling.
-
Components
-
Compute
- GKE Security
-
GCE Security
- Shielded VMs
- Confidential VMs
- Leveraging VPC Service Controls
- Disk Encryption
- Deploy a secured serverless architecture using Cloud Functions
- Deploy a secured serverless architecture using Cloud Run
- Compute and container security
-
Access
- Network & Application Security in Google Cloud
- Traffic Director
(Advanced Traffic Management)
-
Cloud Armor
- DDoS protection
- WAF protection
- Adaptive Protection
- Managed SSL Certs
- Best practices for securing applications and API's using Apigee
-
6 - Network Security
-
Ideal
- Centrally manage network resources, establish scalable segmentation and detect network threats.
-
Components
-
Virtual Private Cloud
- Shared VPC
- Serverless VPC Connectivity
(Ingress and Egress)
-
Cloud Firewall
- Firewall Policies
- Firewall Insights
- Google Cloud Load Balancing
- Google Cloud IDS
- Best practices for VPC design
- Best practices for GKE networking
- Networking for hybrid and multi-cloud workloads: Reference architectures
- Networking for secure intra-cloud access: Reference architectures
- Networking for internet-facing application delivery: Reference architectures