Skip to main content

Chapter 14: Hardening the Perimeter - Security and Compliance

Security in Google Cloud is built on the concept of Defense in Depth. While Google secures the physical infrastructure and the hardware (using the Titan chip), the “Security in the Cloud” is your responsibility. This chapter covers the advanced tools used to protect data, manage identities, and ensure compliance at scale.

1. VPC Service Controls (VPC SC): The Virtual Moat

VPC Service Controls is perhaps the most powerful security tool in GCP. It creates a security perimeter around your Google-managed services (like Cloud Storage, BigQuery, and Cloud SQL).

The Service Perimeter with Access Context Manager

  • Data Exfiltration Protection: Even if an attacker compromises a VM and gets hold of a service account key, VPC SC prevents them from copying data from your BigQuery table to an external bucket if that bucket is outside the perimeter.
  • Service-to-Service Protection: It ensures that only authorized resources inside the perimeter can talk to each other.
  • Access Context Manager: You can define “Access Levels” based on IP addresses, user identity, or device health (e.g., “Allow access only if the user is on a company-managed laptop with an encrypted disk”).
Device-Based Policy Configuration: To implement a device-based access policy, you need to deploy the Endpoint Verification Chrome Extension and configure an Access Level with device attributes. Example Access Level (YAML Definition): 
name: accessPolicies/12345678/accessLevels/corporate_devices
title: "Corporate Managed Devices Only"
basic:
  conditions:
    - devicePolicy:
        requireScreenlock: true
        requireAdminApproval: false
        allowedEncryptionStatuses:
          - ENCRYPTED
        allowedDeviceManagementLevels:
          - COMPLETE
        osConstraints:
          - osType: DESKTOP_WINDOWS
            minimumVersion: "10.0.19041"  # Windows 10 version 2004+

2. Sensitive Data Protection (Cloud DLP)

Cloud Data Loss Prevention (DLP) allows you to discover, classify, and protect sensitive data (PII, PHI, financial records) across your entire cloud footprint.

Discovery and De-identification

  • Inspection: Automatically scan buckets, BigQuery tables, and Datastore instances for over 150 built-in infoTypes (Credit card numbers, SSNs, passports).
  • De-identification:
    • Masking: Replacing 1234-5678 with XXXX-XXXX.
    • Tokenization: Replacing sensitive data with a cryptographically secure token.
    • Bucketing: Changing “Age: 27” to “Age: 20-30” to preserve privacy while maintaining analytical value.

3. Cloud KMS: Managing the Keys to the Kingdom

Cloud Key Management Service (KMS) provides a centralized place to manage cryptographic keys.

Key Types and Tiers

  • Software Keys: Fast and cost-effective, managed by Google.
  • HSM (Hardware Security Module): Keys are stored on physical FIPS 140-2 Level 3 validated hardware. The raw key never leaves the hardware.
  • External Key Manager (EKM): You store your keys on-premise or in a 3rd party vault (like Thales or Fortanix), and Google Cloud calls your vault every time it needs to encrypt/decrypt. You have ultimate control—if you pull the plug on your vault, Google can no longer read your data.

4. Security Command Center (SCC)

SCC is the central security dashboard for GCP. The Premium tier offers advanced threat detection.
  • Event Threat Detection: Scans your Cloud Audit Logs for signs of account hijacking, brute force attacks, or suspicious IAM changes.
  • Container Threat Detection: Detects malicious activity inside your GKE containers, such as the execution of unauthorized binaries or reverse shells.
  • Compliance Monitoring: Provides real-time reports on how your infrastructure aligns with industry standards like CIS, PCI-DSS, and HIPAA.

5. Identity-Aware Proxy (IAP) and Zero Trust

IAP is Google’s implementation of the BeyondCorp zero-trust model. It allows you to expose web applications and SSH/RDP access to the internet without a VPN.
  • Context-Aware Access: Access is granted based on the user’s identity and the “context” of their request (location, device security, etc.).
  • IAP TCP Forwarding: Allows you to SSH into a VM that has no public IP address. You connect to the IAP tunnel, which then securely forwards your traffic to the internal VM.

6. Secret Manager

Secrets (API keys, DB passwords) should never be stored in code, environment variables, or config files.
  • Version Control: Rotate secrets easily by adding new versions and letting applications always pull the latest version.
  • IAM-Integrated: Grant access to specific secrets only to the service accounts that need them.

7. Advanced Perimeter Defense: IAP and SCC

7.1 IAP TCP Forwarding

IAP isn’t just for web apps. TCP Forwarding allows you to reach internal VMs via SSH (port 22) or RDP (port 3389) even if they have no public IP.
  • How it works: You connect to the IAP service endpoint. IAP verifies your IAM identity and the context of your request. If authorized, it creates a tunnel into your VPC and delivers the traffic to the VM’s internal IP.
  • Command: gcloud compute ssh [VM_NAME] --tunnel-through-iap.

7.2 Security Command Center (SCC) Premium

The Premium tier of SCC provides active threat detection:
  • Event Threat Detection: Scans logs for brute-force attacks and account hijacks.
  • Container Threat Detection: Detects unauthorized binary execution inside your GKE pods.
  • Virtual Machine Threat Detection: Scans VM memory for signs of malware (cryptominers, rootkits) without needing an agent.

8. Interview Preparation

1. Q: How does VPC Service Controls (VPC SC) prevent data exfiltration? A: VPC SC creates a Service Perimeter around Google-managed services (like GCS or BigQuery). Even if an attacker compromises a valid User or Service Account, they cannot copy data from a protected resource to an external project or bucket that is not part of the same perimeter. It effectively mitigates the “Stolen Credential” risk by enforcing security at the resource level, not just the identity level. 2. Q: Explain the “BeyondCorp” Zero Trust model as implemented by IAP. A: Identity-Aware Proxy (IAP) replaces traditional VPNs. In a Zero Trust model, “being on the corporate network” does not grant access. IAP grants access to web apps and VMs (SSH/RDP) based on Identity (IAM) and Context (Device health, IP location, time of day). If a device is not encrypted or is missing a security patch, IAP blocks the request even if the user provides the correct password. 3. Q: What is the difference between Cloud KMS Software Keys and HSM Keys? A:
  • Software Keys: Cryptographic keys are stored and managed in a Google-managed software environment. They are cost-effective and fast.
  • HSM Keys: Keys are stored on Hardware Security Modules (FIPS 140-2 Level 3 validated). The raw key material never leaves the hardware. This is a requirement for high-compliance industries (Banking, Government) that need physical separation of keys.
4. Q: How does Cloud DLP (Sensitive Data Protection) handle “De-identification”? A: DLP uses several techniques to protect data while keeping it useful for analysis:
  • Masking: Replacing part of the data (e.g., 4532-XXXX).
  • Tokenization: Replacing sensitive data with a surrogate “token.”
  • K-Anonymity (Bucketing): Generalizing data (e.g., changing “Age 27” to “Age 20-30”) so that individuals cannot be re-identified in a dataset.
5. Q: What is the “Organization Policy Service” and why is it used? A: It is a central governance tool that enforces “Guardrails” at the Org or Folder level. Examples include:
  • Disable External IPs: Preventing any VM in the company from having a public IP.
  • Restrict Resource Usage: Only allowing specific machine types or regions.
  • Enforce Shielded VMs: Requiring all GCE instances to use boot integrity checks. It prevents “Configuration Drift” and human error across thousands of projects.

Implementation: The “Security Officer” Lab

Protecting a BigQuery Dataset with VPC Service Controls

# 1. Create an Access Level (Allow only from a specific CIDR)
# (Done via Access Context Manager in the Console)

# 2. Create a Service Perimeter
# Include your Project and the BigQuery API in the perimeter.

# 3. Test Exfiltration
# Try to run a query that exports data to a bucket in a DIFFERENT project.
# VPC SC will block this even if you are the Project Owner!

# 4. Use DLP to De-identify a Column in BigQuery
# Create a DLP Job to scan a table and mask the 'credit_card' column.

Pro-Tip: The “Organization Policy” Service

Use Organization Policies to enforce security at the root level. For example, you can set a policy that disables the creation of external IP addresses for all VMs in the entire company, or one that enforces the use of Shielded VMs. This prevents “shadow IT” from creating insecure resources.