4. Securing with what is already available
Start with the native GCP controls before adding third-party tooling:
• Identity and Access Management (IAM): least-privilege roles, service accounts and conditional bindings
• VPC controls: firewall rules, Private Google Access and VPC Service Controls perimeters
• Cloud Key Management Service (Cloud KMS): customer-managed encryption keys and key rotation
• Native monitoring: Cloud Logging, Cloud Monitoring and Cloud Audit Logs
• Security Command Center: centralised misconfiguration and threat findings
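The first check a practitioner runs against the IAM bullet above is a least-privilege audit of the project policy. The script below is an added example, not from the original slides: it reads the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` prints and flags basic roles, public principals, service accounts holding basic roles and human users who can impersonate service accounts. The policy, project and principals in it are constructed.

```python
"""Audit a Google Cloud IAM policy for bindings that break least privilege.

Added example, not from the original slides. The input is the JSON shape
returned by `gcloud projects get-iam-policy PROJECT --format=json`; the
policy below is constructed sample data and every principal is fictitious.
"""
import json

# Basic roles grant blanket access to every service in the project.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# These principals open a resource to anyone, or to any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Roles that let the holder act as, or mint credentials for, other identities.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.serviceAccountUser",
}

# Constructed sample policy (fictitious project and principals).
SAMPLE_POLICY = json.dumps({
    "version": 3,
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/logging.viewer", "members": ["group:sec-ops@example.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:bob@example.com"]},
        {"role": "roles/compute.admin",
         "members": ["user:carol@example.com"],
         "condition": {"title": "business-hours",
                       "expression": "request.time.getHours('Europe/London') >= 8 "
                                     "&& request.time.getHours('Europe/London') < 18"}},
    ],
})


def audit_policy(policy_json: str) -> list[dict]:
    """Return one finding per (member, role, issue) that violates least privilege.

    Conditional bindings carry their condition title so a reviewer can see
    that the grant is already scoped by IAM Conditions.
    """
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        condition = binding.get("condition", {}).get("title")
        for member in binding.get("members", []):
            issues = []
            if role in BASIC_ROLES:
                issues.append("basic role")
            if member in PUBLIC_MEMBERS:
                issues.append("public principal")
            if role in IMPERSONATION_ROLES and member.startswith("user:"):
                issues.append("human user can impersonate service accounts")
            if role in BASIC_ROLES and member.startswith("serviceAccount:"):
                issues.append("service account with basic role")
            for issue in issues:
                findings.append({"member": member, "role": role,
                                 "condition": condition, "issue": issue})
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per issue type for a quick posture snapshot."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"{f['role']:40} {f['member']:65} {f['issue']}")
    print(summarize(audit_policy(SAMPLE_POLICY)))
```

Run it against a real export by replacing SAMPLE_POLICY with the file contents; the conditional compute.admin grant produces no finding, which is the point of IAM Conditions.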
6. Suricata
Suricata is deployed as an Intrusion Detection and Prevention System (IDPS). It inspects network traffic in real time, matches packets and reassembled flows against signatures, and raises alerts (or, in inline IPS mode, drops the traffic) for potential security events. To detect malicious behaviour and defend GCP workloads from network-based risks it has to see the traffic: feed a Suricata collector with Packet Mirroring, or place it inline on the path the workloads use to reach the internet. Custom signatures and Indicators of Compromise (IoCs) are written in Suricata's rule language, so the detection set can be tailored to each workload's needs.
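Custom signatures are only useful if they load cleanly and do not collide with the distributed rulesets. The block below is an added example, not from the slides or the Suricata project: it parses the header and option fields of a Suricata rule and lints the points that bite in practice (missing msg/sid/rev, a sid outside the local range, no classtype, duplicate sids across a set). The three rules are constructed; 203.0.113.0/24 is a documentation range standing in for a real indicator.

```python
"""Parse and lint custom Suricata signatures before loading them.

Added example, not from the slides or the Suricata project. The rules
below are constructed for illustration; 203.0.113.0/24 is a documentation
range standing in for a real indicator of compromise.
"""
import re

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<options>.*)\)\s*$"
)
# sids 1000000-1999999 are reserved for locally written rules, so custom
# signatures never collide with ET Open or other distributed rulesets.
LOCAL_SID_RANGE = range(1_000_000, 2_000_000)

GOOD_RULE = (
    'alert tcp $HOME_NET any -> 203.0.113.0/24 any '
    '(msg:"LOCAL Outbound connection to blocked C2 range"; '
    'flow:to_server,established; classtype:trojan-activity; sid:1000001; rev:1;)'
)
BAD_SID_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"LOCAL sqlmap user-agent"; http.user_agent; content:"sqlmap"; nocase; '
    'classtype:web-application-attack; sid:999; rev:1;)'
)
NO_REV_RULE = (
    'drop dns $HOME_NET any -> any 53 '
    '(msg:"LOCAL DNS query for sinkholed domain"; dns.query; '
    'content:"bad.example"; sid:1000002;)'
)


def parse_rule(text: str) -> dict:
    """Split a rule into header fields plus an options dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed rule header: {text[:40]!r}")
    rule = m.groupdict()
    options = {}
    # Simplification: a full parser must honour "\;" escaped inside content strings.
    for opt in rule.pop("options").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip().strip('"')
    rule["options"] = options
    return rule


def lint_rule(rule: dict) -> list[str]:
    """Return the problems that would make a rule unloadable or unmanageable."""
    problems = []
    opts = rule["options"]
    for required in ("msg", "sid", "rev"):
        if required not in opts:
            problems.append(f"missing {required}")
    if "sid" in opts and int(opts["sid"]) not in LOCAL_SID_RANGE:
        problems.append(f"sid {opts['sid']} is outside the local range 1000000-1999999")
    if "classtype" not in opts:
        problems.append("missing classtype (alerts will carry no priority)")
    return problems


def lint_ruleset(rule_texts: list[str]) -> list[tuple]:
    """Lint every rule and catch sid collisions across the whole set."""
    seen = set()
    report = []
    for text in rule_texts:
        rule = parse_rule(text)
        problems = lint_rule(rule)
        sid = rule["options"].get("sid")
        if sid is not None:
            if sid in seen:
                problems.append(f"duplicate sid {sid}")
            seen.add(sid)
        report.append((sid, problems))
    return report


if __name__ == "__main__":
    for sid, problems in lint_ruleset([GOOD_RULE, BAD_SID_RULE, NO_REV_RULE]):
        print(sid, problems or "ok")
```

Run the linter in CI before `suricata -T -S local.rules` so a bad custom rule never reaches the sensor; bump rev every time a rule's content changes so analysts can tell which version fired.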
7. ELK
Logstash collects and parses logs, Elasticsearch indexes and stores them for search, and Kibana visualises them. On GCP the usual feed is a Cloud Logging sink that exports audit and platform logs to Pub/Sub, which Logstash reads with its google_pubsub input. Gathering and correlating logs from GCP services and security devices in one place gives efficient monitoring and analysis of security events and supports incident response.
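The value of the stack is the correlation rule, not the storage. The block below is an added example, not from the slides or from Elastic: it expresses one such rule in Python so it runs offline, over log lines constructed in the shape of Cloud Audit Log JSON entries (fictitious principals and IPs). A burst of PERMISSION_DENIED results across several different API methods from one principal is the signature of an attacker enumerating what a stolen credential can do, and is easy to miss when each denial is viewed alone.

```python
"""Correlate Cloud Audit Log entries to spot permission probing.

Added example: the correlation one would run in ELK (or any SIEM) over
Cloud Audit Logs, written in Python so it runs offline. The log lines are
constructed in the shape of Cloud Audit Log JSON entries; principals, IPs
and method names are fictitious sample data.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# gRPC status code 7 is PERMISSION_DENIED in Cloud Audit Logs.
PERMISSION_DENIED = 7


def _entry(ts, principal, method, code, ip):
    """Build one constructed audit log line (JSON, one entry per line)."""
    return json.dumps({
        "timestamp": ts,
        "severity": "ERROR" if code else "INFO",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
            "status": {"code": code} if code else {},
        },
    })


PROBING_SA = "svc-backup@example-project.iam.gserviceaccount.com"
SAMPLE_LOG_LINES = [
    _entry("2024-05-01T10:00:05Z", "alice@example.com", "SetIamPolicy", 0, "198.51.100.10"),
    _entry("2024-05-01T10:01:00Z", PROBING_SA, "storage.buckets.list", 7, "203.0.113.7"),
    _entry("2024-05-01T10:01:20Z", PROBING_SA, "compute.instances.list", 7, "203.0.113.7"),
    _entry("2024-05-01T10:02:10Z", PROBING_SA, "iam.serviceAccountKeys.create", 7, "203.0.113.7"),
    _entry("2024-05-01T10:03:45Z", PROBING_SA, "secretmanager.versions.access", 7, "203.0.113.7"),
    _entry("2024-05-01T10:04:00Z", PROBING_SA, "storage.objects.get", 0, "203.0.113.7"),
    _entry("2024-05-01T11:30:00Z", "bob@example.com", "compute.instances.delete", 7, "198.51.100.11"),
]


def parse_entries(lines):
    """Flatten the audit entries we need and sort them by time."""
    events = []
    for line in lines:
        e = json.loads(line)
        p = e["protoPayload"]
        events.append({
            "time": datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00")),
            "principal": p["authenticationInfo"]["principalEmail"],
            "method": p["methodName"],
            "ip": p.get("requestMetadata", {}).get("callerIp"),
            "denied": p.get("status", {}).get("code") == PERMISSION_DENIED,
        })
    return sorted(events, key=lambda ev: ev["time"])


def detect_permission_probing(lines, window=timedelta(minutes=10),
                              min_denied=3, min_methods=3):
    """Flag principals with >= min_denied denials over >= min_methods distinct
    methods inside a sliding time window; one finding per principal."""
    by_principal = defaultdict(list)
    for ev in parse_entries(lines):
        if ev["denied"]:
            by_principal[ev["principal"]].append(ev)
    findings = []
    for principal, denials in by_principal.items():
        best, start = [], 0
        for end in range(len(denials)):
            while denials[end]["time"] - denials[start]["time"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = denials[start:end + 1]
        methods = {ev["method"] for ev in best}
        if len(best) >= min_denied and len(methods) >= min_methods:
            findings.append({
                "principal": principal,
                "denied": len(best),
                "methods": sorted(methods),
                "source_ips": sorted({ev["ip"] for ev in best}),
                "first": best[0]["time"].isoformat(),
                "last": best[-1]["time"].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for f in detect_permission_probing(SAMPLE_LOG_LINES):
        print(json.dumps(f, indent=2))
```

The same logic maps to a Kibana threshold rule grouped by principalEmail with a cardinality check on methodName; keeping the successful storage.objects.get in the sample shows why the window matters: the principal is still finding things it can do.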
8. OpenVAS/Greenbone
OpenVAS is the scanner in the Greenbone Vulnerability Management (GVM) stack. It performs comprehensive scans of systems, services and applications and reports the vulnerabilities it identifies, enabling timely patching and reducing the risk of exploitation. Run it from a VM inside the VPC so it can reach private addresses, and prefer authenticated scans: an unauthenticated scan sees only what the network exposes and misses unpatched packages on the host itself.
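A scan report is only the start of "timely patching"; the next step is triage. The block below is an added example, not from the slides or the Greenbone project: it parses a trimmed-down XML fragment in the shape of a GVM report (results carrying host, port, threat and severity), drops informational entries, and groups the remaining findings by host, worst first. The report, hosts and findings are constructed; real exports contain far more elements (the host element, for instance, also carries an asset child).

```python
"""Triage a Greenbone/OpenVAS report by host and severity.

Added example, not from the slides or the Greenbone project. SAMPLE_REPORT
is a constructed, trimmed-down fragment in the shape of a GVM XML report;
hosts and findings are fictitious.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<report>
  <results>
    <result id="r1">
      <name>Outdated OpenSSH version</name>
      <host>10.0.1.5</host><port>22/tcp</port>
      <threat>High</threat><severity>7.5</severity>
    </result>
    <result id="r2">
      <name>Admin console reachable without authentication</name>
      <host>10.0.1.5</host><port>8080/tcp</port>
      <threat>Critical</threat><severity>9.8</severity>
    </result>
    <result id="r3">
      <name>TLS 1.0 enabled</name>
      <host>10.0.1.9</host><port>443/tcp</port>
      <threat>Medium</threat><severity>4.3</severity>
    </result>
    <result id="r4">
      <name>Traceroute</name>
      <host>10.0.1.9</host><port>general/tcp</port>
      <threat>Log</threat><severity>0.0</severity>
    </result>
  </results>
</report>"""


def parse_report(xml_text: str) -> list[dict]:
    """Return one dict per non-informational result."""
    root = ET.fromstring(xml_text)
    results = []
    for r in root.iter("result"):
        threat = r.findtext("threat", "Log")
        if threat == "Log":
            continue  # informational entries are not vulnerabilities
        results.append({
            "id": r.get("id"),
            # findtext returns the text before any child, so a real
            # <host>10.0.1.5<asset .../></host> still yields the address.
            "host": (r.findtext("host", "") or "").strip(),
            "port": (r.findtext("port", "") or "").strip(),
            "name": (r.findtext("name", "") or "").strip(),
            "threat": threat,
            "severity": float(r.findtext("severity", "0")),
        })
    return results


def prioritize(results: list[dict], min_severity: float = 7.0) -> dict:
    """Group results at or above min_severity by host, worst host and worst
    finding first, so the patch queue reads top to bottom."""
    by_host = defaultdict(list)
    for r in results:
        if r["severity"] >= min_severity:
            by_host[r["host"]].append(r)
    ordered = {}
    for host, items in sorted(by_host.items(),
                              key=lambda kv: -max(i["severity"] for i in kv[1])):
        ordered[host] = sorted(items, key=lambda i: -i["severity"])
    return ordered


if __name__ == "__main__":
    for host, items in prioritize(parse_report(SAMPLE_REPORT)).items():
        print(host)
        for i in items:
            print(f"  {i['severity']:4} {i['threat']:8} {i['port']:12} {i['name']}")
```

Feed it a real export with the gvm-cli or the web UI's XML download; the min_severity threshold is the SLA boundary (for example, 7.0 and above must be patched within the week).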
9. OSSEC
OSSEC is a host-based intrusion detection system. Its file-integrity monitoring routinely hashes files and compares them against a stored baseline, raising alarms and notifications when unusual modifications take place, which aids in detecting potential security breaches. It also performs log analysis and rootkit checks, so it complements the network view that Suricata provides.
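The integrity check itself is small enough to show in full. The block below is an added example, not OSSEC code: it builds a baseline of SHA-256 hashes, modes and sizes for every file under a root, diffs a later snapshot against it, and reports what was added, removed or modified. demo() constructs a throw-away /etc-like tree in a temporary directory and simulates a compromise (a new root account appended to passwd, PermitRootLogin flipped, a dropped cron job, a deleted hosts file) so the block runs stand-alone.

```python
"""File-integrity baseline and diff, the check OSSEC's syscheck performs.

Added example, not OSSEC code. It hashes every regular file under a
directory, keeps a baseline, and reports files added, removed or modified
since. demo() builds a constructed tree in a temporary directory so the
block runs stand-alone.
"""
import hashlib
import os
import tempfile


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each relative file path to (sha256, permission bits, size)."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlink targets are hashed under their own path
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (_sha256(full), st.st_mode & 0o7777, st.st_size)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify every path as added, removed or modified (hash, mode or size)."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Baseline a constructed tree, simulate a compromise, and diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(os.path.join(etc, "ssh"))
        passwd = os.path.join(etc, "passwd")
        sshd = os.path.join(etc, "ssh", "sshd_config")
        hosts = os.path.join(etc, "hosts")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(sshd, "w") as f:
            f.write("PermitRootLogin no\n")
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")
        before = build_baseline(root)

        # Simulated compromise: a second uid-0 account, weakened sshd,
        # a persistence cron job, and a deleted file.
        with open(passwd, "a") as f:
            f.write("backdoor:x:0:0::/root:/bin/bash\n")
        with open(sshd, "w") as f:
            f.write("PermitRootLogin yes\n")
        os.makedirs(os.path.join(etc, "cron.d"))
        with open(os.path.join(etc, "cron.d", "update"), "w") as f:
            f.write("* * * * * root /tmp/.x\n")
        os.remove(hosts)
        after = build_baseline(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

In production the baseline must live somewhere the monitored host cannot rewrite (OSSEC keeps it on the manager), otherwise an attacker with root simply re-baselines after the change.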
11. The Final Achievement
• Infrastructure: apply secure configuration management, such as operating system hardening, communication channel security and the least-privilege principle.
• Robust configuration: achieve uniform security settings across GCP workloads, enforced through organisation policies and infrastructure as code rather than by hand.
• Patch management: stay up to date with security patches and updates for GCP services and workloads.
• Isolation: use network segmentation to separate workloads and limit lateral movement.
• Incident response: create an incident response plan and exercise it routinely so that security incidents are handled efficiently.
17. BeyondCorp
BeyondCorp is Google's zero-trust model. Rather than trusting anything because it sits inside a network border, it continuously verifies each request using user identity, device security posture, location and the access policy that applies to the resource.
• Identity and Access Management: grant particular users or groups access to Google Cloud services, and use IAM Conditions to narrow a grant, for instance by caller IP address or time of day.
• Context-Aware Access: combines user identity, device properties, network location and other attributes into access levels that access policies can require.
• Device access security: BeyondCorp places strong emphasis on confirming the security status of the device before granting access (managed-device status, OS version, disk encryption and screen lock, as reported by Endpoint Verification).
18. Stratozone
StratoZone is Google Cloud's discovery and assessment tool (now part of Migration Center): it inventories servers, databases and their dependencies and produces fit and cost assessments for migration. It is not a security analytics product. A centralised dashboard that tracks and evaluates security incidents in real time, with analytics and machine learning to identify and respond to security concerns, is what SIEM and SOAR tooling provides:
SIEM - Security Information and Event Management
SOAR - Security Orchestration, Automation and Response
19. BeyondCorp Use Case
Web Application Access Control with Context-Aware Access and IAP
# Enable IAP on the load balancer backend service; the OAuth client ID and
# secret come from the project's OAuth credentials page
gcloud compute backend-services update [BACKEND_SERVICE_NAME] --global \
  --iap=enabled,oauth2-client-id=[CLIENT_ID],oauth2-client-secret=[CLIENT_SECRET]
# Who may pass IAP is an IAM binding on the backend service, not a flag on it
gcloud iap web add-iam-policy-binding --resource-type=backend-services \
  --service=[BACKEND_SERVICE_NAME] --member=group:[GROUP_EMAIL] \
  --role=roles/iap.httpsResourceAccessor
# Device and network context is enforced by attaching a Context-Aware Access
# access level as a --condition on that binding; the CEL expression is
# "accessPolicies/[POLICY]/accessLevels/[LEVEL]" in request.auth.access_levels
Publishing an on-premises MySQL instance through a BeyondCorp Enterprise app connector
# MySQL is a host:port endpoint, not an https URL. The connector agent runs on
# a VM that can reach the database; the connection names the endpoint it
# exposes. Flag names are as documented for `gcloud beyondcorp app`; confirm
# them with --help before use.
gcloud beyondcorp app connectors create [CONNECTOR_NAME] --location=[REGION] \
  --member=serviceAccount:[CONNECTOR_SA_EMAIL]
gcloud beyondcorp app connections create [CONNECTION_NAME] --location=[REGION] \
  --application-endpoint=[MYSQL_HOST]:3306 --connectors=[CONNECTOR_NAME]
Accessing On-Premises Resources securely
# IAP TCP forwarding tunnels TCP (not UDP) through IAP to a VM with no public
# IP. A target TCP proxy is a load balancer component and gives no
# authenticated tunnel. For an on-premises database the VM is a bastion in
# the VPC that reaches the database over VPN or Interconnect.
# 1. Allow IAP's TCP-forwarding source range to reach the bastion's SSH port
gcloud compute firewall-rules create allow-iap-tcp-forwarding \
  --network=[VPC_NETWORK] --direction=INGRESS --action=allow \
  --rules=tcp:22 --source-ranges=35.235.240.0/20 --target-tags=[BASTION_TAG]
# 2. Grant tunnel access only to the operators who need it
gcloud projects add-iam-policy-binding [PROJECT_ID] \
  --member=group:[GROUP_EMAIL] --role=roles/iap.tunnelResourceAccessor
# 3. SSH through IAP and forward a local port to the on-premises database
gcloud compute ssh [BASTION_VM] --zone=[ZONE] --tunnel-through-iap \
  -- -L 3306:[ONPREM_MYSQL_HOST]:3306
20. Stratozone Use Case
The commands below are pseudo-commands: there is no `gcloud alpha stratozone` command group, and StratoZone has no detection rules or playbooks. They sketch the shape of a SIEM anomaly rule and a SOAR playbook, which in practice belong to a SIEM/SOAR platform fed from Cloud Logging.
Threat Detection and Alerts
# Create a detection rule for suspicious account activity (pseudo-command)
gcloud alpha stratozone rules create [RULE_NAME] --type=anomaly_detection \
  --metric=account_activity --threshold=3 --window=1d --project=[PROJECT_ID]
Incident Response Automation
# Configure a playbook for incident response (pseudo-command)
gcloud alpha stratozone playbooks create [PLAYBOOK_NAME] --incident=[INCIDENT_ID] \
  --actions=send_chat_message \
  --chat_message="An incident has been detected in [PROJECT_NAME]. Please investigate."
# Trigger the playbook when an incident is detected (pseudo-command)
gcloud alpha stratozone incidents update [INCIDENT_ID] --playbook=[PLAYBOOK_NAME]
22. Network Connectivity Center
Network Connectivity Center centralises the management of hub-and-spoke network connections between on-premises networks, Google Cloud VPC networks and other cloud providers. Its single pane of glass for viewing and managing network configurations, policies and traffic flows lets organisations simplify network operations and gain more insight into their network infrastructure.
23. Network Connectivity Center
1. Single connectivity model
Network Connectivity Center connects and manages VPNs, interconnects and SD-WANs through one model, so users reach workloads seamlessly.
2. Flexible cloud connectivity
Network Connectivity Center delivers a unified connectivity experience over Google's global infrastructure, using new or existing Partner and Dedicated Interconnects, Cloud VPN and similar links.
3. VPN-based multicloud connectivity
Network Connectivity Center supports VPN-based cloud connectivity directly and through a set of partners, giving enterprises the flexibility to create, connect and consume resources spanning multiple clouds.
4. SD-WAN integration / third-party router
Network Connectivity Center can be the default landing point when integrating SD-WAN and other routing solutions with Google's infrastructure.
5. Real-time visibility for your global network
Network Connectivity Center offers a single pane of glass for connecting your VPNs, Partner and Dedicated Interconnects and on-premises networks.
24. NCC Use Case
Attaching a VPC network to a hub as a spoke
from google.cloud import networkconnectivity

# Network Connectivity Center is driven through HubServiceClient; VPC spokes
# are global resources attached to an existing hub. Requires a version of
# google-cloud-network-connectivity that exposes LinkedVpcNetwork.
client = networkconnectivity.HubServiceClient()

# Set project ID and the hub the spoke attaches to
project_id = "YOUR_PROJECT_ID"
hub_name = f"projects/{project_id}/locations/global/hubs/YOUR_HUB_NAME"

# Describe the spoke: which VPC network it links into the hub
spoke = networkconnectivity.Spoke(
    hub=hub_name,
    linked_vpc_network=networkconnectivity.LinkedVpcNetwork(
        uri=f"projects/{project_id}/global/networks/my-vpc-network",
    ),
)
# create_spoke returns a long-running operation; wait for it to finish
operation = client.create_spoke(
    parent=f"projects/{project_id}/locations/global",
    spoke_id="my-vpc-spoke",
    spoke=spoke,
)
vpc_spoke = operation.result()
print(f"VPC spoke created: {vpc_spoke.name}")
Firewall Rule Creation
from google.cloud import compute_v1

# Firewall rules are Compute Engine resources, not NCC resources
client = compute_v1.FirewallsClient()

# Set project ID, VPC network name and the trusted source range
project_id = "YOUR_PROJECT_ID"
vpc_network_name = "YOUR_VPC_NETWORK_NAME"
# Never 0.0.0.0/0 for a rule named "from specific range": scope it to the
# load balancer or trusted client range you actually expect
source_range = "YOUR_TRUSTED_SOURCE_CIDR"

firewall_rule = compute_v1.Firewall(
    name="allow-ingress-tcp-80-from-specific-range",
    network=f"projects/{project_id}/global/networks/{vpc_network_name}",
    direction="INGRESS",
    priority=1000,
    source_ranges=[source_range],
    # Limit the rule to tagged instances instead of every VM in the VPC;
    # destination_ranges applies only to EGRESS rules and is omitted here
    target_tags=["YOUR_TARGET_TAG"],
    allowed=[compute_v1.Allowed(I_p_protocol="tcp", ports=["80"])],
)
# insert returns an operation; wait for it so errors surface here
operation = client.insert(project=project_id, firewall_resource=firewall_rule)
operation.result()
print(f"Firewall rule created: {firewall_rule.name}")
26. “Before my eyes, it blocks my
path. A high, high wall. What sort
of scene is on the other side?
What will I be able to see there?
“The view from the top”. A
scenery I will never be able to
see on my own. But if I’m not
alone, then… I might be able to
see it.” – Shoyo Hinata