Published on

GCP Security Landscape

Authors

Google Cloud Platform (GCP) offers a comprehensive set of security features and concepts to protect your data and applications. Here's an improved and markdown-compatible mind map of the key security concepts in GCP:

Infrastructure Security

  • Shielded VMs: Provide verifiable integrity of Compute Engine virtual machine instances, protecting against rootkits and bootkits. They use secure boot, virtual trusted platform module (vTPM), and integrity monitoring to ensure VMs haven't been tampered with.

  • Confidential Computing: Protects data in use, complementing existing encryption for data at rest and in transit. Ideal for protecting sensitive data processing and algorithms.

  • DDoS Protection: Google Cloud Armor provides DDoS mitigation for layer 3 to layer 7 attacks.

  • Firewall: Create rules that control incoming and outgoing traffic for your VPC networks.

  • Intrusion Detection/Prevention Systems (IDS/IPS)

  • Web Application Firewall (WAF): Google Cloud Armor helps protect against OWASP Top Vulnerabilities.

  • Container Security: Includes Vulnerability Scanning and Binary Authorization.

Network Security

  • Virtual Private Cloud (VPC): Plays a central role in isolating and securing network traffic within GCP. Features include Network Segmentation and Isolation, Shared VPC, VPC Peering, and Firewall Rules.

  • Cloud VPN: A secure networking solution that allows you to extend your on-premises network to your VPC network through an encrypted IPsec connection.

  • VPC Service Controls: Enhance security by creating a protective boundary around GCP resources. Offers context-aware access based on client attributes and data exfiltration protection.

Data Protection

  • Sensitive Data Protection (Data Loss Prevention): Provides resources to help discover, govern, protect, and report on sensitive data across your ecosystem.

  • Certificate Authority Service: A highly-available, scalable service that simplifies and automates the management of private certificate authorities (CAs) while maintaining control over private keys.

  • Cloud Key Management Service (KMS): Allows creation, import, and management of cryptographic keys and performs cryptographic operations in a centralized cloud service.

  • Certificate Manager: Enables acquisition and management of TLS (SSL) certificates for use with Cloud Load Balancing.

  • Secret Manager: Stores sensitive data such as API keys, passwords, and certificates, providing convenience while improving security.

  • Encryption and Tokenization: GCP encrypts data at rest by default and provides options for customer-managed and customer-supplied encryption keys.

  • Hardware Security Module (HSM): Cloud HSM provides a hardware-backed key management solution for hosting encryption keys and performing cryptographic operations in FIPS 140-2 Level 3 certified HSMs.

  • Model Armor: Protects AI-powered applications from malicious attacks and unintended consequences, preventing prompt injection and jailbreak attempts, securing sensitive data against leaks, and ensuring AI-generated content adheres to safety guidelines.

Application Security

  • Web Security Scanner: A powerful tool for identifying security vulnerabilities in web applications hosted on GCP in a static manner.

  • Binary Authorization: Provides policy-based deployment control, ensuring only trusted container images are deployed and integrating with CI/CD pipelines for automated security checks.

  • Web Risk: Protects users from unsafe websites.

  • reCAPTCHA Enterprise API: Helps protect websites from fraudulent activity, spam, and abuse without creating friction.

Identity and Access Management

  • Identity and Access Management (IAM): A comprehensive system for controlling access to cloud resources.

  • Cloud Identity-Aware Proxy: Provides a secure access control layer for applications and resources in Google Cloud.

  • Multi-Factor Authentication (Titan Security Key): Helps prevent account takeovers from phishing attacks.

  • Access Context Manager: Allows organization administrators to define fine-grained, attribute-based access control for projects and resources.

Security Operations

  • Security Command Center: Google Cloud's native security and risk management platform, designed to help organizations prevent, detect, and respond to security issues across their cloud environment.

  • SIEM/Security Analytics: Chronicle is Google's dedicated SIEM solution.

  • Advisory Notifications: Provides well-targeted, timely, and compliant communications about critical security and privacy events in the Google Cloud console, allowing secure investigation, action, and support.

  • Google Threat Intelligence

Compliance and Governance

  • Cloud Asset Inventory: Provides a comprehensive view of all cloud resources across an organization's Google Cloud environment.

  • Organization Policy Service: Offers centralized and programmatic control over an organization's cloud resources.

  • Assured Workloads: A specialized service that helps organizations meet specific regulatory and compliance requirements within Google Cloud Platform.

This mind map provides an overview of the main security concepts and features available in Google Cloud Platform, covering various aspects of cloud security from infrastructure protection to application-level security measures.

GCP Professional Security Engineer Exam Overview

I recently passed the GCP Professional Security Engineer exam. In my opinion, the exam is moderately complex, covering a range of topics from basic concepts like IAM to advanced subjects such as VPC Service Perimeters, including relatively new areas like securing AI workloads. Here's a breakdown of the exam structure and the types of questions you might encounter:

Section 1: Configuring Access

This section primarily focuses on IAM (Identity and Access Management). Questions may cover:

  • Workload Identity Federation
  • Exposed Service Account keys
  • Managing Organizational constraints

Example scenario: How to implement an organizational policy that restricts service account access to one hour for unattended devices with Google Cloud CLI access.

Section 2: Securing Communications and Establishing Boundary Protection

This section addresses infrastructure and application security. Scenario-based questions often involve:

  • VPC Perimeter Controls
  • Secure web proxy
  • Google Cloud Armor
  • Identity-Aware Proxy

Example scenarios:

  • Defining perimeters and granting permissions between two perimeters in different projects
  • Securely connecting Cloud Run instances to Cloud SQL

Section 3: Ensuring Data Protection

This section covers various aspects of data protection in GCP, including:

  • Confidential Computing
  • Data Loss Prevention (DLP)
  • Cloud Key Management Service (KMS)
  • Access Context Manager

Example scenarios:

  • Deciding whether to move existing VMs to Confidential VMs or create new ones for memory encryption
  • Re-encrypting Cloud Storage data

Section 4: Managing Operations

This section focuses on operational security, with questions about:

  • Web Security Scanner
  • Binary Authorization and its automation

Section 5: Supporting Compliance Requirements

This section addresses compliance and regulatory concerns, including:

  • Managing compliance reports (e.g., PCI-DSS, HIPAA)
  • Assured Workloads
  • Organizational policies
  • Access Transparency
  • Access Approval
  • Regionalization of data and services

By understanding these key areas and practicing with similar scenarios, you can better prepare for the GCP Professional Security Engineer exam.

Discuss on TwitterView on GitHub