Security controls



In this tutorial we cover the security controls Google Cloud provides, with a focus on VPC Service Controls, organization policy, and auditing.

VPC Service Controls improves your ability to mitigate the risk of data exfiltration from Google Cloud services such as Cloud Storage and BigQuery. With VPC Service Controls, you create perimeters that protect the resources and data of the services you explicitly specify.

VPC Service Controls provides an additional layer of defense for Google Cloud services that is independent of Identity and Access Management (IAM). Where IAM enables granular identity-based access control, VPC Service Controls enables broader context-based perimeter security, including control over data egress across the perimeter. The two checks are applied independently: a request that IAM allows is still denied if it violates the perimeter, and a request that the perimeter allows still needs the right IAM permission.

Security benefits of VPC Service Controls

VPC Service Controls helps mitigate the following risks without sacrificing the performance advantages of direct private access to Google Cloud resources:

  • Firstly, access from unauthorized networks using stolen credentials. By allowing private access only from authorized VPC networks, VPC Service Controls limits what an attacker can do with stolen OAuth or service account credentials: the credentials alone are not enough to reach protected services from outside the perimeter.
  • Secondly, data exfiltration by malicious insiders or compromised code. VPC Service Controls complements network egress controls by preventing clients within those networks from accessing the resources of Google-managed services outside the perimeter. It also prevents service operations from reading data from, or copying data to, a resource outside the perimeter, for example copying to a public Cloud Storage bucket with gsutil cp, or to a permanent external BigQuery table with bq mk.
  • Thirdly, public exposure of private data caused by misconfigured IAM policies. VPC Service Controls adds a second layer by denying access from unauthorized networks even when the data has been exposed by a misconfigured IAM policy, such as a bucket granted to allUsers.
  • Lastly, monitoring access to services. A perimeter in dry run mode logs requests that would violate it without blocking them, so you can use VPC Service Controls to understand request traffic to your projects before enforcing a policy. Dry run perimeters can also serve as honeypot perimeters that reveal unexpected or malicious attempts to probe accessible services.

Capabilities

VPC Service Controls provides these benefits by letting you define security policies that prevent access to Google-managed services from outside a trusted perimeter, blocking access to data from untrusted locations and mitigating data exfiltration risks. With VPC Service Controls you are able to:

  • Firstly, isolate GCP resources and VPC networks into service perimeters
  • Secondly, extend perimeters to on-premises networks over authorized VPN or Cloud Interconnect connections
  • Lastly, control access to GCP resources from the internet
Isolate GCP resources into service perimeters

A service perimeter creates a security boundary around Google Cloud resources. You can configure a service perimeter to control communications from virtual machines (VMs) to a Google Cloud service (API), and between Google Cloud services. A service perimeter allows free communication within the perimeter but, by default, blocks all communication across it.

Extend perimeters to authorized VPN or Cloud Interconnect
  • Firstly, you can configure private communication to Google Cloud resources from VPC networks that span hybrid environments by using Private Google Access for on-premises hosts. A VPC network must be part of a service perimeter for VMs on that network to privately access managed Google Cloud resources within that perimeter.
  • Secondly, VMs with private IPs on a VPC network that is part of a service perimeter cannot access managed resources outside the service perimeter. If required, you can still allow inspected and audited access to all Google APIs over the internet.
Control access to GCP resources from the internet

Access from the internet to managed resources within a service perimeter is denied by default. Optionally, you can allow access based on the context of the request by creating access levels, which grant access based on attributes such as the source IP address, the identity of the caller, or the device making the request. Requests made from the internet are denied if they do not meet the criteria defined in an access level attached to the perimeter.
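The three capabilities above (a perimeter around Cloud Storage and BigQuery, private-only access for VMs inside it, and an IP-based access level for internet callers), together with the dry run monitoring described under the security benefits, as one added Terraform example. This is illustrative code written for this page, not code from the page or from Google's documentation. The organization ID, project ID, project number, and the corporate egress range 203.0.113.0/24 (TEST-NET-3) are assumed placeholders.

```hcl
# Added example: a dry-run VPC Service Controls perimeter around Cloud Storage
# and BigQuery, an IP-based access level for internet callers, and a log-based
# metric that counts dry-run violations. Illustrative code, not from Google's
# documentation. All IDs below are assumed placeholders.

variable "org_id"         { default = "123456789012" } # assumed
variable "project_id"     { default = "data-prod" }    # assumed
variable "project_number" { default = "987654321098" } # assumed

# Access policy: the organization-level container for levels and perimeters.
resource "google_access_context_manager_access_policy" "policy" {
  parent = "organizations/${var.org_id}"
  title  = "data-perimeter-policy"
}

locals {
  policy = google_access_context_manager_access_policy.policy.name
}

# Access level: admit internet requests only from the corporate egress range
# (203.0.113.0/24 is TEST-NET-3, a placeholder). Conditions can also match
# identities, device policy, or regions.
resource "google_access_context_manager_access_level" "corp_egress" {
  parent = "accessPolicies/${local.policy}"
  name   = "accessPolicies/${local.policy}/accessLevels/corp_egress"
  title  = "corp_egress"

  basic {
    conditions {
      ip_subnetworks = ["203.0.113.0/24"]
    }
  }
}

# Service perimeter. With use_explicit_dry_run_spec = true and no `status`
# block, the perimeter is dry-run only: violations are written to audit logs
# but nothing is blocked. To enforce, rename `spec` to `status` and drop
# use_explicit_dry_run_spec.
resource "google_access_context_manager_service_perimeter" "data" {
  parent         = "accessPolicies/${local.policy}"
  name           = "accessPolicies/${local.policy}/servicePerimeters/data"
  title          = "data"
  perimeter_type = "PERIMETER_TYPE_REGULAR"

  use_explicit_dry_run_spec = true

  spec {
    # Projects whose resources sit inside the boundary (by project number).
    resources = ["projects/${var.project_number}"]

    # APIs the perimeter protects; other services are unaffected.
    restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]

    # Internet callers must satisfy this level; traffic from VPC networks
    # inside the perimeter does not need it.
    access_levels = [google_access_context_manager_access_level.corp_egress.name]

    # Limit which Google APIs VMs inside the perimeter can reach at all.
    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = ["storage.googleapis.com", "bigquery.googleapis.com"]
    }
  }
}

# Log-based metric over Cloud Audit Logs: counts requests the dry-run
# perimeter would have denied, which is what to alert on while tuning.
resource "google_logging_metric" "vpcsc_dry_run_violations" {
  project = var.project_id
  name    = "vpcsc_dry_run_violations"
  filter  = <<-EOT
    protoPayload.metadata."@type"="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
    protoPayload.metadata.dryRun="true"
  EOT

  metric_descriptor {
    metric_kind = "DELTA"
    value_type  = "INT64"
  }
}
```

Two caveats when applying this. VMs and on-premises hosts only take the private path the perimeter expects if `*.googleapis.com` resolves to the restricted VIP (`restricted.googleapis.com`, 199.36.153.4/30) and that range is routed over the VPC or the VPN/Interconnect; otherwise their requests arrive over the internet and are evaluated against the access level instead. And the log-based metric is the point of the dry run: watch it until the remaining violations are all ones you intend to block, then enforce by moving `spec` to `status`.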


Reference: Google Documentation
