The Self-Taught Cloud Computing Engineer

Product type: Book
Published in: Sep 2023
Publisher: Packt
ISBN-13: 9781805123705
Edition: 1st Edition
Author: Dr. Logan Song

Dr. Logan Song is the enterprise cloud director and chief cloud architect at Dito. With 25+ years of professional experience, Dr. Song is highly skilled in enterprise information technologies, specializing in cloud computing and machine learning. He is a Google Cloud-certified professional solution architect and machine learning engineer, an AWS-certified professional solution architect and machine learning specialist, and a Microsoft-certified Azure solution architect expert. Dr. Song holds a Ph.D. in industrial engineering, an MS in computer science, and an ME in management engineering. Currently, he is also an adjunct professor at the University of Texas at Dallas, teaching cloud computing and machine learning courses.

Google Cloud Security Services

As we discussed in Part 1 of this book, cloud security is about securing what runs in the cloud: addressing the challenges and applying risk detection, remediation, and prevention. The starting point is the shared responsibility model, in which the cloud service provider (CSP) secures the underlying infrastructure and the customer secures their own data, applications, identities, and configurations. Google treats cloud security as a top priority and has built multiple layers of protection following industry best practices. In this chapter, we will cover the following topics:

  • Google Cloud IAM: Google has enabled granular control over access and permissions to GCP resources and services
  • Google Cloud endpoint security: Google provides protection for GCP endpoints and services, such as virtual machines (VMs), Google Cloud Storage (GCS), and virtual private cloud (VPC) networks
  • Google Cloud data security: We will discuss...

Google Cloud IAM

Google Cloud IAM defines cloud identities, resources, and their relationships. It specifies who (users, groups, or service accounts) has what kind of access (roles) to what cloud resources in the GCP resource hierarchy. Key features of Google Cloud IAM include the following:

  • GCP resource hierarchy: Google Cloud IAM lets you attach an allow policy at any level of the resource hierarchy (organization, folder, project, and resource), and a policy set at a higher level is inherited by every resource beneath it. The effective policy on a resource is the union of its own policy and those of its ancestors, so a grant made at the organization or folder level cannot be taken away by a narrower policy on a child. This lets you manage access efficiently by applying policies at the appropriate level, but it also means broad grants high in the hierarchy must be deliberate and kept to a minimum.
  • Fine-grained access control with roles and permissions: Google Cloud IAM grants access through roles, each a collection of permissions. There are three kinds: basic roles (Viewer, Editor, and Owner), which are broad, project-wide, and best avoided in production; predefined roles, which are service-specific and maintained by Google (for example, a role that can only read objects in Cloud Storage); and custom roles that you assemble from individual permissions to fit your organization's needs. Prefer predefined or custom roles so that each principal receives only the permissions its job requires.
  • Identity federation: Google Cloud IAM supports identity federation, allowing you to integrate...
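
The two points above, inheritance down the hierarchy and roles as bundles of permissions, are easiest to see in a small model of how IAM evaluates an allow policy. The following is an added example written for this page, not code from the book or from Google: the resource names, principals, group membership, and the trimmed role-to-permission tables are constructed, and the model leaves out IAM Conditions, deny policies, and organization policy constraints.

```python
"""Model of how Google Cloud IAM evaluates allow policies over the resource
hierarchy (organization > folder > project > resource).

Added illustration, not code from the book or from Google: the resource
names, principals, group memberships and the trimmed role->permission tables
are constructed for the example.  Real evaluation also involves IAM
Conditions, deny policies and organization policy constraints, which this
model omits.
"""
from dataclasses import dataclass, field
from typing import Optional

# Permissions carried by a few roles (trimmed; the real basic roles carry
# thousands).  Custom roles are keyed by their full name and added the same way.
ROLE_PERMISSIONS = {
    "roles/viewer": {"storage.objects.get", "compute.instances.get"},
    "roles/editor": {"storage.objects.get", "storage.objects.create",
                     "compute.instances.get", "compute.instances.create"},
    "roles/owner": {"storage.objects.get", "storage.objects.create",
                    "compute.instances.get", "compute.instances.create",
                    "resourcemanager.projects.setIamPolicy"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    # Custom role, assumed to be defined on the organization for the example.
    "organizations/123456/roles/bucketAuditor": {"storage.buckets.getIamPolicy"},
}

# Group membership as Cloud Identity would resolve it (constructed).
GROUP_MEMBERS = {
    "group:sec-ops@example.com": {"user:alice@example.com"},
}


@dataclass
class Resource:
    """A node in the hierarchy carrying its own allow policy (role -> members)."""
    name: str
    parent: Optional["Resource"] = None
    bindings: list = field(default_factory=list)   # [(role, {member, ...}), ...]

    def ancestry(self):
        node = self
        while node is not None:
            yield node
            node = node.parent


def member_matches(member: str, principal: str) -> bool:
    """Does a binding member cover the principal?  Direct match, group
    membership, or one of the two special public members."""
    if member == principal or member == "allUsers":
        return True
    if member == "allAuthenticatedUsers":
        return principal.startswith(("user:", "serviceAccount:"))
    return principal in GROUP_MEMBERS.get(member, set())


def granted_roles(principal: str, resource: Resource) -> set:
    """Roles bound to the principal on the resource and on every ancestor.
    The effective policy is the union: a child policy can add grants but
    cannot remove what a parent granted."""
    roles = set()
    for node in resource.ancestry():
        for role, members in node.bindings:
            if any(member_matches(m, principal) for m in members):
                roles.add(role)
    return roles


def has_permission(principal: str, resource: Resource, permission: str) -> bool:
    return any(permission in ROLE_PERMISSIONS.get(r, set())
               for r in granted_roles(principal, resource))


def principals_with_permission(resource: Resource, permission: str, principals) -> set:
    """'Who can do X here', taking inheritance into account."""
    return {p for p in principals if has_permission(p, resource, permission)}


def build_sample_hierarchy():
    """Constructed org > folder > project > bucket, plus a second project."""
    org = Resource("organizations/123456",
                   bindings=[("roles/viewer", {"group:sec-ops@example.com"})])
    folder = Resource("folders/prod", org,
                      bindings=[("roles/storage.objectViewer", {"user:bob@example.com"})])
    project = Resource("projects/prod-app", folder,
                       bindings=[("roles/owner", {"user:carol@example.com"})])
    # A bucket-level policy that grants carol only Viewer: it does NOT shrink
    # the Owner she inherits from the project.
    bucket = Resource("projects/prod-app/buckets/customer-data", project,
                      bindings=[("roles/viewer", {"user:carol@example.com"})])
    sandbox = Resource("projects/sandbox", org)
    return org, folder, project, bucket, sandbox


if __name__ == "__main__":
    org, folder, project, bucket, sandbox = build_sample_hierarchy()
    people = ["user:alice@example.com", "user:bob@example.com", "user:carol@example.com"]
    for p in people:
        print(p, sorted(granted_roles(p, bucket)))
    print("can create objects:",
          principals_with_permission(bucket, "storage.objects.create", people))
```

Walking the ancestry makes the practical consequence visible: alice never appears in any policy near the bucket, yet she can read its objects because her group holds Viewer at the organization, and carol's bucket-level Viewer binding changes nothing about the Owner she inherits from the project. When reviewing access, always ask the question at the resource and let the union answer it, rather than reading one policy in isolation.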

Google Cloud endpoint security

Google Cloud offers a variety of security features and best practices to help protect Google Cloud endpoints, including Google Compute Engine (GCE) VMs, GCS, and VPC networks.

GCE VM security

VMs run on GCE, which has security measures designed to secure the underlying infrastructure, protect VM data, and minimize potential vulnerabilities. Key aspects of Google Cloud VM security include the following:

  • Firewall rules: VPC firewall rules control inbound (ingress) and outbound (egress) traffic to VM instances. They are defined on the VPC network, not on a subnet, are applied to instances by target tag or service account, are evaluated in priority order (lowest number first, with deny winning a tie), and are stateful. Every network also carries two implied rules: deny all ingress and allow all egress. Limiting ingress to specific source ranges, ports, and protocols, and adding explicit egress rules where data exfiltration is a concern, reduces the VM attack surface.
  • Service accounts: VM instances authenticate to other GCP services with the service account attached to them, so the roles on that account define what a compromised VM could reach. Avoid the default Compute Engine service account, which is commonly granted the broad Editor role on the project, and attach a dedicated service account holding only the roles the workload needs.
  • Secure Boot: Part of Shielded VM, Secure Boot has the UEFI firmware verify the digital signature of each boot component (bootloader and kernel) against trusted keys and refuse to boot anything unsigned or modified. Together with the virtual TPM-backed Measured Boot and integrity monitoring, it ensures the boot chain has not been tampered with and raises a finding when it has.
  • OS patch management: This is crucial for security. Google...
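
The firewall behaviour described in the first bullet (priority order, deny winning ties, the two implied rules, and rules attached to the network rather than a subnet) is worth seeing executed. What follows is an added example written for this page, not code from the book or from Google. DEFAULT_NETWORK_RULES mirrors the rules Google creates on the auto-mode 'default' network; the hardened rule set, the instance tags, and the packets are constructed, and the IAP TCP-forwarding range (35.235.240.0/20) and restricted Google APIs range (199.36.153.4/30) are Google's published ranges used as illustration.

```python
"""Evaluator reproducing Google Cloud VPC firewall rule semantics.

Added illustration, not code from the book or from Google.  The rule set
DEFAULT_NETWORK_RULES mirrors the rules Google creates on the 'default'
network; IMPLIED_RULES are the two every VPC network has; the hardened rule
set, the instance tags and the packets are constructed for the example.
Only the first packet of a connection is evaluated: VPC firewall rules are
stateful, so replies to an allowed connection are always permitted.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    direction: str        # "INGRESS" or "EGRESS"
    priority: int         # 0..65535; the lowest number wins
    action: str           # "allow" or "deny"
    ranges: list          # source ranges for ingress, destination ranges for egress
    protocols: dict       # {"tcp": {22}, "icmp": set()}: empty port set = all ports; key "all" = any protocol
    target_tags: set = field(default_factory=set)   # empty = every instance in the network

    def applies_to(self, instance_tags):
        return not self.target_tags or bool(self.target_tags & instance_tags)

    def matches(self, pkt):
        if pkt["direction"] != self.direction:
            return False
        remote = pkt["src"] if self.direction == "INGRESS" else pkt["dst"]
        if not any(ip_address(remote) in ip_network(r) for r in self.ranges):
            return False
        if "all" in self.protocols:
            return True
        ports = self.protocols.get(pkt["proto"])
        if ports is None:
            return False
        return not ports or pkt.get("port") in ports


# Present on every VPC network; cannot be deleted, only overridden by a higher-priority rule.
IMPLIED_RULES = [
    Rule("implied-allow-egress", "EGRESS", 65535, "allow", ["0.0.0.0/0"], {"all": set()}),
    Rule("implied-deny-ingress", "INGRESS", 65535, "deny", ["0.0.0.0/0"], {"all": set()}),
]

# What the auto-created 'default' network ships with: SSH, RDP and ICMP open to the world.
DEFAULT_NETWORK_RULES = [
    Rule("default-allow-internal", "INGRESS", 65534, "allow", ["10.128.0.0/9"],
         {"tcp": set(), "udp": set(), "icmp": set()}),
    Rule("default-allow-ssh", "INGRESS", 65534, "allow", ["0.0.0.0/0"], {"tcp": {22}}),
    Rule("default-allow-rdp", "INGRESS", 65534, "allow", ["0.0.0.0/0"], {"tcp": {3389}}),
    Rule("default-allow-icmp", "INGRESS", 65534, "allow", ["0.0.0.0/0"], {"icmp": set()}),
]

# A tightened set (constructed): SSH only via IAP TCP forwarding to instances tagged "ssh",
# ICMP only from inside the VPC, and egress limited to the restricted Google APIs VIP.
HARDENED_RULES = [
    Rule("allow-ssh-from-iap", "INGRESS", 1000, "allow", ["35.235.240.0/20"], {"tcp": {22}}, {"ssh"}),
    Rule("deny-ssh-from-anywhere", "INGRESS", 1100, "deny", ["0.0.0.0/0"], {"tcp": {22}}),
    Rule("allow-icmp-internal", "INGRESS", 1000, "allow", ["10.128.0.0/9"], {"icmp": set()}),
    Rule("allow-egress-google-apis", "EGRESS", 1000, "allow", ["199.36.153.4/30"], {"tcp": {443}}),
    Rule("deny-egress-all", "EGRESS", 65000, "deny", ["0.0.0.0/0"], {"all": set()}),
]


def evaluate(rules, pkt, instance_tags=frozenset()):
    """Return (action, rule_name) for the packet.  Lowest priority number wins;
    at equal priority a deny beats an allow; the implied rules catch the rest."""
    candidates = [r for r in rules + IMPLIED_RULES
                  if r.applies_to(instance_tags) and r.matches(pkt)]
    best = min(candidates, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return best.action, best.name


if __name__ == "__main__":
    internet_ping = {"direction": "INGRESS", "src": "203.0.113.5", "dst": "10.128.0.2", "proto": "icmp"}
    print("default network, ping from internet:", evaluate(DEFAULT_NETWORK_RULES, internet_ping))
    print("hardened network, ping from internet:", evaluate(HARDENED_RULES, internet_ping))
```

On the default network a ping from the internet is accepted by default-allow-icmp and an outbound ping leaves through the implied allow-egress rule, which is consistent with the "Nothing" answers to the first practice questions below (assuming, as default configuration does, that the VM has an external IP or a Cloud NAT path out). Two caveats the evaluator makes explicit: an allow rule only wins when its priority number is lower than every matching deny, so the hardened set's deny at 1100 is what closes SSH to everyone the IAP rule does not cover; and there is no per-subnet firewall to open, because the rules belong to the VPC network.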

Google Cloud data security

GCP offers a robust set of security features to protect customer data. Most of them build on a few foundational data-security practices, so we will start with data classification.

Data classification and data lineage

Industry data security best practice is to start with a classification standard and then assign a data or resource owner who labels each data resource with its classification. We recommend using data classification, and keeping a consistent level of permissions across the GCP projects and resources that hold data of the same class, to prevent misconfigurations and unauthorized access to sensitive information.

Data lineage is the practice of tracking where data originated, what happened to it, and where it moves over time. Data provenance is the origin, custody, and ownership of data: the documentation of where a piece of data comes from and the process or methodology by which it was produced. Establishing a data labeling/tagging standard...
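
Classification and lineage reinforce each other: a dataset derived from a confidential source is confidential, whatever label someone put on it, and lineage is what lets you prove that. The following is an added example written for this page, not code from the book. The classification ladder, the label key, the inventory, and the lineage edges are constructed; the check treats unlabeled data as the most sensitive class, and reads the "consistent level of permissions" recommendation above as "do not mix classification levels within one project", which is one interpretation rather than the book's stated rule.

```python
"""Lineage-aware data classification check.

Added illustration, not code from the book.  The classification ladder, the
label key, the inventory and the lineage edges are constructed.  Two rules
are enforced: a derived dataset may not be labeled lower than the most
sensitive dataset it was built from, and a project should not mix
classification levels (if every resource in a project carries the same
class, a project-level IAM grant cannot quietly over-expose a more sensitive
one).
"""

LEVELS = ["public", "internal", "confidential", "restricted"]   # ascending sensitivity
LABEL_KEY = "data_classification"                                # assumed label key


def rank(level):
    return LEVELS.index(level)


def declared(labels):
    """Unlabeled data is treated as the most sensitive class until an owner labels it."""
    return labels.get(LABEL_KEY, LEVELS[-1])


# Constructed inventory: resource name -> labels, as resource labels would be exported.
INVENTORY = {
    "projects/analytics/datasets/crm_raw":        {LABEL_KEY: "confidential", "owner": "crm-team"},
    "projects/analytics/datasets/web_clicks":     {LABEL_KEY: "internal", "owner": "web-team"},
    "projects/analytics/datasets/customer_360":   {LABEL_KEY: "internal", "owner": "data-team"},
    "projects/marketing/datasets/campaign_stats": {LABEL_KEY: "public", "owner": "mkt-team"},
    "projects/marketing/datasets/press_releases": {"owner": "comms-team"},   # never labeled
}

# Constructed lineage: derived dataset -> the datasets it was produced from.
LINEAGE = {
    "projects/analytics/datasets/customer_360": ["projects/analytics/datasets/crm_raw",
                                                 "projects/analytics/datasets/web_clicks"],
    "projects/marketing/datasets/campaign_stats": ["projects/analytics/datasets/customer_360"],
}


def effective_level(resource, inventory=INVENTORY, lineage=LINEAGE, _path=frozenset()):
    """Highest classification among the resource and everything upstream of it.
    _path holds the resources on the current recursion path so a cyclic or
    mis-recorded lineage graph terminates at the declared label."""
    own = declared(inventory[resource])
    if resource in _path:
        return own
    upstream = [effective_level(s, inventory, lineage, _path | {resource})
                for s in lineage.get(resource, [])]
    return max([own] + upstream, key=rank)


def under_classified(inventory=INVENTORY, lineage=LINEAGE):
    """Resources whose declared label is lower than their lineage requires,
    mapped to (declared, required)."""
    findings = {}
    for name, labels in inventory.items():
        required = effective_level(name, inventory, lineage)
        if rank(required) > rank(declared(labels)):
            findings[name] = (declared(labels), required)
    return findings


def mixed_level_projects(inventory=INVENTORY):
    """Projects holding resources of more than one classification level."""
    by_project = {}
    for name, labels in inventory.items():
        project = "/".join(name.split("/")[:2])      # "projects/<id>"
        by_project.setdefault(project, set()).add(declared(labels))
    return {p: sorted(lv, key=rank) for p, lv in by_project.items() if len(lv) > 1}


if __name__ == "__main__":
    for name, (have, need) in under_classified().items():
        print(f"{name}: labeled {have}, lineage requires {need}")
    print("projects mixing levels:", mixed_level_projects())
```

Run against the constructed inventory, the check catches the classic leak path: customer_360 was labeled internal although it joins confidential CRM data, and campaign_stats, built from customer_360, was published as public. The project check then shows why the book's recommendation matters: both projects mix levels, so a project-wide Viewer grant intended for the public dataset would also expose the confidential one.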

Google Cloud Monitoring and Logging

The Google Cloud operations suite is the collection of tools and services (Cloud Monitoring, Cloud Logging, Cloud Trace, and related components) that help customers monitor, troubleshoot, and improve the performance of their applications and infrastructure on Google Cloud. The components that matter most for security operations are the following:

  • Cloud Monitoring provides visibility into the performance and availability of cloud applications and infrastructure. It collects and analyzes metrics, including log-based metrics derived from Cloud Logging, and lets you define alerting policies on them; that is how a security signal such as a burst of denied requests or a new public IAM binding turns into a notification.
  • Cloud Logging provides real-time log management and analysis for applications and infrastructure. It collects, stores, and analyzes log data from Google Cloud services, third-party applications, and custom applications. It also holds Cloud Audit Logs, the record of who did what, where, and when in your project (Admin Activity, Data Access, System Event, and Policy Denied logs). Admin Activity logs are always on; Data Access logs are off by default for most services and must be enabled explicitly before they will show you reads of sensitive data.
  • Cloud Trace provides in-depth visibility into application performance by tracing requests across distributed systems. It provides detailed...
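
The audit logs in Cloud Logging are where the security value of the suite lives, and the most useful first detection to build on them is "who widened access, to whom". The following is an added example written for this page, not code from the book or from Google. The four log entries are constructed; their shape follows the Cloud Audit Logs AuditLog payload that Resource Manager and Cloud Storage write for IAM changes (methodName, authenticationInfo.principalEmail, resourceName, serviceData.policyDelta.bindingDeltas), but confirm those field paths against a real entry from your own project before relying on them.

```python
"""Detection over Cloud Audit Log entries: flag IAM policy changes that widen access.

Added illustration, not code from the book or from Google.  The entries in
_ENTRIES are constructed; their layout follows the AuditLog payload written
for SetIamPolicy (Resource Manager) and storage.setIamPermissions (Cloud
Storage), which carries the change as a list of binding deltas.  Verify the
field paths against your own logs before deploying a rule like this.
"""
import json

BASIC_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
IAM_CHANGE_METHODS = {"SetIamPolicy", "storage.setIamPermissions"}


def _audit(service, method, actor, resource, deltas, ts):
    """Build one constructed audit log entry in the AuditLog payload shape."""
    payload = {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": service,
        "methodName": method,
        "authenticationInfo": {"principalEmail": actor},
        "resourceName": resource,
    }
    if deltas is not None:
        payload["serviceData"] = {"policyDelta": {"bindingDeltas": deltas}}
    return {"logName": "projects/prod-app/logs/cloudaudit.googleapis.com%2Factivity",
            "timestamp": ts, "protoPayload": payload}


_ENTRIES = [
    _audit("cloudresourcemanager.googleapis.com", "SetIamPolicy", "alice@example.com",
           "projects/prod-app",
           [{"action": "ADD", "role": "roles/owner", "member": "user:mallory@example.com"},
            {"action": "REMOVE", "role": "roles/viewer", "member": "user:bob@example.com"}],
           "2023-09-01T10:00:00Z"),
    _audit("storage.googleapis.com", "storage.setIamPermissions",
           "deploy-sa@prod-app.iam.gserviceaccount.com", "projects/_/buckets/customer-data",
           [{"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"}],
           "2023-09-01T10:05:00Z"),
    _audit("compute.googleapis.com", "v1.compute.instances.insert", "bob@example.com",
           "projects/prod-app/zones/us-central1-a/instances/vm-1", None,
           "2023-09-01T10:06:00Z"),
    _audit("cloudresourcemanager.googleapis.com", "SetIamPolicy", "carol@example.com",
           "projects/prod-app",
           [{"action": "ADD", "role": "roles/iam.serviceAccountTokenCreator",
             "member": "user:carol@example.com"}],
           "2023-09-01T10:30:00Z"),
]
SAMPLE_LOGS = [json.dumps(e) for e in _ENTRIES]   # one JSON object per line, as a log sink exports


def binding_deltas(entry):
    """(actor, resource, delta) for each binding change in an IAM-modifying entry; [] otherwise."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") not in IAM_CHANGE_METHODS:
        return []
    deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
    resource = payload.get("resourceName", "<unknown>")
    return [(actor, resource, d) for d in deltas]


def classify(actor, resource, delta):
    """Severity and description for a single ADD delta, or None if it is not interesting."""
    if delta.get("action") != "ADD":
        return None                       # removals narrow access; not flagged here
    member, role = delta.get("member", ""), delta.get("role", "")
    if member in PUBLIC_MEMBERS:
        return "CRITICAL", f"{role} granted to {member} on {resource} by {actor}"
    if role in BASIC_ROLES:
        return "HIGH", f"basic role {role} granted to {member} on {resource} by {actor}"
    if member.split(":", 1)[-1] == actor:
        return "HIGH", f"{actor} granted {role} to themselves on {resource}"
    return None


def detect(raw_lines):
    """Run the rules over raw JSON log lines; malformed lines are skipped."""
    findings = []
    for line in raw_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        for actor, resource, delta in binding_deltas(entry):
            hit = classify(actor, resource, delta)
            if hit:
                findings.append({"severity": hit[0], "detail": hit[1],
                                 "timestamp": entry.get("timestamp")})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f["timestamp"], f["severity"], f["detail"])
```

The rules are deliberately narrow: a public member (allUsers or allAuthenticatedUsers) is always critical, a basic role grant is high because it is project-wide, and a principal granting a role to themselves is high because it is the usual shape of privilege escalation after an account is compromised. The same logic, expressed as a Cloud Logging filter feeding a log-based metric, is what the Cloud Monitoring bullet above turns into an alert.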

Google Cloud Security Command Center (SCC)

Google Cloud SCC is a comprehensive security management platform that provides visibility, insights, and tools to help you manage security risks across your GCP resources and applications. Key features of SCC include the following:

  • SCC provides a centralized dashboard that gives you an overview of your GCP assets, vulnerabilities, and security findings, enabling you to monitor and respond to potential risks in real time.
  • SCC automatically discovers and inventories your GCP resources, such as GCE instances, Google App Engine (GAE) applications, and GCS buckets, so that you know the scope of your cloud environment and can manage resource configurations effectively.
  • SCC integrates with various vulnerability scanning and management tools, such as Google Cloud Web Security Scanner and third-party solutions, to identify and remediate vulnerabilities in your web applications and infrastructure.
  • SCC collects security findings from...

Summary

In this chapter, we discussed Google Cloud security concepts, including Google Cloud IAM, endpoint security, data security, monitoring, and logging, and looked at Google Cloud Security Command Center.

This chapter ends the second part of the book: Google Cloud. We have covered GCP by examining its foundational services in terms of compute, storage, and the network; the data services of database and big data; the ML services of Vertex AI and ML API; and the security services. In the next chapter, we will start our journey to the Microsoft Azure cloud.

Practice questions

Questions 1 to 10 are based on Figure 11.10. All configurations are default.

A cloud engineer team logged in to GCE instances VM-1, VM-2, VM-3, and VM-4 in four windows:

Figure 11.10 – GCP diagram

1. What will they need to do so they can ping www.google.com successfully from VM-1?

A. Nothing

B. Open icmp (ping) for the network/VPC1 firewall

C. Open icmp (ping) for the VPC1/subnet11 firewall

D. Open IGW routes for VPC1

2. What will they need to do so they can ping VM-1 successfully from the internet?

A. Nothing

B. Open icmp (ping) for the network/VPC1 firewall

C. Open icmp (ping) for the VPC1/subnet11 firewall

D. Open IGW routes for VPC1

3. What will they need to do so they can ping www.google.com successfully from VM-4?

A. Nothing

B. Open icmp (ping) for the network/VPC3 firewall

C. Open icmp (ping) for the VPC3/subnet3 firewall

D. Open IGW routes for VPC3

4. What will they need to...

Answers to the practice questions

1. A

2. A

3. A

4. B

5. C

6. C

7. A

8. A
