GCP Cloud Foundations #whoami
Federico Fregosi Current: Principal Consultant - Technical
Past:
https://www.linkedin.com/in/federico-fregosi/ About Contino
Contino is a leading transformation consultancy that helps large, heavily-regulated enterprises to become fast, agile and competitive.
360+ 5 300+ 150+ People Global offices Engagements Customers
The deepest pool of We can scale rapidly More DevOps Specializing in helping the DevOps, data & cloud to support diverse transformation executed world's leading brands transformation talent client requirements than any other professional accelerate digital in the industry across the globe services firm transformation
3 Agenda
01 | Cloud Foundations 02 | Organization Structure & Resource Deployment 03 | Authentication & Authorization 04 | Networking 05 | Secrets Management 06 | Logging 07 | Operating Model 08 | FinOps - Billing 09 | Q&A
4 Why Do You Need Cloud Foundations?
Landing zones enable management of standardised GCP projects, which in turn control your Virtual Private Clouds (VPCs) and consumption of GCP cloud services.
● Prevents Project Sprawl: Project provision can be managed as cloud engagement increases
● Minimises Engineering Overhead: Eliminating manual changes reduces complexity and enables scalability and consistency
● Enables Scaling by Design: Management of services and infrastructure in public cloud is made simple by the use of a well-designed landing zone
● Accelerates Consumption of Cloud Services: Allows for GCP projects to be provisioned with a standard set of tooling and services
5 Core Features
GCP Core System Operational Security, privacy, and Reliability Performance and cost Design Practices Excellence compliance optimisation
Aligned with “Best practices” and the 5 pillars of “Google Cloud's Architecture Framework” principles
6 What is a Landing Zone?
On-Prem Quota Connectivity Monitoring Hybrid Billing Logging Cloud URL Organization Filtering Policies Log Security Compliance Exports SaaS integrations Resource Project SIEM Integration Deployment Factory Google Kubernetes CI/CD Secure Secrets Engine Baseline Dns Hub
Cloud SSO & Active Data Directory Platform Notifications Integration
7 GitHub solutions
● https://github.com/terraform-google-mod ules/terraform-google-project-factory
● https://github.com/terraform-google-mod ules/terraform-example-foundation
● https://github.com/contino/terraform-gcp -modules
● https://github.com/GoogleCloudPlatform /cloud-foundation-toolkit
8 Organization Structure GCP Resource Management
● Cloud Resource Manager provides project management & IAM functionality
● The top level component is the GCP organization.
● An organization is tied to a GSuite OR a Cloud Identity account
● Most of the available resources are deployed into a project.
● A project is the main isolation “container” in GCP
10 GCP Resource Management
The effective policy for a resource is the union of the policy set at that resource and the policy inherited from its Top-down parent. access inheritance: Additive only
11 Cloud Resource Manager: Organization Hierarchy
The Common folder will include the following baseline projects:
● Interconnect - connectivity between an enterprise's on-premises environment and Google Cloud.
● DNS Hub - central point of communication between an enterprise’s on-premises DNS system and Cloud DNS.
● Notifications - managing Security Command Center alerting.
● Logging - destination for log sink and detective controls.
● Secrets - organization-level secrets.
12 Organisation Policies
The Organization Policy Service constrains the allowed resource configurations. Policies can be applied to the Organisation, Folders, and Projects.
*Requires IAM role: Organization policy / organization policy administrator
13 Organization Policy Hierarchy Evaluation
Resource 3 defines a custom policy that sets inheritFromParent to FALSE and allows yellow hexagon. The effective policy evaluates to only allow yellow In this example, the Organization Node defines hexagon. a policy that allows red square and green circle. Resource 4 defines a custom policy that sets inheritFromParent Resource 1 defines a custom policy to FALSE and includes the that sets inheritFromParent to TRUE restoreDefaultvalue. The default and allows blue diamond. The constraint behavior is used, so the effective policy evaluates to allow red effective policy evaluates to allow square, green circle, and blue all. diamond. Note: The exceptions are always Resource 2 defines a custom policy set by org-level Organization that sets inheritFromParent to TRUE Policy roles, and not by and denies green circle. Deny takes project-level roles. precedence. The effective policy evaluates to allow only red square. Resource Deployment Cloud Fundations Creation
The seed project contains the Terraform state of the foundation infrastructure, a highly privileged service account that's able to create new infrastructure, and the encryption configuration to protect that state.
Create Create Seed Leverage Organization Create Project using Project based on your Landing Zone CLI Factory domain
Attach Billing Administrator Project Vending Account
Create Service Account
Grant SA permission
Enable APIs
16 Project Factory
Project creation is a Automatic repetitive task. Projects are created automatically and consistently based on Infrastructure as Code methodology (Terraform and advanced project vending). Projects should be configured to consistently meet the organization needs:
● Project ID/name naming convention ● Billing account linking ● Networking configuration ● Enabled APIs/services ● Compute Engine access configuration ● Exporting logs and usage reports ● Project removal line ● And more 17 Project Factory - Vending Process
Apply CIS Add to Enable GCP Project IAM Baseline Benchmark Compliance access to Creation Configuration configuration Service account
Place into GCP Project Provision Baseline Add To security Create Group and Org/Folder IAM Configuration Requestor IAM Roles Command Center App Roles in AD (Business Unit)
Inherit/Define Create Service Logging & Event Threat Organization Add Users to Group Account Configuration Detection Policies
Attach Billing Networking Add Service Account Account (Shared VPC) to the Group
Enable APIs
18 Operator Personas & Direct Console Application User Personas Service Users Users Users
App Application: Automation Containers Images Central or RPMs App Operator BYO
Service Automation Managed Services: VMs, Anthos, Databases, Pub/Sub Central or Service Operator BYO
Infra GCP Foundation: Pipeline IAM, Routing, Firewalls, VPCs Central Subnets, Projects, Folders,, Org Policy Platform Operator
19 Continuous Integration and Delivery on GCP
Google Cloud environment(s) Continuous Integration Compute Engine
Source code Build/Test Artifact Mgmt. Deploy App Monitor/Test Engine Cloud Source Cloud Registry / Cloud Build Spinnaker Stackdriver Repository Cloud Storage Kubernetes Engine
Cloud Functions
On-premise
Source Cluster
Cluster
20 Application CI/CD - Supporting Services
Cloud Container Cloud Build Source Repos Registry
● Private Git repositories hosted on ● Hosted build execution on Google Cloud ● Hosted image repository Google Cloud ● Build container images or non-container ● Push builds to Container Registry ● Easily perform Git operations required artifacts from Cloud Build by your workflow ● Trigger new builds based on changes to ● Analyze images to ● Sync to existing GitHub or Bitbucket CSR or other repo ● Discover vulnerabilities repo
Container Spinnaker Analysis API
● Open source, multi-cloud application ● Store, query, and retrieve critical deployment platform metadata about software artifacts ● Built-in best practices for deployment ● Query all metadata across all of your ● Supports many deployment best practices components in real time
21 Implementing Changes
The toolkit encourages customers to collaborate on infrastructure through a compliant and secure platform.
Developer Administrator Administrator CI/CD updates CI runs submits reviews for merges the deployed validation pull request policy compliance new config infrastructure
Collaborate in Reduce manual effort source control and errors
Ensure Enforce policies consistency proactively 22 Continuous Compliance. It’s always green.
23 Authentication & Authorization Authentication & Authorization
In order to ensure a consistent and secure manner of accessing the cloud environment and the various resources under the scope of the Landing Zone implementation, the following aspects will be considered and included in the initial landing zone deployment.
Components ● Native user and group management: Cloud identity provides unified identity, access, app, and endpoint management (IAM/EMM) platform. ● Active Directory integration and Single Sign-on (SSO): By leveraging Google Directory Sync, we can map Active Directory forests, domains, users, and groups to Cloud Identity entities ● Roles and permissions: Standardised IAM roles and permission policies will be created to satisfy the principle of least privilege.
25 Cloud Identity
Chrome ● Cloud Identity is an Identity as a Service (IDaaS) Apps for Work solution that allows you to centrally manage users and groups who can access Google Cloud Android and G Suite cloud resources for Work ● It is the same identity service that powers G People Suite and can also be used as IdP for 3rd party applications (supports SAML and LDAP applications)
Google Cloud Identity Cloud Devices
26 Cloud Identity
Cloud Manual Identity Users
APIs Groups Cloud IAM GCP Resources CSV Org Units Upload
Users and groups created in Cloud Identity are the Google Identities that can be assigned IAM roles in the GCP console
The Cloud Identity roles only manage aspects of Cloud Identity such as user/group management, and are different from GCP roles which manage permissions to cloud resources
27 Cloud Identity - Typical Architecture
Intranet SaaS
Legacy IT Infra (LDAP) Applications Secure LDAP
IT Infrastructure
VPN Secure LDAP Radius server MS Infra, (Wifi AuthN) Print, File, Certificate GCDS
Secure LDAP Legacy Apps (LDAP)
28 Active Directory Integration
While Cloud Identity provides the necessary functionality to manage Google identities (users and groups) for use in a GCP environment, this might add unnecessary overhead for customers with existing on-premises AD deployments. The following steps are required for AD integration setup: ● Provisioning users - Relevant users and groups are one-way synchronized periodically from Active Directory to Cloud Identity. This process does not sync passwords as all authentication will be done through the on-premises Active directory ● Single Sign-on - Whenever a user needs to authenticate, Google Cloud delegates the authentication to Active Directory by using the Security Assertion Markup Language (SAML) protocol. This delegation ensures that only Active Directory manages user credentials and that any applicable policies or multi-factor authentication (MFA) mechanisms are being enforced
29 Cloud Directory Sync Implementation
Google Cloud Directory Sync (GCDS) is deployed on 1 an on-premises domain joined VM, either Linux or Windows.
Leveraging cron, GCDS is triggered automatically at 2 regular intervals to sync identities between Active Directory and Cloud Identity
In order to filter which users or groups are synced with Cloud Identity, an attribute is added to the 3 users in AD and Directory Sync filters are implemented to filter based on the provided attribute.
30 Authorization with IAM
Roles are a collection of permissions that may be assigned to users, groups and service accounts. Permissions grant the ability to execute specific API calls, for example: compute.instances.create
Primitive Roles Predefined Roles Custom Roles
Legacy Google Cloud roles More granular roles than Ability to create roles with a that grant broader set of primitive, based on job specific permission set. permissions function. (Owner, Editor, Viewer).
31 Authorization with IAM
Give access to a subset of resources within a project
Condition access based on context-aware access levels
Grant time limited IAM policies
32 Best Practices
Controversial Follow Industry
Approaches Standards
● Disabling APIs by default
● Deleting Default Service Accounts
● G-Suite Super Admin Role management
● Controlling Scopes ● CIS Benchmarks ● Using Service Accounts outside original ● NIST Cybersecurity Framework project
33 Networking Networking Considerations
Components
Support for Shared VPC Network private DNS Architecture Security
35 Shared VPC - Introduction
Shared VPC allows an organization to connect resources from multiple projects to a common Virtual Private Cloud (VPC) network, so that they can communicate with each other securely and efficiently using internal IPs from that network.
Definition: ● Host Project: contains one or more Shared VPC networks. A Shared VPC Admin must first enable a project as a host project. After that, a Shared VPC Admin can attach one or more service projects to it. ● Service Project: A service project is any project that has been attached to a host project by a Shared VPC Admin. This attachment allows it to participate in Shared VPC. It's a common practice to have multiple service projects operated and administered by different departments or teams in your organization.
36 Shared VPC
37 DNS - Hub-and-spoke model
38 Firewall Rules
Target Ingress rule Source
Service account Network Allow/Deny Ingress rule VPC Firewall VM IP range/CIDR Instances by tag Target tag Instance tag or service ● Stateful with connection Service account account tracking Ingress rule ● Distributed: enforced on All instances in underlying host network Egress rule Destination Implied Rules
Service account ● Ingress deny ● Egress allow Allow/Deny IP range/CIDR Egress rule
Target tag
39 VPC Service Controls
Unauthorized Service Perimeter client Authorized VM to Extend perimeter security to managed GCP Project GCP service services
● Control VM-to-service and service-to-service paths. Access from Internet ● Ingress: prevent access from the unauthorized networks.
Private PII Data GCP service ● Egress: prevent copying of data to Unauthorized Unauthorized access Project to unauthorized GCP Projects. VPC project GCP service project
● Project level granularity.
40 Connectivity Options
Public Internet (IPSEC VPN) Cloud Interconnect Peering
● Fastest way to connect to ● Enterprise-grade, private ● Access G Suite and Google the cloud or between connectivity to GCP services, as well as GCP clouds with reduced egress rates ● Provisioned as a dedicated ● Leverages existing internet link to a Google PoP or via ● Utilizes existing BGP route network connectivity a partner selection and internet routing ● Supports high availability ● Dedicated Interconnect: and aggregated bandwidth Highest bandwidth with ● Greater control of peering with 1.5 to 3 Gbps per 10 Gbps and 100 Gbps facilities tunnel links ● Direct or carrier ● Static/dynamic (BGP) ● Partner Interconnect offers based VPC more flexible subscriptions (50 Mbps to 10 Gbps) ● Easy HA setup: 99.99% SLA
41 On-premises Connectivity Cloud Interconnect Metro Area
Project Colo Facility On-premises
VPC ● us-west1 | 10.240.1/24 IA BGP Layer 2 connectivity 169.254.68.50 169.254.68.52 10.120.1.1 Cloud ASN: 64513 ASN: 12345 ● Up to eight 10 Gbps links, or Google Peering Router 1 Router Edge - Zone 1 two 100 Gbps links 10.120.1/24 ● Same Interconnect can link to 10.130.1/24 multiple VPCs within the Colo Facility same project VPC Routing 10.140.1/24 us-west1 | 10.240.0/24 IA BGP ● 99.9% or 99.99% SLAs
169.254.68.51 169.254.68.53 depending on the architecture 10.130.1.2 Cloud ASN: 64513 ASN: 12345 Google Peering Router 2 chosen Router Edge - Zone 2
us-central1 | 10.250.0/24
42 Zero Trust Networking Access Context Manager - Access Levels
Context-Aware Access Suite of Products Attributes Policy Apps & Data collects attributes and data Context of the user Define and apply Protect all critical and request policies data ● Endpoint verification collects device identity and security posture
● Cloud Identity provides user information
Access Context Manager Defines Authorization Rules Employee Device ● Define rules around geography, device Rules Engine status, time of day, etc for granting access
Location
User + Device + Context is the new security perimeter
44 Identity-aware Proxy
Central enforcement
● Single point of control for managing user access ● Security team can define and enforce policy
Access control
● Control access by user identity ● Apply policy by group membership ● Supports 2FA Security Keys
Deployment
● Little to no change to applications ● No need to implement own authentication for each application ● Integrated with HTTP(s) Load Balancer
45 Detective Controls
46 Cloud DLP (Data Loss Prevention)
Cloud Data Loss Prevention provides programmatic access to a powerful detection engine for PII Data
Redaction “This is my credit card: ******”
Hashing or tokenizing
“This is my credit card: ga+32mx32s2as8cw38AEfknsFthc”
Data Loss Format preserving Prevention encryption or tokenization Raw API Data
“This is my credit card: 5432-4232-4232-6322”
47 Implementation Cloud BigQuery Datastore Storage
Action: Output Trigger Scan Detailed Findings one time, on schedule, etc. BigQuery
Cloud DLP UI or API
t
Cloud Security Command Center Action: Outpu Findings Summary
48 Secrets Management Secret Manager Supports versioning Follows Principle of Least Privilege ● Global Names and Replication
Integrated with Cloud KMS Audit Logging Accessible from Hybrid Environments Strong Encryption
50 Global Names and Regional Data
projects/my-project/secrets/my-secret
us-east-1 us-west-2 europe-north1
[***] [***] [***]
51 Key Management Comparison
Default CMEK Role CSEK Encryption via Cloud KMS
Supported Products All BigQuery, Compute Engine, Cloud Storage, Dataproc, Compute Engine, Cloud Storage Dataflow, Kubernetes Engine, Cloud SQL
Key Management Effort None Medium High
Data Encryption None Low Medium (GCE,GCS) Effort
Key rotation effect on Automatic Re-Encrypt All data Re-Encrypt All data encrypted data
52 Logging Stackdriver
Monitoring Logging Performance Multi-cloud
● Endpoint checks ● Filter, search, and ● Built on the same ● Google Cloud to internet-facing view systems that Platform, Amazon services power Google’s Web Services, ● Define metrics, global Hybrid ● Uptime checks for dashboards, and infrastructure configuration URLs, groups, or alerts resources ● Unprecedented ● Combines metrics, ● Export to scale, logs, and metadata ● Plugins for many BigQuery, Google performance, and major stacks Cloud Storage, and resiliency (Apache, MySQL, Pub/Sub CouchDB etc.)
54 Log Compliance
Separation of Duties Least privilege Non-repudiation (SoD) ● Only grant the ● Cloud Storage ● Use Aggregated right level of automatically Exports to permissions encrypts all data centralise all logs required on the before it is written from all projects project / bucket to disk into a single containing the separate project, logs ● Additional with different fortification can ownership than ● Avoid granting be implemented the source permissions to by delete buckets / object-versioning ● Choose Cloud objects log buckets in Storage as the conjunction with destination a Bucket Lock
55 Security Logging
Application Logging project project
Log redirection
Custom fluentd config
project: my-app project: security linked to jsonPayload: { linked to “user”:”xxx”, “group”:”yyy”, “account”:”123” Logging } Logging Cloud Operations Cloud Operations Account 1 Account 2
56 Log Exports Common Pattern
Table expiration time
Dataset location
BigQuery
Bucket type Log Object lifecycle (retention for objects) export Bucket lock (securing objects)
Cloud Storage Stackdriver Logs Logging An organization-level log sink aggregates logs on the Log streaming (integration with log analysis tools) organization level. Acknowledgement deadline for the subscriber
Cloud Pub/Sub
57 Security Information and Event Management
Organization can export their logs to a third party SIEM solution
Integration through
● Agents @ SIEM side ● Add-on or connector
Example integrations
● Splunk Add-on for Google Cloud
● Elasticsearch Cloud Pub/Sub -> Logstash|Beats -> ES -> Kibana
● Sumo Logic Cloud Pub/Sub -> API webhook -> Sumo
● ArcSight FlexConnector for REST
58 Cloud Logging
59 Alerting
Project Static thresholds
Kubernetes cluster Group thresholds Conditions Percent change in X Pod seconds
Signal Duration window Policy Stackdriver Virtual Machines Monitoring
Notification channels SMS
Signal
60 FinOps - Billing FinOps - Billing
Billing accounts are payment vehicles for your Google Cloud spend. They come in two types:
Offline Online
Billing account Billing account
Project 1 Project 2 Project 3 Project 4
Org node 1 Org node 2 Consumer
62 FinOps - Billing Billing account ● Use Project Factory to (IaC) provision Billing export projects and set billing accounts Credits applied Project Factory ● Hierarchical
A billing account can be ● Resources have manually added with correct consistent naming and IAM permissions, however this labelling standards to should be automated allow for cost attribution
● Report on costs Project Project ● Ensure budgets and spend alerts are in place to control spend
Project-level bill Project-level bill ● Forecast usage costs
Bills itemized by resource type
63 Operating Model The Model Needs to Fit in the Wider Digital Context Product Management
Software Cloud Delivery
Corporate Key Points: Strategy
IT Finance ● Cloud op model is only a part of the overall IT op model
● The IT op model is only a part of the Enterprise Human broader enterprise op model Marketing Operating Resources ● There are a number of dependencies, Model intersects and dependencies across the enterprise wide op model
Business Operations Change
Sales
65 Elements of Cloud Operating Model
Cloud Processes: Cloud Vision: The chain of practices Why are we leveraging Cloud Vision through which value is cloud delivered Cloud Processes - Value Delivery Chain
Cloud Operating Building Blocks
Capabilities for best use of cloud Cloud Operating Building Blocks Cloud Technology Cloud Organisation
Selected platforms, How our teams and Cloud Organisation Cloud Technology supporting technology people are organised and tooling
Cloud Governance Cloud Metrics
How our teams and Cloud Governance Cloud Metrics Measurement of cloud people are organised use, consumption and benefit There is a Need to Transition to a New Shared Responsibility Model Functional Application 3rd Party User Testing Requirements Access Control Management
Application Infrastructure Performance Business Case Deployment Deployment Management
Patch Environment Data Encryption Cost Management Management Provisioning Customer Key Points: Vulnerable Prerequisite Management Management ● Customer is a supplier of requirements Networking VM Backup/ Data Backup/ Incident Fault Monitoring/Alertin with shared responsibility for build Recovery Recovery Resolution g within your company. Compliance Cloud Identities Transit Services Monitoring/Alertin Directory Services ● Customer teams consume reusable g Application Service Reusable laC Golden Image
assets from central repository. Cloud Monitoring/Alertin Management Modules Management Services g ● Run responsibilities owned by your Shared/Reusable company and partners Tooling
Compute Storage Databases Networking
Regions Availability Edge Locations Cloud Provider
67 Operating Model
Decentralized Centralized
Access to and control of Google Cloud is shared Access and control of Google Cloud is centrally among developers and engineers across the controlled by Corporate IT or Operations. company. Corporate IT has little to no involvement ● Administering the platform with running the platform. ● Granting access to engineers and ● Corporate IT: Creation of folders, shared developers as required services, and common configuration ● Developers and engineers: Creation of projects and, optionally, additional folders under the relevant folder
68 Questions ?
[email protected] https://www.linkedin.com/in/federico-fregosi/