GCP Cloud Foundations #Whoami

GCP Cloud Foundations #whoami

Federico Fregosi Current: Principal Consultant - Technical

Past:

https://www.linkedin.com/in/federico-fregosi/ About Contino

Contino is a leading transformation consultancy that helps large, heavily-regulated enterprises to become fast, agile and competitive.

360+ 5 300+ 150+ People Global oﬃces Engagements Customers

The deepest pool of We can scale rapidly More DevOps Specializing in helping the DevOps, data & cloud to support diverse transformation executed world's leading brands transformation talent client requirements than any other professional accelerate digital in the industry across the globe services ﬁrm transformation

3 Agenda

4 Why Do You Need Cloud Foundations?

Landing zones enable management of standardised GCP projects, which in turn control your Virtual Private Clouds (VPCs) and consumption of GCP cloud services.

● Prevents Project Sprawl: Project provision can be managed as cloud engagement increases

● Minimises Engineering Overhead: Eliminating manual changes reduces complexity and enables scalability and consistency

● Enables Scaling by Design: Management of services and infrastructure in public cloud is made simple by the use of a well-designed landing zone

● Accelerates Consumption of Cloud Services: Allows for GCP projects to be provisioned with a standard set of tooling and services

5 Core Features

GCP Core System Operational Security, privacy, and Reliability Performance and cost Design Practices Excellence compliance optimisation

Aligned with “Best practices” and the 5 pillars of “Google Cloud's Architecture Framework” principles

6 What is a Landing Zone?

On-Prem Quota Connectivity Monitoring Hybrid Billing Logging Cloud URL Organization Filtering Policies Log Security Compliance Exports SaaS integrations Resource Project SIEM Integration Deployment Factory Google Kubernetes CI/CD Secure Secrets Engine Baseline Dns Hub

Cloud SSO & Active Data Directory Platform Notiﬁcations Integration

7 GitHub solutions

● https://github.com/terraform-google-mod ules/terraform-google-project-factory

● https://github.com/terraform-google-mod ules/terraform-example-foundation

● https://github.com/contino/terraform-gcp -modules

● https://github.com/GoogleCloudPlatform /cloud-foundation-toolkit

8 Organization Structure GCP Resource Management

● Cloud Resource Manager provides project management & IAM functionality

● The top level component is the GCP organization.

● An organization is tied to a GSuite OR a Cloud Identity account

● Most of the available resources are deployed into a project.

● A project is the main isolation “container” in GCP

10 GCP Resource Management

The effective policy for a resource is the union of the policy set at that resource and the policy inherited from its Top-down parent. access inheritance: Additive only

11 Cloud Resource Manager: Organization Hierarchy

The Common folder will include the following baseline projects:

● Interconnect - connectivity between an enterprise's on-premises environment and Google Cloud.

● DNS Hub - central point of communication between an enterprise’s on-premises DNS system and Cloud DNS.

● Notiﬁcations - managing Security Command Center alerting.

● Logging - destination for log sink and detective controls.

● Secrets - organization-level secrets.

12 Organisation Policies

The Organization Policy Service constrains the allowed resource conﬁgurations. Policies can be applied to the Organisation, Folders, and Projects.

*Requires IAM role: Organization policy / organization policy administrator

13 Organization Policy Hierarchy Evaluation

Resource 3 defines a custom policy that sets inheritFromParent to FALSE and allows yellow hexagon. The effective policy evaluates to only allow yellow In this example, the Organization Node defines hexagon. a policy that allows red square and green circle. Resource 4 defines a custom policy that sets inheritFromParent Resource 1 defines a custom policy to FALSE and includes the that sets inheritFromParent to TRUE restoreDefaultvalue. The default and allows blue diamond. The constraint behavior is used, so the effective policy evaluates to allow red effective policy evaluates to allow square, green circle, and blue all. diamond. Note: The exceptions are always Resource 2 defines a custom policy set by org-level Organization that sets inheritFromParent to TRUE Policy roles, and not by and denies green circle. Deny takes project-level roles. precedence. The effective policy evaluates to allow only red square. Resource Deployment Cloud Fundations Creation

The seed project contains the Terraform state of the foundation infrastructure, a highly privileged service account that's able to create new infrastructure, and the encryption conﬁguration to protect that state.

Create Create Seed Leverage Organization Create Project using Project based on your Landing Zone CLI Factory domain

Attach Billing Administrator Project Vending Account

Create Service Account

Grant SA permission

Enable APIs

16 Project Factory

Project creation is a Automatic repetitive task. Projects are created automatically and consistently based on Infrastructure as Code methodology (Terraform and advanced project vending). Projects should be conﬁgured to consistently meet the organization needs:

● Project ID/name naming convention ● Billing account linking ● Networking conﬁguration ● Enabled APIs/services ● Compute Engine access conﬁguration ● Exporting logs and usage reports ● Project removal line ● And more 17 Project Factory - Vending Process

Apply CIS Add to Enable GCP Project IAM Baseline Benchmark Compliance access to Creation Conﬁguration conﬁguration Service account

Place into GCP Project Provision Baseline Add To security Create Group and Org/Folder IAM Conﬁguration Requestor IAM Roles Command Center App Roles in AD (Business Unit)

Inherit/Deﬁne Create Service Logging & Event Threat Organization Add Users to Group Account Conﬁguration Detection Policies

Attach Billing Networking Add Service Account Account (Shared VPC) to the Group

Enable APIs

18 Operator Personas & Direct Console Application User Personas Service Users Users Users

App Application: Automation Containers Images Central or RPMs App Operator BYO

Service Automation Managed Services: VMs, Anthos, Databases, Pub/Sub Central or Service Operator BYO

Infra GCP Foundation: Pipeline IAM, Routing, Firewalls, VPCs Central Subnets, Projects, Folders,, Org Policy Platform Operator

19 Continuous Integration and Delivery on GCP

Google Cloud environment(s) Continuous Integration Compute Engine

Source code Build/Test Artifact Mgmt. Deploy App Monitor/Test Engine Cloud Source Cloud Registry / Cloud Build Spinnaker Stackdriver Repository Cloud Storage Kubernetes Engine

Cloud Functions

On-premise

Source Cluster

Cluster

20 Application CI/CD - Supporting Services

Cloud Container Cloud Build Source Repos Registry

● Private Git repositories hosted on ● Hosted build execution on Google Cloud ● Hosted image repository Google Cloud ● Build container images or non-container ● Push builds to Container Registry ● Easily perform Git operations required artifacts from Cloud Build by your workﬂow ● Trigger new builds based on changes to ● Analyze images to ● Sync to existing GitHub or Bitbucket CSR or other repo ● Discover vulnerabilities repo

Container Spinnaker Analysis API

● Open source, multi-cloud application ● Store, query, and retrieve critical deployment platform metadata about software artifacts ● Built-in best practices for deployment ● Query all metadata across all of your ● Supports many deployment best practices components in real time

21 Implementing Changes

The toolkit encourages customers to collaborate on infrastructure through a compliant and secure platform.

Developer Administrator Administrator CI/CD updates CI runs submits reviews for merges the deployed validation pull request policy compliance new conﬁg infrastructure

Collaborate in Reduce manual effort source control and errors

Ensure Enforce policies consistency proactively 22 Continuous Compliance. It’s always green.

23 Authentication & Authorization Authentication & Authorization

In order to ensure a consistent and secure manner of accessing the cloud environment and the various resources under the scope of the Landing Zone implementation, the following aspects will be considered and included in the initial landing zone deployment.

Components ● Native user and group management: Cloud identity provides uniﬁed identity, access, app, and endpoint management (IAM/EMM) platform. ● Active Directory integration and Single Sign-on (SSO): By leveraging Google Directory Sync, we can map Active Directory forests, domains, users, and groups to Cloud Identity entities ● Roles and permissions: Standardised IAM roles and permission policies will be created to satisfy the principle of least privilege.

25 Cloud Identity

Chrome ● Cloud Identity is an Identity as a Service (IDaaS) Apps for Work solution that allows you to centrally manage users and groups who can access Google Cloud Android and G Suite cloud resources for Work ● It is the same identity service that powers G People Suite and can also be used as IdP for 3rd party applications (supports SAML and LDAP applications)

Google Cloud Identity Cloud Devices

26 Cloud Identity

Cloud Manual Identity Users

APIs Groups Cloud IAM GCP Resources CSV Org Units Upload

Users and groups created in Cloud Identity are the Google Identities that can be assigned IAM roles in the GCP console

The Cloud Identity roles only manage aspects of Cloud Identity such as user/group management, and are different from GCP roles which manage permissions to cloud resources

27 Cloud Identity - Typical Architecture

Intranet SaaS

Legacy IT Infra (LDAP) Applications Secure LDAP

IT Infrastructure

VPN Secure LDAP Radius server MS Infra, (Wiﬁ AuthN) Print, File, Certiﬁcate GCDS

Secure LDAP Legacy Apps (LDAP)

28 Active Directory Integration

While Cloud Identity provides the necessary functionality to manage Google identities (users and groups) for use in a GCP environment, this might add unnecessary overhead for customers with existing on-premises AD deployments. The following steps are required for AD integration setup: ● Provisioning users - Relevant users and groups are one-way synchronized periodically from Active Directory to Cloud Identity. This process does not sync passwords as all authentication will be done through the on-premises Active directory ● Single Sign-on - Whenever a user needs to authenticate, Google Cloud delegates the authentication to Active Directory by using the Security Assertion Markup Language (SAML) protocol. This delegation ensures that only Active Directory manages user credentials and that any applicable policies or multi-factor authentication (MFA) mechanisms are being enforced

29 Cloud Directory Sync Implementation

Google Cloud Directory Sync (GCDS) is deployed on 1 an on-premises domain joined VM, either Linux or Windows.

Leveraging cron, GCDS is triggered automatically at 2 regular intervals to sync identities between Active Directory and Cloud Identity

In order to filter which users or groups are synced with Cloud Identity, an attribute is added to the 3 users in AD and Directory Sync filters are implemented to filter based on the provided attribute.

30 Authorization with IAM

Roles are a collection of permissions that may be assigned to users, groups and service accounts. Permissions grant the ability to execute speciﬁc API calls, for example: compute.instances.create

Primitive Roles Predeﬁned Roles Custom Roles

Legacy Google Cloud roles More granular roles than Ability to create roles with a that grant broader set of primitive, based on job speciﬁc permission set. permissions function. (Owner, Editor, Viewer).

31 Authorization with IAM

Give access to a subset of resources within a project

Condition access based on context-aware access levels

Grant time limited IAM policies

32 Best Practices

Controversial Follow Industry

Approaches Standards

● Disabling APIs by default

● Deleting Default Service Accounts

● G-Suite Super Admin Role management

● Controlling Scopes ● CIS Benchmarks ● Using Service Accounts outside original ● NIST Cybersecurity Framework project

33 Networking Networking Considerations

Components

Support for Shared VPC Network private DNS Architecture Security

35 Shared VPC - Introduction

Shared VPC allows an organization to connect resources from multiple projects to a common Virtual Private Cloud (VPC) network, so that they can communicate with each other securely and eﬃciently using internal IPs from that network.

Deﬁnition: ● Host Project: contains one or more Shared VPC networks. A Shared VPC Admin must ﬁrst enable a project as a host project. After that, a Shared VPC Admin can attach one or more service projects to it. ● Service Project: A service project is any project that has been attached to a host project by a Shared VPC Admin. This attachment allows it to participate in Shared VPC. It's a common practice to have multiple service projects operated and administered by different departments or teams in your organization.

36 Shared VPC

37 DNS - Hub-and-spoke model

38 Firewall Rules

Target Ingress rule Source

Service account Network Allow/Deny Ingress rule VPC Firewall VM IP range/CIDR Instances by tag Target tag Instance tag or service ● Stateful with connection Service account account tracking Ingress rule ● Distributed: enforced on All instances in underlying host network Egress rule Destination Implied Rules

Service account ● Ingress deny ● Egress allow Allow/Deny IP range/CIDR Egress rule

Target tag

39 VPC Service Controls

Unauthorized Service Perimeter client Authorized VM to Extend perimeter security to managed GCP Project GCP service services

● Control VM-to-service and service-to-service paths. Access from Internet ● Ingress: prevent access from the unauthorized networks.

Private PII Data GCP service ● Egress: prevent copying of data to Unauthorized Unauthorized access Project to unauthorized GCP Projects. VPC project GCP service project

● Project level granularity.

40 Connectivity Options

Public Internet (IPSEC VPN) Cloud Interconnect Peering

● Fastest way to connect to ● Enterprise-grade, private ● Access G Suite and Google the cloud or between connectivity to GCP services, as well as GCP clouds with reduced egress rates ● Provisioned as a dedicated ● Leverages existing internet link to a Google PoP or via ● Utilizes existing BGP route network connectivity a partner selection and internet routing ● Supports high availability ● Dedicated Interconnect: and aggregated bandwidth Highest bandwidth with ● Greater control of peering with 1.5 to 3 Gbps per 10 Gbps and 100 Gbps facilities tunnel links ● Direct or carrier ● Static/dynamic (BGP) ● Partner Interconnect offers based VPC more ﬂexible subscriptions (50 Mbps to 10 Gbps) ● Easy HA setup: 99.99% SLA

41 On-premises Connectivity Cloud Interconnect Metro Area

Project Colo Facility On-premises

VPC ● us-west1 | 10.240.1/24 IA BGP Layer 2 connectivity 169.254.68.50 169.254.68.52 10.120.1.1 Cloud ASN: 64513 ASN: 12345 ● Up to eight 10 Gbps links, or Google Peering Router 1 Router Edge - Zone 1 two 100 Gbps links 10.120.1/24 ● Same Interconnect can link to 10.130.1/24 multiple VPCs within the Colo Facility same project VPC Routing 10.140.1/24 us-west1 | 10.240.0/24 IA BGP ● 99.9% or 99.99% SLAs

169.254.68.51 169.254.68.53 depending on the architecture 10.130.1.2 Cloud ASN: 64513 ASN: 12345 Google Peering Router 2 chosen Router Edge - Zone 2

us-central1 | 10.250.0/24

42 Zero Trust Networking Access Context Manager - Access Levels

Context-Aware Access Suite of Products Attributes Policy Apps & Data collects attributes and data Context of the user Deﬁne and apply Protect all critical and request policies data ● Endpoint veriﬁcation collects device identity and security posture

● Cloud Identity provides user information

Access Context Manager Deﬁnes Authorization Rules Employee Device ● Deﬁne rules around geography, device Rules Engine status, time of day, etc for granting access

Location

User + Device + Context is the new security perimeter

44 Identity-aware Proxy

Central enforcement

● Single point of control for managing user access ● Security team can deﬁne and enforce policy

Access control

● Control access by user identity ● Apply policy by group membership ● Supports 2FA Security Keys

Deployment

● Little to no change to applications ● No need to implement own authentication for each application ● Integrated with HTTP(s) Load Balancer

45 Detective Controls

46 Cloud DLP (Data Loss Prevention)

Cloud Data Loss Prevention provides programmatic access to a powerful detection engine for PII Data

Redaction “This is my credit card: ******”

Hashing or tokenizing

“This is my credit card: ga+32mx32s2as8cw38AEfknsFthc”

Data Loss Format preserving Prevention encryption or tokenization Raw API Data

“This is my credit card: 5432-4232-4232-6322”

47 Implementation Cloud BigQuery Datastore Storage

Action: Output Trigger Scan Detailed Findings one time, on schedule, etc. BigQuery

Cloud DLP UI or API

Cloud Security Command Center Action: Outpu Findings Summary

48 Secrets Management Secret Manager Supports versioning Follows Principle of Least Privilege ● Global Names and Replication

Integrated with Cloud KMS Audit Logging Accessible from Hybrid Environments Strong Encryption

50 Global Names and Regional Data

projects/my-project/secrets/my-secret

us-east-1 us-west-2 europe-north1

[***] [***] [***]

51 Key Management Comparison

Default CMEK Role CSEK Encryption via Cloud KMS

Supported Products All BigQuery, Compute Engine, Cloud Storage, Dataproc, Compute Engine, Cloud Storage Dataﬂow, Kubernetes Engine, Cloud SQL

Key Management Effort None Medium High

Data Encryption None Low Medium (GCE,GCS) Effort

Key rotation effect on Automatic Re-Encrypt All data Re-Encrypt All data encrypted data

52 Logging Stackdriver

Monitoring Logging Performance Multi-cloud

● Endpoint checks ● Filter, search, and ● Built on the same ● Google Cloud to internet-facing view systems that Platform, Amazon services power Google’s Web Services, ● Deﬁne metrics, global Hybrid ● Uptime checks for dashboards, and infrastructure conﬁguration URLs, groups, or alerts resources ● Unprecedented ● Combines metrics, ● Export to scale, logs, and metadata ● Plugins for many BigQuery, Google performance, and major stacks Cloud Storage, and resiliency (Apache, MySQL, Pub/Sub CouchDB etc.)

54 Log Compliance

Separation of Duties Least privilege Non-repudiation (SoD) ● Only grant the ● Cloud Storage ● Use Aggregated right level of automatically Exports to permissions encrypts all data centralise all logs required on the before it is written from all projects project / bucket to disk into a single containing the separate project, logs ● Additional with different fortiﬁcation can ownership than ● Avoid granting be implemented the source permissions to by delete buckets / object-versioning ● Choose Cloud objects log buckets in Storage as the conjunction with destination a Bucket Lock

55 Security Logging

Application Logging project project

Log redirection

Custom ﬂuentd conﬁg

project: my-app project: security linked to jsonPayload: { linked to “user”:”xxx”, “group”:”yyy”, “account”:”123” Logging } Logging Cloud Operations Cloud Operations Account 1 Account 2

56 Log Exports Common Pattern

Table expiration time

Dataset location

BigQuery

Bucket type Log Object lifecycle (retention for objects) export Bucket lock (securing objects)

Cloud Storage Stackdriver Logs Logging An organization-level log sink aggregates logs on the Log streaming (integration with log analysis tools) organization level. Acknowledgement deadline for the subscriber

Cloud Pub/Sub

57 Security Information and Event Management

Organization can export their logs to a third party SIEM solution

Integration through

● Agents @ SIEM side ● Add-on or connector

Example integrations

● Splunk Add-on for Google Cloud

● Elasticsearch Cloud Pub/Sub -> Logstash|Beats -> ES -> Kibana

● Sumo Logic Cloud Pub/Sub -> API webhook -> Sumo

● ArcSight FlexConnector for REST

58 Cloud Logging

59 Alerting

Project Static thresholds

Kubernetes cluster Group thresholds Conditions Percent change in X Pod seconds

Signal Duration window Policy Stackdriver Virtual Machines Monitoring

Notiﬁcation channels SMS

Signal

60 FinOps - Billing FinOps - Billing

Billing accounts are payment vehicles for your Google Cloud spend. They come in two types:

Oﬄine Online

Billing account Billing account

Project 1 Project 2 Project 3 Project 4

Org node 1 Org node 2 Consumer

62 FinOps - Billing Billing account ● Use Project Factory to (IaC) provision Billing export projects and set billing accounts Credits applied Project Factory ● Hierarchical

A billing account can be ● Resources have manually added with correct consistent naming and IAM permissions, however this labelling standards to should be automated allow for cost attribution

● Report on costs Project Project ● Ensure budgets and spend alerts are in place to control spend

Project-level bill Project-level bill ● Forecast usage costs

Bills itemized by resource type

63 Operating Model The Model Needs to Fit in the Wider Digital Context Product Management

Software Cloud Delivery

Corporate Key Points: Strategy

IT Finance ● Cloud op model is only a part of the overall IT op model

● The IT op model is only a part of the Enterprise Human broader enterprise op model Marketing Operating Resources ● There are a number of dependencies, Model intersects and dependencies across the enterprise wide op model

Business Operations Change

Sales

65 Elements of Cloud Operating Model

Cloud Processes: Cloud Vision: The chain of practices Why are we leveraging Cloud Vision through which value is cloud delivered Cloud Processes - Value Delivery Chain

Cloud Operating Building Blocks

Capabilities for best use of cloud Cloud Operating Building Blocks Cloud Technology Cloud Organisation

Selected platforms, How our teams and Cloud Organisation Cloud Technology supporting technology people are organised and tooling

Cloud Governance Cloud Metrics

How our teams and Cloud Governance Cloud Metrics Measurement of cloud people are organised use, consumption and beneﬁt There is a Need to Transition to a New Shared Responsibility Model Functional Application 3rd Party User Testing Requirements Access Control Management

Application Infrastructure Performance Business Case Deployment Deployment Management

Patch Environment Data Encryption Cost Management Management Provisioning Customer Key Points: Vulnerable Prerequisite Management Management ● Customer is a supplier of requirements Networking VM Backup/ Data Backup/ Incident Fault Monitoring/Alertin with shared responsibility for build Recovery Recovery Resolution g within your company. Compliance Cloud Identities Transit Services Monitoring/Alertin Directory Services ● Customer teams consume reusable g Application Service Reusable laC Golden Image

assets from central repository. Cloud Monitoring/Alertin Management Modules Management Services g ● Run responsibilities owned by your Shared/Reusable company and partners Tooling

Compute Storage Databases Networking

Regions Availability Edge Locations Cloud Provider

67 Operating Model

Decentralized Centralized

Access to and control of Google Cloud is shared Access and control of Google Cloud is centrally among developers and engineers across the controlled by Corporate IT or Operations. company. Corporate IT has little to no involvement ● Administering the platform with running the platform. ● Granting access to engineers and ● Corporate IT: Creation of folders, shared developers as required services, and common conﬁguration ● Developers and engineers: Creation of projects and, optionally, additional folders under the relevant folder

68 Questions ?

[email protected] https://www.linkedin.com/in/federico-fregosi/