
Google Cloud Security IACA 2018

Jack OConnell, Account Executive

Brad Schmerbeck, CISSP, Google Solutions Engineer

Confidential & Proprietary

Agenda:

● Why Google?
● Google's Security Approach
● BeyondCorp
● Cloud Identity - IAM in the Cloud
● Cloud Security Command Center & Forseti
● Q & A

7 Cloud products with 1 billion users

Ecosystem & Content

Chrome & Devices (Access): Chrome and Android purpose-built devices that allow employees to work from anywhere, anytime.

G Suite (Connect): A suite of tools built to help employees communicate and collaborate more effectively.

Maps (Visualize): Unlock hidden meaning in your data and see information in more insightful, actionable ways.

Google Cloud Platform (Build): Build and host applications and websites, store data, and analyze data on Google's scalable infrastructure.

Enable enterprise growth with all of Google's technology infrastructure built for cloud

Themes: Cloud First, Open Standards, Performance, Infrastructure, Security, Machine Learning, Cost

Serverless Computing: trends toward pay-as-you-go, fully automated services

Now: Physical/Colo and Virtualized. Storage, processing, memory and network are user-configured, managed, and maintained.

Next: Serverless. Storage, processing, memory and network are fully automated.

Proprietary + Confidential © 2017 Google Inc. All rights reserved. Google and the are trademarks of Google Inc. All other company and product names may be trademarks of the respective companies with which they are associated.

How Google Approaches Security

Your trusted security partner: Google Cloud Platform, G Suite, Chrome & Android

Defense in depth by default

● Operational and Device Security
● Communication
● Storage Services
● Identity
● Service Deployment
● Hardware Infrastructure

Purpose-built hardware infrastructure

Provenance from the bottom of the stack to the top: purpose-built chips, purpose-built servers, purpose-built storage, purpose-built network, purpose-built data centers.

Reduced "vendor in the middle" risk

End-to-end encryption by default

● All connections to Google Cloud require TLS.
● Data is chunked and each chunk is encrypted with its own data encryption key (DEK).
● Data encryption keys (DEKs) are wrapped using a key encryption key (KEK).
● Encrypted chunks and wrapped encryption keys are distributed across Google's storage infrastructure.

From fully-automated management to finer-grained customer control

● Default Google encryption: Enjoy world-class encryption without further need for configurations. On by default.
● Customer-managed encryption keys (CMEKs) using Cloud KMS (Only on GCP): Keep keys in the cloud, for direct use by cloud services. Now generally available, and now with partner integrations.
● Customer-supplied encryption keys (CSEKs) (First on GCP): Keep keys on premise, and use them to encrypt your cloud services. Available for Compute Engine.

Google Cloud Network

Google's network...

● Carries more than 25% of the world's internet traffic
● Scans 694,000 web pages every minute for malicious threats
● Checks 400+ Million Android devices for health every day
● Defends 1B+ accounts & Chrome users
● Encrypts all data at rest and in transit
● Operates 4x faster than the public internet

How do you spot intent fast? Protect more when you see more.

Google: Threat Detection and Mitigation at Scale

● 694,000 web pages scanned for harm every minute
● 2 Billion devices protected with Safe Browsing technology daily
● 400+ Million Android devices checked for health every day
● 10+ Million spam stopped every minute
● 1000x+ network capacity beyond the largest DDoS attack ever recorded

The Threat Matrix: evermore frequent and larger incidents against identities and access, data, and resources

Who is the attacker?
● Lone-wolves
● Script kiddies
● Insider risk
● Hacktivist groups
● Malicious users
● Criminal organizations
● Nation-state actors
● ...

How are they attacking?
● DDoS
● Spear-phishing
● Malware
● XSS
● Man-in-the-middle
● User error
● Social ...
● 0-days
● ...

What do they want?
● $$$$$
● Intellectual property
● Espionage
● Vandalism
● Public perception
● Notoriety
● ...

Result: End-to-end security across chips, servers, network, applications and devices

Find vulnerabilities that impact everyone

Third-party audits and certification

● ISO 27001
● ISO 27017
● ISO 27018
● ISAE 3402 Type II
● SSAE 15 Type II
● PCI DSS v3.2
● FedRAMP ATO
● AICPA SOC
● MTCS Level 3
● HIPAA
● CSA STAR

BeyondCorp ...what is it?

How many enterprises are probably set up. But there are issues with this approach... Four issues are wrecking the castle approach:

● Cloud services
● Mobile workforce
● Breaches
● Plethora of devices

And we came to the realization that .... drumroll .... BeyondCorp's realization: WALLS DON'T WORK.

A different approach: Google's six year BeyondCorp mission (2011-2017): to have every Google employee work successfully from untrusted networks without use of a VPN.

I feel like I've heard this before... Similar visions of the future: BeyondCorp, Zero Trust Model, Software Defined Perimeter.

Sounds like what Jason Truppi said – "segmenting each individual device"...

Access Yesterday: On-prem walled gardens. Diagram: Employee → VPN → Identity → ERP server and CRM server, all on prem.

What about contractors? Evolution: Not just employees with corporate devices. Diagram: Employee and Contractor → VPN → Identity → ERP server and CRM server, on prem. Unintended CRM access for contractor.

What about the cloud? Evolution: Infra leaves the building. Diagram: Employee and Contractor → VPN → Identity (on prem) → ERP VM and CRM VM.

What about Identity Management in the Cloud? Evolution: Identity leaves the building. Diagram: Employee and Contractor → Identity, ERP VM and CRM VM. Now everything is over the internet!

How's this secure without a castle? Where are the risks?

● XSS/SQL injection?
● Man in the middle?
● Phishing?
● Malware?
● No chokepoint to enforce access control?

What should I do? App security solutions:

● Scans
● TLS
● Device security
● Key management
● Access Proxy
● IAP - Identity-Aware Proxy for access control, TLS termination, based on BeyondCorp vision

So what's the ideal scenario? Ideal access policy for ERP application

I want my ERP application service to be

● accessed only by finance employees ...
● from well-managed client devices ...
● in home country ...
● using strong user authentication ...
● and proper transport encryption and ...
● hardened against application attacks ...
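The conditions in that wish list, as an added Go policy evaluator of the kind an identity-aware proxy applies per request. This is not Cloud IAP's code or API: the request fields, the finance group, the country list and the authentication-method names are assumptions for the example. Every condition is checked, the decision is deny by default, and all failed conditions are returned so the proxy's access log explains a denial instead of just recording it.

```go
package main

import (
	"fmt"
	"strings"
)

// AccessRequest is the context the proxy assembles for one request.
// The field names are assumptions for this example, not Cloud IAP's API.
type AccessRequest struct {
	User          string   // e.g. "alice@example.com"
	Groups        []string // group memberships asserted by the identity provider
	DeviceManaged bool     // device is enrolled and reports as compliant
	Country       string   // ISO 3166-1 alpha-2 code derived from the client
	AuthMethod    string   // "password", "otp" or "security_key"
	TLS           bool     // request arrived over TLS at the proxy
}

// AppPolicy is the per-application rule set (assumed shape).
type AppPolicy struct {
	App              string
	RequiredGroup    string
	AllowedCountries []string
	MinAuthMethod    string
}

// authRank orders authentication methods from weakest to strongest; an
// unknown method ranks below everything and never satisfies a policy.
func authRank(method string) int {
	switch method {
	case "password":
		return 1
	case "otp":
		return 2
	case "security_key":
		return 3
	}
	return 0
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// Evaluate applies every condition and returns the decision together with
// all reasons for a denial.
func Evaluate(p AppPolicy, r AccessRequest) (bool, []string) {
	var reasons []string
	if !contains(r.Groups, p.RequiredGroup) {
		reasons = append(reasons, fmt.Sprintf("user %s is not in group %s", r.User, p.RequiredGroup))
	}
	if !r.DeviceManaged {
		reasons = append(reasons, "device is not managed")
	}
	if !contains(p.AllowedCountries, strings.ToUpper(r.Country)) {
		reasons = append(reasons, fmt.Sprintf("country %q is not allowed", r.Country))
	}
	if authRank(r.AuthMethod) < authRank(p.MinAuthMethod) {
		reasons = append(reasons, fmt.Sprintf("auth method %q is weaker than required %q", r.AuthMethod, p.MinAuthMethod))
	}
	if !r.TLS {
		reasons = append(reasons, "transport is not encrypted")
	}
	return len(reasons) == 0, reasons
}

// ERPPolicy encodes the slide's wish list for the ERP application; the group
// name and country are constructed values.
var ERPPolicy = AppPolicy{
	App:              "erp",
	RequiredGroup:    "finance@example.com",
	AllowedCountries: []string{"US"},
	MinAuthMethod:    "security_key",
}

func main() {
	req := AccessRequest{
		User: "alice@example.com", Groups: []string{"finance@example.com"},
		DeviceManaged: true, Country: "US", AuthMethod: "security_key", TLS: true,
	}
	ok, reasons := Evaluate(ERPPolicy, req)
	fmt.Println("allowed:", ok, reasons)
}
```

The last wish-list item, hardening against application attacks, is not a per-request decision and so is not part of the evaluator; it is the job of the scanner and the application itself.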

We did this for Google's 57,000 employees.

Manage access to resources: who can do what on which resource.

Google Cloud Identity

Centrally manage users, devices, and apps from one console

Cloud Identity: Single pane of glass

Powerful account security wrapped around each user, across devices and applications

Google Cloud Identity: simple, secure access for any user to any cloud application from any device.

User lifecycle management: Create or import user accounts into a cloud-based directory. Provision and deprovision as users join the organization, change roles, and leave. Manage everything from an easy-to-use mobile app.

Account security: Protect user accounts with 2-step verification methods like push notifications and one-time passwords (OTPs). Enforce the use of phishing-resistant Security Keys for high-value users and applications.

Single sign on: Increase user convenience and security by allowing users to access multiple apps using the same credentials. Hundreds of pre-integrated SAML 2.0 and OpenID Connect apps are supported, in addition to custom apps that use Google as an identity provider.

Device management: Manage Android, iOS, Chrome Browser, and other desktop devices from a central console. Enforce screen locks or passcodes, wipe corporate data, view and search for devices, and export details.

App management: Build a catalog of pre-approved third-party SaaS apps and enterprise mobile applications that users can access. Ensure visibility and compliance.

Reporting and analytics: Monitor your security and compliance posture with reporting and auditing capabilities, including log-ins and third-party app use. Receive alerts for suspicious activity.

Cloud Identity: Single pane of glass

● User lifecycle management
● Account security
● Single sign-on
● Cloud Directory
● Device management
● Reporting and analytics
● App management
● Extensible through APIs

Deep and granular reporting and analytics across your ecosystem

Identity: Foundation for Cloud/Digital Workplace

● Power Cloud First Enterprises by securely connecting people, applications and devices
● Cloud is changing how people securely access applications from their devices
● Unlike on-prem, no clear "edge" for assumed trust
● User + device identity + context = the "New Perimeter"

Products: Chrome for Edu & Enterprise, Android Enterprise, Cloud Identity

Google Cloud Security Command Center & Forseti

What is the Cloud Security Command Center?

Cloud SCC is the canonical security and data risk platform for GCP. It unifies assets, vulnerabilities, threats, detections, policies, IAM, findings and security/risk specific annotations in one place, enabling security and data risk insights, prioritization, management, investigations, recommendations and actions.

● Gather and integrate security info
● Understand and analyze security info
● Act on security info
● Hub for the GCP security portfolio

Consumed via either API or GCP "Pane of Glass"

Cloud SCC Features

● Asset Discovery and Inventory: Discover assets across Google Compute Engine, Cloud Datastore and other GCP services and view them in one place. Review historical discovery scans to identify new, modified, or deleted assets.
● Sensitive Data Identification: Find out which storage buckets contain sensitive and regulated data using the Cloud Data Loss Prevention (DLP) API. Help prevent unintended exposure and ensure access is based on need-to-know. The DLP API integrates automatically with Cloud SCC.
● Application Vulnerability Detection: Uncover common vulnerabilities such as cross-site scripting (XSS), Flash injection, mixed content (HTTP in HTTPS), and outdated/insecure libraries that put Google App Engine applications at risk with Cloud Security Scanner. Cloud Security Scanner integrates automatically with Cloud SCC.
● Access Control Monitoring: Help ensure the appropriate access control policies are in place across cloud resources and get alerted when policies are misconfigured or unexpectedly change.
● Threat Intelligence from Google: Identify threats like botnets, cryptocurrency mining, anomalous reboots and suspicious network traffic with built-in machine learning technology developed by Google.
● Third-party security tool inputs: Integrate output from existing security tools into Cloud Security Command Center to detect DDoS attacks, compromised endpoints, compliance policy violations and network attacks.
● Real-time Notifications: Receive Cloud SCC alerts via Gmail, SMS and Jira with Pub/Sub notification integration.
● REST API: Leverage the Cloud SCC REST API for easy integration with existing security systems and workflows.

Cloud SCC can help answer these questions:

Inventory
● What and how many assets do I actually have?
● What changes have occurred since yesterday?
● Are there any projects in my org that shouldn't be there?
● Are all my projects correctly billed?

Vulnerabilities, access and ownership
● What are all my external IPs?
● What are the specific security findings for each of my resources?
● When did the finding start? When did it end?
● Do I have any public buckets?
● Are all my external IPs covered by the appropriate firewall rules?
● Which buckets have PII?
● Which applications have XSS vulnerabilities?
● Are there any non-org owners in my projects?

Modifications
● What modifications/deployments have been made which were unauthorized?

Forseti - the god of justice and reconciliation in Norse mythology

Open Source Security Tools For GCP!

Forseti

Before you begin, you will need:

● A GCP organization for which you want to deploy Forseti.
● Org Admin IAM role in order for the script to assign the Forseti service account roles on the organization IAM policy.
● A GCP project dedicated to Forseti.
● Billing enabled on the project.

Inventory: Inventory saves an hourly snapshot of your GCP resources to Cloud SQL, so you have a historical record of what was in your cloud. Using Inventory, you can understand all the resources you have in GCP and take action to conserve resources, reduce cost, and minimize security exposure. When configured, Inventory can run on a custom basis and send email notifications when it updates your resource snapshot.

Scanner: Scanner uses the information collected by Forseti Inventory to regularly compare role-based access policies for your GCP resources. Scanner applies rules to audit the following resources in GCP:
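Two of the questions Cloud SCC is meant to answer (public buckets, non-org owners) and the kind of rule Forseti Scanner applies to IAM policies, as one added Go example that is neither Cloud SCC's nor Forseti's code: it walks a constructed snapshot of IAM bindings, in the role/members shape GCP IAM policies use, and reports public principals on any role and owner/editor grants to users or groups outside the organization's domain. The resource names, bindings, the organization domain and the rule names are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Binding mirrors the role/members shape of a GCP IAM policy binding.
type Binding struct {
	Role    string
	Members []string
}

// Finding is one scanner result; the field and rule names are this example's own.
type Finding struct {
	Resource string
	Role     string
	Member   string
	Rule     string
}

// privilegedRoles are the roles for which an outside principal is reported.
var privilegedRoles = map[string]bool{"roles/owner": true, "roles/editor": true}

// principalDomain returns the lower-cased domain of a user: or group: member,
// or "" for other member kinds (serviceAccount:, domain:, allUsers, ...).
func principalDomain(member string) string {
	for _, prefix := range []string{"user:", "group:"} {
		if strings.HasPrefix(member, prefix) {
			if at := strings.LastIndex(member, "@"); at >= 0 {
				return strings.ToLower(member[at+1:])
			}
		}
	}
	return ""
}

// AuditBindings checks one resource's bindings against two rules:
//   - no public principals (allUsers / allAuthenticatedUsers) on any role;
//   - no owner/editor granted to a user or group outside orgDomain.
func AuditBindings(resource, orgDomain string, bindings []Binding) []Finding {
	var findings []Finding
	orgDomain = strings.ToLower(orgDomain)
	for _, b := range bindings {
		for _, m := range b.Members {
			switch {
			case m == "allUsers" || m == "allAuthenticatedUsers":
				findings = append(findings, Finding{resource, b.Role, m, "public access"})
			case privilegedRoles[b.Role]:
				if d := principalDomain(m); d != "" && d != orgDomain {
					findings = append(findings, Finding{resource, b.Role, m, "privileged role outside org"})
				}
			}
		}
	}
	return findings
}

// SampleBindings is a constructed policy snapshot, not real customer data.
var SampleBindings = map[string][]Binding{
	"projects/demo-prod": {
		{Role: "roles/owner", Members: []string{"user:alice@example.com", "user:contractor@partner.test"}},
		{Role: "roles/viewer", Members: []string{"group:auditors@example.com"}},
	},
	"buckets/demo-public-assets": {
		{Role: "roles/storage.objectViewer", Members: []string{"allUsers"}},
		{Role: "roles/storage.admin", Members: []string{"serviceAccount:deploy@demo-prod.iam.gserviceaccount.com"}},
	},
}

// AuditAll runs the rules over every resource in a snapshot.
func AuditAll(orgDomain string, snapshot map[string][]Binding) []Finding {
	var all []Finding
	for res, b := range snapshot {
		all = append(all, AuditBindings(res, orgDomain, b)...)
	}
	return all
}

func main() {
	for _, f := range AuditAll("example.com", SampleBindings) {
		fmt.Printf("%-28s %-28s %-45s %s\n", f.Resource, f.Role, f.Member, f.Rule)
	}
}
```

Running the rules over a stored snapshot rather than the live API is what makes the "when did the finding start, when did it end" question answerable: diffing the findings of two consecutive snapshots gives the first and last snapshot in which each finding appears.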

Enforcer: Enforcer uses policies you create to compare the current state of your Compute Engine firewall to the desired state. Policies can apply to individual projects or you can use an organization default policy.

Q&A
