3. Google Compute Engine Security
● Google Cloud identity service: Cloud IAM
● IAM policies and organization-level policies
● Design the resource hierarchy (organization, folders, projects) deliberately, because IAM policies are inherited down it
● Apply a least-privilege access policy
● Create groups that map to conceptual roles instead of randomly creating users and groups and granting roles to individuals
● Let one top-level account create and set policies and service accounts; the other accounts only apply them
● Unmanaged credentials are a nightmare!
● Key Management Service (KMS)
● VPC networks can be managed and deleted as needed
● Harden VMs against rootkits and bootkits (Shielded VM: Secure Boot, vTPM and integrity monitoring)
● Tools: Audit Logs, Cloud Security Command Center (CSCC), KMS
● Resource hierarchy in general
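As an added example that is not part of these slides: a small Python model of how Cloud IAM bindings combine down the resource hierarchy (organization, folder, project). Effective access on a resource is the union of the bindings on the resource and on all of its ancestors; a child policy can add grants but never remove inherited ones. The organization ID, folder, project, groups, users and roles below are constructed for illustration, and the audit rules encode the slide's advice (grant to groups rather than users, avoid primitive roles, keep IAM administration at the top of the hierarchy).

```python
"""Added example (not from the slides): Cloud IAM policy inheritance down the
resource hierarchy, plus an audit for the least-privilege rules the slides give.
All resources, groups, users and roles here are made up for illustration."""

# Constructed hierarchy: organization -> folder -> project
PARENT = {
    "projects/payments-prod": "folders/prod",
    "folders/prod": "organizations/123456789",
    "organizations/123456789": None,
}

# Constructed IAM policies per resource: role -> set of members (IAM member syntax).
POLICIES = {
    "organizations/123456789": {
        # Only the platform/security group administers IAM and service accounts.
        "roles/resourcemanager.organizationAdmin": {"group:cloud-admins@example.com"},
        "roles/iam.serviceAccountAdmin": {"group:cloud-admins@example.com"},
        "roles/logging.viewer": {"group:sec-ops@example.com"},
    },
    "folders/prod": {
        "roles/compute.viewer": {"group:sre@example.com"},
    },
    "projects/payments-prod": {
        "roles/compute.instanceAdmin.v1": {"group:payments-oncall@example.com"},
        # Anti-pattern the slides warn about: a primitive role granted to an individual.
        "roles/owner": {"user:alice@example.com"},
    },
}

# Constructed group memberships (Cloud Identity groups used as conceptual roles).
GROUPS = {
    "group:cloud-admins@example.com": {"user:bob@example.com"},
    "group:sre@example.com": {"user:carol@example.com"},
    "group:payments-oncall@example.com": {"user:carol@example.com"},
    "group:sec-ops@example.com": {"user:dave@example.com"},
}

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def ancestry(resource):
    """The resource followed by its ancestors, closest first."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = PARENT[resource]
    return chain


def members_of(principal):
    """All IAM member strings a principal matches: itself plus its groups."""
    matched = {principal}
    for group, users in GROUPS.items():
        if principal in users:
            matched.add(group)
    return matched


def effective_roles(principal, resource):
    """Roles a principal holds on a resource, with the level each grant came from.
    Inheritance is additive: every ancestor's bindings count."""
    matched = members_of(principal)
    roles = {}
    for level in ancestry(resource):
        for role, members in POLICIES.get(level, {}).items():
            if members & matched and role not in roles:
                roles[role] = level
    return roles


def audit_policies():
    """Findings for the least-privilege rules the slides describe."""
    findings = []
    for resource, bindings in POLICIES.items():
        for role, members in bindings.items():
            for member in members:
                if member.startswith("user:"):
                    findings.append(f"{resource}: {role} granted directly to {member}; use a group")
                if role in PRIMITIVE_ROLES:
                    findings.append(f"{resource}: primitive role {role} on {member}; use a predefined role")
                if role.startswith("roles/iam.") and not resource.startswith("organizations/"):
                    findings.append(f"{resource}: IAM administration role {role} below the organization")
    return sorted(findings)


if __name__ == "__main__":
    for user in ("user:alice@example.com", "user:carol@example.com"):
        print(user, effective_roles(user, "projects/payments-prod"))
    for finding in audit_policies():
        print("FINDING", finding)
```

Note that carol picks up `roles/compute.viewer` on the project without any project-level binding: it flows down from the folder, which is why the hierarchy has to be designed before roles are handed out.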
4. Google Container Security
Infrastructure Security
● Cloud IAM, RBAC
● Compliance certifications
● Cloud Audit Logging
● Container-Optimized OS (minimal OS), node auto-upgrade
● Isolation: gVisor sandbox
● Network policy, private clusters, Shared VPC
Software Supply Chain Security
● Google Container Registry
● Security vulnerability scanning
● Secure base images
● Regular builds
● Deployment policies, Binary Authorization
Runtime Security
● Stackdriver monitoring, attack profiles
● Anomaly detection by third-party products such as Twistlock, Aqua and Sysdig
● Cloud SCC
● Runtime detection: host, network, workload, boot
5. Google Kubernetes Engine Security
Managed Security by Google
● Control plane security
  – Google manages the control plane (master VM, scheduler, controller manager, API server, etcd, CA, IAM, logging to Stackdriver) and patches it.
● Node security
  – Google handles the Kubernetes node components, Container-Optimized OS (COS, based on Chromium OS), logging and monitoring. Auto-upgrade and security patches are rolled out automatically. Google manages the base images.
  – Node auto-upgrade works by adding a new node with the updated image, then cordoning and draining the workloads off the old node before removing it (node replacement, not Compute Engine live migration).
● Workloads: the user has to secure the workloads. Protect secrets with Cloud KMS (application-layer secrets encryption) or a KMS plugin such as Vault.
6. Hardening GKE
● Disable the Kubernetes web UI (Dashboard)
● Restrict cluster discovery RBAC permissions and enable Binary Authorization
● Restrict traffic among Pods with a Network Policy and a Pod Security Policy
● Use least-privilege service accounts for your nodes
● Restrict your node service account scopes and client authentication methods (basic auth, client certificates)
● Protect node metadata and automatically upgrade nodes
● Authorized networks and metadata concealment
● Google Container Registry (GCR) vulnerability scanning
● Third-party container security
● Read security bulletins for vulnerabilities and their fixes
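As an added example, not from these slides or from Google: a Python audit that checks a cluster description against the hardening list above (and the infrastructure and supply-chain items in section 4 that show up in the cluster resource). The input is the JSON printed by `gcloud container clusters describe NAME --format=json`; the field names are those of the GKE API v1 Cluster resource. The sample cluster embedded below is constructed, deliberately left with old defaults, and the allowed node-scope set is an assumption that follows the slides' least-privilege advice.

```python
"""Added example (not from the slides): audit a GKE cluster description against
the hardening checklist.  Input is the JSON from
`gcloud container clusters describe NAME --format=json`; field names follow the
GKE API v1 Cluster resource.  The sample cluster is constructed and fails on purpose."""

import json

# Constructed sample: an old-style cluster that still has most defaults on.
SAMPLE_CLUSTER_JSON = """
{
  "name": "legacy-cluster",
  "addonsConfig": {"kubernetesDashboard": {"disabled": false}},
  "legacyAbac": {"enabled": true},
  "networkPolicy": {"enabled": false},
  "masterAuthorizedNetworksConfig": {"enabled": false},
  "masterAuth": {
    "username": "admin",
    "clientCertificateConfig": {"issueClientCertificate": true}
  },
  "binaryAuthorization": {"enabled": false},
  "privateClusterConfig": {"enablePrivateNodes": false},
  "nodePools": [{
    "name": "default-pool",
    "config": {
      "serviceAccount": "default",
      "oauthScopes": ["https://www.googleapis.com/auth/cloud-platform"],
      "workloadMetadataConfig": {"mode": "GCE_METADATA"}
    },
    "management": {"autoUpgrade": false, "autoRepair": true}
  }]
}
"""

# Assumed least-privilege node scopes: logging, monitoring and read-only image pulls.
ALLOWED_NODE_SCOPES = {
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring",
}


def get(obj, path, default=None):
    """Safe nested lookup: get(cluster, 'masterAuth.username')."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def audit_cluster(cluster):
    """Return the list of checklist items the cluster fails (empty = hardened)."""
    findings = []
    if not get(cluster, "addonsConfig.kubernetesDashboard.disabled", False):
        findings.append("dashboard: Kubernetes web UI add-on is enabled")
    if get(cluster, "legacyAbac.enabled", False):
        findings.append("rbac: legacy ABAC is enabled, so RBAC restrictions can be bypassed")
    if not get(cluster, "networkPolicy.enabled", False):
        findings.append("network-policy: NetworkPolicy enforcement is disabled")
    if not get(cluster, "masterAuthorizedNetworksConfig.enabled", False):
        findings.append("authorized-networks: API server reachable from any address")
    if get(cluster, "masterAuth.username"):
        findings.append("client-auth: basic authentication is enabled")
    if get(cluster, "masterAuth.clientCertificateConfig.issueClientCertificate", False):
        findings.append("client-auth: client certificate authentication is enabled")
    if not get(cluster, "binaryAuthorization.enabled", False):
        findings.append("binary-authorization: unverified images can be deployed")
    if not get(cluster, "privateClusterConfig.enablePrivateNodes", False):
        findings.append("private-cluster: nodes have public IP addresses")
    for pool in cluster.get("nodePools", []):
        name = pool.get("name", "?")
        if get(pool, "config.serviceAccount", "default") == "default":
            findings.append(f"{name}: nodes run as the default Compute Engine service account")
        extra = set(get(pool, "config.oauthScopes", [])) - ALLOWED_NODE_SCOPES
        if extra:
            findings.append(f"{name}: node scopes broader than needed: {sorted(extra)}")
        if get(pool, "config.workloadMetadataConfig.mode") != "GKE_METADATA":
            findings.append(f"{name}: node metadata is not concealed from pods")
        if not get(pool, "management.autoUpgrade", False):
            findings.append(f"{name}: node auto-upgrade is off")
    return findings


def audit_json(text):
    """Audit a cluster description given as JSON text."""
    return audit_cluster(json.loads(text))


if __name__ == "__main__":
    for finding in audit_json(SAMPLE_CLUSTER_JSON):
        print("FAIL", finding)
```

The metadata check looks for `GKE_METADATA` (the GKE metadata server, which also backs Workload Identity); clusters created with the older beta `nodeMetadata: SECURE` concealment would need that field checked as well.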
7. GKE Istio Security
Istio, a service mesh implementation, is available on GKE as an add-on.
● The version of Istio installed is tied to the GKE version, and you cannot update them independently.
● Pilot:
  ● Istio Auth ensures that services holding sensitive data can only be accessed by authorized callers
  ● Istio RBAC provides namespace-level, service-level and method-level access control
● Mixer:
  ● Istio policy is enforced on the server (receiving) side, not the client side.
● Citadel:
  ● Mutual TLS authentication, both service-to-service and end-user-to-service
  ● Automates key and certificate generation, distribution, rotation and revocation.
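As an added example that is not from these slides or from the Istio project: a Python model of the decision an Istio sidecar makes for an inbound request under AuthorizationPolicy (the API that succeeded the Istio RBAC configuration the slides mention). It shows namespace-level, service-level (workload selector) and method-level rules, and why the check is server-side: the receiving workload's sidecar evaluates the caller's mTLS identity. The evaluation order follows Istio's documented rules: a matching DENY wins, a workload with no ALLOW policy accepts everything, otherwise at least one ALLOW rule must match. Workloads, namespaces and service accounts are made up; `when` conditions, hosts, ports and CUSTOM actions are left out.

```python
"""Added example (not from the slides or Istio): server-side evaluation of Istio
AuthorizationPolicy for one inbound request.  Policies are written with the same
structure as the YAML documents; all names are constructed for illustration."""

from fnmatch import fnmatchcase

POLICIES = [
    {   # DENY always wins: nobody may call admin paths on payments-api.
        "metadata": {"name": "deny-admin", "namespace": "payments"},
        "spec": {
            "selector": {"matchLabels": {"app": "payments-api"}},
            "action": "DENY",
            "rules": [{"to": [{"operation": {"paths": ["/admin/*"]}}]}],
        },
    },
    {   # Service- and method-level: only the checkout SA, and only GET/POST.
        "metadata": {"name": "allow-checkout", "namespace": "payments"},
        "spec": {
            "selector": {"matchLabels": {"app": "payments-api"}},
            "action": "ALLOW",
            "rules": [{
                "from": [{"source": {"principals": ["cluster.local/ns/shop/sa/checkout"]}}],
                "to": [{"operation": {"methods": ["GET", "POST"]}}],
            }],
        },
    },
    {   # Namespace-level: anything running in namespace "shop" may reach catalog.
        "metadata": {"name": "allow-shop-to-catalog", "namespace": "payments"},
        "spec": {
            "selector": {"matchLabels": {"app": "catalog"}},
            "action": "ALLOW",
            "rules": [{"from": [{"source": {"namespaces": ["shop"]}}]}],
        },
    },
]


def _match_any(patterns, value):
    """Istio list semantics: empty list = no constraint; '*' wildcards allowed."""
    return not patterns or any(fnmatchcase(value, p) for p in patterns)


def _rule_matches(rule, req):
    """A rule matches when its from and to sections both match (empty = match all)."""
    froms = rule.get("from", [])
    tos = rule.get("to", [])
    from_ok = not froms or any(
        _match_any(s["source"].get("principals", []), req["principal"])
        and _match_any(s["source"].get("namespaces", []), req["source_ns"])
        for s in froms)
    to_ok = not tos or any(
        _match_any(o["operation"].get("methods", []), req["method"])
        and _match_any(o["operation"].get("paths", []), req["path"])
        for o in tos)
    return from_ok and to_ok


def _applies(policy, workload):
    """A policy selects a workload in its own namespace whose labels match the selector."""
    if policy["metadata"]["namespace"] != workload["namespace"]:
        return False
    wanted = policy["spec"].get("selector", {}).get("matchLabels", {})
    return all(workload["labels"].get(k) == v for k, v in wanted.items())


def authorize(policies, workload, req):
    """Decision taken by the receiving workload's sidecar: True = allowed."""
    applicable = [p for p in policies if _applies(p, workload)]
    for p in applicable:
        if p["spec"].get("action", "ALLOW") == "DENY" and any(
                _rule_matches(r, req) for r in p["spec"].get("rules", [])):
            return False
    allows = [p for p in applicable if p["spec"].get("action", "ALLOW") == "ALLOW"]
    if not allows:          # no ALLOW policy for this workload: default allow
        return True
    return any(_rule_matches(r, req) for p in allows for r in p["spec"].get("rules", []))


if __name__ == "__main__":
    api = {"namespace": "payments", "labels": {"app": "payments-api"}}
    req = {"principal": "cluster.local/ns/shop/sa/checkout", "source_ns": "shop",
           "method": "GET", "path": "/charge"}
    print("GET /charge from checkout:", authorize(POLICIES, api, req))
    print("GET /admin/refund from checkout:", authorize(POLICIES, api, dict(req, path="/admin/refund")))
```

The principal string is the SPIFFE identity Citadel issues in the workload certificate (`cluster.local/ns/<namespace>/sa/<service account>`) with the `spiffe://` prefix removed, which is why mTLS has to be on for these rules to mean anything: without it the sidecar has no authenticated principal to match.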
8. Anthos Security
● Single pane of glass: visibility across all clusters
● Service-centric view of your infrastructure
● Centralized configuration management and compliance
● Istio providing in-cluster mTLS and certificate management
● Third-party marketplace
Hybrid cloud solutions: Anthos relies on Google Kubernetes Engine (GKE) and GKE On-Prem to manage Kubernetes installations across both environments.
9. Google Cloud Partner Security
● Splunk
● Palo Alto Networks
● Check Point
● F5
● Brocade
● Nginx
● Symantec
● Cisco
● HashiCorp
● Aqua
● Black Duck
● Twistlock
● StackRox
● and more...
With third-party providers, GCP protects a wide variety of hybrid cloud solutions and data.