Chapter 14: Hardening the Perimeter - Security and Compliance

Security in Google Cloud is built on the concept of Defense in Depth. While Google secures the physical infrastructure and the hardware (using the Titan chip), “security in the cloud” is your responsibility. This chapter covers the advanced tools used to protect data, manage identities, and ensure compliance at scale.

Think of GCP security like the layers of a medieval castle. The moat (VPC Service Controls) keeps attackers from reaching the walls. The walls (Cloud Armor, firewalls) stop direct attacks. The guards at the gate (IAM, IAP) check every visitor’s identity. And the vault (Cloud KMS, encryption) protects the crown jewels even if everything else fails. No single layer is sufficient, but together they create a defense that is extremely difficult to breach.

1. VPC Service Controls (VPC SC): The Virtual Moat

VPC Service Controls is perhaps the most powerful security tool in GCP. It creates a security perimeter around your Google-managed services (like Cloud Storage, BigQuery, and Cloud SQL).

The Service Perimeter with Access Context Manager

  • Data Exfiltration Protection: Even if an attacker compromises a VM and gets hold of a service account key, VPC SC prevents them from copying data from your BigQuery table to an external bucket if that bucket is outside the perimeter.
  • Service-to-Service Protection: It ensures that only authorized resources inside the perimeter can talk to each other.
  • Access Context Manager: You can define “Access Levels” based on IP addresses, user identity, or device health (e.g., “Allow access only if the user is on a company-managed laptop with an encrypted disk”).
Practical Scenario: A financial services company stores PII in BigQuery. An employee’s laptop is stolen at a coffee shop. Without VPC-SC, the thief could use cached credentials to query the data from any network. With VPC-SC and Access Context Manager, the query fails because the request originates from outside the corporate network and from a non-managed device, even though the credentials are valid.

Device-Based Policy Configuration: To implement a device-based access policy, you need to deploy the Endpoint Verification Chrome Extension and configure an Access Level with device attributes.

Example Access Level (YAML Definition):
# Why device-based policies: Stolen credentials are the #1 cloud breach vector.
# This policy ensures that even with valid credentials, access is blocked unless
# the request comes from a managed, encrypted, screen-locked device.
# AWS equivalent: AWS IAM conditions with aws:SourceVpc + AWS SSO device trust.
# Azure equivalent: Conditional Access policies in Entra ID.
name: accessPolicies/12345678/accessLevels/corporate_devices
title: "Corporate Managed Devices Only"
basic:
  conditions:
    - devicePolicy:
        requireScreenlock: true           # Unlocked devices are a liability
        requireAdminApproval: false
        allowedEncryptionStatuses:
          - ENCRYPTED                     # Full-disk encryption required
        allowedDeviceManagementLevels:
          - COMPLETE                      # Must be enrolled in corporate MDM
        osConstraints:
          - osType: DESKTOP_WINDOWS
            minimumVersion: "10.0.19041"  # Windows 10 version 2004+ (security baseline)
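
To make the policy above concrete, the following added example (not part of the original chapter, and not Google's evaluator) models how the device attributes in this access level combine: every attribute must pass, and OS versions are compared numerically. The device records and their field names (`screenlock`, `encryptionStatus`, `managementLevel`, `osVersion`) are constructed for illustration.

```python
# Added example: simplified local model of the access level above, not Google's evaluator.
ACCESS_LEVEL = {
    "requireScreenlock": True,
    "allowedEncryptionStatuses": {"ENCRYPTED"},
    "allowedDeviceManagementLevels": {"COMPLETE"},
    "osConstraints": [{"osType": "DESKTOP_WINDOWS", "minimumVersion": "10.0.19041"}],
}


def version_tuple(version):
    """'10.0.19041' -> (10, 0, 19041), so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def os_allowed(device, constraints):
    """True if one constraint matches the device's OS type and minimum version."""
    for c in constraints:
        if device.get("osType") != c["osType"]:
            continue
        minimum = c.get("minimumVersion", "0")
        if version_tuple(device.get("osVersion", "0")) >= version_tuple(minimum):
            return True
    return False


def evaluate(device, level=ACCESS_LEVEL):
    """Return (allowed, reasons). All attributes must pass; missing data fails closed."""
    reasons = []
    if level["requireScreenlock"] and not device.get("screenlock", False):
        reasons.append("screen lock not enabled")
    if device.get("encryptionStatus") not in level["allowedEncryptionStatuses"]:
        reasons.append("disk encryption status not allowed")
    if device.get("managementLevel") not in level["allowedDeviceManagementLevels"]:
        reasons.append("device not fully managed")
    if not os_allowed(device, level["osConstraints"]):
        reasons.append("OS type or version not allowed")
    return (not reasons, reasons)


# Constructed device postures (field names are hypothetical).
MANAGED_LAPTOP = {"osType": "DESKTOP_WINDOWS", "osVersion": "10.0.19045", "screenlock": True,
                  "encryptionStatus": "ENCRYPTED", "managementLevel": "COMPLETE"}
PERSONAL_MAC = {"osType": "DESKTOP_MAC", "osVersion": "14.4.1", "screenlock": True,
                "encryptionStatus": "ENCRYPTED", "managementLevel": "NONE"}
OLD_WINDOWS_BUILD = dict(MANAGED_LAPTOP, osVersion="10.0.9200")  # older than 19041

if __name__ == "__main__":
    for device in (MANAGED_LAPTOP, PERSONAL_MAC, OLD_WINDOWS_BUILD):
        print(evaluate(device))
```

The `OLD_WINDOWS_BUILD` case is the one to watch in any home-grown posture check: compared as plain strings, "10.0.9200" sorts after "10.0.19041" and would be admitted.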

2. Sensitive Data Protection (Cloud DLP)

Cloud Data Loss Prevention (DLP) allows you to discover, classify, and protect sensitive data (PII, PHI, financial records) across your entire cloud footprint. Think of DLP like a building inspector who walks through every room (bucket, table, datastore) and flags anything that should not be in the open — credit card numbers in a public bucket, SSNs in an unencrypted BigQuery column, email addresses in log files. AWS has Amazon Macie (focused on S3) and Azure has Microsoft Purview. GCP’s DLP is broader in scope, scanning across GCS, BigQuery, and Datastore with a single API.

Discovery and De-identification

  • Inspection: Automatically scan buckets, BigQuery tables, and Datastore instances for over 150 built-in infoTypes (Credit card numbers, SSNs, passports).
  • De-identification:
    • Masking: Replacing 1234-5678 with XXXX-XXXX.
    • Tokenization: Replacing sensitive data with a cryptographically secure token.
    • Bucketing: Changing “Age: 27” to “Age: 20-30” to preserve privacy while maintaining analytical value.
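
The three de-identification techniques above, as an added Python sketch that is not part of the original chapter and does not call the Sensitive Data Protection API. Keyed HMAC-SHA256 stands in for the service's tokenization, a Luhn check keeps look-alike digit runs from being masked, and the key, function names and sample record are constructed.

```python
# Added example: local sketch of masking, tokenization and bucketing.
# It does not call the Sensitive Data Protection API; key and record are constructed.
import base64
import hashlib
import hmac
import re

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
TOKEN_KEY = b"constructed-demo-key"                  # placeholder; real keys belong in KMS


def luhn_ok(digits):
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_cards(text, keep_last=4):
    """Mask each Luhn-valid card number, keeping only the last digits."""
    def repl(match):
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):
            return match.group()              # e.g. an order number: left untouched
        return "X" * (len(digits) - keep_last) + digits[-keep_last:]
    return CARD_RE.sub(repl, text)


def tokenize(value, key=TOKEN_KEY):
    """Keyed, deterministic surrogate: equal inputs map to equal tokens, so joins still work."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return "TOK_" + base64.urlsafe_b64encode(mac[:12]).decode()


def bucket_age(age, width=10):
    """Generalize an exact age into a range such as '20-30'."""
    low = (age // width) * width
    return f"{low}-{low + width}"


ROW = {"email": "ana@example.com", "age": 27,   # constructed record
       "note": "paid with 4111 1111 1111 1111, order 1234567890123"}

if __name__ == "__main__":
    print(tokenize(ROW["email"]), bucket_age(ROW["age"]), mask_cards(ROW["note"]))
```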
Cost Tip: DLP inspection charges $1-$3 per GB inspected (depending on volume tiers). For a 10TB BigQuery dataset, a full scan costs $10,000-$30,000. The smart approach: run a sampling scan first (inspect 1% of rows) to identify which tables actually contain sensitive data, then run full scans only on those tables. Most organizations find that 80% of their PII is concentrated in 10-15% of their tables. Also consider scheduling scans during off-peak hours and using DLP job triggers to scan only newly added data incrementally.

3. Cloud KMS: Managing the Keys to the Kingdom

Cloud Key Management Service (KMS) provides a centralized place to manage cryptographic keys.

Key Types and Tiers

  • Software Keys: Fast and cost-effective, managed by Google. This is equivalent to AWS KMS with AWS-managed keys. Suitable for 90% of use cases.
  • HSM (Hardware Security Module): Keys are stored on physical FIPS 140-2 Level 3 validated hardware. The raw key never leaves the hardware. This is equivalent to AWS CloudHSM or Azure Dedicated HSM. Required for financial services (PCI-DSS) and government (FedRAMP High) compliance.
  • External Key Manager (EKM): You store your keys on-premise or in a 3rd party vault (like Thales or Fortanix), and Google Cloud calls your vault every time it needs to encrypt/decrypt. You have ultimate control — if you pull the plug on your vault, Google can no longer read your data. AWS has a similar feature called “External Key Store (XKS)” for KMS. EKM is the ultimate “trust but verify” option for organizations that require absolute key sovereignty.
Cost Consideration: Software keys are $0.06/10,000 operations. HSM keys are $1.00-$2.50/10,000 operations depending on the key type. EKM adds latency (your vault must be reachable for every encrypt/decrypt) and the cost of running your external vault. Choose the tier that matches your compliance requirements, not your paranoia level: software keys are cryptographically strong and sufficient for most workloads.

4. Security Command Center (SCC)

SCC is the central security dashboard for GCP. Think of it as your cloud’s CCTV system with AI-powered monitoring — it does not just record events, it actively detects suspicious behavior and alerts you. AWS’s equivalent is a combination of AWS Security Hub + GuardDuty + Inspector. Azure’s equivalent is Microsoft Defender for Cloud. GCP’s SCC integrates all of these functions into a single pane of glass. The Premium tier offers advanced threat detection.
  • Event Threat Detection: Scans your Cloud Audit Logs for signs of account hijacking, brute force attacks, or suspicious IAM changes.
  • Container Threat Detection: Detects malicious activity inside your GKE containers, such as the execution of unauthorized binaries or reverse shells.
  • Compliance Monitoring: Provides real-time reports on how your infrastructure aligns with industry standards like CIS, PCI-DSS, and HIPAA.
Cost Consideration: SCC Standard tier is free and includes Security Health Analytics (misconfiguration detection). SCC Premium costs approximately $0.0071 per resource-hour for most assets. For a mid-size organization with 500 cloud resources, that is roughly $2,500/month. The Premium tier pays for itself if it catches even one security incident that would otherwise go undetected; the average dwell time for undetected cloud breaches is 200+ days.

5. Identity-Aware Proxy (IAP) and Zero Trust

IAP is Google’s implementation of the BeyondCorp zero-trust model. It allows you to expose web applications and SSH/RDP access to the internet without a VPN.
  • Context-Aware Access: Access is granted based on the user’s identity and the “context” of their request (location, device security, etc.).
  • IAP TCP Forwarding: Allows you to SSH into a VM that has no public IP address. You connect to the IAP tunnel, which then securely forwards your traffic to the internal VM.

6. Secret Manager

Secrets (API keys, DB passwords) should never be stored in code, environment variables, or config files. Secret Manager is GCP’s equivalent of AWS Secrets Manager or Azure Key Vault (for secrets, not keys).
  • Version Control: Rotate secrets easily by adding new versions and letting applications always pull the latest version. Each version is immutable — you can always audit which version was active at any point in time.
  • IAM-Integrated: Grant access to specific secrets only to the service accounts that need them. A payment service gets access to the payment gateway API key but not the email service credentials.
  • Automatic Rotation: You can configure automatic rotation using a Cloud Function that generates a new secret version on a schedule (e.g., every 30 days).
Common Mistake: Storing secrets as environment variables in Cloud Run or GKE deployments. While this works, it means the secret is visible in the deployment configuration (which is often stored in Git). Instead, mount secrets directly from Secret Manager using the native integrations: Cloud Run supports --set-secrets and GKE supports the Secrets Store CSI Driver.

Cost: Secret Manager charges $0.06 per 10,000 access operations and $0.06 per secret version per month. For a typical application with 20 secrets accessed 100,000 times/month, the total cost is under $2/month, which is negligible compared to the cost of a security breach.
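
One way to catch the common mistake above before deployment, as an added example that is not part of the original chapter: a check that walks a Cloud Run service or GKE Deployment manifest and reports environment variables carrying a literal credential. The name patterns, the `audit_env` helper and the sample manifest are assumptions made for illustration.

```python
# Added example: report env vars that embed a credential in the manifest itself.
import re

NAME_RE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)
URL_CRED_RE = re.compile(r"://[^/\s:@]+:[^/\s@]+@")    # user:password@ inside a URL


def containers(manifest):
    """Containers of a Cloud Run Service or a Kubernetes Deployment (same path in both)."""
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    return pod_spec.get("containers", [])


def audit_env(manifest):
    """Return (container, variable, reason) for every env var holding a literal secret."""
    findings = []
    for c in containers(manifest):
        cname = c.get("name", "?")
        for env in c.get("env", []):
            name, value = env["name"], env.get("value")
            if value is None:
                continue    # valueFrom (e.g. secretKeyRef): the value is not in the manifest
            if URL_CRED_RE.search(value):
                findings.append((cname, name, "credentials embedded in URL"))
            elif NAME_RE.search(name) and value.strip():
                findings.append((cname, name, "literal value for secret-like name"))
    return findings


# Constructed manifest: parsed YAML of a Cloud Run service, shown as a dict.
SERVICE = {
    "apiVersion": "serving.knative.dev/v1", "kind": "Service",
    "metadata": {"name": "payments"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "app", "image": "example.invalid/payments:1",
        "env": [
            {"name": "LOG_LEVEL", "value": "info"},
            {"name": "GATEWAY_API_KEY", "value": "constructed-not-a-real-key"},
            {"name": "DATABASE_URL", "value": "postgres://app:hunter2@10.0.0.5/pay"},
            {"name": "SMTP_PASSWORD",
             "valueFrom": {"secretKeyRef": {"name": "smtp-password", "key": "latest"}}},
        ]}]}}},
}

if __name__ == "__main__":
    for finding in audit_env(SERVICE):
        print(finding)
```

Run as a pre-merge check, this reports `GATEWAY_API_KEY` and `DATABASE_URL` and passes `SMTP_PASSWORD`, whose value is resolved from Secret Manager at deploy time and never appears in Git.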

7. Advanced Perimeter Defense: IAP and SCC

7.1 IAP TCP Forwarding

IAP isn’t just for web apps. TCP Forwarding allows you to reach internal VMs via SSH (port 22) or RDP (port 3389) even if they have no public IP.
  • How it works: You connect to the IAP service endpoint. IAP verifies your IAM identity and the context of your request. If authorized, it creates a tunnel into your VPC and delivers the traffic to the VM’s internal IP.
  • Command: gcloud compute ssh [VM_NAME] --tunnel-through-iap.

7.2 Security Command Center (SCC) Premium

The Premium tier of SCC provides active threat detection:
  • Event Threat Detection: Scans logs for brute-force attacks and account hijacks.
  • Container Threat Detection: Detects unauthorized binary execution inside your GKE pods.
  • Virtual Machine Threat Detection: Scans VM memory for signs of malware (cryptominers, rootkits) without needing an agent.

8. Interview Preparation

1. Q: How does VPC Service Controls (VPC SC) prevent data exfiltration?
A: VPC SC creates a Service Perimeter around Google-managed services (like GCS or BigQuery). Even if an attacker compromises a valid User or Service Account, they cannot copy data from a protected resource to an external project or bucket that is not part of the same perimeter. It effectively mitigates the “Stolen Credential” risk by enforcing security at the resource level, not just the identity level.

2. Q: Explain the “BeyondCorp” Zero Trust model as implemented by IAP.
A: Identity-Aware Proxy (IAP) replaces traditional VPNs. In a Zero Trust model, “being on the corporate network” does not grant access. IAP grants access to web apps and VMs (SSH/RDP) based on Identity (IAM) and Context (Device health, IP location, time of day). If a device is not encrypted or is missing a security patch, IAP blocks the request even if the user provides the correct password.

3. Q: What is the difference between Cloud KMS Software Keys and HSM Keys?
A:
  • Software Keys: Cryptographic keys are stored and managed in a Google-managed software environment. They are cost-effective and fast.
  • HSM Keys: Keys are stored on Hardware Security Modules (FIPS 140-2 Level 3 validated). The raw key material never leaves the hardware. This is a requirement for high-compliance industries (Banking, Government) that need physical separation of keys.

4. Q: How does Cloud DLP (Sensitive Data Protection) handle “De-identification”?
A: DLP uses several techniques to protect data while keeping it useful for analysis:
  • Masking: Replacing part of the data (e.g., 4532-XXXX).
  • Tokenization: Replacing sensitive data with a surrogate “token.”
  • K-Anonymity (Bucketing): Generalizing data (e.g., changing “Age 27” to “Age 20-30”) so that individuals cannot be re-identified in a dataset.

5. Q: What is the “Organization Policy Service” and why is it used?
A: It is a central governance tool that enforces “Guardrails” at the Org or Folder level. Examples include:
  • Disable External IPs: Preventing any VM in the company from having a public IP.
  • Restrict Resource Usage: Only allowing specific machine types or regions.
  • Enforce Shielded VMs: Requiring all GCE instances to use boot integrity checks.
It prevents “Configuration Drift” and human error across thousands of projects.

Implementation: The “Security Officer” Lab

Protecting a BigQuery Dataset with VPC Service Controls

# 1. Create an Access Level (Allow only from a specific CIDR)
# Why: Restricts API access to requests originating from your corporate network
# Without this, any authenticated user can access data from any network (coffee shop, airport)
# (Done via Access Context Manager in the Console or Terraform)

# 2. Create a Service Perimeter
# Why: Even with valid credentials, requests from outside the perimeter are blocked
# Include your Project and the BigQuery API in the perimeter.
# Common Mistake: Forgetting to add dependent services (e.g., Cloud Storage if your
# BigQuery queries reference external tables in GCS -- both must be in the perimeter)

# 3. Test Exfiltration
# Why: Trust but verify. Run this test BEFORE going to production.
# Try to run a query that exports data to a bucket in a DIFFERENT project.
# VPC SC will block this even if you are the Project Owner!

# 4. Use DLP to De-identify a Column in BigQuery
# Why: Allows analysts to work with realistic data without exposing actual PII
# Create a DLP Job to scan a table and mask the 'credit_card' column.

Pro-Tip: The “Organization Policy” Service

Use Organization Policies to enforce security at the root level. For example, you can set a policy that disables the creation of external IP addresses for all VMs in the entire company, or one that enforces the use of Shielded VMs. This prevents “shadow IT” from creating insecure resources.