# Managing and Securing Data

## Establishing Core Security (Cloud IAM)

### Cloud IAM

Cloud IAM determines WHO has ACCESS to WHICH resources.

- Who (principals or members)
  - Google account
  - Service account
  - Google group (best practice)
  - Google Workspace account (org)
  - Cloud Identity domain (an org without Workspace apps/features)
  - All authenticated users (anyone on the Internet authenticated by Google)
  - All users (anyone on the Internet)
- Access (roles), for example
  - Billing Account Administrator
  - Billing Account User
  - Storage Object Creator
  - Storage Object Viewer
  - Cloud SQL Editor
  - Cloud SQL Instance User
  - Security Admin (get/set any IAM policy)
- Which resources, for example
  - VM instance
  - GKE cluster
  - Storage bucket
  - Pub/Sub topic
  - Organization
  - Folder
  - Project
- Roles
  - Primitive (oldest, pre-date Cloud IAM, broadest permissions)
  - Predefined (target specific resources with actions at a granular level)
  - Custom (unique set of permissions, most granular level); requires the Role Administrator role
- Policies
  - Role binding: one or more principals assigned to a role (policy)
- Summary (Part 1: Cloud IAM)
  - globally manages access control for organizations
  - resource access is granted to roles (collections of permissions), and roles are granted to principals
  - Recommender helps identify excess or needed permissions for principals
  - grants IAM access to external identities (AD, etc.) with workload identity federation

### Resource Manager

- centrally manages and secures an organization's projects with a custom folder hierarchy
- example:
  - company
    - dept Y
      - team B
        - product 1
          - dev
          - test
            - GCE, GAE, GCS resources
          - production
- Cloud IAM policies can be modified across an org
- Cloud Asset Inventory monitors and analyzes all GCP assets, including IAM policies
- Organization Policy Service sets constraints on resources and helps orgs stay in compliance

### Cloud Identity

- fully managed Identity as a Service (IDaaS) for provisioning and managing identity resources
- each user and group is given a Cloud Identity account, which allows Cloud IAM to manage access
- can be configured to federate identities with other identity providers (e.g. Active Directory)
- features
  - SSO with other apps
  - Multi-factor authentication (MFA)
  - Device security with endpoint management
  - Context-aware access without a VPN

### Cloud Identity-Aware Proxy (IAP)

- establishes a central authorization layer for apps accessed over HTTPS (and internally over HTTP)
- enforces access control policies for apps and resources
- based on the load balancer and IAM; permits only authenticated and authorized requests
- supports
  - App Engine
  - Compute Engine
  - Kubernetes Engine
  - Cloud Run
  - On-premises

### Summary

- Cloud IAM: the relation between principals, roles, and resources, as well as IAM policy creation and inheritance
- keep the principle of least privilege in mind and in practice; GCP stresses this concept and offers the Recommender service to help implement it
- controlling and managing access is critical to an org's security; GCP offers two services for this: Cloud Identity and Cloud Identity-Aware Proxy

## Detecting and Responding to Security Threats

### Cloud Security Command Center (SCC)

- hub for GCP protective resources
- comprehensive security management and risk platform
- two tiers: Standard and Premium
- designed to prevent, detect, and respond to threats from a single pane of glass
- integrates and monitors many GCP security services as well as external services
- identifies security compliance violations and misconfigurations in Google Cloud assets
- exports SCC data to Splunk and other SIEMs
- Standard
  - SHA: Security Health Analytics
  - WSS: Web Security Scanner
  - CA/WAF: Cloud Armor
  - DLP: Cloud Data Loss Prevention
  - anomaly detection
  - Forseti Security integration
- Premium
  - SHA: adds monitoring/reporting for compliance
  - WSS: adds managed scans
  - ETD: Event Threat Detection
  - CTD: Container Threat Detection
  - continuous exports to Pub/Sub

### Web Security Scanner

- guards the front lines of Internet traffic
- detects key vulnerabilities in App Engine, Compute Engine, and Kubernetes Engine applications
- crawler based; supports public URLs and IPs not behind a firewall
- Standard: custom scans
- Premium: managed scans
- detects
  - Cross-site scripting (XSS)
  - Flash injection
  - mixed (HTTP/HTTPS) content
  - outdated and insecure JavaScript libraries
  - passwords sent as readable (clear) text

### Cloud Armor

- edge-level, enterprise-grade DDoS protection and web application firewall (WAF)
- leverages Google Cloud load balancing
- mitigates the OWASP Top Ten risks
- features
  - allow or deny traffic by IP or CIDR range
  - preview changes before pushing a policy live
  - configure WAF rules to reduce false positives
  - reference named IP address lists from CDN partners (Fastly, Cloudflare, Imperva)

### Event Threat Detection (ETD)

- identifies threats in near real time by monitoring and analyzing Cloud Logging
- threats are defined by rules, which specify the logs they need
- create custom rules by running queries on log data exported to BigQuery
- quickly detects many types of attacks
  - malware
  - crypto mining
  - outgoing DDoS attacks
  - port scanning
  - anomalous IAM grants
  - brute-force SSH

### Cloud Data Loss Prevention (DLP)

- inspection, classification, and de-identification platform to protect sensitive data
- includes over 150 data detectors for personally identifiable information (PII)
- connect DLP results to SCC or Data Catalog, or export them to an external SIEM or governance tool
- detects data in
  - streams of data or structured text
  - files in Cloud Storage or BigQuery
  - images

### Summary

- the Cloud Security Command Center (SCC) platform monitors the majority of GCP's security services and is available in Standard and Premium tiers
- if you use Google Cloud's external HTTPS load balancer, protect your web-based applications hosted on GAE, GCE, or GKE with Web Security Scanner
- when Event Threat Detection (ETD) is enabled, GCP analyzes a range of logs from Cloud Logging to find signs of malware, crypto mining, outgoing DDoS attacks, brute-force SSH, and other threats

## Managing Encrypted Keys

A crypto key is a string of characters that, when used with an encryption algorithm, makes ordinary text unreadable. When that key, or another, is used with a decryption algorithm, it makes the text readable again. To be effective, crypto keys have to be complex and not something anyone should memorize, so we need a service such as KMS to maintain them.

### Cloud Key Management Service (KMS)

- highly available, low-latency service to generate, manage, and apply cryptographic keys
- Cloud KMS encrypts and decrypts data and controls access to keys; it does not store secrets itself
- supports both symmetric (e.g. AES) and asymmetric (e.g. RSA or EC) algorithms
- includes a 24-hour delay before key material is destroyed, to prevent accidental or malicious data loss
- supports regulatory compliance and adds optional variations
  - Cloud HSM
  - Cloud EKM
  - CMEK
  - CSEK
- Google recommends you regularly and automatically rotate symmetric keys
- asymmetric key rotation cannot be automated, but rotating them is still good practice

### Cloud Hardware Security Module (HSM)

- hosts encryption keys and performs cryptographic operations in a cluster of FIPS 140-2 Level 3 certified devices
- enables compliance with hardware requirements
- HSM keys are cryptographically bound to a region, with support for multi-regions
- Cloud HSM properties
  - keys are non-exportable
  - tamper resistant
  - provides tamper evidence
  - auto-scales horizontally

### Cloud External Key Management (EKM)

- use keys from supported external key management partners instead of GCP
- works only with supported CMEK integration services
  - BigQuery
  - Compute Engine
  - Cloud Run
  - Cloud Spanner
  - Cloud Storage
  - GKE
  - Pub/Sub
  - Secret Manager
- the key ring should be created in the same location as the external key management partner
- benefits include
  - key provenance
  - access control: the GCP project must be granted access to the key
  - centralized key management

### Secret Manager

- allows storage of passwords and variables for use in applications
- fully managed service for storing, managing, and accessing secrets as binary blobs or text strings
- used for storing sensitive runtime info such as database passwords, API keys, or TLS certificates
- the data of each secret is immutable; a new version is created each time the value is modified
- best practices
  - follow the principle of least privilege
  - limit access with IAM conditions
  - use the Secret Manager API instead of environment variables
  - reference secrets by version number, not "latest"

### Encrypted Keys Flowcharts

![Service Types](https://user-images.githubusercontent.com/5553105/187797687-c74b10bf-8b9d-497d-83d8-7562e88de74d.png)

![Flowchart](https://user-images.githubusercontent.com/5553105/187797732-bca97f4a-5549-4005-80c0-0b950192b30a.png)

### Summary

- Cloud KMS offers a full range of key sources: Google-managed, Cloud HSM devices, or Cloud EKM partners, as well as customer-managed or customer-supplied keys
- regular automatic rotation of symmetric keys is considered a best practice; Cloud KMS does not support automatic rotation of asymmetric keys
- follow the principle of least privilege when assigning access to Secret Manager entries by using Cloud IAM conditions or secret-level bindings
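The Cloud IAM section above (primitive roles, the `allUsers`/`allAuthenticatedUsers` principals, groups over individual users, least privilege) can be turned into a simple policy audit. This is an added example, not code from the notes or from Google; the policy document is constructed but follows the real Cloud IAM policy JSON shape, and the three finding kinds are this example's own.

```python
"""Audit a Cloud IAM policy for the over-broad bindings the IAM notes warn about.

Added example: the policy below is constructed by hand but uses the real Cloud
IAM policy JSON shape (a list of bindings, each naming one role and its members).
"""
import json

# Basic roles pre-date Cloud IAM and carry the broadest permissions ("primitive" roles).
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Special principals covering everyone on the Internet (anonymous or Google-authenticated).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy: group and service-account bindings are fine,
# the owner grant, the public viewer grant and the two direct users are not.
SAMPLE_POLICY = json.dumps({"version": 3, "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/cloudsql.editor",
     "members": ["user:bob@example.com", "group:dba@example.com"]},
    {"role": "roles/storage.objectCreator",
     "members": ["serviceAccount:uploader@example.iam.gserviceaccount.com"]},
]})


def audit_policy(policy_json: str) -> list:
    """Return one finding per (member, rule) violation of least privilege."""
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append({"kind": "PUBLIC_PRINCIPAL", "role": role, "member": member})
            if role in PRIMITIVE_ROLES:
                findings.append({"kind": "PRIMITIVE_ROLE", "role": role, "member": member})
            # Granting to individual users rather than groups defeats group-based access review.
            if member.startswith("user:"):
                findings.append({"kind": "DIRECT_USER", "role": role, "member": member})
    return findings


def summarize(findings: list) -> dict:
    """Count findings by kind, e.g. {'PRIMITIVE_ROLE': 1, ...}."""
    counts = {}
    for finding in findings:
        counts[finding["kind"]] = counts.get(finding["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"{f['kind']:17} {f['role']:30} {f['member']}")
```

On a real project the same function can be fed the output of `gcloud projects get-iam-policy PROJECT --format=json`, which returns the same binding structure.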
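Two of the key-management rules above (rotate symmetric keys automatically; Cloud KMS cannot auto-rotate asymmetric keys) and the Secret Manager rule (pin a version number, never "latest") can be checked mechanically. This is an added example, not code from the notes or from Google: the key records are constructed dictionaries shaped like the Cloud KMS `CryptoKey` resource (`purpose`, `rotationPeriod`), the secret references use the real `projects/*/secrets/*/versions/*` resource name form, and the 90-day maximum rotation period is this example's own assumption.

```python
"""Check constructed Cloud KMS key records and Secret Manager references
against the notes' best practices. Added example; the 90-day limit is assumed."""
import re
from typing import Optional

SYMMETRIC_PURPOSE = "ENCRYPT_DECRYPT"          # the only purpose Cloud KMS auto-rotates
MAX_ROTATION_SECONDS = 90 * 24 * 3600          # assumed policy: rotate at least every 90 days
SECRET_VERSION_RE = re.compile(r"^projects/[^/]+/secrets/[^/]+/versions/(\d+|latest)$")

# Constructed sample keys in the shape of Cloud KMS CryptoKey resources
# (rotationPeriod is a Duration string such as "7776000s").
SAMPLE_KEYS = [
    {"name": "projects/p/locations/us/keyRings/app/cryptoKeys/data-key",
     "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "7776000s"},   # 90 days: fine
    {"name": "projects/p/locations/us/keyRings/app/cryptoKeys/legacy-key",
     "purpose": "ENCRYPT_DECRYPT"},                                 # no automatic rotation
    {"name": "projects/p/locations/us/keyRings/app/cryptoKeys/slow-key",
     "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "31536000s"},  # 365 days: too slow
    {"name": "projects/p/locations/us/keyRings/app/cryptoKeys/signing-key",
     "purpose": "ASYMMETRIC_SIGN"},                                 # must be rotated manually
]
# Constructed secret references as an application might hold them in its config.
SAMPLE_SECRET_REFS = ["projects/p/secrets/db-password/versions/7",
                      "projects/p/secrets/api-key/versions/latest"]


def check_key_rotation(key: dict) -> Optional[str]:
    """Flag a symmetric key whose automatic rotation is missing or slower than policy."""
    if key.get("purpose") != SYMMETRIC_PURPOSE:
        return None  # asymmetric keys have no rotationPeriod; track manual rotation elsewhere
    period = key.get("rotationPeriod")
    if period is None:
        return "NO_AUTOMATIC_ROTATION"
    return "ROTATION_TOO_SLOW" if int(period.rstrip("s")) > MAX_ROTATION_SECONDS else None


def check_secret_ref(ref: str) -> Optional[str]:
    """Flag references that float on 'latest' instead of pinning a numbered version."""
    match = SECRET_VERSION_RE.match(ref)
    if not match:
        return "MALFORMED_REFERENCE"
    return "UNPINNED_LATEST" if match.group(1) == "latest" else None


def run_checks(keys: list, secret_refs: list) -> dict:
    """Map each offending resource name to its finding."""
    findings = {k["name"]: check_key_rotation(k) for k in keys}
    findings.update({r: check_secret_ref(r) for r in secret_refs})
    return {name: kind for name, kind in findings.items() if kind}


if __name__ == "__main__":
    for resource, finding in run_checks(SAMPLE_KEYS, SAMPLE_SECRET_REFS).items():
        print(f"{finding:22} {resource}")
```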