
New best practices to help automate more secure Cloud deployments

August 6, 2020
Andy Chang

Senior Product Manager, Google Cloud Security

Organizations move to the cloud for many reasons, from improved efficiency, to ease of management, to better security. That’s right, one of the most important benefits of moving to the cloud is the opportunity to establish a robust baseline security and compliance posture. 

But it doesn’t just magically happen. While you can depend on Google Cloud’s secure-by-design core infrastructure, built-in product security features, and advanced security tools, you also need to configure cloud deployments to meet your own unique security and compliance requirements. We believe that a big part of our shared responsibility for security is to help make meeting these requirements easier. 

That’s why this week we launched our Google Cloud security best practices center, a new web destination that delivers world-class security expertise from Google and our partners. This expertise, in the form of security blueprints, guides, whitepapers, and more, can help you accelerate your move to cloud while prioritizing security and compliance. And with downloadable, deployable templates and code, it can help you automate more secure deployment of services and resources.

Blueprints: Helping you automate more secure deployments

As part of this new resource center, we’re publishing a comprehensive new security foundations blueprint that provides curated, opinionated guidance and accompanying automation to help you build security into the starting point for your Google Cloud deployments. The security foundations blueprint was developed based on our customer experience and covers the following topics:

  • Google Cloud organization structure

  • Authentication and authorization

  • Resource hierarchy and deployment

  • Networking (segmentation and security)

  • Logging

  • Detective controls

  • Billing setup

The blueprint itself includes both a detailed best practices guide and deployable assets in the form of customizable Terraform build scripts that can be used to stand up a Google Cloud environment configured per the guidance. 

This joins other newly published blueprints with the same goal of best-practice security posture automation for specific apps or workloads.

The PCI on GKE blueprint contains reference architectures and a set of Terraform configurations and scripts that demonstrate how to bootstrap a PCI environment in Google Cloud. The core of this blueprint is a sample Online Boutique application, where users can browse items, add them to a shopping cart, and make purchases. This blueprint enables you to quickly and easily deploy workloads on Google Kubernetes Engine (GKE) that align with the Payment Card Industry Data Security Standard (PCI DSS) in a repeatable, supported, and secure way. The blueprint also includes a PCI DSS 3.2.1 mapping for the solution and a PCI Compliance whitepaper, which provides an independent, third-party assessment of the blueprint performed by Coalfire, Google's PCI DSS auditor.

The Google Cloud Healthcare Data Protection Toolkit is an automation framework for deploying Google Cloud resources to store and process healthcare data, including protected health information (PHI) as defined by the US Health Insurance Portability and Accountability Act (HIPAA). It provides an example of how to configure Google Cloud infrastructure for data storage, analytics, or application development and includes many of the security and privacy best-practice controls recommended for healthcare data, such as configuring appropriate access, maintaining audit logs, and monitoring for suspicious activities.

The Anthos security blueprints provide prescriptive information and instructions for achieving a set of security postures when you create or migrate workloads that use Anthos clusters. There are currently individual blueprints for enforcing policies, enforcing locality restrictions for clusters on Google Cloud, and auditing and monitoring for deviation from policy. Each blueprint includes an implementation guide and deployable assets (custom resource definition files and Terraform templates and scripts). These blueprints are additive, so you can apply multiple blueprints to your environments. 

Get started

Visit our Google Cloud security best practices center today to learn more about how to accelerate your cloud migration and improve your security posture. We also have a couple of NextOnAir sessions that deal with blueprints and are worth checking out: "Master Security and Compliance in the Public Cloud" and "Enhance Your Security Posture and Run PCI Compliant Apps with Anthos". Then, listen to our recent GCP Podcast on blueprints to hear about the current offerings and future plans. And keep checking back for the latest additions to the center as we continue to add and update content from Google Cloud experts and our partners.
