
Build security into Google Cloud deployments with our updated security foundations blueprint

April 26, 2021
Sean Leighton, Principal Architect, Google Cloud

Andy Chang, Senior Product Manager, Google Cloud Security

At Google, we’re committed to delivering the industry’s most trusted cloud. To earn customer trust, we strive to operate in a shared-fate model for risk management in conjunction with our customers. We believe that it's our responsibility to be active partners as our customers securely deploy on our platform, not simply to delineate where our responsibility ends. Toward this goal, we have launched an updated version of our Google Cloud security foundations guide and the corresponding Terraform blueprint scripts.

In these resources, we provide opinionated step-by-step guidance for creating a secured landing zone into which you can configure and deploy your Google Cloud workloads. We highlight key decision points and areas of focus, and provide both background considerations and discussions of the tradeoffs and motivations for each of the decisions we’ve made. We recognize that these choices might not match every individual company’s requirements and business context; customers are free to adopt and modify the guidance we provide.  

This new version enhances and expands the initial guide and blueprint we launched back in August 2020 to incorporate practitioner feedback and account for additional threat models. In this latest version, we have extended our guidance for networking and key management, and added new guidance for secured CI/CD (Continuous Integration and Continuous Deployment). We review the guide and corresponding blueprints regularly as we continue to update best practices to include new product capabilities. Since its release, the guide has been the most frequently accessed content in our best practices center. We're committed to keeping it up to date, comprehensive, and relevant to your security needs.

“The security foundations guide and Terraform blueprint have enabled customers to accelerate their onboarding to Google Cloud and enabled us to assist clients in adopting security leading practices to operate their environments and workloads.” - Arun Perinkolam, Principal and US Google Cloud Security Practice & Alliance Leader, Deloitte & Touche LLP

Who can use the security foundations blueprint

The guide and Terraform blueprint can be useful to all of the following roles in your organization:

  • The security leader who wants to understand Google’s key principles for cloud security and how to apply and implement them to help secure their own organization’s deployment.

  • The security practitioner who needs detailed instructions on how to apply security best practices when setting up, configuring, deploying, and operating a security-centric infrastructure landing zone that's ready to receive your workloads and applications.

  • The security engineer who needs to configure and operate multiple security controls so that they interact correctly with one another.

  • The business leader who needs to quickly identify the skills their teams need to meet the organization’s security, risk, and compliance needs on Google Cloud. In this role, you also need to be able to share Google’s security reference documentation with your risk and compliance teams.

  • The risk and compliance officer who needs to understand the controls available on Google Cloud to meet their business requirements and how those controls can be deployed automatically. You also need visibility into control drift and areas that need additional attention to meet the regulatory needs of your business.

All of these roles can use this document as a reference guide. You can also use the provided Terraform scripts to automate, experiment, test, and accelerate your own live deployments, modifying them to meet your specific and unique needs.

Create a better starting point for compliance

If your business operates under specific compliance and regulatory frameworks, you need to know whether your configuration and use of Google Cloud services meets those requirements. This guide provides a proven blueprint and starting point to do so.

After you’ve deployed the security foundations blueprint as a landing zone, Security Command Center Premium provides you a dashboard overview and downloadable compliance reports of your starting posture for the CIS 1.0, PCI-DSS 3.2.1, NIST-800-53 and ISO/IEC 27001 frameworks at the organization, folder, or project level.

Implement key security principles

In addition to following compliance and regulatory requirements, you need to protect your infrastructure and applications.

The security foundations guide and blueprint and the associated automation scripts help you adopt three security principles that are core to Google Cloud’s own security strategy:

  • Executing defense in depth, at scale, by default.

  • Adopting the BeyondProd approach to infrastructure and application security.

  • De-risking cloud adoption by moving toward a shared fate relationship.

Defense in depth, at scale, by default

A core principle for how Google secures its own infrastructure dictates that there should never be just one barrier between an attacker and a target of interest. This is what we mean by defense in depth. Adding to this core principle, security should be scalable and all possible measures should be enabled by default.

The security foundations guide and blueprint embody these principles. Data is protected by default through multiple layered defenses using policy and controls that are configured across networking, encryption, IAM, detection, logging, and monitoring services.

BeyondProd

In 2019, we published documentation on BeyondProd, Google’s approach to cloud-native security. This was motivated by the same insights that drove our BeyondCorp effort in 2014, because it had become clear to us that a perimeter-based security model wasn't secure enough. BeyondProd does for workloads and service identities what BeyondCorp did for workstations and users. In the conventional network-centric model, once an attacker breaches the perimeter, they have free movement within the system. Instead, the BeyondProd approach uses a zero-trust model by default. It decomposes historically large monolithic applications into microservices, thus increasing segmentation and isolation and limiting the blast radius of a compromise, while also creating operational efficiencies and scalability.

The security foundations guide and blueprint jumpstart your ability to adopt the BeyondProd model. Security controls are designed into and integrated throughout each step of the blueprint architecture and deployment. Logical control points like organization policies provide you with consistent, default preventive policy enforcement at build and deploy time. Centralized and unified visibility through Security Command Center Premium provides unified monitoring and detection across all the resources and projects in your organization during run time.
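As an added illustration of the "default preventive policy enforcement" that organization policies provide (example code, not part of the blueprint repository), the following Terraform applies a set of Organization Policy constraints at the organization node so that every folder and project inherits them unless an explicit, reviewed exception is set lower in the hierarchy. It assumes the Google provider version 4.x or later and a placeholder `org_id` variable.

```hcl
# Added example: organization-level guard rails via Organization Policy.
# Assumes google provider >= 4.x; var.org_id is a placeholder for your
# numeric organization ID (e.g. "123456789012").

variable "org_id" {
  description = "Numeric organization ID (placeholder)"
  type        = string
}

locals {
  # Boolean constraints enforced by default for the whole organization.
  boolean_constraints = [
    "compute.requireShieldedVm",            # only Shielded VMs may be created
    "compute.skipDefaultNetworkCreation",   # no auto-created default VPCs
    "iam.disableServiceAccountKeyCreation", # no long-lived service account keys
    "storage.uniformBucketLevelAccess",     # no per-object ACLs on buckets
    "sql.restrictPublicIp",                 # no public IPs on Cloud SQL
  ]
}

# One policy resource per boolean constraint, all enforced at the org node.
resource "google_org_policy_policy" "boolean" {
  for_each = toset(local.boolean_constraints)

  name   = "organizations/${var.org_id}/policies/${each.value}"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}

# List constraint: deny external IPs on all VM instances by default.
# A workload that genuinely needs one gets a scoped exception on its own
# project, so the organization-wide default stays "deny".
resource "google_org_policy_policy" "no_vm_external_ips" {
  name   = "organizations/${var.org_id}/policies/compute.vmExternalIpAccess"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      deny_all = "TRUE"
    }
  }
}
```

After `terraform apply`, attempts to create a VM with an external IP or a bucket with fine-grained ACLs anywhere in the organization are rejected at deploy time, and Security Command Center surfaces any later drift from these settings.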

Shared fate

To move from shared responsibility to shared fate, we believe that it's our responsibility to be active partners with you in deploying and running securely on our platform. This means providing holistic capabilities throughout your Day 0 to Day N journey, at:

  • Design and build time: Supported security foundations and posture blueprints that encode best practices by default for your infrastructure and applications.

  • Deploy time: "Guard rails" through services like organization policies and Assured Workloads that enforce your declarative security constraints.

  • Run time: Visibility, monitoring, alerting, and corrective-action features through services like Security Command Center Premium.

Together, these integrated services reduce your risk by starting and keeping you in a more trusted posture with better quantified and understood risks. This improved risk posture can then allow you to take advantage of risk protection services, thus de-risking and ultimately accelerating your ability to migrate and transform in the cloud.

What's included in the Google Cloud security foundations guide and the blueprint

The Google Cloud security foundations guide is organized into sections that cover the following:

  • The foundation security model
  • Foundation design
  • The example.com sample that expresses the opinionated organization structure
  • Resource deployment
  • Authentication and authorization
  • Networking
  • Key and secret management
  • Logging
  • Detective controls
  • Billing
  • Creating and deploying secured applications
  • General security guidance

[Figure: The foundation reference organization structure]

Updates from version #1

This updated guide and the accompanying repository of Terraform blueprint scripts add best-practice guidance in four main areas:

  • Enhanced descriptions of the foundation (Section 5.6), infrastructure (Section 5.7), and application (Section 5.8) deployment pipelines.
  • Additional network security guidance, with a new alternative hub-and-spoke network architecture (Section 7.2) and hierarchical firewalls (Section 7.7).
  • New guidance about key and secret management (Section 8).
  • A new creation and deployment process for secured applications (Section 12).

We update this blueprint to stay current with new product capabilities, customer feedback, and the needs of and changes to the security landscape.

To get started building and running your own landing zone, read the Google Cloud security foundations guide, and then try out the Terraform blueprint template either at the organization level or the folder level.

Our ever-expanding portfolio of blueprints is available on our Google Cloud security best practices center to help you build security into your Google Cloud deployments from the start and help make you safer with Google.
