Help secure the Cloud Workstations API using BeyondCorp Enterprise

Overview

BeyondCorp Enterprise is Google Cloud's zero trust solution that enables an organization's workforce to access web applications securely from anywhere, without the need for VPN, and to help prevent malware, phishing, and data loss.

With the power of Google Chrome, BeyondCorp Enterprise enables users to access applications from any device. BeyondCorp Enterprise is expanding its capabilities to address some key security challenges in the developer environment. Using context-aware access control for Google Cloud console and APIs, BeyondCorp Enterprise enables additional security for the Cloud Workstations API.

The following table lists whether BeyondCorp Enterprise supports context-aware access control for the specified Cloud Workstations access method.

  • The check mark indicates BeyondCorp Enterprise limits this Cloud Workstations access method.
  • The not supported icon indicates BeyondCorp Enterprise does not limit this Cloud Workstations access method.

Objectives

This document describes the steps that an administrator follows to set up BeyondCorp Enterprise access control for the Cloud Workstations API and to provide additional mechanisms that help prevent source code exfiltration from browser-based Cloud Workstations IDEs.

Costs

As part of this tutorial, you may need to get other teams involved (for billing or IAM), and you also test access control to demonstrate that the BeyondCorp Enterprise guardrails are in place.

In this document, you use the following billable components of Google Cloud:

To generate a cost estimate based on your projected usage, use the pricing calculator. New Google Cloud users might be eligible for a free trial.

When you finish the tasks that are described in this document, you can avoid continued billing by deleting the resources that you created. For more information, see Clean up.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the Workstations API.

  5. Make sure that you have the following role or roles on the project: Cloud Workstations > Cloud Workstations Admin.

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.
    2. Select the project.
    3. In the Principal column, find the row that has your email address.

      If your email address isn't in that column, then you do not have any roles.

    4. In the Role column for the row with your email address, check whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.
    2. Select the project.
    3. Click Grant access.
    4. In the New principals field, enter your email address.
    5. In the Select a role list, select a role.
    6. To grant additional roles, click Add another role and add each additional role.
    7. Click Save.
  6. Make sure that you have assigned a BeyondCorp Enterprise Standard license to each of your users. Only users with a license have access controls enforced. For more information, see Assign, remove, and reassign licenses.

Part 1: Set up BeyondCorp Enterprise for Cloud Workstations

This section takes you through the steps to help you secure context-aware access to the Cloud Workstations API:

  1. Set up Cloud Workstations.
  2. Create a demo user and a demo group.
  3. Create an access level in Access Context Manager.
  4. Enable BeyondCorp Enterprise CAA.
  5. Add required Google groups with access levels.
  6. Test developer access to Cloud Workstations.

Set up Cloud Workstations

From the Google Cloud console, create a workstation configuration.

If you're not familiar with Cloud Workstations, see the Cloud Workstations Overview and Architecture descriptions.

Create a demo user and a demo group

From the Google Workspace Admin console, create a demo user and a new user group. When enabled, context-aware access (CAA) for Google Cloud console applies to all users and Google groups because it is a global setting.

  1. Sign in to the Google Workspace Admin console with your administrator account: Menu > Directory > Users > Add New User.

  2. Create a demo user: demo-user@<domain>.

  3. Sign in to the Google Cloud console and navigate to Menu > IAM & Admin > Groups.

  4. Create an IAM group for Cloud Workstations access, name it Cloud Workstations Users, and assign the previously created demo user, demo-user@<domain>.

  5. Click Save.

  6. Also create an IAM administrator group, and name it Cloud Admin Users. Assign your project and organization administrators to this group.

  7. Grant the demo user, demo-user@<domain>, access to the workstation:

    1. In the Google Cloud console, go to Cloud Workstations > Workstations.
    2. Select the workstation and then click More > Add Users.
    3. Select the demo user, demo-user@<domain>, and select Cloud Workstations User as the Role.
    4. To give the demo user access to the workstation, click Save.

Create an access level

Go back to the Google Cloud console to create an access level in Access Context Manager.

Follow these steps to create the access level that the later access test relies on:

  1. From the Google Cloud console, navigate to Security > Access Context Manager to configure a corporate-managed device policy.

  2. Click Create access level and fill in the following fields:

    1. In the Access level title field, enter corpManagedDevice.
    2. Select Basic mode.
    3. Under Conditions select True to enable the condition.
    4. Click + Device policy to expand the options and check Require corp owned device.
    5. Click Save to save the access policy.

Enable BeyondCorp Enterprise CAA for Google Cloud console

To assign context-aware access controls (CAA) to workstations, start by enabling CAA for Google Cloud console:

  1. From the Google Cloud console, navigate to Security > BeyondCorp Enterprise.

  2. Click Manage access to Google Cloud console and API. This takes you to the BeyondCorp Enterprise Organization level page.

  3. In the Secure Google Cloud console & APIs section, click Enable.

Add required Google groups with access levels

Add required administrator groups with relevant members and the correct access policy.

Console

  1. Create an administrator access level named CloudAdminAccess with the location set to the regions where your administrators work. Because this level does not depend on the device policy, it makes sure that administrators keep access to resources even when another access level blocks them.

  2. Create an IAM group with administrator access at IAM & Admin > Groups.

    1. Select the organization.
    2. Create a group, name it Cloud Admin Users.
    3. Assign yourself and any other administrators to this group.
    4. Click Save.
  3. Go to Security > BeyondCorp Enterprise. Click Manage access and review the list of groups and access levels that appear.

  4. Click Add principals to Google Cloud console & APIs.

    1. For Google Groups, select Cloud Admin Users. This is the Google Group that you created in the previous step.
    2. Select CloudAdminAccess, the access level that you created for administrator access.
    3. Click Save.

gcloud and API

To enable dry-run, follow the BeyondCorp Enterprise dry-run tutorial.

Assign access level to Cloud Workstations users group

To assign the access level to Cloud Workstations users group:

  1. Go to Security > BeyondCorp Enterprise and click Manage access.

  2. Review the list of groups and access levels that appears.

  3. Click Add principals to Google Cloud console & APIs.

    1. For Google Groups, select Cloud Workstations Users. This is the Google Group that you created in Part 1.
    2. Select the access level you created earlier, corpManagedDevice.
    3. Click Save.
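The two access levels and group bindings configured above, modelled as an added example that is not part of this tutorial or of Google's tooling: a small evaluator for Access Context Manager basic-level conditions, run against constructed request contexts to confirm that a developer on an unmanaged device is blocked, a developer on a corp-owned device is allowed, and an administrator in an allowed region is not locked out by the device policy. The region list, the request fields, and the assumption that a user is admitted when any binding for one of their groups is satisfied are assumptions, labelled in the code.

```python
# Added example, not part of this tutorial or of Google's tooling: a minimal
# model of how an Access Context Manager basic access level is evaluated,
# used to sanity-check the corpManagedDevice and CloudAdminAccess levels.
# Condition field names follow the API (devicePolicy.requireCorpOwned,
# regions, negate, combiningFunction); the request dict is a constructed
# stand-in for the device/session context BeyondCorp Enterprise evaluates.

def condition_matches(cond, req):
    """A condition holds only if every attribute it sets matches the request."""
    ok = True
    if cond.get("devicePolicy", {}).get("requireCorpOwned") and not req.get("corp_owned_device"):
        ok = False
    if "regions" in cond and req.get("region") not in cond["regions"]:
        ok = False
    return not ok if cond.get("negate") else ok


def level_grants(level, req):
    """Conditions are ANDed unless the level's combiningFunction is OR."""
    results = [condition_matches(c, req) for c in level["conditions"]]
    if level.get("combiningFunction") == "OR":
        return any(results)
    return all(results)


# The two levels from this tutorial, in the shape gcloud's --basic-level-spec uses.
CORP_MANAGED_DEVICE = {"conditions": [{"devicePolicy": {"requireCorpOwned": True}}]}
CLOUD_ADMIN_ACCESS = {"conditions": [{"regions": ["US", "DE"]}]}  # constructed region list

# Group -> access level bindings, as made under "Add principals to Google Cloud console & APIs".
BINDINGS = [("Cloud Workstations Users", CORP_MANAGED_DEVICE),
            ("Cloud Admin Users", CLOUD_ADMIN_ACCESS)]


def access_allowed(bindings, req):
    """Assumption: a user is admitted if any binding for a group they belong to is satisfied."""
    return any(level_grants(level, req)
               for group, level in bindings if group in req["groups"])


if __name__ == "__main__":
    # Constructed request contexts mirroring the "Test developer access" step.
    unmanaged = {"groups": ["Cloud Workstations Users"], "corp_owned_device": False, "region": "US"}
    managed = dict(unmanaged, corp_owned_device=True)
    admin = {"groups": ["Cloud Admin Users"], "corp_owned_device": False, "region": "DE"}
    print("developer, unmanaged device:", access_allowed(BINDINGS, unmanaged))  # False
    print("developer, corp-owned device:", access_allowed(BINDINGS, managed))   # True
    print("admin, personal laptop in DE:", access_allowed(BINDINGS, admin))     # True
```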

Test developer access to Cloud Workstations

Test developer access to the Cloud Workstations API from multiple entry points. From a corporate-owned device, make sure that developers can access the Workstations API; from an unmanaged device, make sure that they cannot.

  • Test that access to the workstation API from an unmanaged device is blocked:

    BeyondCorp Enterprise blocks users who try to access the Cloud Workstations API from an unmanaged device. When these users try to sign in, an error message appears, alerting them that they don't have access or that they should check their network connection and browser settings.

  • Test that access to the workstation API from a corporate-owned device is enabled:

    Developers with BeyondCorp Enterprise and Cloud Workstations access should be able to create their workstation and then launch their workstation.

Part 2: Set up BeyondCorp Enterprise DLP capabilities

This section includes steps to take advantage of BeyondCorp Threat and Data Protection to integrate data loss prevention (DLP) features. This helps prevent source code exfiltration from the browser-based Cloud Workstations base editor (Code OSS for Cloud Workstations).

Follow these steps to set up BeyondCorp Enterprise DLP capabilities to help prevent download of source code:

  1. Enable threat and data protection.
  2. Create a BeyondCorp DLP rule.
  3. Review settings and create the rule.
  4. Test the DLP rule.

Enable threat and data protection

To enable threat and data protection from the Google Workspace Admin console, follow these steps:

  1. Go to Devices > Chrome > Settings > Users & browsers.

  2. After you select your organizational unit identifier (OU ID), click Search or add a filter under User and Browser Settings and select the Category subtype.

  3. Search for the Chrome Enterprise connector in the Category subtype.

  4. In Download content analysis select Google BeyondCorp Enterprise.

  5. Expand Additional Settings.

    1. Select Delay file access until analysis is complete.
    2. In Check for sensitive data > Mode, select On by default, except for the following URL pattern.
  6. Click Save to save the configuration.

Create a BeyondCorp Enterprise DLP rule

To create a DLP rule, follow these steps:

  1. Go to the Google Workspace Admin console and select Security > Access and data control > Data protection > Manage Rules.

  2. To create a new rule, click Add rule, and then New rule. This opens the Name and scope page.

  3. In the Name section, enter a name and description. For example, for the Name field, enter CloudWorkstations-DLP-Rule1 and, for the Description field, enter Cloud Workstations Data Loss Prevention Rule 1.

  4. In the Scope section, configure the following:

    1. Select Organizational units and/or groups.
    2. Click Include organizational units and select your organization.
    3. Click Continue.
  5. In the Apps section, configure the following:

    1. In the Chrome options, select File uploaded and File downloaded.
    2. Click Continue.
  6. In the Conditions page, configure the following:

    1. Click Add condition to create a new condition.
    2. Select All content.
    3. Select Matches Predefined data type (recommended).
    4. For Select data type, select Documents—Source code file.
    5. For the Likelihood threshold field, select High.
    6. For the Minimum unique matches field, enter 1.
    7. For the Minimum match count field, enter 1.
    8. Click Continue.
  7. On the Actions page, configure the following:

    1. In the Actions options, select Chrome > Block content.
    2. In the Alerting options, configure the following:
      • For severity, select Medium.
      • Select Sent to alert center.
    3. Click Continue.

Review settings and create the rule

From the Review page, review the settings that you configured in previous pages:

  1. Make sure the settings are correct.
  2. To proceed, click Create.
  3. On the next page, make sure Active is selected.
  4. To finish creating the rule, click Complete.

Test the DLP rule

Now that the DLP rule is added, you can test from Cloud Workstations in Chrome:

  1. In a new Chrome tab, enter chrome://policy and click Reload policies to make sure the Chrome policy is updated.

  2. Scroll down to make sure you see a list of policies. If you see these, the policies have been pulled down successfully. In this case, look for the OnFileDownloadEnterpriseConnector policy.

  3. Navigate to the Google Cloud console and create a Cloud Workstations configuration.

    When creating your workstation configuration, be sure to select Code editors on base images and then select the Base Editor (Code OSS for Cloud Workstations) preconfigured base image.

  4. Create a workstation.

  5. Start and launch your workstation.

  6. Access the Code OSS for Cloud Workstations URL that appears after you launch your workstation and connect to port 80.

  7. Clone a repository with the Clone Git Repository option in the IDE. After the repository is cloned, try to download a file with source code.

    To download files in the Code OSS for Cloud Workstations Explorer view, use any of the following methods:

    • Drag files from the Explorer view.

    • Navigate to the files and directories you would like to use, right-click, and then choose Download.

  8. When you try to download, the DLP policy takes effect. You see a download blocked notification stating that the download doesn't meet your organization's policies.

Congratulations! You have successfully helped prevent source code files from being downloaded.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources. For more information, see Delete resources.

What's next