Google Cloud LiftOff
Getting started on GCP

Agenda
01. What is Google Cloud Platform?
02. How do I get started?
03. Cloud Identity
04. Resource Manager and Billing
05. Cloud IAM
06. Administrative Tools
01. What is Google Cloud Platform?
9 services with more than 1.000.000.000 users each
[Map: current regions and number of zones, future regions and number of zones, points of presence, and network; Google Cloud is continually expanding. Region labels visible on the map include Zurich and Osaka.]

2021 and beyond:
● +5 cloud regions in Salt Lake City, Las Vegas, Jakarta, Seoul and Warsaw
● +7 coming: Doha (Qatar), Toronto (Canada), Paris (France), Milan (Italy), Santiago (Chile), Madrid (Spain) and Turin (Italy)
● Dunant, Curie and JGA-S cables operational

Subsea cables on the map: Indigo (SG, ID, AU) 2019; JGA-S (GU, AU) 2020; Curie (CL, US) 2020; Dunant (US, FR) 2020; Equiano (PT, NG, ZA) 2021.
Google is the #4 server manufacturer world-wide

Google’s carbon journey
Security that’s built in, not bolted on

Layers of the stack, top to bottom: Usage, Operations, Deployment, Application, Network, Storage, OS + IPC, Boot, Hardware.
Shared responsibility

Service models and example products: SaaS (Gmail, Drive), PaaS (BigQuery, GAE), IaaS (GCE, GCS).

Layers, top to bottom: Content; Access Policies; Usage; Deployment; Web Application Security; Identity; Operations; Access and authentication; Network Security; Guest OS, Data & Content; Audit Logging; Network; Storage + Encryption; Hardened Kernel + IPC; Boot; Hardware.

The matrix marks each layer as Google Managed or Customer Managed for each service model: the layers at the bottom of the stack are always Google managed, and the customer-managed share is largest for IaaS and smallest for SaaS.
Secure storage: 100% of data is encrypted at rest and in transit

[Slide graphic: Encryption by default | Customer-Supplied Encryption Keys | External Key Manager, on a spectrum from MORE AUTOMATED to MORE CONTROL]

● Default: Google manages keys transparently. Always-on encryption for everything. No choices here :-)
● Customer-managed (CMEK): you manage keys in Google Cloud KMS. Cloud KMS lets you control key creation, revocation & rotation.
● Customer-supplied (CSEK): you store keys outside Google Cloud. Keep keys on your own premises, and only supply them to Google when doing an operation. If you lose the keys, your data is effectively cryptodeleted.
Certifications and frameworks (grouped by region as on the slide)

Global: ISO 27001, ISO 27017, ISO 27018, FIPS 140-2, SOC 1, SOC 2, SOC 3, PCI DSS, CSA STAR, MPAA, Independent Security Evaluators Audit

Americas
● USA: HIPAA, HiTrust, FedRAMP, COPPA, FERPA, NIST 800-53, NIST 800-171, NIST 800-34, Sarbanes-Oxley, SEC Rule 17a-4(f), CFTC Rule 1.31(c)-(d), FINRA Rule 4511(c), HECVAT, DISA IL2
● Canada: Personal Information Protection and Electronic Documents Act
● Argentina: Personal Data Protection Law

Europe, Middle East & Africa
● Europe: GDPR, EU Model Contract Clauses, Privacy Shield, TISAX, EBA Guidelines
● Spain: Esquema Nacional de Seguridad
● Germany: BSI C5
● UK: NCSC Cloud Security Principles, NHS IG Toolkit
● Switzerland: FINMA
● France: HDS
● South Africa: POPI

Asia Pacific
● Australia: Australian Privacy Principles, Australian Prudential Regulatory Authority Standards, IRAP
● Japan: FISC, My Number Act
● Singapore: MTCS Tier 3, OSPAR, MAS Guidelines, ABS Guide

More info: https://cloud.google.com/security/compliance/#/
02. How do I get started?

Controlling Access
● Authentication: Cloud Identity
● Authorization: Cloud IAM

Projects: the main unit of GCP
● The Project resource is the base level organizing entity and is a logical grouping of resources that does not correspond to a particular geographic region
● A project is required to use Google Cloud Platform, and forms the basis for creating, enabling and using all GCP services
● Projects track resource and quota usage:
  ○ Enable billing
  ○ Manage permissions and credentials
  ○ Enable services and APIs
[Diagram: a Project containing Admin, Cloud IAM and Resources such as Container Engine, Compute Engine, Cloud Machine Learning, Cloud Storage and App Engine]
03. Cloud Identity

Types of User Accounts
● Consumer users: users whose creation is managed by individuals and whose authentication is managed by Google. Google recommends avoiding the use of consumer accounts with GCP.
● Organization-managed users: users whose creation and authentication options are managed by an organization. Organization-managed users are highly recommended for accessing GCP, as they grant additional control, audit, and security measures.
Cloud Identity - Managed Google accounts
● Cloud Identity is an Identity as a Service (IDaaS) solution that allows you to centrally manage users and groups who can access GCP/G Suite cloud resources
● It is the same identity service that powers G Suite and can also be used for 3rd party applications
[Diagram: Cloud Identity at the centre, connected to People, Devices, Google Cloud, Chrome for Work, Android for Work and Apps]
Cloud Identity Provides
● Single pane of glass: user lifecycle management, account security, single sign-on, Cloud Directory, device management, reporting and analytics, app management, extensible through APIs
● Deep and granular reporting and analytics across your ecosystem
Two Consoles For User/Access Management
● admin.google.com: managing Users, Groups, and Authentication settings
● console.cloud.google.com: Roles & Authorization for GCP

Users & Groups
● Users and groups created in Cloud Identity are the Google Identities that can be assigned IAM roles in the GCP console
● The Google Admin roles only manage aspects of Cloud Identity such as user/group management, and are different from GCP roles which manage permissions to cloud resources
User & Group Management
[Diagram: Users, Groups and Org Units are created in Cloud Identity manually, through APIs or by CSV upload; Cloud IAM then maps those identities onto GCP Resources]
User Provisioning (AD) & LDAP Integration
[Diagram: on-premises IT infrastructure (AD, VPN, a Radius server for Wifi AuthN, MS infra for Print, File and Certificate services, MS Exchange, Lync, MS Office, Skype, the intranet, and legacy applications using Kerberos/NTLM or LDAP) is synchronized to Cloud Identity through GCDS and a Federation Service]
04. Resource Manager and Billing

Resource Manager
● Resource Manager provides hierarchical grouping to organize Cloud Platform resources
● It manages 3 main resource containers:
  ○ An Organization
  ○ Folders
  ○ Projects
● Available for both Cloud Identity and Google Workspace customers
Resource Manager: Organizations
● An organization node is the root node for Google Cloud Platform (GCP) resources
● It gives your admin visibility and control over all resources on GCP
● Each G Suite or Cloud Identity account is associated with exactly one organization
● It allows the enforcement of Org-wide security/governance policies across the entire cloud resource hierarchy.
[Diagram: Organization above GCP Projects]

    gcloud organizations list
Resource Manager: Folders
● Folders provide an additional grouping mechanism and isolation boundaries between projects
● A folder can contain projects, folders (up to ten levels deep), or a combination of both
● Folders allow delegation of administration rights. They can be seen as business units within the Organization
● Folders act as a policy inheritance point for IAM and Organization policies
[Diagram: Organization above Folders]
Resource Manager: Projects
● The Project resource is the base level organizing entity and is a logical grouping of resources that does not correspond to a particular geographic region
● A project is required to use Google Cloud Platform, and forms the basis for creating, enabling and using all GCP services
● Projects track resource and quota usage:
  ○ Enable billing
  ○ Manage permissions and credentials
  ○ Enable services and APIs
[Diagram: Organization above Folders above GCP Projects]

    gcloud projects list
Resource Manager & IAM
● Organizations, folders and projects provide attach points for IAM and organization policies
● IAM and Org policies are inherited from parent Org/folders
● All GCP resources belong to exactly one project
● At the lowest level, resources are the fundamental components that make up all GCP services
Billing Accounts
● A billing account is used to define who pays for a given set of resources
● A billing account includes a payment instrument, to which costs are charged, and access control that is established by Cloud IAM roles
● There are two types of billing account:
  ○ Self-serve: created online; credit or debit card or ACH direct debit
  ○ Invoiced: offline; check or wire transfer
[Diagram: one Billing Account receives the project-level charges of Project A, Project B and Project C, producing an invoice with per-project aggregation; bills are itemized by resource type]
● Resource consumption is measured on:
  ○ Rate of use/time
  ○ Number of items
  ○ Feature use
05. Cloud IAM

Cloud IAM
● Cloud IAM lets you manage access control by defining who (identity) has what access (role) on which organization node
● Cloud IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources
● In Cloud IAM, you grant access to Cloud Identity members, which can be of the following types:
  ○ Service account (e.g. [email protected])
  ○ Google group (e.g. [email protected])
  ○ Google Workspace domain or Cloud Identity domain (e.g. yourcompany.com)
IAM Policies
● A role is a collection of permissions that enforce separation of duties across Google Cloud Platform
● Permissions determine what operations are allowed on a resource
● Permissions are represented in the form of <service>.<resource>.<verb>
● The IAM policy binds a set of members to a role. Policies can then be attached to a resource, a project, a folder or a domain
[Diagram: members (Users, Service Accounts, Groups) are bound to the Compute.InstanceAdmin role, which contains permissions such as compute.instances.delete, compute.instances.start, compute.instances.stop, …, on Compute Engine VMs]
Types of Roles
There are three types of roles in Cloud IAM:
● Primitive roles: legacy roles spanning multiple services with broad access. These are the Owner, Editor, and Viewer roles. Recommended to avoid.
● Predefined roles: roles that give finer-grained access control on specific services.
● Custom roles: roles that you create to tailor permissions to the needs of your organization when predefined roles don't meet your needs.
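The binding and inheritance rules from the Resource Manager & IAM, IAM Policies and Types of Roles slides, as an added Python example (not Google's code or the real IAM engine): the role contents, member names and the organization/folder/project tree are constructed for illustration. It walks a resource's ancestors and unions every binding it finds, which is why a broad primitive role granted high in the tree reaches every project below it and cannot be taken away further down.

```python
# Added example (not Google's code): a toy model of how Cloud IAM policies
# attach to organization/folder/project nodes and are inherited downwards.
# Role contents below are a constructed subset, not the real role definitions.
from dataclasses import dataclass, field
from typing import Optional

# Permissions use the <service>.<resource>.<verb> form from the slides.
ROLES = {
    "roles/compute.instanceAdmin": {"compute.instances.get", "compute.instances.start",
                                    "compute.instances.stop", "compute.instances.delete"},
    "roles/compute.viewer": {"compute.instances.get"},
    "roles/editor": {"*"},  # primitive role: broad access across all services
}

@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    bindings: dict = field(default_factory=dict)  # role -> set of members

    def bind(self, role: str, member: str) -> None:
        self.bindings.setdefault(role, set()).add(member)

def effective_roles(node: Node, member: str, groups: dict) -> set:
    """Union of roles bound to the member (or a group containing it) on this
    node and on every ancestor: grants are additive, nothing is subtracted."""
    principals = {member} | {g for g, ms in groups.items() if member in ms}
    roles = set()
    while node is not None:
        roles |= {r for r, ms in node.bindings.items() if ms & principals}
        node = node.parent
    return roles

def has_permission(node: Node, member: str, permission: str, groups=None) -> bool:
    perms = set().union(*(ROLES[r] for r in effective_roles(node, member, groups or {})))
    return "*" in perms or permission in perms

def build_demo():
    """Constructed hierarchy: organization -> folder 'prod' -> project 'web-prod'."""
    org = Node("organizations/example.com")
    prod = Node("folders/prod", org)
    proj = Node("projects/web-prod", prod)
    groups = {"group:sre@example.com": {"user:ana@example.com"}}
    org.bind("roles/compute.viewer", "group:sre@example.com")         # inherited by all
    prod.bind("roles/compute.instanceAdmin", "user:ana@example.com")  # folder scope
    proj.bind("roles/editor", "user:bob@example.com")                 # primitive: avoid
    return org, prod, proj, groups
```

Evaluating the same member at the organization and at the project shows the asymmetry: a grant at the folder is visible from the project but not from the organization above it.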
Service Accounts
● Service accounts are accounts that represent an application or a virtual machine (VM), instead of an individual end user
● Service accounts are created in a project; however, they can be granted IAM roles on any other projects
● Service accounts are created by users or services (e.g. GCE, GAE)

Examples of Service Accounts:
[email protected]
[email protected]
SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
[email protected]
06. Administrative Tools

Accessing GCP
● Cloud Console & Shell
● Mobile App
● Google Cloud SDK
● RESTful APIs, e.g. a request to the Compute Engine instances endpoint (excerpt shown on the slide; the request body is truncated):

    https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/instances -d
    '{
      "disks":[
        {
          "boot":"true",
          "initializeParams":{
            "sourceImage":"https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-8-jessie-v20160301"
          }
        }
      ],
Google Cloud SDK (https://cloud.google.com/sdk/)
● Set of tools containing gcloud, gsutil, and bq, which you can use to access Google Compute Engine, Google Cloud Storage and Google BigQuery
● Client libraries for Java, Python, NodeJS, Ruby, Go, .NET, and PHP are available for installation
● It contains emulators for Pub/Sub and Datastore, allowing you to simulate these services in your environment for local development, testing and validation
Google Cloud Shell (Part of Cloud Console)
● A temporary Debian-based Compute Engine virtual machine instance in a web browser
● Built-in code editor
● 5 GB of persistent disk storage
● Pre-installed Google Cloud SDK and other tools
● Web preview functionality
● Built-in authorization for access to GCP Console projects and resources
Useful Links
● Documentation: cloud.google.com/docs
● Architectures: cloud.google.com/architecture
● Code samples: cloud.google.com/docs/samples
● Support: cloud.google.com/support
● Training: cloud.google.com/training
● Codelabs: g.co/codelabs/cloud

Console tour

That’s a wrap! Questions?
(Image © Bill Watterson)

Thank you!