Tips on building a network security policy in Google Cloud
Changing the network security perspective
In a data center, network security engineers tend to spend the bulk of their time managing individual devices: creating strong passwords and hardening configurations for networking devices and creating firewall rules for each endpoint. Since nothing is physical in the cloud networking world, the security focus should shift from hardware protection to software defined networking and protecting virtual devices.
This means that you don’t have to worry about hardening router configs or configuring high availability. However, there’s a definitive paradigm shift you have to do coming from a data center to cloud infrastructure.
Start with the foundation of Identity Access Management
Identity Access Management (IAM) manages access control to networking services in the cloud. If someone needs access to configure resources, then you need to assign their identity to an IAM role to be able to perform any configurations or changes.
IAM can be used to grant a role to a user, depending on what they need to access in the cloud.
For example, your data center network security roles and responsibilities might look like this:
Like the data center, in Google Cloud each role has defined tasks. This is enforced through IAM, using allow policies and deny policies.
- Allow policy = who + can do what + on what resource
- Deny policy = who + cannot do what + on what resource
This gives you the ability to provide separation of duties by providing access to a service. With Google Cloud, you can refactor network access as your organization evolves and grows.
For example, the Compute network administrator role is defined here, which allows a network engineer to have significant access to the networking functionality in Google Cloud. For example, the Compute network administrator can create and modify most network resources, except firewalls. The firewall configuration and administration is only handled by the Compute security administrator. This gives you the ability to have separation of duties between the network operations and security team. There are thousands of roles you can copy and adapt to your organization’s needs. Take a look here.
Virtual Private Cloud (VPC) architecture
In Google Cloud, there are two commonly used network architectures: shared VPCs and hub-and-spoke. Both provide a centralized network policy, but are controlled in different ways.
I suggest you use custom VPC networks to create your own network so you can have total control over configuring your network architecture. By default, the subnets are pre-defined. In a production network, you want to have control over the subnets and external accessibility. The VPC uses automatic mode by default. While it’s convenient, it’s not practical for production networks.
Shared VPC architecture
One of the ways to help build a network on Google Cloud is to use a shared VPC architecture. Google Cloud lets you connect resources from multiple projects to a common VPC network. This approach allows your resources to communicate with each other securely and efficiently using internal IP addresses from that network. This also allows your security team to enforce security policies across your entire organization.
If you need to have multiple shared VPCs, you can create connectivity between multiple shared VPC using Cloud VPN, VPC peering, or Network Connectivity Center.
Your Google Cloud network design that you choose depends primarily on your needs for centralized or decentralized control.
Depending on your organization’s preferences, you must decide if you need centralized control over the network including IP addressing, routing, and firewalling between different workloads, or if you need to give your teams greater autonomy in running their own environments and building network elements within their environments themselves.
Additionally, your organization might require traffic between different workloads in Google Cloud to pass through centralized network appliances such as next generation firewalls (NGFW). This constraint influences your Virtual Private Cloud (VPC) network design.
Some designs might be better for your organization than others, based on the number of workloads that you want to deploy, and the number of virtual machines (VMs), internal load balancers, and other resources that they will consume.
One approach is to set up VPC Peering. VPC Peering allows you to connect two VPCs, which are virtual private clouds. This can be done in a hub and spoke architecture, which is a network topology that consists of a central hub VPC and multiple spoke VPCs. The hub VPC contains shared resources, such as a load balancer or a database, and the spoke VPCs contain resources that are specific to each department. VPC Peering allows you to connect the spoke VPCs to the hub VPC, so that the resources in the spoke VPCs can access the shared resources in the hub VPC.
Protecting your Cloud resources with Google Cloud network security services
Once you have your network configured for your organization, you can implement network security services in Google Cloud to fortify your network security. Here are some great tools to get you started:
Google provides Application Load Balancers (HTTP, HTTPS) and Network Load Balancers. Network Load Balancers include support for TLS, TCP, UDP, ESP (IPSec), ICMP and others. These load balancers are highly configurable and robust. Google also provides container-native load balancing.
Google Cloud Armor helps keep your Google Cloud assets safe from different threats, like distributed denial-of-service (DDoS) attacks, and application attacks like cross-site scripting (XSS) and SQL injection (SQLi).
Cloud Firewall allows you to utilize global network firewall policies to batch update all firewall rules by grouping them into a single policy object. You can assign regional or global network firewall policies to a Virtual Private Cloud (VPC) network, or you can associate a global network firewall policy with multiple networks in a project. For centralized control that inherits a policy through your resource hierarchy, you want to look at hierarchical firewall policies.
Cloud Firewall intrusion prevention service monitors your Google Cloud workload traffic for any malicious activity and takes preemptive actions to prevent it. Cloud Firewall Plus, currently in preview, adds advanced threat protection and next-generation firewall (NGFW) capabilities to our distributed firewall service. The malicious activity can include threats such as intrusions, malware, spyware, and command-and-control attacks on your network.
There are also other network security options like Network Intelligence Center, BeyondCorp, Cloud Ops, and many others. See https://cloud.google.com/learn/what-is-cloud-network-security for more details on how you can secure your Google Cloud network.