Security Flashcards
What are the cornerstones of the Google ‘security model’?
1) Information Security Team - top experts
2) Data Center Physical Security
3) Server and Software Stack Security
4) Trusted Server Boot - Titan security chip to verify firmware and software components, system identity
5) Data Access - auth services
6) Data Disposal policy
Cloud IAM does not directly grant permissions to an end user.
Permissions are grouped into roles, and roles are granted to members (authenticated identities such as users, groups, and service accounts). Cloud IAM policies record which roles are granted to which members on a given resource. Each time a member tries to access a resource, IAM checks the member's identity against the applicable policies to decide whether the action is permitted.
How do roles work?
Roles group permissions together, and permissions determine which operations may be performed on which kinds of resources. Granting a role to a member gives that member every permission contained in the role; there is no other way to give a member a permission.
What are policies?
A policy in Cloud IAM binds members to roles on a resource. To give a member access to a resource, you add a binding of that member to the appropriate role and set the policy on the resource. The member then holds that role for the resource and for everything beneath it in the hierarchy.
What are members?
A member is the type of principal that holds access to one or more resources: a Google account (end user), a service account (used by applications and virtual machines, not by a human), a Google group, a G Suite group, or a Cloud Identity domain. A member is identified by an e-mail address (for a user, a group, or a service account) or by the organizational domain name tied to the G Suite or Cloud Identity account.
what are service accounts?
Service accounts are a different account type because they are used by applications or virtual machine instances, not by human beings. The service accounts are used to make authorized API calls. In GCP, service accounts are identified by e-mail addresses that are unique to the accounts. Interestingly, these accounts do not have passwords, so they cannot log in using browsers or maintain cookies. Instead they authenticate with an RSA key pair (Google-managed, or a user-managed key that you download), or by being attached to the workload, which then obtains short-lived tokens from the metadata server. A downloaded key is a long-lived credential that must be protected and rotated; prefer an attached service account wherever that option exists.
What is an Identity?
An identity is an entity that represents a person or other agent that performs actions on a GCP resource. Identities are sometimes called members. There are several kinds of identities:
Google account
Service account
Cloud Identity domain
What is the Cloud Identity (IDaaS) offering?
Users who do not have Google accounts or G Suite accounts can use the Cloud Identity service to create an identity. It will not be linked to a Google account, but it will create an identity that can be used when assigning roles and permissions.
Cloud Identity can be configured to delegate authentication to other identity providers that use OIDC or SAML. This is convenient when the primary source of truth about users is an enterprise identity provider.
What is a permission?
A permission is a grant to perform some action on a resource. Permission names follow the pattern service.resource.verb, and the permissions available vary by the type of resource with which they are associated. Storage resources will have permissions related to creating, listing, and deleting data. For example, a user with the bigquery.tables.create permission can create tables in BigQuery. Cloud Pub/Sub has a permission called pubsub.subscriptions.consume, which allows a member to pull messages from a subscription, and therefore to read the messages published to the topic that subscription is attached to.
Here are some examples of other permissions used by Compute Engine:
compute.instances.get
compute.networks.use
compute.securityPolicies.list
What are Roles?
Roles are sets of permissions. One of the most important things to remember about IAM is that administrators grant roles, not permissions, to identities. You cannot grant a permission directly to a user—you must grant it by assigning a role to an identity.
Roles can be granted to identities, and an identity can have multiple roles. Roles are granted on organizations, folders, or projects (and on many individual resources, such as Cloud Storage buckets), and bindings are inherited: a role granted at one level applies to every resource beneath it whose type the role's permissions cover. For example, a role granted on a project that carries Compute Engine instance permissions applies to every VM instance in that project. The effective permissions of an identity on a resource are the union of the roles bound to it on that resource and on every ancestor.
What are Policies?
In addition to granting roles to identities, you can associate a set of roles and permissions with resources by using policies. A policy is a list of bindings; each binding pairs one role with the list of members (as users are sometimes called) who hold that role on the resource. Policies are specified using JSON.
What are the trust boundaries?
Think in terms of trust boundaries, which set the scope of where roles and permissions should apply. For example, if you have three services in an application, consider having three trust boundaries, one for each service. You could use a different service account for each service and assign it just the roles it needs. For example, if only one of the services writes to Cloud Storage, then only that service's account should hold a role that includes the permission to write to Cloud Storage. If either of the other two services is compromised, the attacker gains no ability to write to Cloud Storage, which limits the damage that can be done.
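The role, binding, inheritance, and trust-boundary rules above can be checked with a small simulator. The following is an added example, not Google's code or the Cloud IAM evaluation engine: the role-to-permission map is a constructed subset of some predefined roles (the real ones contain far more permissions), the policies, hierarchy, group membership, and the example.com / shop-prod names are all made up, and the model ignores IAM conditions and deny policies. It shows that a member only ever gets a permission through a role, that bindings on a parent are inherited by every child, and that giving each service its own service account keeps the Cloud Storage write permission inside one trust boundary.

```python
import json

# Constructed subset of predefined roles (real roles carry many more permissions).
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/pubsub.subscriber": {"pubsub.subscriptions.consume"},
    "roles/compute.viewer": {"compute.instances.get", "compute.securityPolicies.list"},
}

# Constructed policies keyed by resource name, in the JSON shape Cloud IAM uses:
# a list of bindings, each binding pairing one role with a list of members.
POLICIES = {
    "organizations/123456": json.loads("""{
      "bindings": [
        {"role": "roles/compute.viewer", "members": ["group:sre@example.com"]}
      ]}"""),
    "projects/shop-prod": json.loads("""{
      "bindings": [
        {"role": "roles/storage.objectCreator",
         "members": ["serviceAccount:uploader@shop-prod.iam.gserviceaccount.com"]},
        {"role": "roles/pubsub.subscriber",
         "members": ["serviceAccount:worker@shop-prod.iam.gserviceaccount.com",
                     "serviceAccount:api@shop-prod.iam.gserviceaccount.com"]}
      ]}"""),
}

# Constructed resource hierarchy: each resource names its parent; the org has none.
PARENT = {
    "projects/shop-prod/buckets/uploads": "projects/shop-prod",
    "projects/shop-prod": "organizations/123456",
    "organizations/123456": None,
}

# Constructed group membership: a group member in a binding expands to its users.
GROUPS = {"group:sre@example.com": {"user:alice@example.com"}}


def expand(member):
    """Identities a binding member stands for: itself, plus group members if it is a group."""
    return {member} | GROUPS.get(member, set())


def effective_roles(identity, resource):
    """Union of roles bound to the identity on the resource and on every ancestor."""
    roles = set()
    node = resource
    while node is not None:
        for binding in POLICIES.get(node, {}).get("bindings", []):
            if any(identity in expand(m) for m in binding["members"]):
                roles.add(binding["role"])
        node = PARENT.get(node)
    return roles


def is_allowed(identity, permission, resource):
    """Allow iff some effective role contains the permission.  Permissions are
    never bound directly, so the only path to a permission is through a role."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in effective_roles(identity, resource))


if __name__ == "__main__":
    bucket = "projects/shop-prod/buckets/uploads"
    for who, perm, res in [
        ("serviceAccount:uploader@shop-prod.iam.gserviceaccount.com", "storage.objects.create", bucket),
        ("serviceAccount:worker@shop-prod.iam.gserviceaccount.com", "storage.objects.create", bucket),
        ("user:alice@example.com", "compute.instances.get", "projects/shop-prod"),
        ("user:alice@example.com", "storage.objects.get", bucket),
    ]:
        print(f"{who:70} {perm:28} on {res}: {is_allowed(who, perm, res)}")
```

The bucket has no policy of its own, so everything the uploader account can do there comes from the project-level binding; alice's Compute Engine permission comes from a group binding two levels up at the organization. The worker and api accounts hold only the Pub/Sub role, so compromising either of them yields no Cloud Storage write.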
Cloud Audit Logs are what?
Cloud Audit Logs is a GCP service that records administrative actions and data operations. Administrative actions that modify configurations or metadata of resources are always logged (Admin Activity audit logs) and cannot be disabled. Data Access audit logs record when data is created, modified, or read. They can generate large volumes of data, so they are disabled by default for most services (BigQuery is the exception) and are enabled per service and per operation type as needed. System Event audit logs are generated by Google Cloud systems and record details of actions that modify resource configurations. Policy Denied audit logs record information related to when Google Cloud denies access to a user or service account because of a security policy.
The logs are kept for a limited period of time: by default Admin Activity and System Event logs are retained for 400 days and Data Access and Policy Denied logs for 30 days. Often, regulations require that audit logs be retained for longer periods of time. Plan to export audit logs from Cloud Audit Logs and save them to Cloud Storage or BigQuery. They can also be written to Cloud Pub/Sub.
Logs are exported from Cloud Logging through sinks (a filter plus a destination), which support the following three export methods:
JSON files to Cloud Storage
Logging tables to BigQuery datasets
JSON messages to Cloud Pub/Sub
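Once audit logs are exported, the JSON entries can be triaged by a detection job. The following is an added example, not Google's code and not a captured log: the four entries are hand-written samples in the Cloud Audit Log shape (a logName whose suffix names the audit log type, and a protoPayload with serviceName, methodName, authenticationInfo.principalEmail and resourceName). The shop-prod project, the example.com principals and the findings format are assumptions. The IAM change is read from serviceData.policyDelta.bindingDeltas, the delta that Resource Manager records for SetIamPolicy, with a fallback to the full policy in the request body, since other services record the request rather than a delta.

```python
import json

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample entries (not captured logs), one per audit log type of interest.
SAMPLE_LOG_LINES = [
    json.dumps({  # Admin Activity: a project IAM change that makes objects world-readable
        "logName": "projects/shop-prod/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "resourceName": "projects/shop-prod",
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"}]}},
        }}),
    json.dumps({  # Admin Activity: a new long-lived service account key was minted
        "logName": "projects/shop-prod/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "serviceName": "iam.googleapis.com",
            "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "resourceName": "projects/-/serviceAccounts/uploader@shop-prod.iam.gserviceaccount.com",
        }}),
    json.dumps({  # Data Access: a routine object read by a workload; should not fire
        "logName": "projects/shop-prod/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "serviceName": "storage.googleapis.com",
            "methodName": "storage.objects.get",
            "authenticationInfo": {"principalEmail": "worker@shop-prod.iam.gserviceaccount.com"},
            "resourceName": "projects/_/buckets/uploads/objects/report.csv",
        }}),
    json.dumps({  # Policy Denied: an access blocked by policy
        "logName": "projects/shop-prod/logs/cloudaudit.googleapis.com%2Fpolicy",
        "protoPayload": {
            "serviceName": "storage.googleapis.com",
            "methodName": "storage.objects.get",
            "authenticationInfo": {"principalEmail": "intern@example.com"},
            "resourceName": "projects/_/buckets/uploads/objects/report.csv",
            "status": {"code": 7, "message": "PERMISSION_DENIED"},
        }}),
]


def audit_log_type(entry):
    """Map the URL-encoded logName suffix to the four Cloud Audit Log categories."""
    suffix = entry["logName"].rsplit("%2F", 1)[-1]
    return {"activity": "ADMIN_ACTIVITY", "data_access": "DATA_ACCESS",
            "system_event": "SYSTEM_EVENT", "policy": "POLICY_DENIED"}.get(suffix, "UNKNOWN")


def public_grants(payload):
    """(role, member) pairs that a SetIamPolicy call handed to a public member.
    Reads the binding delta first, then falls back to the full policy in the request."""
    found = set()
    deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    for delta in deltas:
        if delta.get("action") == "ADD" and delta.get("member") in PUBLIC_MEMBERS:
            found.add((delta["role"], delta["member"]))
    for binding in payload.get("request", {}).get("policy", {}).get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.add((binding["role"], member))
    return found


def triage(lines):
    """Return (severity, rule, principal, resource) findings for exported JSON log lines."""
    findings = []
    for line in lines:
        entry = json.loads(line)
        payload = entry["protoPayload"]
        who = payload.get("authenticationInfo", {}).get("principalEmail", "?")
        what = payload.get("resourceName", "?")
        method = payload.get("methodName", "")
        if method.endswith("SetIamPolicy"):
            for role, member in sorted(public_grants(payload)):
                findings.append(("HIGH", f"public-grant:{role}:{member}", who, what))
        if method == "google.iam.admin.v1.CreateServiceAccountKey":
            findings.append(("MEDIUM", "sa-key-created", who, what))
        if audit_log_type(entry) == "POLICY_DENIED":
            findings.append(("LOW", "policy-denied", who, what))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG_LINES):
        print(*finding)
```

The Data Access entry produces no finding, which is the point of keeping such volume out of the alerting path; the public grant and the new service account key are both Admin Activity events, which are always logged, so this detection works even in a project where Data Access logging was never enabled.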
What is HIPAA?
HIPAA is a federal law in the United States that protects individuals’ healthcare information. It was enacted in 1996 and updated in 2003 and 2005. HIPAA is a broad piece of legislation, but from a security perspective, the most important parts are the HIPAA Privacy Rule and the HIPAA Security Rule.
The HIPAA Privacy Rule is a set of rules established to protect a patient’s healthcare information. It sets limits on data that can be shared by healthcare providers, insurers, and others with access to protected information. This rule also grants patients the right to review information in their records and request information. For further details on this rule, see the following:
www.hhs.gov/hipaa/for-professionals/privacy/index.html
The HIPAA Security Rule defines standards for protecting electronic records containing personal healthcare information. The rule requires organizations that hold electronic healthcare data to ensure the confidentiality, integrity, and availability of healthcare information, protect against expected threats, and prevent unauthorized disclosures. In practice, this requires security management practices, access control practices, incident response procedures, contingency planning, and evaluation of security measures. For more information on the HIPAA Security Rule, see the following:
What is the General Data Protection Regulation?
The EU’s GDPR was passed in 2016 and began enforcement in 2018. The purpose of this regulation is to standardize privacy protections across the European Union, grant individuals control over their personal information, and specify security practices required for organizations holding the personal data of individuals in the EU (the regulation applies to data subjects in the EU regardless of citizenship, and to organizations outside the EU that process their data).
GDPR distinguishes controllers and processors. A controller is a person or organization that determines the purpose and means of processing personal data. A processor is a person or organization that processes data on behalf of a controller.
Controllers are responsible for gaining and managing consent of individuals whose data is collected. Controllers direct processors on implementing the wishes of individuals who request access or changes to data. Processors are responsible for securing data and conducting audits to ensure that security practices are functioning as expected.
In the event of a data breach, data processors must notify the controller without undue delay. Controllers in turn must notify the supervisory authority, which varies by country, within 72 hours of becoming aware of the breach where feasible, and must notify the individuals whose data was compromised when the breach is likely to result in a high risk to them.