What are the two most common compliance areas? Privacy regulations such as HIPAA and GDPR, and commercial and live business standards such as PCI DSS. Google's network has layers of protection. Each layer protects and complements the next internal layer. The main thing to know is that Google handles security up to a point; after that, the security is up to you. So, you need to know where your responsibilities begin.

Secure VPC: identify the optimal VPC topology, deploy distributed firewalls, control access with IAM permissions, avoid adding public IPs to instances, and access Google services internally. Cloud Interconnect: connect securely to on-prem or other cloud deployments via Private Interconnect, Carrier Interconnect, Direct Peering, or VPN. Third-party virtual appliances: enhance VPC security with third-party appliances such as next-gen firewalls and IDS/IPS, that's intrusion detection, plus logging and monitoring; scale third-party appliances using internal load balancing so you don't create choke points in your VPC.

Global Cloud Load Balancing provides edge protection and global infrastructure protection for IPv4 and IPv6, with Layer 3 and Layer 4 denial-of-service protections. A single anycast IP, even if backends are in multiple regions, absorbs attacks for resiliency, with auto-scaling, cross-region overflow, and cross-region failover. Google's network is a high-capacity, high-performance, software-defined network: virtualized global networks with subnets, organizations, folders, cross-project networking, and peering. Third-party DDoS: you can complement the infrastructure with additional security from third-party providers.

Here are some key concepts: Cloud Armor, Cloud Load Balancing, Cloud Firewall Rules, Service Accounts, separation into front-end and back-end, and isolation of resources using separate service accounts between tiers. Because of the pervasive availability of firewall rules, you don't have to install a router in the network at a particular location to get firewall protection.
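The two ideas just listed, distributed firewall rules that apply to instances rather than to a router at a choke point, and service accounts used to isolate the front-end tier from the back-end tier, can be made concrete with a small rule evaluator. The Go code below is an added example written for this page, not code from Google or from the course; the service-account names, rule names, CIDRs and ports are constructed, and the `Rule`, `Packet` and `Evaluate` types are a simplified model of how VPC ingress firewall rules behave (first matching rule in priority order, lower number first, deny beats allow on a tie, and an implied deny-all-ingress fallback), not the real API.

```go
package main

import (
	"net"
	"sort"
)

// Constructed service-account names for the two tiers (assumption for this example).
const (
	FrontendSA = "frontend@example-project.iam.gserviceaccount.com"
	BackendSA  = "backend@example-project.iam.gserviceaccount.com"
)

type Action int

const (
	Allow Action = iota
	Deny
)

// Rule is a simplified ingress VPC firewall rule; TargetSAs/SourceSAs model target and source service accounts.
type Rule struct {
	Name        string
	Priority    int // lower number is evaluated first
	Action      Action
	TargetSAs   []string // empty: applies to every instance in the network
	SourceCIDRs []string
	SourceSAs   []string
	Port        int // TCP port; 0: all ports
}

// Packet is one inbound connection attempt to an instance in the VPC.
type Packet struct {
	SrcIP string
	SrcSA string // "" when the sender is not a VM in this VPC (e.g. the internet)
	DstSA string // service account the receiving instance runs as
	Port  int
}

func hasStr(xs []string, s string) bool {
	for _, x := range xs {
		if x == s {
			return true
		}
	}
	return false
}

func (r Rule) matches(p Packet) bool {
	if len(r.TargetSAs) > 0 && !hasStr(r.TargetSAs, p.DstSA) {
		return false
	}
	if r.Port != 0 && r.Port != p.Port {
		return false
	}
	if p.SrcSA != "" && hasStr(r.SourceSAs, p.SrcSA) {
		return true
	}
	ip := net.ParseIP(p.SrcIP)
	for _, c := range r.SourceCIDRs {
		if _, n, err := net.ParseCIDR(c); err == nil && ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// Evaluate applies the first matching rule in priority order (deny wins a tie)
// and falls back to the implied deny-all-ingress rule when nothing matches.
func Evaluate(rules []Rule, p Packet) (Action, string) {
	sorted := append([]Rule(nil), rules...)
	sort.SliceStable(sorted, func(i, j int) bool {
		if sorted[i].Priority != sorted[j].Priority {
			return sorted[i].Priority < sorted[j].Priority
		}
		return sorted[i].Action == Deny && sorted[j].Action == Allow
	})
	for _, r := range sorted {
		if r.matches(p) {
			return r.Action, r.Name
		}
	}
	return Deny, "implied-deny-ingress"
}

// LayeredRules models the front-end / back-end layering: only the front-end tier is
// reachable from outside, and the back-end accepts traffic solely from front-end VMs.
func LayeredRules() []Rule {
	return []Rule{
		{Name: "deny-ssh-all", Priority: 900, Action: Deny,
			SourceCIDRs: []string{"0.0.0.0/0"}, Port: 22},
		{Name: "allow-https-to-frontend", Priority: 1000, Action: Allow,
			TargetSAs: []string{FrontendSA}, SourceCIDRs: []string{"0.0.0.0/0"}, Port: 443},
		{Name: "allow-frontend-to-backend", Priority: 1000, Action: Allow,
			TargetSAs: []string{BackendSA}, SourceSAs: []string{FrontendSA}, Port: 8080},
	}
}
```

Feed `Evaluate(LayeredRules(), p)` a few packets to see the layering: a connection from the internet to a back-end instance on 8080 falls through to the implied deny, the same connection from a VM running as the front-end service account is allowed, and SSH is refused everywhere because the deny rule carries a lower priority number than either allow rule. Note that the back-end rule never names an IP range; the front-end VMs are identified by the service account they run as, which is what lets you lock down connections between components without a choke point.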
That means you can layer the firewalls as shown in this example, and because of pervasive support for Service Accounts you can lock down connections between components. When faced with a security question on an exam or in practice, determine which of the specific technologies or services is being discussed, authentication or encryption for example, then determine exactly what the goals are for sufficient security. Is it deterrence? Is it meeting a standard for compliance? Is the goal to eliminate a particular risk or vulnerability? This will help you define the scope of a solution, whether it's on an exam or in a real-world application.

GCP provides several encryption options. Customer-managed encryption keys (CMEK) use Cloud KMS. When you use Cloud Dataproc, cluster and job data is stored on persistent disks associated with the Compute Engine VMs in your cluster, and in a Cloud Storage bucket. The persistent disk and bucket data is encrypted using a Google-generated data encryption key, called a DEK, and a key encryption key, called a KEK. The CMEK feature allows you to create, use and revoke the key encryption key, the KEK. Google still controls the data encryption key, the DEK.

Default encryption: encryption at rest uses the key management system, KMS, to generate KEKs and DEKs. The Key Management Service, KMS, allows you to generate AES-256 keys. You can use these values off Cloud. The service also handles key rotation, and when a file is destroyed there is a 24-hour delay before final deletion.
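The DEK/KEK split described above is envelope encryption, and the reason it gives the customer control through the KEK alone is easiest to see in code. The Go program below is an added example written for this page, not Google's implementation and not the Cloud KMS API: the `KMS` type is a stand-in that keeps KEK versions internally and exposes only wrap and unwrap, `Encrypt` generates a fresh AES-256 DEK per object and wraps it under the current KEK, `Rotate` and `Rewrap` show why rotating the KEK does not require re-encrypting the bulk data, and `Disable` shows that revoking the KEK makes everything wrapped under it unrecoverable even though Google-side code (here, the caller) still holds the ciphertext and the wrapped DEK. The sample plaintext is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newAESGCM builds an AES-256-GCM AEAD; keys here are always 32 random bytes.
func newAESGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// aeadSeal prefixes a random nonce to the AES-GCM ciphertext.
func aeadSeal(g cipher.AEAD, plaintext []byte) []byte {
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

func aeadOpen(g cipher.AEAD, sealed []byte) ([]byte, error) {
	ns := g.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// KMS stands in for Cloud KMS: KEK versions live only inside it and callers
// get wrap/unwrap, never key bytes. A teaching model, not the real API.
type KMS struct {
	keks []cipher.AEAD // keks[v-1] is KEK version v; nil once disabled
}

func NewKMS() *KMS { k := &KMS{}; k.Rotate(); return k }

// Rotate makes a fresh AES-256 KEK the primary version; older versions still unwrap.
func (k *KMS) Rotate() int {
	k.keks = append(k.keks, newAESGCM(randomBytes(32)))
	return len(k.keks)
}

// Disable is the customer's revoke step: DEKs wrapped under this version become unrecoverable.
func (k *KMS) Disable(version int) { k.keks[version-1] = nil }

func (k *KMS) Wrap(dek []byte) (int, []byte) {
	return len(k.keks), aeadSeal(k.keks[len(k.keks)-1], dek)
}

func (k *KMS) Unwrap(version int, wrapped []byte) ([]byte, error) {
	if version < 1 || version > len(k.keks) || k.keks[version-1] == nil {
		return nil, errors.New("KEK version disabled or unknown")
	}
	return aeadOpen(k.keks[version-1], wrapped)
}

// Envelope is what gets stored next to the data: ciphertext plus the wrapped DEK.
type Envelope struct {
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt uses a fresh AES-256 DEK per object and wraps it under the primary KEK.
func Encrypt(k *KMS, plaintext []byte) Envelope {
	dek := randomBytes(32)
	v, w := k.Wrap(dek)
	return Envelope{KEKVersion: v, WrappedDEK: w, Ciphertext: aeadSeal(newAESGCM(dek), plaintext)}
}

func Decrypt(k *KMS, e Envelope) ([]byte, error) {
	dek, err := k.Unwrap(e.KEKVersion, e.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return aeadOpen(newAESGCM(dek), e.Ciphertext)
}

// Rewrap re-encrypts only the wrapped DEK under the primary KEK; the bulk ciphertext is untouched.
func Rewrap(k *KMS, e Envelope) (Envelope, error) {
	dek, err := k.Unwrap(e.KEKVersion, e.WrappedDEK)
	if err != nil {
		return Envelope{}, err
	}
	e.KEKVersion, e.WrappedDEK = k.Wrap(dek)
	return e, nil
}
```

Run it as `kms := NewKMS()`, `env := Encrypt(kms, data)`, then `kms.Rotate()` and `Rewrap(kms, env)`: the ciphertext bytes stay identical, only the few dozen bytes of wrapped DEK change. Calling `kms.Disable(1)` afterwards makes the original envelope undecryptable while the rewrapped one still opens, which is the control a CMEK customer holds over the KEK while the DEK itself never leaves the service.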