You are about to solve a problem, and you have turned to Google Cloud Platform (GCP) to build and host your solution. You create your account and are all set to brew some coffee, sit down at your workstation, and architect, code, build, and deploy. Except you aren't. There are many knobs to tweak and practices to put into action if you want your solution to be operational, secure, reliable, performant, and cost effective. The best time to do that is right at the beginning, before you start to design and engineer.

First, a word of caution: never use a non-corporate account.

Instead, use a fully managed corporate Google account to improve visibility, auditing, and control of access to Cloud Platform resources. Don’t use email accounts outside of your organization, such as personal accounts, for business purposes.

Cloud Identity is a stand-alone Identity-as-a-Service (IDaaS) offering that gives Google Cloud users access to many of the identity management features of Google Workspace, Google's suite of cloud-native collaboration and productivity applications. Through the Cloud Identity management layer, you can enable or disable access to various Google products for members of your organization, including Google Cloud Platform (GCP).

Signing up for Cloud Identity also creates an organizational node for your domain. This helps you map your corporate structure and controls to Google Cloud resources through the Google Cloud resource hierarchy.

Let's discuss some Google Cloud security best practices.

1. Ensure your IAM (Identity & Access Management) policies enforce least privilege

Like all major clouds, Google Cloud provides an Identity and Access Management (IAM) framework that you can use to define access controls for resources in your cloud environment. IAM is one of the pillars of constructing a secure cloud. To make the most of Google Cloud IAM, write policies that enforce least privilege: each principal (user, group, or service account) can access only the specific services and resources its role requires. Avoid the broad basic roles (Owner, Editor, Viewer) in favour of narrowly scoped predefined or custom roles, and grant roles to Google Groups rather than to individual users wherever possible, so that membership changes do not require editing every policy and stray per-user grants do not accumulate.

You should also validate your Google Cloud IAM configurations with Cloud Security Posture Management (CSPM) tools that can detect configuration oversights or errors that may expose your cloud environment to attack.

2. Ensure Multi Factor Authentication is enabled

Multi-factor authentication requires more than one mechanism to authenticate a user. This protects user logins against attackers exploiting stolen or weak credentials. Multi-factor authentication is not enforced by default; enforcement has to be switched on in the Cloud Identity or Google Workspace Admin console.

Make sure that every account that can access a Google Cloud Platform project, folder, or organization has multi-factor authentication enabled, and enforce it for the whole organization rather than relying on individual users to opt in.


3. Ensure Security Key Enforcement for all admin accounts

GCP users with Organization Administrator roles have the highest level of privilege in the organization.

These accounts should be protected with the strongest form of two-factor authentication: Security Key Enforcement. Ensure that admins log in with security keys instead of weaker second factors such as SMS or one-time passwords (OTP). Security keys are physical hardware tokens (FIDO/U2F devices) used to access Organization Administrator accounts. Rather than producing a code that a user could be tricked into typing into a fake page, the key signs a challenge that is bound to the legitimate site's origin, so a phishing site cannot obtain a usable login.

4. Prevent use of User-Managed Service Account keys

Anyone who holds a service account's private key can act as that service account and reach everything it can reach. Google-managed keys are used by Cloud Platform services such as App Engine and Compute Engine; they cannot be downloaded, and Google holds the private key and rotates it automatically, roughly once a week.

User-managed keys, on the other hand, are created, downloaded, and managed by the user, and only expire 10 years after they are created unless you delete them first.

User-managed keys are easily compromised through common development practices: checking them into source code, leaving them in a downloads directory, or pasting them into support forums or chat channels. Be aware that deleting a user-managed key breaks every application that still authenticates with it, so inventory a key's users before you delete it.
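The two checks a practitioner wants here are an inventory of user-managed keys (with their age, so stale ones can be rotated or removed) and a way to spot a downloaded key file that has leaked into a source tree. The script below is an added example, not code from the original page or from Google. It reads the JSON that `gcloud iam service-accounts keys list --format=json` prints (records with `name`, `keyType`, `validAfterTime`, `validBeforeTime`); the sample records, the project name, the key IDs, the audit time and the leaked file are all constructed for illustration.

```python
"""Audit user-managed service account keys and detect leaked key files.

Added example, not the page's own code. Input for the first check is the
output of `gcloud iam service-accounts keys list --format=json`.
"""
from datetime import datetime, timedelta, timezone
import json

# Constructed sample of `gcloud iam service-accounts keys list --format=json`
# for a hypothetical project "demo-proj". Key IDs are placeholders.
SAMPLE_KEYS = [
    {"name": "projects/demo-proj/serviceAccounts/app@demo-proj.iam.gserviceaccount.com"
             "/keys/0000000000000000000000000000000000000001",
     "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2024-05-01T00:00:00Z", "validBeforeTime": "2024-05-17T00:00:00Z"},
    {"name": "projects/demo-proj/serviceAccounts/app@demo-proj.iam.gserviceaccount.com"
             "/keys/0000000000000000000000000000000000000002",
     "keyType": "USER_MANAGED",
     "validAfterTime": "2023-01-15T10:00:00Z", "validBeforeTime": "2033-01-13T10:00:00Z"},
    {"name": "projects/demo-proj/serviceAccounts/app@demo-proj.iam.gserviceaccount.com"
             "/keys/0000000000000000000000000000000000000003",
     "keyType": "USER_MANAGED",
     "validAfterTime": "2024-04-20T10:00:00Z", "validBeforeTime": "2034-04-18T10:00:00Z"},
]

# Constructed "now" so the example is reproducible; a real run would use datetime.now(timezone.utc).
AUDIT_TIME = datetime(2024, 5, 10, tzinfo=timezone.utc)


def parse_rfc3339(ts):
    """gcloud prints timestamps like 2023-01-15T10:00:00Z; fromisoformat needs an explicit offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_user_managed_keys(keys, now, max_age_days=90):
    """Return one finding per USER_MANAGED key; Google-managed keys are skipped
    because they rotate on their own and cannot be downloaded."""
    findings = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue
        service_account, key_id = key["name"].split("/serviceAccounts/")[1].split("/keys/")
        age = now - parse_rfc3339(key["validAfterTime"])
        findings.append({
            "service_account": service_account,
            "key_id": key_id,
            "age_days": age.days,
            "stale": age > timedelta(days=max_age_days),
        })
    return findings


def run_sample_audit():
    return audit_user_managed_keys(SAMPLE_KEYS, AUDIT_TIME)


# Fields present in every downloaded JSON key file.
KEY_FILE_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")


def looks_like_service_account_key(text):
    """True if `text` is a downloaded service account key file, i.e. JSON with
    "type": "service_account" and an embedded PEM private key. Use it over files
    found in a repository, a downloads folder or a pasted support message."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    return (isinstance(doc, dict)
            and doc.get("type") == "service_account"
            and all(field in doc for field in KEY_FILE_FIELDS)
            and str(doc.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"))


# Constructed, non-functional stand-in for a leaked key file (the PEM body is not a real key).
SAMPLE_LEAKED_FILE = json.dumps({
    "type": "service_account",
    "project_id": "demo-proj",
    "private_key_id": "0000000000000000000000000000000000000002",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvREDACTED\n-----END PRIVATE KEY-----\n",
    "client_email": "app@demo-proj.iam.gserviceaccount.com",
})

if __name__ == "__main__":
    for finding in run_sample_audit():
        flag = "ROTATE/REMOVE" if finding["stale"] else "review"
        print(f"{flag}: {finding['service_account']} key {finding['key_id']} "
              f"is {finding['age_days']} days old")
    print("leaked key file detected:", looks_like_service_account_key(SAMPLE_LEAKED_FILE))
```

In a real run, pipe `gcloud iam service-accounts keys list --iam-account=SA_EMAIL --format=json` into `audit_user_managed_keys`, and walk the repository with `looks_like_service_account_key` before every commit; the age threshold is a policy choice, 90 days being a common rotation interval.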


5. Ensure Cloud Storage is not anonymously or publicly accessible

Allowing anonymous or public access (a grant to the allUsers or allAuthenticatedUsers principal) gives everyone permission to read bucket contents. Such access is rarely desirable, and never when you are storing sensitive data. Therefore, make sure that anonymous or public access to the bucket is not allowed, and review bucket IAM policies regularly for those two principals.

You can also prevent buckets from becoming public in the first place with organization policies: the Domain restricted sharing constraint (constraints/iam.allowedPolicyMemberDomains) limits IAM grants to identities from your own organization, and the Public access prevention constraint (constraints/storage.publicAccessPrevention) blocks allUsers and allAuthenticatedUsers on Cloud Storage buckets outright.
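Practices 1 and 5 both come down to reading an IAM policy and looking for bindings that should not be there: public principals, basic roles, grants to individual users instead of groups, and members outside your domains. The script below is an added example, not code from the original page or from Google, and serves both sections. It takes the policy JSON that `gcloud projects get-iam-policy PROJECT --format=json` or `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` prints, which has the shape `{"bindings": [{"role": ..., "members": [...]}], ...}`. The sample policy, the identities in it and the allowed domain are constructed; the external-member check approximates Domain restricted sharing by e-mail domain, whereas the real constraint matches on Cloud Identity customer IDs.

```python
"""Audit a GCP IAM policy for public access and over-broad grants.

Added example, not the page's own code. Input is the JSON printed by
`gcloud projects get-iam-policy` or `gcloud storage buckets get-iam-policy`.
"""

# Principals that make a resource readable by the whole internet / any Google account.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Basic roles bundle thousands of permissions across every service; avoid them.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy for a hypothetical bucket; every identity is made up.
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/editor",
         "members": ["user:alice@example.com", "group:devs@example.com"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:app@demo-proj.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["user:bob@contractor.example"]},
    ],
}


def _grants(policy):
    """Flatten bindings into (role, member) pairs, in policy order."""
    return [(b["role"], m) for b in policy.get("bindings", []) for m in b.get("members", [])]


def find_public_bindings(policy):
    """Practice 5: roles granted to allUsers / allAuthenticatedUsers."""
    return [(role, m) for role, m in _grants(policy) if m in PUBLIC_PRINCIPALS]


def find_basic_role_grants(policy):
    """Practice 1: Owner/Editor/Viewer grants, which are far broader than least privilege."""
    return [(role, m) for role, m in _grants(policy) if role in BASIC_ROLES]


def find_direct_user_grants(policy):
    """Practice 1: grants to individual users; prefer groups so policies stay maintainable."""
    return [(role, m) for role, m in _grants(policy) if m.startswith("user:")]


def find_external_members(policy, allowed_domains):
    """Approximation of Domain restricted sharing: user/group members whose e-mail
    domain is not one of ours. Service accounts are left out because the real
    constraint permits those that belong to the organization's own projects."""
    external = []
    for role, m in _grants(policy):
        kind, _, identity = m.partition(":")
        if kind in ("user", "group") and identity.rpartition("@")[2] not in allowed_domains:
            external.append((role, m))
    return external


def audit_policy(policy, allowed_domains):
    """Return human-readable findings, highest severity first."""
    findings = []
    for role, m in find_public_bindings(policy):
        findings.append(f"CRITICAL public access: {m} has {role}")
    for role, m in find_external_members(policy, allowed_domains):
        findings.append(f"HIGH external identity: {m} has {role}")
    for role, m in find_basic_role_grants(policy):
        findings.append(f"MEDIUM basic role: {m} has {role}")
    for role, m in find_direct_user_grants(policy):
        findings.append(f"LOW direct user grant (use a group): {m} has {role}")
    return findings


if __name__ == "__main__":
    for line in audit_policy(SAMPLE_POLICY, {"example.com"}):
        print(line)
```

Run it against every project and bucket, not just the ones you remember creating; a CSPM tool performs the same checks continuously, and the two organization policy constraints mentioned above stop the CRITICAL and HIGH classes of finding from being possible at all.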

Conclusion

Moving to the cloud opens a new world of possibilities, but it also requires learning a new set of Google Cloud Platform security best practices. Each new cloud service you adopt brings its own risks that you need to understand and control.

Luckily, Swifta Systems can guide you through these Google Cloud Platform security best practices, and help you meet your compliance requirements and set you up.