Sunday, February 12, 2023

Google Professional Cloud Security Engineer Exam Prep notes - Part 3

 Integrating existing identity management solution with Google Cloud Platform

Given below are the  steps to integrate a third party identity management platform

  • You should have a domain that is enabled for email. In case of a preexisting domain registered with Google or a non-existent domain you cannot proceed
  • You should have permissions to verify domain ownership by creating txt or CNAME entry
  • Implement SAML SSO if existing identity management system is to be used for authentication to GCP console
  • Create the first cloud identity administration account and account for admin who will manage users in GCP
  • Configure billing accounts- this can either be an online account or offline invoiced account linked to a Purchase Order. For applying for an invoiced billing account you would need to meet certain criteria , ie be a registered business for one year, have min billing of $2500/month for 3 months
  • Create additional admin accounts like network admins or organization admins
  • Use directory sync  to sync identities. Passwords are not synced by default unless you choose to do so. Synching passwords is not a best practices and it is recommended to use SSO instead
  • You can also use third party IDP connectors such as connectors from Ping, Okta or Azure AD G Suite connector

Recommended usage of service accounts

Service accounts are used in access management scenarios where human users are not involved, for e.g.: when applications want to access a DB, storage or similar resources in Google cloud.While using service account to authenticate to other Google Services and APIs, it is recommended to use a user-managed service account and not default service accounts(default service accounts are created when you enable a Google cloud service). After attaching a user-managed service account to resources, you should use application default credentials(ADC) for authentication. ADC  should be configured in the application environment and is automatically used by client libraries for authentication

Envelope encryption

Envelope encryption is the process of implementing multiple layers of key , where one key is encrypted with another. The encryption can either be done at application or storage layer. The default encryption offered by Google is also envelope encryption, but the central keystore is Google's internal key management system. You can also choose to use KMS instead of the internal key management system

Data Encryption Keys(DEK) - used for data encryption, should be generated locally and stored with encryption at rest

Key Encryption Key(KEK)- Used for encryption DEK. Recommended to store centrally(in KMS) and rotate regularly

The process happens as follows

DEK generated locally-> Data encrypted with DEK-> DEK wrapped with KEK-> Encrypted data and wrapped DEK stored in storage system->KEK stored in KMS



Post a Comment

Total Pageviews

About Me

Cloud Solutions expert with 17+ years of experience in IT industry with expertise in Multi cloud technologies and solid background in Datacentre management & Virtualization. Versatile technocrat with experience in cloud technical presales, advisory, innovation , evangelisation and project delivery. Currently working with Google as Infra modernization specialist, enabling customers on their digital transformation journey . I enjoy sharing my experiences in my blog, but the opinions expressed in this blog are my own and does not represent those of people, institutions or organizations that I may be associated with in professional or personal capacity, unless explicitly stated.

Search This Blog

Powered by Blogger.