Encryption, IAP & Cloud Armor
Encryption is the process of turning plaintext data into a scrambled string of characters. No system can read these strings until it has the relevant key to decrypt them back into plaintext.
By default, GCP offers encryption at rest, meaning that data stored on GCP storage services is encrypted without any further action from users. In GCP, Cloud KMS allows us to generate, use, rotate and destroy cryptographic keys, which can be either Google-generated or imported from your own KMS system. Cloud KMS is integrated with Cloud IAM, so you can manage permissions on individual keys.
Data Encryption Keys & Key Encryption Keys
A key that is used to encrypt data is called a data encryption key (DEK). These keys are in turn wrapped by a key encryption key (KEK). KEKs are stored and managed within Google Cloud's KMS, allowing Google to track and control access from a central point. It isn't possible to export your KEK from KMS, and all encryption and decryption of keys (the wrapping and unwrapping of DEKs) must take place within KMS.
In addition, KMS-held keys are backed up for disaster recovery purposes. KEKs are also rotated after a certain period, meaning that a new key is created. This allows GCP to comply with certain regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), and is considered a security best practice. GCP rotates the keys every 90 days by default.
GCP also offers the ability for the customer to manage KEKs, giving us control over the generation, rotation and expiration of keys. The keys are still stored in KMS, but we control their life cycle. This is known as customer-managed encryption keys (CMEK). To organize keys effectively, Cloud KMS uses the concept of key rings to group keys together and pass inherited permissions down to the keys in the ring.
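As an added illustration of the DEK/KEK scheme above (this is not code from GCP or Cloud KMS), here is a local envelope-encryption model in Go. A plain 32-byte slice stands in for the KEK that Cloud KMS would actually hold, and AES-256-GCM is assumed for both the data and the key-wrapping layer; the point to notice is that rotating the KEK re-wraps only the DEK and never touches the bulk ciphertext.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // unreachable with fixed 32-byte keys and a working system RNG
	}
	return v
}
// seal encrypts plaintext with AES-256-GCM under key, prepending a fresh random nonce.
func seal(key, plaintext []byte) []byte {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; the GCM tag check makes a tampered or wrongly keyed ciphertext fail here.
func open(key, sealed []byte) ([]byte, error) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if ns := aead.NonceSize(); len(sealed) >= ns {
		return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
// Encrypt generates a one-time DEK, encrypts the data with it and wraps the DEK under the KEK (here a plain slice standing in for a KMS-held key).
func Encrypt(kek, plaintext []byte) (data, wrappedDEK []byte) {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	return seal(dek, plaintext), seal(kek, dek)
}
// Decrypt unwraps the DEK with the KEK (the one step Cloud KMS would perform), then decrypts the data locally.
func Decrypt(kek, wrappedDEK, data []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, data)
}
// RotateKEK re-wraps the DEK under a new KEK; the bulk ciphertext is not even an input, so rotation cost does not depend on data volume.
func RotateKEK(oldKEK, newKEK, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(oldKEK, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return seal(newKEK, dek), nil
}
```

Because the data ciphertext is stored alongside the wrapped DEK, an application needs only the wrapped blob and a KMS unwrap call to read its data; after rotation the retired KEK can no longer unwrap anything.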
Apart from IT and enterprise-level security, it is also very important to comply with the relevant IT security and industry regulations.
GCP follows global and third-party regulations and certifications, such as PCI compliance, Data Loss Prevention (DLP), penetration testing, etc.
Many organizations handle financial transactions, and Google goes to great lengths to secure information residing on its servers. If there is a need to set up a specific payment processing environment, Google can assist customers in achieving this.
To secure the environment, we should use Resource Manager to create separate projects, segregating our gaming and PCI projects. We can then use Cloud IAM to apply permissions to those separate projects.
We can also secure the environment with firewall rules that restrict inbound traffic. We want the public to be able to use our payment page, so HTTPS traffic needs to be secured by an HTTP(S) load balancer, and any additional payment processing applications may need bi-directional access to third parties.
Identity-Aware Proxy
Google offers additional access control for your Cloud Engine instances or applications running on GCP via Cloud IAP. This allows the user's identity to be verified over HTTPS, and access is granted only if permitted. This service is especially useful for remote workers, as it removes the need for a company VPN to authenticate user requests via the on-premises network. Instead, access is via an internet-accessible URL. When a remote user needs to access an application, the request is forwarded to Cloud IAP, and access is granted if permitted.