Designing for Security and
Legal Compliance
The Professional Cloud Architect Certification Exam objectives
covered in this chapter include the following:
✓ 3.1 Designing for security
✓ 3.2 Designing for legal compliance
The Highest-Paying Certifications in the United States
Below are the top 20 highest-paying technical certifications in the
United States, according to responses to the IT Skills and Salary survey.
AWS Certified Security - Specialty averages $203,597
Google Cloud - Professional Cloud Architect averages $190,204
Nutanix Certified Professional - (NCP-MCI) v6.5 averages $175,409
CCSP - Certified Cloud Security Professional averages $171,524
CCNP Security averages $168,159
CISSP - Systems Security Professional averages $168,060
CCIE Enterprise Infrastructure averages $166,524
CRISC - Risk and Information Systems Control averages $165,890
AWS Certified Developer – Associate averages $165,171
CIPP - Certified Information Privacy Professional averages $161,439
Microsoft 365 Certified: Administrator Expert averages $160,044
CISM - Certified Information Security Manager averages $157,189
CIPM - Certified Information Privacy Manager averages $155,976
AWS Certified Solutions Architect – Associate averages $155,597
CISA - Certified Information Systems Auditor averages $155,362
CGEIT - Governance of Enterprise IT averages $152,838
Microsoft Certified: Azure Administrator Associate averages $148,849
Google Cloud - Associate Cloud Engineer averages $146,533
CEH - Certified Ethical Hacker averages $146,260
CDPSE - Data Privacy Solutions Engineer averages $146,033
Identity and Access Management
IAM service is designed to allow you to specify what operations
specific users can perform on particular resources.
“who gets to do what on which resources.”
The primary elements of IAM are as follows:
■ Identities and groups
■ Resources
■ Permissions
■ Roles
■ Policies
Identities and Groups
Identities and groups are entities that are used to grant access
permissions to users.
Identities
An identity is an entity that represents a person or other agent that performs actions on a GCP resource.
There are several kinds of identities:
■ Google account
■ Service account
■ Cloud Identity domain
Google accounts are used by people and represent people who interact with GCP,such as developers and administrators.
Designated by an email address that is linked to a Google account.
Service accounts are used by applications running in GCP.
Give applications their own set of access controls.
Service accounts are also designated by email addresses.
Service account, you specify a name of the account, such as gcp-archexam.
IAM will then create an associated
email such as gcp-arch-exam@gcp-certs-1.iam.gserviceaccount.com,
where gcp-certs-1 is the project ID of the project hosting the service account.
When App Engine creates a service account,
it uses the appspot.gserviceaccount.com domain.
Cloud Identity is an (IaaS) offering. Users who do not have
Google accounts can use the Cloud Identity service to create an identity.
Create an identity that can be used when assigning roles and permissions.
Groups
Groups are sets of Google accounts and service accounts.
Have an associated email address.
Used for assigning permissions to sets of users.
The user acquires the permissions granted to the group.
Groups do not have login credentials.
Resources
Entities that exist in the Google Cloud platform and can be accessed by users.
Broad category that includes anything that you can create in GCP.
Resources include the following:
■ Projects
■ Virtual machines
■ App Engine applications
■ Cloud Storage buckets
■ Pub/Sub topics
Google has defined a set of permissions associated with each kind of resource.
Permissions vary according to the functionality of the resource.
Permissions
Grant to perform some action on a resource.
Storage resources will have permissions related to creating, listing, and deleting data.
Cloud Pub/Sub has a permission called pubsub.subscriptions.consume,
which allows users to read from a Cloud Pub/Sub topic.
Here are some examples of other permissions used by Compute Engine:
■ compute.instances.get
■ compute.networks.use
■ compute.securityPolicies.list
Here are some permissions used with Cloud Storage:
■ resourcemanager.projects.get
■ resourcemanager.projects.list
■ storage.objects.create
Permissions in IAM are fine-grained; they grant permissions to do limited operations.
One-to-one relationship between the things that you can do and the
permissions to do them.
Roles
Sets of permissions. Administrators grant roles to identities, not permissions.
You cannot grant a permission directly to a user—you must grant it by
assigning an identity a role.
Roles can be granted to identities.
Identity can have multiple roles.
Roles are granted for projects, folders, or organizations, and they
apply to all resources under those.
There are three types of roles.
■ Predefined
■ Primitive
■ Custom
Predefined Roles
Roles are organized around groups of tasks commonly performed when
working with IT systems, such as administering a server, querying a database, or saving a file to a storage system.
Roles have names such as the following:
■ roles/bigquery.admin
■ roles/bigquery.dataEditor
■ roles/cloudfunction.developer
■ roles/cloudsql.viewer
Name of the service and a name associated with a person’s organizational
responsibilities.
Primitive Roles
Before IAM was released, permissions were grouped into a set of three
roles that are now called primitive roles.
■ Viewer
■ Editor
■ Owner
The Viewer role grants a user read-only permission to a resource.
The Editor role has all of the capabilities of the Viewer role and can also
modify the state of the resource.
The Owner role includes the capabilities of the Editor role and can also
manage roles and permissions for the resource to which it is assigned.
The Owner role can also be assigned to specific resources, such as
a Compute Engine instance or a Cloud Pub/Sub topic. In those cases,
the permissions apply only to that specific resource.
Using primitive roles can reduce the administrative overhead of managing
access controls.
Custom Roles
Users of GCP can set up their own roles. These are known as custom roles.
Administrators can specify a particular set of permissions.
When you want to ensure that a user has the fewest permissions possible
and is still able to perform tasks associated with their role.
This is an example of following the principle of least privilege. It is considered a security best practice.
Developers may be able to view code (Get) in production but not change
it (Set). If developers are deploying code that makes use of Cloud Functions, they could be granted the role roles/cloudfunctions.developer.
Policies
You can associate a set of roles and permissions with resources by using
policies. Set of statements that define a combination of users and the roles.
This combination of users (or members as they are sometimes called) and
a role is called a binding. Policies are specified using JSON.
In the following example from Google’s IAM documentation, the role roles/
storage_objectAdmin is assigned to four identities, and the
roles/storage_objectViewer is assigned to one identity—
a user with the email bob@example.com:
{
"bindings": [
{
"role": "roles/storage.objectAdmin",
"members": [
"user:alice@example.com",
"serviceAccount:my-other-app@appspot.gserviceaccount.com",
"group:admins@example.com",
"domain:google.com" ]
},
{
"role": "roles/storage.objectViewer",
"members": ["user:bob@example.com"]
}
]
}
Policies can be managed using the Cloud IAM API, which provides three functions.
■ setIamPolicy for setting policies on resources
■ getIamPolicy for reading policies on resources
■ testIamPermissions for testing whether an identity has a permission on a resource.
Policies can be set anywhere such as at the organization,folder, or
project level (see Figure 7.1). They can also be set on individual resources.
Policies set at the project level are inherited by all resources in the project,
while policies set at the organization level are inherited by all resources in all folders and projects in the organization. If the resource hierarchy is changed,permissions granted by policies change accordingly.
Figure 7.1 Google Cloud Platform resource hierarchy
IAM Best Practices
Google recommends several best practices for using IAM securely.
For more details, see https://cloud.google.com/iam/docs/using-iam-securely.
Predefined roles are designed to provide all of the permissions needed for a user or service account to carry out a particular set of tasks.
When using predefined roles, assign the most restricted set of roles needed to do a job.
For example, if a user only needs to list Cloud Pub/Sub topics, then grant
pubsub.topics.list only.
Think in terms of trust boundaries, which set the scope of where roles and
Permissions should apply.
Services in an application, consider having three trust boundaries—
one for each service. You could use a different service account for each
service and assign it just the roles it needs.
Restrict access to roles that allow a user to administer IAM roles and policies.
Review the Cloud Audit Logs messages for changes to IAM policies. Also,
limit access to audit logs using logging roles, such as roles/logging.viewer
and roles/logging .privateLogViewer.
IAM gives cloud administrators tools to craft sets of permissions granted to
users and service accounts precisely.
Security Evaluation
Cloud users can expend significant time and resources configuring and
managing identity management services, access controls, and encryption
key management.
Evaluate the extent of the protection provided by the combination of security measures in place are penetration testing and auditing.
Penetration Testing
Penetration testing is the process of simulating an attack on an information
system in order to gain insights into potential vulnerabilities.
Testers know something about the structure of the network, servers, and
applications being tested.
Penetration testing occurs in these five phases:
1. Reconnaissance is the phase at which penetration testers gather information about the target system and the people who operate it or have access to it. This could include phishing attacks that lure a user into disclosing their login credentials or details of software running on their network equipment and servers.
2. Scanning is the automated process of probing ports and checking for
known and unpatched vulnerabilities.
3. Gaining access is the phase at which the attackers exploit the information gathered in the first two phases to access the target system.
4. In the maintaining access phase, attackers will do things to hide their
presence, such as manipulating logs or preventing attacking processes from appearing in a list of processes running on a server.
5. Removing footprints, the final phase, involves eliminating indications that
the attackers have been in the system. This can entail manipulating audit logs and deleting data and code used in the attack.
During a penetration test, testers will document how they gathered and
exploited information what if any vulnerabilities they exploited, and how
they removed indications that they were in the system.
Auditing
Auditing is basically reviewing what has happened on your system.
Sources of logging information that can provide background details on what
events occurred on your system and who executed those actions.
Applications should generate logs that identify significant events, especially
security related events.
Managed services, like Compute Engine, Cloud SQL, and App Engine,
log information to Stackdriver logs.
Regulations require that audit logs be retained for longer periods of time.
Logs are exported from Stackdriver, which supports the following three
export methods:
■ JSON files to Cloud Storage
■ Logging tables to BigQuery datasets
■ JSON messages to Cloud Pub/Sub
Security Design Principles
As a cloud architect, you will be expected to know security design principles such as separation of duties, least privileges, and defense in depth.
Separation of Duties
Separation of duties (SoD) is the practice of limiting the responsibilities of a
single individual in order to prevent the person from successfully acting alone in a way detrimental to the organization.
A finance department that practices separation of duties, a single person cannot both create a bill to be paid and pay the bill. If they could, then that person could create a false bill in the finance system and then approve its payment.
Developers should not have the ability to deploy application code to production without first having it reviewed, then the deployment process could be configured to require that another developer review the code before releasing it.
Least Privilege
Least privilege is the practice of granting only the minimal set of permissions needed to perform a duty. IAM roles and permissions are fine-grained and enable the practice of least privilege.
Defense in Depth
Defense in depth is the practice of using more than one security control to
protect resources and data.
To prevent unauthorized access to a database, a user attempting to read the data may need to authenticate to the database and must be executing the request from an IP address that is allowed by firewall rules.
Prevents an attacker from gaining access to a resource by exploiting a single vulnerability. If an attacker used a phishing scheme to coax a user’s login credentials.
Attackers would have to try to spoof an IP address or gain physical access to a location with devices assigned a trusted IP address.
Sarbanes-Oxley Act
SOX is a United States federal law passed in 2002 to protect the public from fraudulent accounting practices in publicly traded companies.
Three rules covering destruction and falsification of records, the retention
period of records, and the types of records that must be kept.
Public companies are required to implement controls to prevent tampering
with financial data.
Children’s Online Privacy Protection Act
COPPA is a U.S. federal law passed in 1998 that requires the U.S. Federal
Trade Commission to define and enforce regulations regarding children’s online privacy.
This legislation is primarily focused on children under the age of 13, and
It applies to websites and online services that collect information about children.
The rules require online service operators to do the following:
■ Post clear and comprehensive privacy policies.
■ Provide direct notice to parents before collecting a child’s personal information.
■ Give parents a choice about how a child’s data is used.
■ Give parents access to data collected about a child.
■ Give parents the opportunity to block collection of a child’s data.
■ Keep a child’s data only so long as needed to fulfill the purpose for which it was created.
■ In general, maintain the confidentiality, integrity, and availability of collected data.
Personal information covered by this rule includes name, address,
online contact information, telephone number, geolocation data, and photographs.
ITIL Framework
ITIL, which was formerly known as the Information Technology Infrastructure
Library, is a set of IT service management practices for coordinating IT activities with business goals and strategies. ITIL specifies 34 practices grouped into three broad areas.
■ General management practices, which include strategy, architecture, risk
management, security management, and project management
■ Service management practices, which include business analysis, service
design, capacity and performance management, incident management, and IT asset management
Summary
Designing for security and compliance is multifaceted. IAM is used for
managing identities, groups, roles, permissions, and related functionality.
.Predefined roles are preferred over primitive roles in most situations.
Policies are used to associate a set of roles and permissions with a resource.
It is strongly suggested that you use security best practices,
including separation of duties and defense in depth.
No comments:
Post a Comment