Mike Fowler ([email protected])

Google Cloud & Your Data

Overview

● Data encryption
● Connecting your network(s)
● Accessing your Data
● Audit Logging
● Cost considerations

Data in the Google Cloud

● Your data is always encrypted
  − Encrypted at rest
  − Encrypted in transit
● AES-256 with symmetric keys
  − Keys are encrypted with a master key
  − Key rotation is automatic
● Some services allow you to use your own keys
  − Google Compute disks
  − Cloud Storage

Connecting your network(s)

● Interconnect (access by private address space)
  − Dedicated Interconnect
  − Cloud VPN
● Peering (access by public IP address)
  − Direct Peering
  − Carrier Peering

Cloud VPN

● SLA of 99.9% service availability
● IPsec supporting both IKEv1 and IKEv2
● Creates a Google-managed virtual gateway device
● Performs gateway-to-gateway encryption
● Allows both static & dynamic routes

Dedicated Interconnect

● SLA of 99.9% or 99.99% uptime availability
● Physical connection in a co-located facility
  − Traffic does not traverse the public internet
  − Private addresses directly accessible
● Between 1 and 8 10Gbps connections per interconnect
● Not encrypted – still consider a VPN
● More cost effective for high volumes of traffic

Accessing your Data

● Users authenticate with a Google account
  − Can be a Gmail or G Suite account
● Cloud Identity & Access Management (IAM)
  − Fine-grained set of configurable permissions
  − Permissions can be collected into a role
● Primitive roles
● Predefined roles
● Custom roles

Cloud Audit Logging

● Two forms of audit logs for each project
  − Admin Activity
  − Data Access
● Activity can be alerted upon
  − Define a metric in Stackdriver Logging
  − Create an alert in Stackdriver Monitoring
● Not all services log data access
  − All will eventually; many are currently in beta
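The metric-then-alert step from the slide, modelled in code as an added example (not part of the original deck): it separates Admin Activity from Data Access entries by their Cloud Audit Logging log name, counts only Data Access entries on a sensitive bucket, and fires when a threshold is exceeded. The project id, bucket names, principals and the Logging filter syntax are assumptions made for this example.

```python
# Constructed sample data: project id, bucket names and principals are invented.
PROJECT = "example-project"
SENSITIVE_PREFIX = "projects/_/buckets/pii-exports"  # assumed bucket holding sensitive data

def entry(log_type, method, resource, principal):
    """Minimal entry in the shape Cloud Audit Logging emits (logName + protoPayload)."""
    return {
        "logName": f"projects/{PROJECT}/logs/cloudaudit.googleapis.com%2F{log_type}",
        "protoPayload": {
            "serviceName": "storage.googleapis.com",
            "methodName": method,
            "resourceName": resource,
            "authenticationInfo": {"principalEmail": principal},
        },
    }

SAMPLE_ENTRIES = [
    entry("activity", "storage.buckets.create", SENSITIVE_PREFIX, "admin@example.com"),
    entry("data_access", "storage.objects.get", SENSITIVE_PREFIX + "/objects/customers.csv", "analyst@example.com"),
    entry("data_access", "storage.objects.get", SENSITIVE_PREFIX + "/objects/customers.csv", "analyst@example.com"),
    entry("data_access", "storage.objects.list", "projects/_/buckets/public-assets", "web@example.com"),
    entry("activity", "storage.setIamPermissions", SENSITIVE_PREFIX, "admin@example.com"),
]

def audit_log_kind(e):
    """Admin Activity vs Data Access, decided from the log name suffix as GCP writes it."""
    name = e["logName"]
    if name.endswith("cloudaudit.googleapis.com%2Factivity"):
        return "Admin Activity"
    if name.endswith("cloudaudit.googleapis.com%2Fdata_access"):
        return "Data Access"
    return "Other"

def sensitive_data_access(entries, prefix=SENSITIVE_PREFIX):
    """Mirror a logs-based metric: Data Access entries touching the sensitive bucket only."""
    return [e for e in entries
            if audit_log_kind(e) == "Data Access"
            and e["protoPayload"]["resourceName"].startswith(prefix)]

def should_alert(entries, threshold=1):
    """Mirror the Monitoring alert: fire when the metric count exceeds the threshold."""
    return len(sensitive_data_access(entries)) > threshold

# The Logging filter that would define the same metric in Stackdriver Logging.
# Assumption: ':' is substring match and '=' is equality in the filter syntax.
METRIC_FILTER = ('logName:"cloudaudit.googleapis.com%2Fdata_access" '
                 'AND protoPayload.serviceName="storage.googleapis.com" '
                 f'AND protoPayload.resourceName:"{SENSITIVE_PREFIX}"')
```

Scoping the filter to the sensitive bucket is what keeps the Data Access volume (and its cost) down while still alerting on the reads that matter.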

Cost considerations

● Retaining all data indefinitely has a cost
  − Use Nearline when data is accessed about once a month
  − Use Coldline when data is accessed about once a year
● Data Access logs will be excessive in volume
  − Consider logging access only to sensitive data
● Set a budget
  − Budgets can be defined in billing
  − Alerts can be raised if a budget is exceeded

Summary

● Your data is always encrypted
● Trust Google to manage your keys
● Cloud VPN is sufficient for most use cases
● Judicious use of IAM
● Stackdriver is essential for
  − Audit logging
  − Cost management