mike-fowler
Overview
● Data encryption
● Connecting your network(s)
● Accessing your data
● Audit logging
● Cost considerations
Data in the Google Cloud
● Your data is always encrypted
− Encrypted at rest
− Encrypted in transit
● AES-256 with symmetric keys
− Data is encrypted with data encryption keys, and those keys are themselves encrypted (wrapped) with a master key that Google holds
− Key rotation is automatic
● Some services allow you to supply your own keys (customer-supplied encryption keys)
− Compute Engine persistent disks
− Cloud Storage
− Google does not retain a supplied key: if you lose it, the data encrypted under it is unrecoverable
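As an added example (not code from the slides): a small Python helper that generates a customer-supplied key and produces the request metadata Cloud Storage and Compute Engine expect for it. It uses only the standard library and makes no API call; the project, zone and disk names in the demo are placeholders.

```python
"""Customer-supplied encryption keys (CSEK) for Cloud Storage and Compute Engine.

Added example, not code from the original slides. Stdlib only; it builds the
key material and request metadata offline and makes no API call. The
project, zone and disk names used in the demo are placeholders.
"""
import base64
import hashlib
import hmac
import json
import secrets

KEY_BYTES = 32  # AES-256: the only key size CSEK accepts


def generate_csek() -> bytes:
    """Draw a fresh 256-bit key from the OS CSPRNG.

    Google does not retain the key itself (Cloud Storage keeps only its
    SHA-256 hash to validate later requests), so store it in your own key
    store: if it is lost, the data encrypted under it is unrecoverable.
    """
    return secrets.token_bytes(KEY_BYTES)


def _check_key(key: bytes) -> None:
    if not isinstance(key, bytes) or len(key) != KEY_BYTES:
        raise ValueError("CSEK must be exactly 32 raw bytes (AES-256)")


def key_sha256_b64(key: bytes) -> str:
    """Base64 of SHA-256 over the raw key bytes (not over the base64 text).

    This is the value Cloud Storage expects in x-goog-encryption-key-sha256
    and reports back in object metadata as customerEncryption.keySha256.
    """
    _check_key(key)
    return base64.b64encode(hashlib.sha256(key).digest()).decode("ascii")


def storage_csek_headers(key: bytes) -> dict:
    """Headers that make a Cloud Storage JSON/XML API request use a CSEK.

    Every later read, copy or metadata update of that object must carry the
    same three headers; a request without them, or with a different key,
    is rejected. The hash header lets the service spot a wrong key before
    it tries to decrypt anything.
    """
    _check_key(key)
    return {
        "x-goog-encryption-algorithm": "AES256",
        "x-goog-encryption-key": base64.b64encode(key).decode("ascii"),
        "x-goog-encryption-key-sha256": key_sha256_b64(key),
    }


def key_matches_metadata(key: bytes, key_sha256_from_metadata: str) -> bool:
    """Check a key fetched from your own key store against the hash the
    object's metadata reports, before attempting a read with it."""
    _check_key(key)
    return hmac.compare_digest(key_sha256_b64(key), key_sha256_from_metadata)


def compute_csek_key_file(key: bytes, project: str, zone: str, disk: str) -> str:
    """JSON accepted by `gcloud compute disks create --csek-key-file FILE`.

    Each entry binds one raw (base64) key to the full URI of one disk; the
    same file has to be supplied again to attach or snapshot that disk.
    """
    _check_key(key)
    entry = {
        "uri": (f"https://www.googleapis.com/compute/v1/projects/{project}"
                f"/zones/{zone}/disks/{disk}"),
        "key": base64.b64encode(key).decode("ascii"),
        "key-type": "raw",
    }
    return json.dumps([entry], indent=2)


if __name__ == "__main__":
    key = generate_csek()  # keep this somewhere durable before using it
    print(json.dumps(storage_csek_headers(key), indent=2))
    # placeholder project/zone/disk names
    print(compute_csek_key_file(key, "my-project", "us-central1-a", "pii-disk"))
```

The hash is computed over the raw key bytes, not over the base64 text; getting that wrong yields a key that Cloud Storage rejects on every request. Treat the generated key like a root secret: it has to be presented on every read, and Google cannot recover it for you.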
Connecting your network(s)
● Interconnect (access by private address space)
− Dedicated Interconnect
− Cloud VPN
● Peering (access by public IP address)
− Direct Peering
− Carrier Peering
Cloud VPN
● SLA of 99.9% service availability
● IPsec, supporting both IKEv1 and IKEv2 (prefer IKEv2 where the on-premises device supports it)
● Creates a Google-managed virtual gateway device
● Performs gateway-to-gateway encryption: the tunnel protects traffic between the two gateways, not end to end
● Allows both static and dynamic routes (dynamic routes are exchanged over BGP via Cloud Router)
Dedicated Interconnect
● SLA of 99.9% or 99.99% uptime availability, depending on how redundant the topology is
● Physical connection in a co-location facility
− Traffic does not traverse the public internet
− Private addresses are directly accessible
● Between 1 and 8 10 Gbps connections per interconnect
● Not encrypted: still consider running a VPN (or application-layer encryption) over it
● More cost-effective for high traffic volumes
Accessing your data
● Users authenticate with a Google account
− Can be a Gmail or G Suite account
● Cloud Identity & Access Management (IAM)
− Fine-grained set of configurable permissions
− Permissions are collected into roles, which are then granted to members (users or groups)
● Primitive roles (Owner, Editor, Viewer): project-wide and very broad; use only when nothing narrower fits
● Predefined roles: curated per service
● Custom roles: your own set of permissions
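To make "judicious use of IAM" concrete, here is an added example (not code from the slides) that reviews the JSON printed by `gcloud projects get-iam-policy PROJECT --format=json` for the bindings that usually deserve a second look: primitive roles, public principals and identities outside the organisation. The policy, members and the assumption that example.com is the organisation's own domain are all constructed for the example.

```python
"""Review a project IAM policy for over-broad access.

Added example, not from the original slides. It reads the JSON that
`gcloud projects get-iam-policy PROJECT --format=json` prints; the policy
below is constructed for the example, and example.com is assumed to be the
organisation's own G Suite domain. Stdlib only.
"""
import json

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

PUBLIC = "public principal"
PRIMITIVE = "primitive role"
FOREIGN = "principal outside allowed domains"

# Constructed sample: the shape is what gcloud prints, the members are made up.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:ci@example-proj.iam.gserviceaccount.com",
                 "group:developers@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]},
    {"role": "roles/logging.viewer",
     "members": ["user:contractor@partner.test"]}
  ],
  "etag": "BwVjFakeEtag=",
  "version": 1
}
""")


def _finding(severity, reason, role, member):
    return {"severity": severity, "reason": reason, "role": role, "member": member}


def review_policy(policy: dict, allowed_domains=("example.com",)) -> list:
    """Return one finding per (role, member) pair that deserves a look.

    Rules:
      * allUsers / allAuthenticatedUsers on any role: the resource is public.
      * roles/owner or roles/editor: project-wide write access; prefer a
        predefined role scoped to the service actually needed.
      * roles/viewer: read access to everything in the project.
      * a user or group whose domain is not one of ours.
    Service accounts are project-bound, so no domain check is applied to them.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(_finding("high", PUBLIC, role, member))
                continue
            if role in PRIMITIVE_ROLES:
                severity = "medium" if role == "roles/viewer" else "high"
                findings.append(_finding(severity, PRIMITIVE, role, member))
            kind, _, identity = member.partition(":")
            if kind in ("user", "group") and identity.rpartition("@")[2] not in allowed_domains:
                findings.append(_finding("medium", FOREIGN, role, member))
    return findings


def drop_member(policy: dict, role: str, member: str) -> dict:
    """Copy of the policy with `member` removed from `role`.

    The etag is kept on purpose: set-iam-policy replaces the whole policy,
    and the etag makes that write fail if someone changed the policy between
    our read and our write (read-modify-write).
    """
    new = json.loads(json.dumps(policy))
    for b in new["bindings"]:
        if b["role"] == role:
            b["members"] = [m for m in b["members"] if m != member]
    new["bindings"] = [b for b in new["bindings"] if b["members"]]
    return new


if __name__ == "__main__":
    for f in review_policy(SAMPLE_POLICY):
        print(f"{f['severity']:6} {f['reason']:36} {f['role']:32} {f['member']}")
    fixed = drop_member(SAMPLE_POLICY, "roles/storage.objectViewer", "allUsers")
    print(json.dumps(fixed, indent=2))  # feed this to: gcloud projects set-iam-policy
```

Pipe the fixed policy to `gcloud projects set-iam-policy PROJECT policy.json` only after re-reading the current policy, since that command overwrites every binding rather than merging.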
Cloud Audit Logging
● Two forms of audit logs for each project
− Admin Activity: always on, records configuration changes such as IAM updates and resource creation
− Data Access: off by default for most services, records reads and writes of user data
● Activity can be alerted upon
− Define a logs-based metric in Stackdriver Logging
− Create an alerting policy on that metric in Stackdriver Monitoring
● Not all services log data access
− All will eventually; many are currently in beta
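The alerting flow on the slide (metric in Stackdriver Logging, alert in Stackdriver Monitoring) starts with a filter over audit log entries. As an added example that is not part of the slides, the Python below runs two such rules over constructed entries in the LogEntry/AuditLog shape that Stackdriver Logging exports (for instance via `gcloud logging read --format=json`) and builds the matching logs-based metric filter. The project, principals, bucket names and IP addresses are made up.

```python
"""Detect security-relevant events in Cloud Audit Log entries.

Added example, not from the original slides. The entries below are
constructed to match the LogEntry/AuditLog JSON that Stackdriver Logging
exports; the project, principals, buckets and IP addresses are made up.
Stdlib only.
"""
import json

ACTIVITY = "activity"          # Admin Activity log
DATA_ACCESS = "data_access"    # Data Access log

# Admin Activity methods that should page someone (constructed list; extend
# it for your own environment).
WATCHED_ADMIN_METHODS = {
    "SetIamPolicy",                                 # project IAM change
    "google.iam.admin.v1.CreateServiceAccountKey",  # new long-lived credential
    "v1.compute.firewalls.insert",                  # new firewall rule
}


def _entry(kind, service, method, resource, principal, ip, ts):
    """Build a constructed LogEntry in the shape Stackdriver exports."""
    return {
        "logName": f"projects/example-proj/logs/cloudaudit.googleapis.com%2F{kind}",
        "timestamp": ts,
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": service, "methodName": method, "resourceName": resource,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
        },
    }


SAMPLE_ENTRIES = [  # constructed, not real log data
    _entry(ACTIVITY, "cloudresourcemanager.googleapis.com", "SetIamPolicy",
           "projects/example-proj", "alice@example.com", "203.0.113.10",
           "2017-03-01T10:00:00Z"),
    _entry(DATA_ACCESS, "storage.googleapis.com", "storage.objects.get",
           "projects/_/buckets/pii-exports/objects/customers.csv",
           "contractor@partner.test", "198.51.100.7", "2017-03-01T10:05:00Z"),
    _entry(DATA_ACCESS, "storage.googleapis.com", "storage.objects.get",
           "projects/_/buckets/public-assets/objects/logo.png",
           "web@example-proj.iam.gserviceaccount.com", "10.128.0.5",
           "2017-03-01T10:06:00Z"),
    _entry(ACTIVITY, "compute.googleapis.com", "v1.compute.firewalls.insert",
           "projects/example-proj/global/firewalls/allow-all-ssh",
           "terraform@example-proj.iam.gserviceaccount.com", "203.0.113.20",
           "2017-03-01T10:07:00Z"),
]


def log_type(entry: dict):
    """Which of the two audit logs an entry came from, by logName suffix."""
    name = entry.get("logName", "")
    if name.endswith("cloudaudit.googleapis.com%2Factivity"):
        return ACTIVITY
    if name.endswith("cloudaudit.googleapis.com%2Fdata_access"):
        return DATA_ACCESS
    return None


def detect(entries, sensitive_prefixes=("projects/_/buckets/pii-",),
           allowed_domains=("example.com",)) -> list:
    """Apply two rules and return one alert dict per match.

    1. Admin Activity: a watched method was called (who, from where, on what).
    2. Data Access: an object under a sensitive bucket prefix was touched;
       severity is raised when the principal is neither one of our users
       nor a service account (which is bound to a project of ours).
    """
    alerts = []
    for e in entries:
        p = e.get("protoPayload", {})
        if p.get("@type") != "type.googleapis.com/google.cloud.audit.AuditLog":
            continue
        who = p.get("authenticationInfo", {}).get("principalEmail", "?")
        base = {"time": e.get("timestamp"), "principal": who,
                "method": p.get("methodName"), "resource": p.get("resourceName"),
                "caller_ip": p.get("requestMetadata", {}).get("callerIp")}
        kind = log_type(e)
        if kind == ACTIVITY and p.get("methodName") in WATCHED_ADMIN_METHODS:
            alerts.append({"rule": "watched admin action", "severity": "high", **base})
        elif kind == DATA_ACCESS and p.get("resourceName", "").startswith(sensitive_prefixes):
            internal = (who.endswith(".gserviceaccount.com")
                        or who.rpartition("@")[2] in allowed_domains)
            alerts.append({"rule": "sensitive data access",
                           "severity": "medium" if internal else "high", **base})
    return alerts


def metric_filter(project: str, kind: str, method: str) -> str:
    """Stackdriver Logging filter for a logs-based metric on one method.

    An alerting policy in Stackdriver Monitoring on that metric then fires
    whenever its count rises above zero.
    """
    return (f'logName="projects/{project}/logs/cloudaudit.googleapis.com%2F{kind}" '
            f'AND protoPayload.methodName="{method}"')


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_ENTRIES), indent=2))
    print(metric_filter("example-proj", ACTIVITY, "SetIamPolicy"))
```

The second rule only has anything to match once Data Access logging is enabled for Cloud Storage; the first works out of the box because Admin Activity logs are always on.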
Cost considerations
● Retaining all data for all time costs
− Use Nearline storage for data accessed about once a month
− Use Coldline storage for data accessed about once a year
− Both trade lower storage prices for retrieval charges and a minimum storage duration
● Data Access logs can be very large
− Consider enabling them only for the services that hold sensitive data
● Set a budget
− Budgets are defined in billing
− Alerts can be raised when spend passes a threshold of the budget
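"Logging access only to sensitive data" is done per service through the `auditConfigs` section of the project IAM policy, which is read with `gcloud projects get-iam-policy` and written back with `set-iam-policy`. The Python below is an added example, not from the slides: it merges a scoped Data Access configuration into a policy without duplicating entries or losing the etag, and reports which services are currently generating those logs. The sample policy and member names are constructed.

```python
"""Scope Data Access audit logging to the services that hold sensitive data.

Added example, not from the original slides. Data Access logs are switched
on per service through the `auditConfigs` section of the project IAM policy
(read with `gcloud projects get-iam-policy`, written back with
`set-iam-policy`); the sample policy and member names are constructed.
Stdlib only.
"""
import json

DATA_LOG_TYPES = ("DATA_READ", "DATA_WRITE")
ALL_SERVICES = "allServices"  # the 'log everything' setting the slides warn about

SAMPLE_POLICY = {  # constructed
    "bindings": [{"role": "roles/owner", "members": ["user:alice@example.com"]}],
    "etag": "BwVjFakeEtag=",
    "version": 1,
}


def enable_data_access_logs(policy: dict, service: str, log_types=DATA_LOG_TYPES,
                            exempted_members=()) -> dict:
    """Return a copy of `policy` with Data Access logging enabled for `service`.

    Idempotent: re-running it neither duplicates entries nor drops exemptions
    already present. The etag is kept so that set-iam-policy performs a
    checked read-modify-write; set-iam-policy replaces the whole policy, so
    never write one you did not just read.
    """
    new = json.loads(json.dumps(policy))
    configs = new.setdefault("auditConfigs", [])
    svc = next((c for c in configs if c.get("service") == service), None)
    if svc is None:
        svc = {"service": service, "auditLogConfigs": []}
        configs.append(svc)
    for log_type in log_types:
        cfg = next((c for c in svc["auditLogConfigs"] if c.get("logType") == log_type), None)
        if cfg is None:
            cfg = {"logType": log_type}
            svc["auditLogConfigs"].append(cfg)
        if exempted_members:
            existing = cfg.get("exemptedMembers", [])
            cfg["exemptedMembers"] = sorted(set(existing) | set(exempted_members))
    return new


def data_access_coverage(policy: dict) -> dict:
    """Map each service with DATA_READ/DATA_WRITE logging to the enabled
    log types, i.e. what you are currently paying to collect and retain."""
    coverage = {}
    for c in policy.get("auditConfigs", []):
        types = sorted(a["logType"] for a in c.get("auditLogConfigs", [])
                       if a.get("logType") in DATA_LOG_TYPES)
        if types:
            coverage[c["service"]] = types
    return coverage


def logs_everything(policy: dict) -> bool:
    """True when Data Access logging is on for allServices."""
    return ALL_SERVICES in data_access_coverage(policy)


if __name__ == "__main__":
    # Log reads and writes of Cloud Storage only, and exempt the backup job
    # that would otherwise dominate the volume (constructed member name).
    scoped = enable_data_access_logs(
        SAMPLE_POLICY, "storage.googleapis.com",
        exempted_members=["serviceAccount:backup@example-proj.iam.gserviceaccount.com"])
    print(json.dumps(scoped["auditConfigs"], indent=2))
    print("coverage:", data_access_coverage(scoped))
    print("logs everything:", logs_everything(scoped))
```

Exempting a high-volume, well-understood principal such as a backup service account is usually the single biggest saving; check `data_access_coverage` periodically so a stray `allServices` entry does not quietly turn the logs back on everywhere.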
Summary
● Your data is always encrypted
● Trust Google to manage your keys
● Cloud VPN is sufficient for most use cases
● Judicious use of IAM
● Stackdriver is essential for
− Audit logging
− Cost management