
DataCouncil BKK - Security on Cloud

Security on Cloud
By Fon, Kamolphan Liwprasert

Presented at the DataCouncil BKK meetup on Jan 29th, 2020.

This deck mostly applies to Google Cloud Platform.
“Security is only as strong as the weakest link”

Kamolphan Liwprasert

January 29, 2021

Transcript

  1. What I will cover:
     • Cloud security
       ◦ Why it is important
     • Security compliance
       ◦ PDPA / GDPR
     • Securing data on GCP
       ◦ IAM & organizational structure
       ◦ Service accounts
       ◦ Object lifecycle
       ◦ Cloud Data Loss Prevention (DLP)
       ◦ Data encryption options
       ◦ Secure practices for BigQuery
     • Tips & tricks
     • Q&A
  2. Why is it important?
     https://www.cxo-community.com/2018/01/5-reasons-why-cloud-security-is.html
     1. Security breaches are always big news
     2. Not all service providers are equal
     3. Know where your data is stored
     4. Security roles should be clearly defined
     5. Backing up data is just as important
  3. Match resources to company structure
     Resource hierarchy: Organization → Folders → Projects → Resources
     TIPS: Verbose project names make the resource structure and ownership clear, e.g. company-sales-clientinsight-prod (company, department, workload, environment).
  4. Bucket Lock & Retention Policy
     • Retention policy: objects in the bucket cannot be deleted or overwritten until they have been stored for the configured retention period.
     • Bucket Lock: locking the retention policy makes it permanent; it can no longer be removed or shortened.
     ** Be careful: locking a retention policy cannot be undone.
  5. Personally Identifiable Information (PII)
     • SSN / ID
     • Name
     • Date of birth
     • Phone number
     • Email
     • Photos
     • . . .
  6. Cloud Data Loss Prevention (DLP)
     Provides methods for detection, risk analysis, and de-identification of privacy-sensitive fragments in text, images, and Google Cloud Platform storage repositories.
     https://cloud.google.com/solutions/automating-classification-of-data-uploaded-to-cloud-storage
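What the DLP slide describes, as an added stdlib-only example (not the Cloud DLP API or code from the deck): detection of the PII kinds listed on the previous slide with offsets and a likelihood, then de-identification by masking or keyed pseudonymisation. The detector patterns, the Thai national ID checksum as a false-positive filter, and the sample record are assumptions made for this example.

```python
"""PII detection and de-identification in the style of Cloud DLP.

Added illustration with stdlib only, not the Cloud DLP API.
inspect_text() reports findings with offsets and a likelihood;
deidentify() replaces findings above a likelihood threshold by masking or
by keyed pseudonymisation (same input -> same token, not reversible
without the key).
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import List

# Detectors are an assumption for this example: US SSN, 13-digit Thai
# national ID, ISO date of birth, e-mail and a loose phone pattern.
INFO_TYPES = {
    "US_SOCIAL_SECURITY_NUMBER": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "THAI_NATIONAL_ID": re.compile(r"\b\d{13}\b"),
    "DATE_OF_BIRTH": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "EMAIL_ADDRESS": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "PHONE_NUMBER": re.compile(
        r"(?<!\d)(?:\+\d{1,3}[ -]?)?\d{2,3}[ -]?\d{3}[ -]?\d{4}(?!\d)"),
}
LIKELIHOOD_RANK = {"POSSIBLE": 0, "VERY_LIKELY": 1}


@dataclass(frozen=True)
class Finding:
    info_type: str
    start: int
    end: int
    quote: str
    likelihood: str


def thai_id_checksum_ok(digits: str) -> bool:
    """Thai national ID: weighted sum of the first 12 digits, mod 11."""
    total = sum(int(d) * (13 - i) for i, d in enumerate(digits[:12]))
    return (11 - total % 11) % 10 == int(digits[12])


def inspect_text(text: str) -> List[Finding]:
    candidates = []
    for info_type, pattern in INFO_TYPES.items():
        for m in pattern.finditer(text):
            likelihood = "VERY_LIKELY"
            # A 13-digit run that fails the checksum is only a possible ID.
            if info_type == "THAI_NATIONAL_ID" and not thai_id_checksum_ok(m.group()):
                likelihood = "POSSIBLE"
            candidates.append(Finding(info_type, m.start(), m.end(), m.group(), likelihood))
    # Overlapping matches: keep the earliest start, then the longest span.
    candidates.sort(key=lambda f: (f.start, -(f.end - f.start)))
    findings, cursor = [], 0
    for f in candidates:
        if f.start >= cursor:
            findings.append(f)
            cursor = f.end
    return findings


def mask(value: str, visible_tail: int = 4) -> str:
    """Replace alphanumerics with '*' except the last `visible_tail` chars."""
    head = len(value) - visible_tail
    return "".join("*" if c.isalnum() and i < head else c for i, c in enumerate(value))


def pseudonymize(info_type: str, value: str, key: bytes) -> str:
    """Deterministic keyed token: joins still work, the raw value does not leak."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]
    return f"{info_type}({tag})"


def deidentify(text: str, key: bytes, mode: str = "pseudonymize",
               min_likelihood: str = "VERY_LIKELY") -> str:
    out, cursor = [], 0
    for f in inspect_text(text):
        if LIKELIHOOD_RANK[f.likelihood] < LIKELIHOOD_RANK[min_likelihood]:
            continue
        out.append(text[cursor:f.start])
        out.append(mask(f.quote) if mode == "mask" else pseudonymize(f.info_type, f.quote, key))
        cursor = f.end
    out.append(text[cursor:])
    return "".join(out)


# Constructed sample record (no real person); 1101700000001 passes the checksum,
# 1101700000002 does not and is reported only as POSSIBLE.
SAMPLE = ("Customer Somchai, ID 1101700000001, DOB 1990-05-21, "
          "email somchai@example.com, phone +66 81 234 5678, "
          "SSN 123-45-6789, ref 1101700000002")

if __name__ == "__main__":
    for f in inspect_text(SAMPLE):
        print(f"{f.info_type:26} {f.likelihood:11} {f.quote}")
    print(deidentify(SAMPLE, key=b"example-key", mode="mask"))
    print(deidentify(SAMPLE, key=b"example-key"))
```

Pseudonymisation with a keyed HMAC is what you want when the de-identified data still has to be joinable (the same customer maps to the same token in every table); masking is enough when it only has to be readable by a human. Keep the key in Secret Manager or KMS, never next to the data, or the tokens can be rebuilt by dictionary attack.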
  7. Data Encryption Options
     • Google-managed keys
       ◦ Encryption by default, no configuration needed
       ◦ AES-256
     • Customer-managed encryption keys (CMEK)
       ◦ Keys are created and held in Cloud KMS, under your control
     • Customer-supplied encryption keys (CSEK)
       ◦ You supply the raw key with each request; Google does not store it
     • Terms used by all three (envelope encryption)
       ◦ Data encryption key (DEK): a key used to encrypt data
       ◦ Key encryption key (KEK): a key used to encrypt, or "wrap", a data encryption key
     https://cloud.google.com/security/encryption-at-rest/
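The DEK/KEK split from the slide, as an added example (not Google's implementation and not code from the deck): each object gets its own DEK, the KEK stays inside a stand-in KMS that only wraps and unwraps DEKs, and only the wrapped DEK is stored beside the ciphertext. The standard library has no AES, so the cipher here is an HMAC-SHA256 keystream with an HMAC tag; that is an assumption made to keep the example self-contained, not the AES-256 used on GCP.

```python
"""Envelope encryption with the DEK/KEK split from the slide.

Added illustration, not Google's implementation. Python's standard library
has no AES, so seal()/open_sealed() use an HMAC-SHA256 keystream in counter
mode plus an HMAC tag (encrypt-then-MAC) as a stand-in for AES-256. That is
enough to show the key hierarchy; it is not a production cipher.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Set

NONCE_LEN = 16
TAG_LEN = 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def _subkeys(key: bytes):
    # Separate encryption and MAC subkeys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with a fresh random nonce per call."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    body = nonce + _keystream_xor(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_sealed(key: bytes, sealed: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    body, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return _keystream_xor(enc_key, body[:NONCE_LEN], body[NONCE_LEN:])


class KeyManagementService:
    """Stand-in for Cloud KMS: KEKs never leave it; callers only wrap/unwrap DEKs."""

    def __init__(self) -> None:
        self._keks: Dict[str, bytes] = {}
        self._disabled: Set[str] = set()

    def create_key(self, name: str) -> None:
        self._keks[name] = os.urandom(32)

    def disable_key(self, name: str) -> None:
        self._disabled.add(name)

    def _kek(self, name: str) -> bytes:
        if name in self._disabled:
            raise PermissionError(f"key {name} is disabled")
        return self._keks[name]

    def wrap(self, name: str, dek: bytes) -> bytes:
        return seal(self._kek(name), dek)

    def unwrap(self, name: str, wrapped: bytes) -> bytes:
        return open_sealed(self._kek(name), wrapped)


@dataclass
class StoredObject:
    kek_name: str       # which KMS key wraps this object's DEK
    wrapped_dek: bytes  # the DEK encrypted under the KEK, stored with the object
    ciphertext: bytes   # the data encrypted under the DEK


def encrypt_object(kms: KeyManagementService, kek_name: str, plaintext: bytes) -> StoredObject:
    dek = os.urandom(32)  # one fresh DEK per object; only its wrapped form is kept
    return StoredObject(kek_name, kms.wrap(kek_name, dek), seal(dek, plaintext))


def decrypt_object(kms: KeyManagementService, obj: StoredObject) -> bytes:
    dek = kms.unwrap(obj.kek_name, obj.wrapped_dek)
    return open_sealed(dek, obj.ciphertext)


if __name__ == "__main__":
    kms = KeyManagementService()
    kms.create_key("bucket-kek")
    obj = encrypt_object(kms, "bucket-kek", b"customer export 2020-01")
    print(decrypt_object(kms, obj))
    kms.disable_key("bucket-kek")  # every object wrapped under this KEK is now unreadable
    try:
        decrypt_object(kms, obj)
    except PermissionError as e:
        print("after disable:", e)
```

The point to take from the `disable_key` path is the operational one behind CMEK: the bulk data never has to be re-encrypted, because access is controlled by the one KEK in KMS; disabling or destroying it makes every object under it unreadable, which is also why a destroyed CMEK is unrecoverable data loss.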
  8. Tips and Tricks
     1. Least privilege! > Grant a service account only the roles it needs. No more than that.
     2. Least privilege for people in the project too. > Grant access only to the people who need it.
     3. Don't keep the default network's firewall rules. > default-allow-ssh opens tcp:22 from 0.0.0.0/0 (and default-allow-rdp opens tcp:3389). Remove them and allow SSH only from where you actually need it.
     4. Don't use the default service account in production. > The default Compute Engine service account is granted the project Editor role automatically, and its permissions can change without notice. Create a dedicated service account per workload.
     5. Delete the unused projects! > Because they co$t money $$$$! > CONSULT YOUR TEAM, PM, AND ANYONE RELATED FIRST!
     6. Keep updating :)
     https://polleyg.dev/posts/shoot-yourself-gcp/
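Tips 1 to 4 as a check you can run over a project's exported configuration, added here as an example (not from the deck): flag basic roles, public members and the default Compute Engine service account in an IAM policy, and flag ingress rules that open SSH/RDP (or every port) to 0.0.0.0/0. The inputs are shaped like the JSON that `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud compute firewall-rules list --format=json` print; the records in `SAMPLE_POLICY` and `SAMPLE_RULES` are constructed for the example, not from a real project.

```python
"""Least-privilege and firewall checks over exported GCP configuration.

Added illustration. Load the real JSON with json.load() from the gcloud
commands named in the lead-in; the SAMPLE_* records below are constructed.
"""
from typing import Dict, List

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
ADMIN_PORTS = {22, 3389}  # SSH and RDP: what default-allow-ssh / -rdp expose


def iam_findings(policy: Dict, project_number: str) -> List[str]:
    """Flag basic roles, public members and the default Compute Engine SA."""
    default_sa = f"serviceAccount:{project_number}-compute@developer.gserviceaccount.com"
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role in BASIC_ROLES:
                findings.append(f"{member} holds basic role {role}; use a predefined or custom role")
            if member in PUBLIC_MEMBERS:
                findings.append(f"{role} is granted to {member} (public access)")
            if member == default_sa:
                findings.append(f"default Compute Engine service account is used ({role})")
    return findings


def _port_range(spec: str):
    lo, _, hi = spec.partition("-")  # "22" or "1-65535"
    return int(lo), int(hi or lo)


def _exposes_admin_port(rule: Dict) -> bool:
    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol", "")
        if proto in ("all", "tcp") and not allowed.get("ports"):
            return True  # no port list means every port of that protocol
        if proto != "tcp":
            continue
        for spec in allowed.get("ports", []):
            lo, hi = _port_range(spec)
            if any(lo <= p <= hi for p in ADMIN_PORTS):
                return True
    return False


def firewall_findings(rules: List[Dict]) -> List[str]:
    """Flag enabled ingress rules that open SSH/RDP (or everything) to the internet."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if "0.0.0.0/0" in rule.get("sourceRanges", []) and _exposes_admin_port(rule):
            findings.append(f"{rule['name']}: admin port reachable from 0.0.0.0/0; "
                            "delete the rule or restrict sourceRanges")
    return findings


# Constructed sample data, shaped like gcloud's JSON output.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
    {"role": "roles/bigquery.dataViewer", "members": ["group:analysts@example.com"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:etl-pipeline@my-project.iam.gserviceaccount.com"]},
]}
SAMPLE_RULES = [
    {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-rdp", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "default-allow-internal", "direction": "INGRESS", "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
                 {"IPProtocol": "udp", "ports": ["0-65535"]}, {"IPProtocol": "icmp"}]},
    {"name": "allow-ssh-from-bastion", "direction": "INGRESS", "sourceRanges": ["10.0.1.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-http", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "legacy-open-all", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "disabled": True, "allowed": [{"IPProtocol": "all"}]},
    {"name": "debug-wide-open", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["1-65535"]}]},
]

if __name__ == "__main__":
    for line in iam_findings(SAMPLE_POLICY, "123456789012") + firewall_findings(SAMPLE_RULES):
        print(line)
```

A disabled rule is skipped rather than reported because it cannot be matched by traffic, but it is still worth deleting: anyone with compute.firewalls.update can re-enable it, and that is a one-field change that rarely gets reviewed.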
  9. Resources
     • https://cloud.google.com/security/infrastructure/design/resources/google_infrastructure_whitepaper_fa.pdf
     • https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations
     • https://cloud.google.com/storage/docs/bucket-lock
     • https://cloud.google.com/security/encryption-at-rest/customer-supplied-encryption-keys/
     • https://cloud.google.com/storage/docs/encryption/customer-managed-keys
     • https://cloud.google.com/blog/products/identity-security/introducing-google-clouds-secret-manager
     • https://cloud.google.com/dlp/
     • https://www.etda.or.th/app/webroot/content_files/13/files/1.PDPA%20Presentation_CyberSecurity%20Week%202019.pdf