DataCouncil BKK - Security on Cloud

Transcript

1. Security on Cloud

2. About:me Fon - Kamolphan Liwprasert Senior Machine Learning Engineer @Sertis

   Master in Computer Science student About:me

3. What I will cover: • Cloud security ◦ Why it’s

   important • Security compliance ◦ PDPA / GDPR • Secured data on GCP ◦ IAM & Organizational structure ◦ Service Account ◦ Object life cycle ◦ Cloud Data Loss Prevention (DLP) ◦ Data encryption options ◦ Secured practice for BigQuery • Tips & Tricks • Q&A

4. Cloud Security

5. Why it’s important? https://www.cxo-community.com/2018/01/5-reasons-why-cloud-security-is.html 1. Security breaches are always big

   news 2. All service providers aren’t equal 3. Know where your data is stored 4. Security roles should be clearly defined 5. Backing up data is just as important

6. How secured a cloud is? https://cloud.google.com/security/

7. Security Ecosystem

8. Mitigate the loss https://lifehacker.com/how-to-protect-yourself-in-microsofts-recent-data-breac-1841185226

9. “Security is Only as Strong as the Weakest Link”

10. Security Compliance

11. Data Protection Policy

12. GDPR

13. PDPA in Thailand

14. Data Protection Guideline https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other -Guides/Guide-to-Data-Protection-by-Design-for-ICT-Systems -(310519).pdf https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other -Guides/Technical-Guide-to-Advisory-Guidelines-on-NRIC-Nu mbers---260819.pdf

15. Secure Data on GCP

16. 1 Cloud IAM and Organizational Structure

17. Cloud IAM https://www.youtube.com/watch?v=ZQHoC0cR6Qw&hl=th

18. Use Groups, with logical names https://www.youtube.com/watch?v=ZQHoC0cR6Qw&hl=th

19. Organization Structure https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations Organization Resource Projects Folders Resources

20. Match resources to company structure Organization Resource Projects Folders Resource

    TIPS: Verbose project names provide clarity on resource structure and ownership i.e. company-sales-clientinsight-prod

21. 2 Service Accounts

22. Service Account https://www.youtube.com/watch?v=ZQHoC0cR6Qw&hl=th

23. Service Account Tips https://www.youtube.com/watch?v=ZQHoC0cR6Qw&hl=th Don’t rely on default Service Account

24. How many Service Accounts https://www.youtube.com/watch?v=ZQHoC0cR6Qw&hl=th

25. We should centralize the service account creation and rotation! https://cloud.google.com/blog/products/gcp/help-keep-your-google-cloud-service-account-keys-safe

26. 3 Object Life Cycle

27. cannot be undeleted. Lifecycle configuration https://cloud.google.com/storage/docs/lifecycle#actions Delete Multi-Regional Storage/ Regional

    Storage Nearline Storage Coldline Storage Archive Storage OR

28. Storage Classes

29. How to add a Lifecycle rule

30. How to add a Lifecycle rule (2)

31. How to add a Lifecycle rule (3) Done :)

32. Bucket Lock & Retention Policy Retention Policy To keep it

    at a certain amount of time before be able to delete. ** be careful, some action cannot be undone

33. 4 Cloud Data Loss Prevention

34. What can happen? https://www.youtube.com/watch?v=MY3PjFpI3rE

35. PII Personally Identifiable Information

36. • SSN / ID • Name • Date of Birth

    • Phone number • Email • Photos • . . . Personally Identifiable Information

37. Redaction https://www.youtube.com/watch?v=MY3PjFpI3rE

38. Cloud Data Loss Prevention (DLP) Provides methods for detection, risk

    analysis, and de-identification of privacy-sensitive fragments in text, images, and Google Cloud Platform storage repositories. https://cloud.google.com/solutions/automating-classification-of-data-uploaded-to-cloud-storage

39. Cloud Data Loss Prevention (DLP) https://cloud.google.com/solutions/automating-classification-of-data-uploaded-to-cloud-storage

40. 5 Data Encryption Options

41. Data Encryption Options • Google managed key ◦ Encryption by

    Default ◦ AES-256 standard • Customer-managed encryption keys (CMEK) ◦ Store keys within Cloud KMS • Customer-Supplied Encryption Keys (CSEK) ◦ Data encryption key (DEK): A key used to encrypt data. ◦ Key encryption key (KEK): A key used to encrypt, or "wrap", a data encryption key. https://cloud.google.com/security/encryption-at-rest/

42. 6 Security Practice for BigQuery

43. Big Data Reference Architecture Cloud Composer

44. BigQuery - Project BigQuery workshop

45. BigQuery - Datasets BigQuery workshop

46. BigQuery - Tables BigQuery workshop

47. BigQuery - Jobs BigQuery workshop

48. Tips and Tricks

49. New Arrival!

50. Tips and Tricks 1. Least Privileges! > Only allow the

    necessity roles. No more than that. 2. Least Privileges. Same to people in project. > Only allow people 3. Don’t use default firewall rule > It allows port 22 (default-allow-ssh). Should be removed 4. Don’t use default service account in production > The permission in default service account can be changed without notice. 5. Delete the unused projects! > Cause it co$t money $$$$! > CONSULT YOUR TEAM, PM, AND ANYONE RELATED FIRST! 6. Keep updating :) https://polleyg.dev/posts/shoot-yourself -gcp/

51. Resources • https://cloud.google.com/security/infrastructure/design/res ources/google_infrastructure_whitepaper_fa.pdf • https://cloud.google.com/docs/enterprise/best-practices-fo r-enterprise-organizations • https://cloud.google.com/storage/docs/bucket-lock •

    https://cloud.google.com/security/encryption-at-rest/custo mer-supplied-encryption-keys/ • https://cloud.google.com/storage/docs/encryption/custome r-managed-keys • https://cloud.google.com/blog/products/identity-security/int roducing-google-clouds-secret-manager • https://cloud.google.com/dlp/ • https://www.etda.or.th/app/webroot/content_files/13/files/1. PDPA%20Presentation_CyberSecurity%20Week%20201 9.pdf

52. “Security is Only as Strong as the Weakest Link”

53. Q & A

54. Thanks! Kamolphan Liwprasert (Fon) [email protected] linkedin.com/in/fonylew/ Sertis is hiring :)

55. SERTIS IS HIRING :) Feedback IS A GIFT :) https://forms.gle/cQrUDeJeyvYnDpVw5