Designing a GCP Security Infrastructure
This course walks you through the main security components of Google Cloud Platform and uses a case study to show you how these can be applied to a real-world example.
By the end of this course, you will understand how the following components can be used to secure your GCP environments:
- Service accounts
- Data protection and encryption
- Legislation and compliance
This course is intended for anyone who wants to learn more about Google Cloud Platform.
To get the most from this course, you should already have a basic understanding of Google Cloud Platform.
The first step in giving secure access to your Google Cloud infrastructure is to decide how to authenticate your users. By default, Google Cloud Platform requires users to have a Google account to access it. But if you have more than a handful of users, then you'll want a centralized way to manage your user accounts. The solution is to use the G Suite Global Directory. You don't have to use G Suite products like Google Docs; you can use G Suite purely for user management.
Most organizations already have a user directory, so the best policy is usually to manage users in your existing directory and then synchronize the account information to G Suite. There are three ways to do this: Google Cloud Directory Sync (GCDS), the Google Apps Admin SDK, or a third-party connector.
Google Cloud Directory Sync is the easiest solution if you have either Active Directory or an LDAP server. It synchronizes users, groups, and other data from your existing directory to your Google Cloud Domain Directory. GCDS runs inside your network on a machine that you control.
It's a one-way synchronization, so GCDS doesn't modify your existing directory. Of course, the synchronization can't be a one-time event. It has to run on a regular basis to keep your Google Directory up to date.
To make authentication even easier for your users, you can implement single sign-on (SSO). Google Cloud Platform supports SAML 2.0-based SSO. If your system doesn't support SAML 2.0, then you can use a third-party plugin.
Once you've implemented SSO, then whenever a user would normally have to log in, Google will redirect them to your authentication system. If the user is already authenticated in your system, then they don't have to log in to Google Cloud separately. If they aren't already logged in, then they're prompted to log in.
In order for this to work, your users must have a matching account in Google's Directory. So you still need to use GCDS or one of the other synchronization options.
In our case study, since we have an Active Directory server, we'll use GCDS for synchronization and also implement single sign-on.
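The one-way sync and the SSO gating described above, as an added illustration in Python (not Cloud Academy's or Google's code; the directory contents are constructed, and the sync schedule and group handling are simplified):

```python
"""Model of GCDS one-way sync and SAML SSO gating as described in the lecture.

Added example, not Cloud Academy's or Google's code. Directory contents are
constructed sample data; the sync interval and group handling are simplified.
"""
from dataclasses import dataclass, field


@dataclass
class GoogleDirectory:
    """Users and group memberships as GCDS would populate them in G Suite."""
    users: set[str] = field(default_factory=set)
    groups: dict[str, set[str]] = field(default_factory=dict)


def gcds_sync(source_users: set[str], source_groups: dict[str, set[str]],
              google: GoogleDirectory) -> dict[str, set[str]]:
    """One-way sync: make the Google directory mirror the source directory.

    Returns the delta applied so each run can be logged. Anything created or
    changed directly in the Google directory is overwritten, never pushed back.
    """
    delta = {"added": source_users - google.users,
             "removed": google.users - source_users}
    google.users = set(source_users)
    google.groups = {g: set(m) & source_users for g, m in source_groups.items()}
    return delta


def sso_login(user: str, idp_sessions: set[str], google: GoogleDirectory) -> str:
    """Outcome when a user reaches Google with SAML SSO enabled.

    Google redirects to the customer's IdP; a live IdP session means no second
    login. Without a matching synced account the user cannot get in at all.
    """
    if user not in google.users:
        return "no_account"
    if user in idp_sessions:
        return "granted"
    return "prompted_by_idp"


def demo() -> dict:
    ad_users = {"alice", "bob"}                 # constructed AD state
    ad_groups = {"gcp-admins": {"alice"}}
    google = GoogleDirectory()
    first = gcds_sync(ad_users, ad_groups, google)
    google.users.add("tempuser")                # hand-created in Google only
    ad_users.discard("bob")                     # bob leaves the organization
    stale = sso_login("bob", set(), google)     # still present until next run
    second = gcds_sync(ad_users, ad_groups, google)
    return {"first": first, "stale_bob": stale, "second": second,
            "alice": sso_login("alice", {"alice"}, google),
            "tempuser": sso_login("tempuser", {"tempuser"}, google)}
```

The gap between bob leaving and the next sync run is why the sync schedule matters: until it runs, the account still exists on the Google side, and only the IdP refusing to authenticate him keeps him out.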
And that's it for authentication.
Guy launched his first training website in 1995 and he's been helping people learn IT technologies ever since. He has been a sysadmin, instructor, sales engineer, IT manager, and entrepreneur. In his most recent venture, he founded and led a cloud-based training infrastructure company that provided virtual labs for some of the largest software vendors in the world. Guy’s passion is making complex technology easy to understand. His activities outside of work have included riding an elephant and skydiving (although not at the same time).