The course is part of this learning path
If you’re going to work with modern software systems, then you can escape learning about cloud technologies. And that’s a rather broad umbrella. Across the three major cloud platform providers, we have a lot of different service options, and there’s a lot of value in them all.
However, the area that I think Google Cloud Platform excels in is providing elastic fully managed services. Google Cloud Platform to me, is the optimal cloud platform for developers. It provides so many services for building out highly available - highly scalable web applications and mobile back-ends.
For me personally, Google Cloud Platform has quickly become my personal favorite cloud platform. Now, opinions are subjective, but I’ll share why I like it so much.
I’ve worked as a developer for years, and for much of that time, I was responsible for getting my code into production environments and keeping it running. I worked on a lot of smaller teams where there were no operations engineers.
So, here’s what I like about the Google Cloud Platform, it allows me to think about the code and the features I need to develop, without worrying about the operations side because many of the service offerings are fully managed.
So things such as App Engine allow me to write my code, test it locally, run it through the CI/CD pipeline, and then deploy it. And once it’s deployed, for the most part, unless I’ve introduced some software bug, I don’t have to think about it. Google’s engineers keep it up-and-running, and highly available. And having Google as your ops team is really cool!
Another thing I really like about is the ease of use of things such as BigQuery and their Machine Learning APIs. If you’ve ever worked with large datasets, you know that some queries take forever to run. BigQuery can query massive datasets in just seconds. Which allows me to get the data I need quickly, so I can move on to other things.
And with the machine learning APIs, I can use a REST interface to do things like language translation, or speech to text, with ease. And that allows me the ability to integrate this into my applications, which gives the end-users a better user experience.
So for me personally, I love that I can focus on building out applications and spend my time adding value to the end-users.
If you’re looking to learn the fundamentals about a platform that’s not only developer-friendly but cost-friendly, then this is the right course for you!
By the end of this course, you'll know:
- The purpose and value of each product and service
- How to choose an appropriate deployment environment
- How to deploy an application to App Engine, Kubernetes Engine, and Compute Engine
- The different storage options
- The value of Cloud Firestore
- How to get started with BigQuery
This is an intermediate-level course because it assumes:
- You have at least a basic understanding of the cloud
- You’re at least familiar with building and deploying code
- Anyone who would like to learn how to use Google Cloud Platform
Hello and welcome! In this lesson, I'll introduce you to some of the security services that you should know about before working with Google Cloud. We'll talk about virtual private clouds, Key Management Service, Data Loss Prevention, Cloud Identity, and the Identity Platform. For the most part, this lesson is going to be a high-level introduction to these services. However, since the Data Loss Prevention service is fairly easy to demonstrate, we'll actually test it out.
So, without further ado, let's get started. Without networks, our devices would be all independent and would require physical access to use, which might make security easier, however, it's just not how the world works, so it's important to be able to control the flow of data on our networks. When using Google Cloud, networking happens inside of a virtual private cloud, also called a VPC. VPCs are logically isolated software-defined networks that provide networking for compute resources on Google Cloud, and they allow us to control the flow of traffic through the use of subnets, firewall rules, and routes.
All right, next up is the Key Management Service, also called KMS. KMS is used for centralizing, managing, and using encryption keys, and once we have keys in a centralized location, we can set schedules for them to expire so that they're not sticking around forever. Without the use of a service such as KMS, engineers would have to manage these encryption keys on their own, which oftentimes, it results in less-than-stellar security practices. Sometimes keys are uploaded to source control systems, which happens more often than you'd think. Sometimes they're also deployed with applications, and that might even be a mobile app which would allow an attacker to extract those keys. Other times, there might be no encryption at all, because again, it's a non-trivial task to get right. So if you're going to be working with encryption, check out KMS and see if it meets your use case.
For many of us, the internet is integrated into our daily lives, which results in more of our data being stored digitally. Some of the data we put out into the world is rather benign, and we just don't care if it's public. However, we all have data that we expect to remain private. That's information such as your Social Security number, your passport number, medical history, and so on. Certain information is sensitive, and in the wrong hands it can be abused. To help with data security, Google Cloud offers Cloud Data Loss Prevention, also referred to as Cloud DLP, or in the context of Google Cloud, it might just be called DLP.
Cloud DLP is a service which allows customers to inspect their data for potentially sensitive information and optionally redact it. So, at the risk of angering the engineers who work on this, at the risk of oversimplifying, imagine it as a giant find and replace for sensitive data. DLP is a stand-alone REST API, and by that I mean it's useful on its own independently, though it can also integrate with some of the other Cloud services. It provides end points for inspecting data, for de-identifying data, and for even re-identifying data in certain cases. When I say data, what I mean by that is either structured or unstructured text, or images which may contain sensitive information.
So imagine having a picture of a medical record. When you inspect your data with DLP, you need to provide a list of the types of sensitive data for which you want to search. By default, DLP can detect over 90 different types of sensitive information, which are called information types, or just info types. You can also create custom info types that are either based on a dictionary, or a regular expression. After completing an inspection, DLP returns the findings, which will show all of the matches along with the likelihood that that match is the expected information type. Now, once you find sensitive data, that is your first step.
Next, it needs to be secured, which involves transforming the matches that you find into a format that can't be re-identified. DLP has different types of transformations, such as redaction, replacement, masking, encryption, date shifting, and more. Some of these types of transformation are one-way. They can't be reversed, once you do it that's it, and others are reversible. Let's check out an example using the API Explorer.
I'm here on the Overview page for the already-enabled DLP API. At the bottom is a link to the API Explorer, and this is going to open up the Data Loss Prevention version two. The end point used to inspect data is listed under dlp.projects.content.inspect. All right, so this is our inspection end point. Now, using this structured editor, you can select the properties. You can build out this JSON object. However, I'm going to use the free-form editor. I'm going to paste in the JSON that comes directly from the DLP documentation.
Alright, let's pause here. I wanna review what's happening. This is passing the inspect API a request to inspect this unstructured text. This section is telling the API to search for any phone numbers, which includes any toll-free numbers. Then it asks only to show results with a minimum likelihood of possible. We don't want everything, just if we really think it's possible. And then we have this setting here which will ask the DLP service to return whatever sensitive data it detected. That way we can see, we can determine if it really is sensitive data. So our goal here is to search through this text for any phone numbers.
Now before running it, I just need to provide a parent resource, and in this case, it is going to be my project. Okay, so let's run this by clicking Authorize and execute, and logging in. Great, now scrolling down, you can see the API Explorer has printed the request, and further down is our response. The status code of 200 tells us that the API call was successful, and the JSON object tells us that DLP did find a likely match for a phone number.
So I mentioned before that DLP is a stand-alone API, which is true, though it does integrate with some of the Google Cloud Platform storage services, such as Cloud Storage, BigQuery, and Cloud Data Storage. So this means we'll be able to use DLP to scan through the data in these different services and either find sensitive data or maybe redact it. So if you're going to be storing sensitive data, even if it's outside of the Google Cloud Platform, then check out DLP. See if it can help you find any of that data that maybe you haven't de-identified.
Cloud Identity is Google's cloud-based enterprise identity service. Cloud Identity is used by organizations to manage user identities, application access, and device management. It supports two-factor authentication, device security policies, human resource management system integration, et cetera.
Our final service for this lesson is going to be the Identity Platform. Where Cloud Identity is intended for corporate use as an identity solution, the Identity Platform is a service for managing customer identities. By integrating the Identity Platform into your application, it kind of fills the role of Authentication as a Service. It supports multiple authentication methods, such as traditional email and password, social media logins, SAML, et cetera. It's priced based on monthly active users, and it has a nice free tier. So if you're building an application that requires user accounts, make sure to evaluate Identity Platform as an auth service in addition to any other services you might be evaluating.
Okay, that's going to be all for this lesson. I hope this has been a helpful glimpse into some of the security functionality on Google Cloud. Thank you so much for watching, and I will see you in the next lesson.
Ben Lambert is a software engineer and was previously the lead author for DevOps and Microsoft Azure training content at Cloud Academy. His courses and learning paths covered Cloud Ecosystem technologies such as DC/OS, configuration management tools, and containers. As a software engineer, Ben’s experience includes building highly available web and mobile apps. When he’s not building software, he’s hiking, camping, or creating video games.