Author Archives: anuj - Page 4
Public Access Prevention Org Policy GCP
Org Policy - Public Access Prevention: It is a best practice to enable this constraint at the top Organization level. If projects need to override it, they can. But by…
OS patch management on GCP Compute Engine VMs
The VM Manager API is the service to use. Enable the feature called OS Patch Management there.
Default VPC Firewall Rules in GCP
All inbound traffic is denied by default. However, all outbound traffic is allowed by default. So, if there is a need to ensure that the default VPC instances see no…
Service Account Key Rotation in GCP
Create a new service account key. Switch applications to use the new key. Destroy the old key.
FIPS 140 Level 2 encryption requirements on GCP
Cloud KMS does not meet FIPS 140 Level 2 requirements. Only Cloud HSM does, and it requires an on-premises HSM solution.
Cloud DLP – De-identify Sensitive Data in GCP
To de-identify sensitive data, you replace it with cryptographic tokens. The GCP service that helps you accomplish this is Cloud DLP (Cloud Data Loss Prevention).
Scanning for Vulnerabilities on GCP
There are two services you can use. Web Security Scanner - this will scan your application (hosted on either App Engine or Compute Engine) for vulnerabilities: outdated libraries, hackable…
Edge Security on GCP
What is edge security? When the security rails are deployed closer to the user, it is called edge security. Should I use VPC Service Controls? Not so. These controls prevent…
Data Loss Prevention GCP – DLP API
Bucketing: This technique is ideal for large datasets (containing potentially sensitive data). It reduces the risk of matching sensitive data to identifying information. Redacting: This uses obfuscation. Date Shifting…
DDoS Prevention on GCP Hosted Applications
Use an SSL-based Load Balancer: This restricts you to either the HTTPS Global Load Balancer or SSL Proxy. Use a Cloud CDN: Cloud CDNs send requests all over the…