🛡️ Security & Data Perimeter
Level: Advanced. Solves: protecting sensitive data from data exfiltration with defense-in-depth and a zero trust architecture
🎯 Objectives (Outcomes)
After applying the knowledge on this page, you will be able to:
- Design a VPC Service Controls perimeter for sensitive data
- Configure Access Levels based on identity, device, and context
- Deploy IAP for zero trust application access
- Implement Cloud DLP for data discovery and protection
- Use Security Command Center for threat detection
- Build a Defense-in-Depth security architecture
✅ When to use
| Control | Use Case | Reason |
|---|---|---|
| VPC Service Controls | Sensitive data protection | Prevent exfiltration |
| IAP | Internal app access | Zero trust, no VPN |
| Cloud DLP | PII discovery | Compliance, data governance |
| Access Levels | Context-aware access | Device + location + identity |
| SCC Premium | Threat detection | Real-time security |
❌ When NOT to use
| Pattern | Problem | Alternative |
|---|---|---|
| VPC-SC cho public services | Blocks customers | Selective perimeter |
| DLP scan of all data | Cost, performance | Risk-based scanning |
| IAP without device policies | Incomplete zero trust | Add device verification |
| Overly restrictive perimeter | Blocks legitimate access | Proper ingress policies |
⚠️ Warning from Raizo
"The team enabled VPC-SC without correct ingress rules. The CI/CD pipeline got blocked. Production deployment was stuck for 8 hours. Always test in dry-run mode first."
Security Layers
Defense in Depth
GCP SECURITY LAYERS (Layer 1 → Layer 5):
1. Layer 1: Organization Policies
   - Restrict resource locations
   - Disable service account keys
   - Require OS Login
2. Layer 2: VPC Service Controls
   - Service perimeter
   - Access levels
   - Ingress/Egress policies
3. Layer 3: IAM & Resource Policies
   - Least privilege
   - Conditional access
   - Resource-level permissions
4. Layer 4: Network Security
   - VPC firewall rules
   - Private Google Access
   - Private Service Connect
5. Layer 5: Data Protection
   - Encryption (at rest, in transit)
   - Cloud KMS (CMEK)
   - DLP (Data Loss Prevention)
VPC Service Controls
Core Concepts
VPC SERVICE CONTROLS CONCEPTS

SERVICE PERIMETER: a security boundary around GCP resources
- Inside the perimeter: Project A (BigQuery), Project B (GCS), Project C (Pub/Sub)
- Protected services: BigQuery, Cloud Storage, Pub/Sub, etc.
- ❌ Blocked: access from outside the perimeter
- ✅ Allowed: access within the perimeter

ACCESS LEVELS: conditions that allow access to the perimeter
- IP ranges (corporate network)
- Device attributes (managed devices)
- Identity (specific users/SAs)
- Geographic location
Perimeter Architecture
VPC SERVICE CONTROLS ARCHITECTURE (request flow, top to bottom):
1. OUTSIDE PERIMETER: Internet users, developer laptops, other projects
2. Access Level Check (IP, device, identity)
3. INGRESS POLICY
   - Allow from corporate IP range
   - Allow from managed devices
   - Allow specific service accounts
4. SERVICE PERIMETER: prj-data (BigQuery), prj-analytics (Dataproc), prj-ml (Vertex AI)
   - ✅ Free communication within the perimeter
5. EGRESS POLICY
   - Block data export to external projects
   - Allow specific API calls only
Perimeter Configuration
```yaml
# Service Perimeter Definition
name: accessPolicies/POLICY_ID/servicePerimeters/data_perimeter
title: "Data Analytics Perimeter"
perimeterType: PERIMETER_TYPE_REGULAR
status:
  resources:
    - projects/123456789   # prj-data
    - projects/234567890   # prj-analytics
    - projects/345678901   # prj-ml
  restrictedServices:
    - bigquery.googleapis.com
    - storage.googleapis.com
    - pubsub.googleapis.com
    - dataproc.googleapis.com
    - aiplatform.googleapis.com
  accessLevels:
    - accessPolicies/POLICY_ID/accessLevels/corp_network
    - accessPolicies/POLICY_ID/accessLevels/managed_devices
  ingressPolicies:
    - ingressFrom:
        identityType: ANY_IDENTITY
        sources:
          - accessLevel: accessPolicies/POLICY_ID/accessLevels/corp_network
      ingressTo:
        operations:
          - serviceName: bigquery.googleapis.com
            methodSelectors:
              - method: "*"
        resources:
          - "*"
  egressPolicies:
    - egressFrom:
        identityType: ANY_SERVICE_ACCOUNT
      egressTo:
        operations:
          - serviceName: storage.googleapis.com
            methodSelectors:
              - method: google.storage.objects.get
        resources:
          - projects/external-project   # Specific allowed external
```
Access Level Examples
```yaml
# Corporate Network Access Level
name: accessPolicies/POLICY_ID/accessLevels/corp_network
title: "Corporate Network"
basic:
  conditions:
    - ipSubnetworks:
        - "203.0.113.0/24"    # Office IP range
        - "198.51.100.0/24"   # VPN IP range
---
# Managed Device Access Level
name: accessPolicies/POLICY_ID/accessLevels/managed_devices
title: "Managed Devices"
basic:
  conditions:
    - devicePolicy:
        requireScreenlock: true
        osConstraints:
          - osType: DESKTOP_CHROME_OS
          - osType: DESKTOP_MAC
            minimumVersion: "10.15.0"
          - osType: DESKTOP_WINDOWS
            minimumVersion: "10.0.0"
        allowedEncryptionStatuses:
          - ENCRYPTED
---
# Combined Access Level (AND logic)
name: accessPolicies/POLICY_ID/accessLevels/secure_access
title: "Secure Access"
basic:
  combiningFunction: AND
  conditions:
    - ipSubnetworks:
        - "203.0.113.0/24"
    - devicePolicy:
        requireScreenlock: true
```
Zero Trust Architecture
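The three access levels defined above (corp_network, managed_devices, secure_access) combine their conditions with AND by default, and every attribute inside one devicePolicy must hold. This added example, not from the original page, evaluates a request context against those levels locally so the combining logic can be sanity-checked before the levels are attached to a perimeter; the RequestContext shape and the sample requests are assumptions, not the Access Context Manager API.

```python
import ipaddress
from dataclasses import dataclass
# The three access levels from the YAML above, as Python dicts.
CORP_NETWORK = {"basic": {"conditions": [
    {"ipSubnetworks": ["203.0.113.0/24", "198.51.100.0/24"]}]}}
MANAGED_DEVICES = {"basic": {"conditions": [{"devicePolicy": {
    "requireScreenlock": True,
    "osConstraints": [{"osType": "DESKTOP_CHROME_OS"},
                      {"osType": "DESKTOP_MAC", "minimumVersion": "10.15.0"},
                      {"osType": "DESKTOP_WINDOWS", "minimumVersion": "10.0.0"}],
    "allowedEncryptionStatuses": ["ENCRYPTED"]}}]}}
SECURE_ACCESS = {"basic": {"combiningFunction": "AND", "conditions": [
    {"ipSubnetworks": ["203.0.113.0/24"]},
    {"devicePolicy": {"requireScreenlock": True}}]}}

@dataclass
class RequestContext:
    """Attributes of one request (constructed shape, not the Access Context Manager API)."""
    ip: str
    os_type: str = ""            # e.g. DESKTOP_MAC
    os_version: str = "0"
    screenlock: bool = False
    encryption: str = "UNKNOWN"  # ENCRYPTED / UNENCRYPTED / UNKNOWN

def _version(v):
    return tuple(int(p) for p in v.split("."))

def _device_ok(policy, ctx):
    """Every attribute inside one devicePolicy must hold (AND within a condition);
    any listed OS may match, and its minimumVersion applies to that OS only."""
    if policy.get("requireScreenlock") and not ctx.screenlock:
        return False
    if "allowedEncryptionStatuses" in policy and ctx.encryption not in policy["allowedEncryptionStatuses"]:
        return False
    if "osConstraints" in policy:
        return any(c["osType"] == ctx.os_type and _version(ctx.os_version) >= _version(c.get("minimumVersion", "0"))
                   for c in policy["osConstraints"])
    return True

def _condition_ok(cond, ctx):
    if "ipSubnetworks" in cond and not any(
            ipaddress.ip_address(ctx.ip) in ipaddress.ip_network(n) for n in cond["ipSubnetworks"]):
        return False
    return "devicePolicy" not in cond or _device_ok(cond["devicePolicy"], ctx)

def evaluate(level, ctx):
    """combiningFunction AND (the default) needs every condition; OR needs at least one."""
    basic = level["basic"]
    results = [_condition_ok(c, ctx) for c in basic["conditions"]]
    return any(results) if basic.get("combiningFunction") == "OR" else all(results)

def check_all(ctx):
    """Which of the three access levels grant this request."""
    return {name: evaluate(level, ctx) for name, level in
            [("corp_network", CORP_NETWORK), ("managed_devices", MANAGED_DEVICES), ("secure_access", SECURE_ACCESS)]}
```

Note that secure_access admits an unencrypted device that managed_devices rejects: a combined AND level is only as strict as the attributes it actually lists.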
BeyondCorp Principles
BEYONDCORP / ZERO TRUST

TRADITIONAL (perimeter-based):
- TRUSTED zone (inside the VPN) containing the resources
- UNTRUSTED zone (Internet) outside it

ZERO TRUST: never trust, always verify. For every request:
- Verify identity
- Check device
- Evaluate context
- Grant minimal access

ZERO TRUST COMPONENTS ON GCP:
- Identity-Aware Proxy (IAP)
- BeyondCorp Enterprise
- VPC Service Controls
- Context-Aware Access
Identity-Aware Proxy (IAP)
IDENTITY-AWARE PROXY (request flow):
1. User request
2. IAP
   1. Authenticate user (Google Identity)
   2. Check IAM permissions
   3. Evaluate access level (device, location)
   4. Forward request with identity headers: X-Goog-Authenticated-User-Email, X-Goog-Authenticated-User-Id
3. Backend application
   - No public IP needed
   - Trust IAP headers (only after verifying the signed JWT assertion; see Failure Mode 3)
   - Focus on business logic

SUPPORTED BACKENDS:
- Cloud Run
- App Engine
- Compute Engine (via Load Balancer)
- GKE (via Ingress)
- On-premises (via IAP Connector)
Data Loss Prevention (DLP)
DLP Integration
CLOUD DLP ARCHITECTURE (data flow, top to bottom):
1. DATA SOURCES: Cloud Storage, BigQuery, Datastore, text/images
2. CLOUD DLP
   - INSPECT: find sensitive data
     - PII (names, emails, phones)
     - Financial (credit cards, bank accounts)
     - Healthcare (medical records)
     - Custom patterns (employee IDs)
   - DE-IDENTIFY: transform sensitive data
     - Masking: John Doe → J*** D**
     - Tokenization: 4111-1111 → tok_abc123
     - Encryption: deterministic or format-preserving
     - Redaction: remove entirely
3. ACTIONS
   - Alert security team
   - Quarantine data
   - Auto-remediate (de-identify)
   - Block access
DLP Job Configuration
```json
{
  "inspectJob": {
    "storageConfig": {
      "bigQueryOptions": {
        "tableReference": {
          "projectId": "my-project",
          "datasetId": "customer_data",
          "tableId": "users"
        }
      }
    },
    "inspectConfig": {
      "infoTypes": [
        {"name": "EMAIL_ADDRESS"},
        {"name": "PHONE_NUMBER"},
        {"name": "CREDIT_CARD_NUMBER"},
        {"name": "VIETNAM_NATIONAL_ID"}
      ],
      "minLikelihood": "LIKELY",
      "limits": {
        "maxFindingsPerRequest": 1000
      }
    },
    "actions": [
      {
        "pubSub": {
          "topic": "projects/my-project/topics/dlp-findings"
        }
      },
      {
        "saveFindings": {
          "outputConfig": {
            "table": {
              "projectId": "my-project",
              "datasetId": "dlp_results",
              "tableId": "findings"
            }
          }
        }
      }
    ]
  }
}
```
Security Command Center
Findings & Recommendations
SECURITY COMMAND CENTER

FINDING CATEGORIES
- VULNERABILITY: misconfigurations, CVEs
  - Public bucket
  - Firewall allows 0.0.0.0/0
  - Outdated OS image
- THREAT: active threats detected
  - Malware detected
  - Cryptomining activity
  - Suspicious API calls
- MISCONFIGURATION: best practice violations
  - MFA not enabled
  - Logging disabled
  - Default service account used

SEVERITY LEVELS
- CRITICAL: immediate action required
- HIGH: address within 24 hours
- MEDIUM: address within 1 week
- LOW: address in next sprint
Best Practices Checklist
- [ ] Implement VPC Service Controls for sensitive data
- [ ] Define access levels based on identity AND context
- [ ] Use IAP for internal application access
- [ ] Enable Security Command Center Premium
- [ ] Configure DLP scanning for data stores
- [ ] Implement data classification labels
- [ ] Set up automated remediation for findings
- [ ] Regular security posture reviews
⚖️ Trade-offs
Trade-off 1: VPC-SC Strictness vs Usability
| Approach | Security | Usability |
|---|---|---|
| Strict perimeter | Highest | Difficult |
| Ingress policies | High | Balanced |
| Dry-run mode | Visibility only | Full access |
Recommendation: start with dry-run, analyze the logs, then enforce.
Trade-off 2: DLP Scope vs Cost
| Scope | Coverage | Cost |
|---|---|---|
| Full scan | 100% | Very high |
| Sampling | Statistical | Moderate |
| New data only | Real-time | Low |
Trade-off 3: IAP vs Traditional VPN
| Approach | Security Model | User Experience |
|---|---|---|
| IAP | Zero trust | Browser-native |
| VPN | Perimeter trust | VPN client |
| Hybrid | Defense-in-depth | Varies |
🚨 Failure Modes
Failure Mode 1: VPC-SC Blocks Legitimate Traffic
🔥 Real incident
VPC-SC enabled without proper ingress rules. Cloud Build cannot push to Artifact Registry. All deployments blocked. 4-hour outage.
| How to detect | How to prevent |
|---|---|
| VPC-SC deny logs | Dry-run first |
| API errors | Proper ingress policies |
| Service failures | Testing in staging |
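The recommendation to run dry-run first and analyze the logs, and the "VPC-SC deny logs" detection row above, both depend on reading VPC-SC audit entries correctly. This added example, not part of the original page, triages a constructed batch of such entries: it separates VPC-SC violations from plain IAM denials (both come back as status code 7), lists enforced denials before dry-run ones, and groups the rest so each row maps to one candidate ingress or egress rule. The entry shape is modelled on Cloud Audit Log entries carrying VpcServiceControlAuditMetadata, but the principals, method names and other sample values are constructed.

```python
import json
from collections import Counter

def _entry(service, method, principal, meta, code=7):
    """One minimal audit-log entry (constructed; only the fields used below)."""
    return json.dumps({"protoPayload": {
        "serviceName": service, "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "status": {"code": code}, "metadata": meta}})

PERIM = "accessPolicies/POLICY_ID/servicePerimeters/data_perimeter"
# Constructed log batch: 3 enforced denials of the CI service account, 2 dry-run
# violations, one plain IAM denial (status 7 but no VPC-SC metadata) and one success.
SAMPLE_LOG = [_entry("artifactregistry.googleapis.com", "Docker-UploadBlob",
                     "cloudbuild@prj-ci.iam.gserviceaccount.com",
                     {"dryRun": False, "violationReason": "NO_MATCHING_ACCESS_LEVEL",
                      "ingressViolations": [{"targetResource": "projects/123456789",
                                             "servicePerimeter": PERIM}]})] * 3 + [
    _entry("bigquery.googleapis.com", "jobservice.insert", "analyst@example.com",
           {"dryRun": True, "violationReason": "NO_MATCHING_ACCESS_LEVEL",
            "ingressViolations": [{"targetResource": "projects/123456789", "servicePerimeter": PERIM}]}),
    _entry("storage.googleapis.com", "google.storage.objects.get", "etl@prj-data.iam.gserviceaccount.com",
           {"dryRun": True, "violationReason": "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER",
            "egressViolations": [{"source": "projects/123456789", "targetResource": "projects/external-project"}]}),
    _entry("storage.googleapis.com", "google.storage.objects.list", "analyst@example.com", {}),
    _entry("storage.googleapis.com", "google.storage.objects.list", "analyst@example.com", {}, code=0)]

def is_vpcsc_denial(entry):
    """VPC-SC violations carry VpcServiceControlAuditMetadata with a violationReason;
    an ordinary IAM PERMISSION_DENIED has status code 7 too but no such metadata."""
    return "violationReason" in entry.get("protoPayload", {}).get("metadata", {})

def classify(entry):
    """Reduce one violation to the fields that decide which rule would admit it."""
    p, m = entry["protoPayload"], entry["protoPayload"]["metadata"]
    violations = m.get("ingressViolations", []) + m.get("egressViolations", [])
    return {"mode": "dry-run" if m.get("dryRun") else "ENFORCED",
            "direction": "ingress" if m.get("ingressViolations") else "egress",
            "principal": p.get("authenticationInfo", {}).get("principalEmail", "?"),
            "service": p.get("serviceName"), "method": p.get("methodName"),
            "reason": m["violationReason"],
            "targets": tuple(v.get("targetResource") for v in violations)}

def triage(lines):
    """Group denials so each row maps to one candidate ingress/egress rule.
    Enforced denials (an outage in progress) sort before dry-run ones, then by volume."""
    counts = Counter()
    for line in lines:
        entry = json.loads(line)
        if is_vpcsc_denial(entry):
            counts[tuple(sorted(classify(entry).items()))] += 1
    rows = [dict(key, count=n) for key, n in counts.items()]
    return sorted(rows, key=lambda r: (r["mode"] != "ENFORCED", -r["count"]))
```

Each dry-run row is a rule you will need before switching to enforced mode (for example, an ingress rule admitting the CI service account); an egress row with an external targetResource is the signal to check before allowing it, since that is exactly the exfiltration path the perimeter exists to block.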
Failure Mode 2: DLP False Positives
| How to detect | How to prevent |
|---|---|
| High finding volume | Tune likelihood thresholds |
| Team ignores alerts | Custom info types |
| Legitimate data flagged | Exclusion rules |
Failure Mode 3: IAP Misconfiguration
| How to detect | How to prevent |
|---|---|
| 403 errors | Verify IAM bindings |
| Access denied | Check access levels |
| Header spoofing vulnerability | Verify JWT, not just headers |
🔐 Security Baseline
Security Perimeter Requirements
| Requirement | Implementation | Verification |
|---|---|---|
| VPC-SC for sensitive data | Service perimeter | SCC findings |
| Access levels | Corp network + device | Access level audit |
| IAP for internal apps | IAP-enabled backends | Configuration review |
| DLP scanning | Regular scans | Finding review |
| SCC Premium | Enabled org-wide | Active threats |
VPC-SC Security Checklist
| Item | Status |
|---|---|
| Perimeter covers sensitive projects | ☑ Required |
| All sensitive services restricted | ☑ Required |
| Access levels defined | ☑ Required |
| Ingress policies for CI/CD | ☑ Required |
| Egress policies restrictive | ☑ Required |
| Dry-run tested | ☑ Before enforcement |
📊 Ops Readiness
Metrics to monitor
| Metric | Source | Alert Threshold |
|---|---|---|
| VPC-SC deny events | Cloud Logging | Any |
| SCC findings Critical/High | SCC | Any new |
| DLP finding rate | DLP | Spike |
| IAP auth failures | Cloud Logging | > baseline |
| Access level evaluation failures | Cloud Logging | Any |
Runbook Entry Points
| Situation | Runbook |
|---|---|
| VPC-SC blocks CI/CD | runbook/vpc-sc-troubleshooting.md |
| High DLP findings | runbook/dlp-finding-triage.md |
| SCC critical alert | runbook/scc-incident-response.md |
| IAP access issues | runbook/iap-troubleshooting.md |
| Data exfiltration detected | runbook/data-exfiltration-response.md |
✅ Design Review Checklist
VPC Service Controls
- [ ] Perimeter scope defined
- [ ] Services restricted
- [ ] Access levels configured
- [ ] Ingress/egress policies
- [ ] Dry-run tested
Zero Trust
- [ ] IAP enabled
- [ ] Device policies defined
- [ ] Context-aware access
- [ ] No VPN-only access
Data Protection
- [ ] DLP scanning configured
- [ ] Data classification
- [ ] CMEK for sensitive data
- [ ] Audit logging
Threat Detection
- [ ] SCC Premium enabled
- [ ] Alerting configured
- [ ] Auto-remediation where possible
- [ ] Regular posture reviews
📎 Links
- 📎 AWS Security Posture - Comparison with AWS security services
- 📎 GCP IAM Model - IAM in the context of security
- 📎 VPC & Networking - Network security integration
- 📎 Observability & Audit - Security monitoring
- 📎 AWS Secrets Management - Key management comparison