cloud-project

GCP: Implementing Zero-Trust Architecture

CyberPreacher Edition

A mid-sized company is transitioning to a Zero-Trust security model in Google Cloud (GCP). Previously, they relied on perimeter security but lacked identity-based access controls, making them vulnerable to unauthorized access and insider threats. Their new Zero-Trust strategy focuses on:

For all resources in this lab, we are using the GCP us-east1 region.


Lab Objectives

In this GCP lab, you will complete the following exercises:

  1. Exercise 1: Enable Identity-Aware Proxy (IAP) and Conditional Access.
  2. Exercise 2: Configure Multi-Factor Authentication (MFA) for users.
  3. Exercise 3: Implement VPC Network Segmentation and Private Access.
  4. Exercise 4: Monitor and Audit Access Logs.

Pre-exercise

Bulk Import of Users

Task 1: Bulk operations for creating users with a .csv file

  1. Navigate to Google Cloud Console and open IAM & Admin.

  2. Under Users, select Bulk Import.

  3. Download the CSV template and populate it with user details.

  4. Modify the file to add users in bulk. Ensure fields like username, display name, and initial password are filled.

  5. Upload the CSV file and submit the bulk creation request.

  6. Create a new IAM Group named Management and add the imported users.


Exercise 1: Configure Conditional Access Policies in GCP IAM

Estimated Timing: 15 minutes

Task 1: Create IAM Policies for Zero-Trust Access Control

  1. Navigate to Google Cloud Console and open IAM & Admin.

  2. Under IAM Policies, click Create Policy and name it Zero-Trust Access Control.

  3. Configure the following settings:
    • Users: Assign to a specific IAM group (e.g., Management).
    • Conditions:
      • Restrict access based on device type (Windows, iOS).
      • Enforce sign-in risk levels (High, Medium).
    • Actions:
      • Require multi-factor authentication (MFA).
  4. Attach the policy to the Management IAM Group.

Task 2: Enable Identity-Aware Proxy (IAP)

  1. Navigate to Security > Identity-Aware Proxy in the Google Cloud Console.

  2. Enable IAP for applications that require Zero-Trust access.

  3. Configure access policies to enforce context-aware authentication.


Exercise 2: Configure Multi-Factor Authentication (MFA) for Users

Estimated Timing: 10 minutes

Task 1: Enforce MFA through IAM Policies

  1. Navigate to Google Cloud Console and open IAM & Admin.

  2. Under Security Settings, enable Multi-Factor Authentication (MFA).

  3. Require authentication via Google Authenticator or hardware security keys.

  4. Apply MFA enforcement to all users in the Management IAM Group.


Exercise 3: Implement VPC Network Segmentation and Private Access

Estimated Timing: 20 minutes

Task 1: Configure GCP VPC Segmentation

Task 2: Apply Firewall Rules and IAM Policies

Task 3: Implement Private Service Connect for Secure Access


Exercise 4: Monitor and Audit Access Logs

Estimated Timing: 15 minutes

Task 1: Enable Cloud Logging and Cloud Audit Logs

  1. Navigate to Google Cloud Console and open Cloud Logging.

  2. Enable logging for:
    • Sign-in attempts.
    • IAM policy changes.
    • Network activity.
  3. Use Cloud Audit Logs to track security compliance.

Task 2: Review Security Logs Using Cloud Monitoring

  1. Open Cloud Monitoring and run queries to detect anomalies:
    SELECT * FROM audit_logs WHERE eventName = 'ConsoleLogin' AND riskLevel != 'None'
    
  2. Investigate suspicious login attempts and adjust policies accordingly.

Outcome

By following these steps, you successfully implemented a Zero-Trust Architecture in GCP, securing identity access and network traffic. The organization now has a robust identity-based security model, protecting against unauthorized access and insider threats.

For further details, check out Google’s official guidance on Zero Trust architectures here and here.