
google-cloud-waf-security


Generates security-focused guidance for Google Cloud workloads based on the Google Cloud Well-Architected Framework (WAF). Use to evaluate a workload, identify security requirements, and provide actionable recommendations for IAM, network security, data protection, and operational security.

# Google Cloud Well-Architected Framework skill for the Security pillar

## Overview

The security pillar of the Google Cloud Well-Architected Framework provides
design principles and best practices for building a robust security posture by
integrating security into every layer of the architecture for cloud workloads.
It focuses on maintaining confidentiality and integrity of data and systems
while ensuring compliance and privacy. It provides a structured approach to risk
management, threat defense, and identity control, enabling you to operate cloud
workloads securely and at scale.

## Core principles

The recommendations in the security pillar of the Well-Architected Framework are
aligned with the following core principles:

-  **Implement security by design**: Integrate cloud security and network
   security considerations starting from the initial design phase of your
   applications and infrastructure. Google Cloud provides architecture
   blueprints and recommendations to help you apply this principle. Grounding
   document:
   https://docs.cloud.google.com/architecture/framework/security/implement-security-by-design

-  **Implement zero trust**: Use a _never trust, always verify_ approach, where
   access to resources is granted based on continuous verification of trust.
   Google Cloud supports this principle through products like Chrome Enterprise
   Premium and Identity-Aware Proxy (IAP). Grounding document:
   https://docs.cloud.google.com/architecture/framework/security/implement-zero-trust

-  **Implement shift-left security**: Implement security controls early in the
   software development lifecycle. Avoid security defects before system changes
   are made. Detect and fix security bugs early, fast, and reliably after the
   system changes are committed. Google Cloud supports this principle through
   products like Cloud Build, Binary Authorization, and Artifact Registry.
   Grounding document:
   https://docs.cloud.google.com/architecture/framework/security/implement-shift-left-security

-  **Implement preemptive cyber defense**: Adopt a proactive approach to
   security by putting robust fundamental measures, such as threat
   intelligence, in place before an attack occurs. These measures give you a
   foundation for more effective threat detection and response. Google Cloud's
   layered security controls align with this principle, and products like
   Security Command Center, Google Threat Intelligence, and Google SecOps
   support it. Grounding document:
   https://docs.cloud.google.com/architecture/framework/security/implement-preemptive-cyber-defense

-  **Use AI securely and responsibly**: Develop and deploy AI systems in a
   responsible and secure manner. The recommendations for this principle are
   aligned with guidance in the AI and ML perspective of the Well-Architected
   Framework and in Google's Secure AI Framework (SAIF). Grounding document:
   https://docs.cloud.google.com/architecture/framework/security/use-ai-securely-and-responsibly

-  **Use AI for security**: Use AI capabilities, such as Gemini in Security
   and the platform's built-in security features, to improve your existing
   security systems and processes. Use AI to automate remediation work and to
   maintain security hygiene, so that the systems it supports become more
   secure. Google Cloud supports this principle through products like Google
   Threat Intelligence and Google SecOps. Grounding document:
   https://docs.cloud.google.com/architecture/framework/security/use-ai-for-security

-  **Meet regulatory, compliance, and privacy needs**: Adhere to
   industry-specific regulations, compliance standards, and privacy
   requirements. Google Cloud helps you meet these obligations through products
   like Assured Workloads, Organization Policy Service, and our compliance
   resource center. Grounding document:
   https://docs.cloud.google.com/architecture/framework/security/meet-regulatory-compliance-and-privacy-needs

## Relevant Google Cloud products

The following are _examples_ of Google Cloud products and features that are
relevant to security:

- **Identity and access management**

  - **Identity and Access Management (IAM)**: Fine-grained access control for
    Google Cloud resources.
  - **Identity-Aware Proxy (IAP)**: Secure access to applications without a VPN.
  - **Chrome Enterprise Premium**: Endpoint security and context-aware access.

- **Network security**

  - **Google Cloud Armor**: DDoS protection and Web Application Firewall
    (here WAF means the firewall product, not the Well-Architected Framework
    abbreviation used elsewhere on this page).
  - **VPC Service Controls**: Define security perimeters to prevent data
    exfiltration.
  - **Cloud Next-Generation Firewall (NGFW)**: Advanced threat protection for
    network traffic.
  - **Shared VPC**: Centralized network management across projects.
  - **Cloud Interconnect and IPsec VPN**: Secure, private connectivity.

- **Data security**

  - **Cloud Key Management Service (KMS)**: Manage encryption keys.
  - **Sensitive Data Protection (formerly Cloud DLP)**: Discover and redact
    sensitive data.
  - **Confidential Computing**: Encrypt data in use (while it is in memory).

- **Security operations (SecOps)**

  - **Google SecOps (Chronicle)**: Threat detection and security analytics.
  - **Security Command Center (SCC)**: Centralized vulnerability and threat
    management.
  - **Cloud Logging and Cloud Monitoring**: Visibility into system activity.

- **Automation and supply chain**

  - **Cloud Build**: Secure CI/CD pipelines.
  - **Artifact Analysis**: Vulnerability scanning for container images.
  - **Binary Authorization**: Deploy-time policy enforcement.
  - **Assured Open Source Software**: Use secured OSS packages.

## Workload assessment questions

Ask appropriate questions to understand the security-related requirements and
constraints of the workload and the user's organization. Choose questions from
the following list:

- **Security by design**:

  - How do you incorporate security considerations into your project's initial
    planning and design phases?
  - How do you define and document security requirements for new applications
    and services?
  - How do you ensure that security is integrated into your development
    lifecycle?
  - What tools and techniques do you use to perform threat modeling during the
    design phase?
  - How do you manage and prioritize security vulnerabilities discovered during
    the design and development process?
  - How do you handle security updates and patches for your applications and
    infrastructure?
  - How do you document and communicate security design decisions to your team
    and stakeholders?
  - How do you ensure that security configurations are consistently applied
    across your environments?
  - How do you validate the effectiveness of your security controls and
    measures?
  - How do you handle security exceptions and deviations from your security
    design?

- **Zero trust**:

  - How do you verify and authenticate users and devices accessing your Google
    Cloud resources?
  - How do you implement the principle of least privilege for access control?
  - How do you monitor and control network traffic within your Google Cloud
    environment?
  - How do you secure data in transit and at rest in your Google Cloud
    environment?
  - How do you implement continuous monitoring and logging of user and device
    activity?
  - How do you handle and respond to security incidents and breaches in a zero
    trust environment?
  - How do you manage and update security policies and controls in a zero trust
    environment?
  - How do you ensure that third-party applications and services comply with
    your zero trust principles?
  - How do you handle remote access and BYOD devices in a zero trust
    environment?
  - How do you educate and train your employees on zero trust principles and
    practices?

- **Shift-left security**:

  - How do you integrate security testing into your development pipeline early
    in the process?
