From Data Center to Cloud: Changing Perspectives on Network Security

Within a data center, considerable time and resources are allocated to managing individual devices. This includes implementing robust passwords, fortifying configurations for networking devices, and establishing firewall rules for each endpoint.

In the realm of cloud networking, where you no longer own or operate the physical infrastructure, the security emphasis pivots from safeguarding hardware to configuring software-defined networking correctly and securing virtual devices.

Consequently, concerns related to fortifying router configurations or setting up high availability become less pressing. Nonetheless, transitioning from a data center to cloud infrastructure necessitates a definitive paradigm shift.


Kick Start: The Foundation of Identity and Access Management (IAM)

Identity and Access Management (IAM) in cloud services manages access control. Granting an identity an IAM role is what allows it to configure and change networking resources.

Users receive roles based on their cloud access needs. For instance, roles in Google Cloud align with specific tasks, regulated by IAM through allow and deny policies.

  • Allow policy = who + can do what + on what resource
  • Deny policy = who + cannot do what + on what resource

This gives you the ability to provide separation of duties by providing access to a service. With Google Cloud, you can refactor network access as your organization evolves and grows.

The Compute network administrator handles most networking tasks in Google Cloud, except for firewall configurations, managed by the Compute security administrator. This division allows separate responsibilities for network operations and security. Check out various roles for your organization’s needs here.
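The following is an added example, not code from the original article or from Google: a small Python model of how the allow and deny policies described above combine, and of the separation of duties between the Compute network administrator and the Compute security administrator. The role names and permission names are real, but the permission sets listed for each role are a hand-picked subset (the real roles carry many more), the resource paths and principals are constructed sample values, and deny-policy permissions are written in the same short form as allow-policy permissions for readability (real deny policies use the `compute.googleapis.com/...` form).

```python
"""Simplified model of how Google Cloud IAM combines allow and deny policies.

Added illustrative example, not Google's evaluator. Assumptions:
- ROLE_PERMISSIONS lists only a hand-picked subset of each real role's permissions.
- Deny-policy permissions use the same short names as allow-policy permissions;
  real deny policies use the "compute.googleapis.com/..." form.
- Resource paths and principals are constructed sample values.
"""
from dataclasses import dataclass

# Hand-picked subset of permissions (constructed for the example; the real
# predefined roles carry many more). Note the split the article describes:
# the network admin cannot create firewall rules, the security admin can.
ROLE_PERMISSIONS = {
    "roles/compute.networkAdmin": {
        "compute.networks.create",
        "compute.subnetworks.create",
        "compute.routes.create",
        "compute.firewalls.get",
    },
    "roles/compute.securityAdmin": {
        "compute.firewalls.create",
        "compute.firewalls.update",
        "compute.firewalls.delete",
        "compute.firewalls.get",
    },
}


@dataclass(frozen=True)
class AllowBinding:
    """Allow policy: who (members) + can do what (role) + on what resource."""
    role: str
    members: frozenset
    resource: str


@dataclass(frozen=True)
class DenyRule:
    """Deny policy: who (principals) + cannot do what (permissions) + on what resource."""
    principals: frozenset
    permissions: frozenset
    resource: str


def _applies_to(policy_resource: str, target: str) -> bool:
    """A policy attached to a resource also applies to all of its descendants."""
    return target == policy_resource or target.startswith(policy_resource + "/")


def check_access(principal, permission, resource, allow_bindings, deny_rules):
    """Return True only if an allow binding grants the permission and no deny rule blocks it.

    Deny policies are evaluated before allow policies, so a matching deny wins
    even when a role on the same or an ancestor resource would have allowed it.
    """
    for rule in deny_rules:
        if (principal in rule.principals
                and permission in rule.permissions
                and _applies_to(rule.resource, resource)):
            return False
    for binding in allow_bindings:
        if (principal in binding.members
                and permission in ROLE_PERMISSIONS.get(binding.role, set())
                and _applies_to(binding.resource, resource)):
            return True
    return False


# Constructed sample setup: separation of duties between a network operator
# and a security engineer, plus an org-wide guardrail against deleting firewall rules.
ORG = "organizations/example-org"
PROJECT = ORG + "/projects/net-prod"
NET_OPS = "user:netops@example.com"
SEC_ENG = "user:secops@example.com"

ALLOW_BINDINGS = [
    AllowBinding("roles/compute.networkAdmin", frozenset({NET_OPS}), PROJECT),
    AllowBinding("roles/compute.securityAdmin", frozenset({SEC_ENG}), PROJECT),
]
DENY_RULES = [
    # Nobody may delete firewall rules anywhere under the organization.
    DenyRule(frozenset({NET_OPS, SEC_ENG}), frozenset({"compute.firewalls.delete"}), ORG),
]


def can(principal, permission, resource=PROJECT):
    """Convenience wrapper over check_access using the sample policies."""
    return check_access(principal, permission, resource, ALLOW_BINDINGS, DENY_RULES)


if __name__ == "__main__":
    for who, perm in [(NET_OPS, "compute.subnetworks.create"),
                      (NET_OPS, "compute.firewalls.create"),
                      (SEC_ENG, "compute.firewalls.create"),
                      (SEC_ENG, "compute.firewalls.delete")]:
        print(f"{who:28} {perm:32} -> {'ALLOW' if can(who, perm) else 'DENY'}")
```

The last case is the one worth noticing when planning a role layout: the security engineer holds a role that includes `compute.firewalls.delete`, but the organization-level deny policy still blocks it, because deny policies are evaluated first and inherit down the resource hierarchy just as allow policies do.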


Virtual Private Cloud (VPC) architecture

In Google Cloud, there are two common network setups: shared VPCs and hub-and-spoke. Both offer centralized network rules but with different control methods. We recommend using a custom VPC network to create your own setup for full control over your network structure.


Shared VPC architecture

One of the ways to help build a network on Google Cloud is to use a shared VPC architecture. Google Cloud lets you connect resources from multiple projects to a common VPC network. This approach allows your resources to communicate with each other securely and efficiently using internal IP addresses from that network. This also allows your security team to enforce security policies across your entire organization.

If you need multiple shared VPCs, you can create connectivity between them using Cloud VPN, VPC peering, or Network Connectivity Center.

A host project with a Shared VPC network provides internal connectivity for two service projects, while a standalone project does not use Shared VPC

Network design

Your Google Cloud network design hinges on centralized or decentralized control based on your needs. Decide if you want centralized control over IP addressing, routing, and firewalls between workloads, or if teams should manage their own environments independently.

Consider whether your organization requires traffic between workloads to pass through centralized appliances such as next-generation firewalls (NGFW), since that requirement shapes your VPC network design. The ideal design depends on workload volume and resource consumption.

VPC Peering offers a solution by linking VPCs in a hub-and-spoke architecture. The hub holds shared resources, while spoke VPCs cater to specific department needs. Peering each spoke to the hub gives that spoke access to the shared resources.

Google Cloud network security services: Protecting your Cloud resources

After setting up your organization’s network, strengthen its security using Google Cloud’s services:

  • Load Balancers: Google offers Application and Network Load Balancers that support various protocols, ensuring robust configurations.
  • Cloud Armor: Safeguard your assets from threats like DDoS attacks, cross-site scripting (XSS), and SQL injection (SQLi) with this tool.
  • Cloud Firewall: Manage firewall rules efficiently using global policies. You can apply these policies to specific networks or multiple networks within a project. For centralized control, explore hierarchical firewall policies.
  • Intrusion Prevention: Monitor and prevent malicious activities, such as intrusions, malware, and command-and-control attacks on your Google Cloud workload traffic. Cloud Firewall Plus adds advanced threat protection and next-generation firewall capabilities.
  • Other Options: Google offers Network Intelligence Center, BeyondCorp, Cloud Ops, and more for comprehensive network security. Explore further details here.

By leveraging these tools, you can fortify your Google Cloud network against various threats. See this for more details on how you can secure your Google Cloud network.
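To make the "centralized control" point about hierarchical firewall policies concrete, here is an added Python model (not code from the article or from Google) of the order in which Google Cloud evaluates firewall rules: hierarchical policy rules at the organization, then at the folder, then the VPC network's own firewall rules, and finally the implied rules (deny all ingress, allow all egress). It deliberately leaves out target tags, service accounts and network-level global or regional policies; the rule sets and addresses are constructed sample values using TEST-NET ranges.

```python
"""Simplified model of Google Cloud firewall evaluation order.

Added illustrative example, not Google's enforcement engine. Assumptions:
- Order modelled: hierarchical policy rules at the organization, then at the
  folder, then VPC network firewall rules, then the implied rules
  (deny all ingress, allow all egress).
- Hierarchical rules may use "goto_next" to hand the decision to the next level;
  VPC firewall rules only allow or deny.
- Target tags, service accounts and network-level policies are left out;
  sample addresses are constructed from TEST-NET ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int        # lower number = evaluated first within its level
    direction: str       # "INGRESS" or "EGRESS"
    action: str          # "allow", "deny", or "goto_next"
    remote: str          # source CIDR for ingress, destination CIDR for egress
    protocol: str        # "tcp", "udp", "icmp", or "all"
    ports: tuple = ()    # empty tuple means any port


def _matches(rule: Rule, pkt: dict) -> bool:
    """Does this rule apply to the packet (direction, remote range, protocol, port)?"""
    if rule.direction != pkt["direction"]:
        return False
    if ipaddress.ip_address(pkt["remote"]) not in ipaddress.ip_network(rule.remote):
        return False
    if rule.protocol != "all" and rule.protocol != pkt["protocol"]:
        return False
    if rule.ports and pkt.get("port") not in rule.ports:
        return False
    return True


def evaluate(pkt: dict, org_rules, folder_rules, vpc_rules):
    """Return (verdict, level) from the first matching rule, or from the implied rules."""
    levels = (("organization", org_rules), ("folder", folder_rules), ("vpc", vpc_rules))
    for level, rules in levels:
        for rule in sorted(rules, key=lambda r: r.priority):
            if _matches(rule, pkt):
                if rule.action == "goto_next":
                    break            # delegate the decision to the next level down
                return rule.action, level
    # No explicit match anywhere: the implied rules apply.
    return ("deny" if pkt["direction"] == "INGRESS" else "allow"), "implied"


# Constructed sample policies.
ORG_RULES = [
    # Central guardrail: SSH from the internet is never allowed, whatever a project does.
    Rule(1000, "INGRESS", "deny", "0.0.0.0/0", "tcp", (22,)),
    # Everything else is decided lower in the hierarchy.
    Rule(65000, "INGRESS", "goto_next", "0.0.0.0/0", "all"),
]
FOLDER_RULES = []
VPC_RULES = [
    # A project team opened SSH to the world; the org-level rule still blocks it.
    Rule(1000, "INGRESS", "allow", "0.0.0.0/0", "tcp", (22,)),
    # HTTPS from a specific partner range is allowed by the project itself.
    Rule(1100, "INGRESS", "allow", "203.0.113.0/24", "tcp", (443,)),
]


def verdict(direction, remote, protocol, port=None):
    """Evaluate one constructed packet against the sample policies."""
    pkt = {"direction": direction, "remote": remote, "protocol": protocol, "port": port}
    return evaluate(pkt, ORG_RULES, FOLDER_RULES, VPC_RULES)


if __name__ == "__main__":
    for args in [("INGRESS", "198.51.100.7", "tcp", 22),
                 ("INGRESS", "203.0.113.9", "tcp", 443),
                 ("INGRESS", "203.0.113.9", "tcp", 8080),
                 ("EGRESS", "198.51.100.7", "tcp", 443)]:
        print(args, "->", verdict(*args))
```

The first case shows why hierarchical policies give the security team centralized control: the project's own VPC rule that allows SSH from anywhere is never reached, because the organization-level deny matches first. The third case shows the other half of the safety net, namely that traffic no rule explicitly allows falls through to the implied ingress deny.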


Microfusion Technology is a premier partner of Google Cloud, assisting numerous renowned enterprises in establishing a stable cloud infrastructure. We safeguard sensitive corporate data, thwart malicious software attacks, and counter threats. Our clientele spans industries such as logistics, retail, gaming, and the public sector. Curious about cloud security strategies? Feel free to fill out the contact form to have Microfusion Technology’s dedicated advisory team offer you world-class Google Cloud security solutions, ensuring your enterprise confidently embraces the cloud! This article’s translation and adaptation were derived from the official Google Cloud blog.