Implement zero trust

Last reviewed 2025-02-05 UTC

This principle in the security pillar of the Google Cloud Well-Architected Framework helps you ensure comprehensive security across your cloud workloads. The principle of zero trust emphasizes the following practices:

  • Eliminating implicit trust
  • Applying the principle of least privilege to access control
  • Enforcing explicit validation of all access requests
  • Adopting an assume-breach mindset to enable continuous verification and security posture monitoring

Principle overview

The zero-trust model shifts the security focus from perimeter-based security to an approach where no user or device is considered to be inherently trustworthy. Instead, every access request must be verified, regardless of its origin. This approach involves authenticating and authorizing every user and device, validating their context (location and device posture), and granting least privilege access to only the necessary resources.

Implementing the zero-trust model helps your organization enhance its security posture by minimizing the impact of potential breaches and protecting sensitive data and applications against unauthorized access. The zero-trust model helps you ensure confidentiality, integrity, and availability of data and resources in the cloud.

Recommendations

To implement the zero-trust model for your cloud workloads, consider the recommendations in the following sections:

Secure your network

This recommendation is relevant to the following focus area: Infrastructure security.

Transitioning from conventional perimeter-based security to a zero-trust model requires multiple steps. Your organization might have already integrated certain zero-trust controls into its security posture. However, a zero-trust model isn't a singular product or solution. Instead, it's a holistic integration of multiple security layers and best practices. This section describes recommendations and techniques to implement zero trust for network security.

  • Access control: Enforce access controls based on user identity and context by using solutions like Chrome Enterprise Premium and Identity-Aware Proxy (IAP). By doing this, you shift security from the network perimeter to individual users and devices. This approach enables granular access control and reduces the attack surface.
  • Network security: Secure network connections between your on-premises, Google Cloud, and multicloud environments.
  • Network design: Prevent potential security risks by deleting default networks in existing projects and disabling the creation of default networks in new projects.
    • To avoid conflicts, plan your network and IP address allocation carefully.
    • To enforce effective access control, limit the number of Virtual Private Cloud (VPC) networks per project.
  • Segmentation: Isolate workloads but maintain centralized network management.
    • To segment your network, use Shared VPC.
    • Define firewall policies and rules at the organization, folder, and VPC network levels.
    • To prevent data exfiltration, establish secure perimeters around sensitive data and services by using VPC Service Controls.
  • Perimeter security: Protect against DDoS attacks and web application threats.
    • To protect against threats, use Google Cloud Armor.
    • Configure security policies to allow, deny, or redirect traffic at the Google Cloud edge.
  • Automation: Automate infrastructure provisioning by embracing infrastructure as code (IaC) principles and by using tools like Terraform, Jenkins, and Cloud Build. IaC helps to ensure consistent security configurations, simplified deployments, and rapid rollbacks in case of issues.
  • Secure foundation: Establish a secure application environment by using the Enterprise foundations blueprint. This blueprint provides prescriptive guidance and automation scripts to help you implement security best practices and configure your Google Cloud resources securely.
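The default network is a concrete case of the implicit trust that the network design and segmentation recommendations above remove: it is created with firewall rules that admit SSH and RDP from any address. The following added example (not code from this page or from Google) audits firewall rules in the Compute API JSON shape for that pattern; the rule names mirror the default network's, but the rules themselves and the corporate address range are constructed.

```python
"""Audit Compute Engine firewall rules for internet-wide ingress.
Added example, not code from the Google Cloud page. Works on firewall rules in
the Compute API JSON shape and flags the implicit trust a default network ships
with: ingress from 0.0.0.0/0 to the SSH/RDP admin ports or to all protocols."""
import ipaddress

SENSITIVE_PORTS = {22, 3389}  # admin ports that must never face the internet

def expand_ports(ports):
    """Expand Compute API port specs ('22', '1000-2000') into a set of ints; no list means every port."""
    if not ports:
        return set(range(0, 65536))
    expanded = set()
    for spec in ports:
        low, _, high = spec.partition("-")
        expanded.update(range(int(low), int(high or low) + 1))
    return expanded

def is_internet_wide(source_ranges):
    """True if any source CIDR is a /0, i.e. the whole IPv4 or IPv6 internet."""
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0
               for c in source_ranges)

def audit_firewall_rules(rules):
    """Return (rule_name, reason) findings for enabled ingress rules open to the entire internet."""
    findings = []
    for rule in rules:
        # Skip disabled or egress rules, and rules with a scoped source range
        # (a scoped source is exactly what a zero-trust design asks for).
        if (rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS"
                or not is_internet_wide(rule.get("sourceRanges", []))):
            continue
        for allowed in rule.get("allowed", []):
            proto = allowed.get("IPProtocol", "all")
            if proto == "all":
                findings.append((rule["name"], "all protocols open to 0.0.0.0/0"))
            elif proto in ("tcp", "udp"):
                exposed = expand_ports(allowed.get("ports")) & SENSITIVE_PORTS
                if exposed:
                    findings.append((rule["name"],
                                     f"{proto} {sorted(exposed)} open to 0.0.0.0/0"))
    return findings

# Constructed sample: the first two mirror the SSH/RDP rules a default network is
# created with; the last two are scoped or non-admin exposure and should pass.
SAMPLE_RULES = [
    {"name": "default-allow-ssh", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-rdp", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-ssh-from-corp", "sourceRanges": ["203.0.113.0/24"],  # constructed corp range
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-https", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
]
```

Feed it the output of a firewall rule export from the project you are reviewing; any finding is a candidate for deletion or for replacement with a source range scoped to IAP or a known corporate egress range.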

Verify every access attempt explicitly

This recommendation is relevant to the following focus areas:

  • Identity and access management
  • Security operations (SecOps)
  • Logging, auditing, and monitoring

Implement strong authentication and authorization mechanisms for any user, device, or service that attempts to access your cloud resources. Don't rely on location or network perimeter as a security control. Don't automatically trust any user, device, or service, even if they are already inside the network. Instead, every attempt to access resources must be rigorously authenticated and authorized. You must implement strong identity verification measures, such as multi-factor authentication (MFA). You must also ensure that access decisions are based on granular policies that consider various contextual factors like user role, device posture, and location.

To implement this recommendation, use the following methods, tools, and technologies:

  • Unified identity management: Ensure consistent identity management across your organization by using a single identity provider (IdP).
    • Google Cloud supports federation with most IdPs, including on-premises Active Directory. Federation lets you extend your existing identity management infrastructure to Google Cloud and enable single sign-on (SSO) for users.
    • If you don't have an existing IdP, consider using Cloud Identity Premium or Google Workspace.
  • Limited service account permissions: Use service accounts carefully, and adhere to the principle of least privilege.
    • Grant only the necessary permissions required for each service account to perform its designated tasks.
    • Use Workload Identity Federation for applications that run on Google Kubernetes Engine (GKE) or run outside Google Cloud to access resources securely.
  • Robust processes: Update your identity processes to align with cloud security best practices.
    • To help ensure compliance with regulatory requirements, implement identity governance to track access, risks, and policy violations.
    • Review and update your existing processes for granting and auditing access-control roles and permissions.
  • Strong authentication: Implement SSO for user authentication and implement MFA for privileged accounts.
    • Google Cloud supports various MFA methods, including Titan Security Keys, for enhanced security.
    • For workload authentication, use OAuth 2.0 or signed JSON Web Tokens (JWTs).
  • Least privilege: Minimize the risk of unauthorized access and data breaches by enforcing the principles of least privilege and separation of duties.
    • Avoid overprovisioning user access.
    • Consider implementing just-in-time privileged access for sensitive operations.
  • Logging: Enable audit logging for administrator and data access activities.
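The service account, least privilege, and just-in-time recommendations above can be checked against an IAM policy as it is returned by the IAM API. This added example (not code from this page or from Google) flags public principals, basic roles granted to service accounts, and standing owner or editor grants to human users that carry no expiring condition; the policy, project, e-mail addresses, and expiry timestamp are constructed.

```python
"""Check a Google Cloud IAM policy for least-privilege violations.
Added example, not code from the Google Cloud page. It reads a policy in the
IAM API JSON shape (bindings of role -> members, optional condition) and flags
public principals, basic roles on service accounts, and standing (non-expiring)
privileged grants to human users that should instead be just-in-time."""

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PRIVILEGED_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

def is_time_bound(binding):
    """Simple heuristic: an IAM condition that references request.time expires."""
    return "request.time" in binding.get("condition", {}).get("expression", "")

def audit_iam_policy(policy):
    """Return a list of (member, role, finding) tuples for risky bindings."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((member, role, "public principal granted a role"))
            elif member.startswith("serviceAccount:") and role in BASIC_ROLES:
                findings.append((member, role,
                                 "basic role on service account; use a narrow predefined or custom role"))
            elif (member.startswith("user:") and role in PRIVILEGED_ROLES
                  and not is_time_bound(binding)):
                findings.append((member, role,
                                 "standing privileged access; use a time-bound (just-in-time) grant"))
    return findings

# Constructed sample policy; the project, e-mail addresses and expiry are made up.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:app@example-proj.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/owner", "members": ["user:oncall@example.com"],
         "condition": {"title": "break-glass until shift end",
                       "expression": "request.time < timestamp('2025-02-05T23:59:59Z')"}},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:reader@example-proj.iam.gserviceaccount.com"]},
    ]
}
```

Only the first three bindings produce findings; the time-bound break-glass owner grant and the narrowly scoped service account binding are the shape the recommendations ask for.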

Monitor and maintain your network

This recommendation is relevant to the following focus areas:

  • Logging, auditing, and monitoring
  • Application security
  • Security operations (SecOps)
  • Infrastructure security

When you plan and implement security measures, assume that an attacker is already inside your environment. This proactive approach involves using the following tools and techniques to provide visibility into your network:

  • Centralized logging and monitoring: Collect and analyze security logs from all of your cloud resources through centralized logging and monitoring.
    • Establish baselines for normal network behavior, detect anomalies, and identify potential threats.
    • Continuously analyze network traffic flows to identify suspicious patterns and potential attacks.
  • Insights into network performance and security: Use tools like Network Analyzer. Monitor traffic for unusual protocols, unexpected connections, or sudden spikes in data transfer, which could indicate malicious activity.
  • Vulnerability scanning and remediation: Regularly scan your network and applications for vulnerabilities.
    • Use Web Security Scanner, which can automatically identify vulnerabilities in your Compute Engine instances, containers, and GKE clusters.
    • Prioritize remediation based on the severity of vulnerabilities and their potential impact on your systems.
  • Intrusion detection: Monitor network traffic for malicious activity and automatically block or get alerts for suspicious events by using Cloud IDS and Cloud NGFW intrusion prevention service.
  • Security analysis: Consider implementing Google SecOps to correlate security events from various sources, provide real-time analysis of security alerts, and facilitate incident response.
  • Consistent configurations: Ensure that you have consistent security configurations across your network by using configuration management tools.
