Memo: Learn Security, Identity, Access

Supanut Laddayam
2 min read · May 17, 2024


This section focuses on the Security, Identity & Access services on GCP.

<Identity & Access>

  • IAM: Fine-grained identity & access control for Google Cloud resources (who can do what on which resource, via roles bound to principals).
  • Cloud Identity: Centrally manage users & groups (the principals IAM refers to).
  • BeyondCorp: Zero-trust secure access, with threat & data protection, based on user and device context instead of network location.
  • Identity-Aware Proxy (IAP): Central authorization layer in front of web apps and VMs; guards access (e.g. SSH/RDP to a VM) without exposing the VM to the internet or requiring a VPN.

<Security>

  • Cloud Data Loss Prevention (DLP, now Sensitive Data Protection): Detect, classify & protect sensitive info (inspect, then mask/tokenize/redact), e.g. personally identifiable information (PII) and protected health information (PHI).
  • Security Command Center: Centralized security & risk management platform, e.g. misconfiguration and vulnerability findings, threat detection, threat prevention.
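As an added example (not part of the original memo and not the DLP API itself), the Python below emulates the two operations the service is built around: inspect, which returns findings tagged with an infoType, and de-identify, which masks them while keeping a few trailing characters. The infoType names mirror DLP's naming, but the detectors here are plain regexes, the sample text is constructed, and the Luhn check is included to show why a real detector needs more than a pattern match to avoid false positives.

```python
"""Detect and mask sensitive data in text: a minimal stand-in for what
Cloud DLP / Sensitive Data Protection does (inspect -> findings,
de-identify -> masked output). Added illustration, not Google's code."""
import re

# Constructed detectors: infoType name -> pattern. Real DLP combines many
# more signals (checksums, context words, dictionaries) than one regex.
INFO_TYPES = {
    "EMAIL_ADDRESS": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "US_SOCIAL_SECURITY_NUMBER": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CREDIT_CARD_NUMBER": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

# Constructed sample input (no real identities).
SAMPLE = ("Contact jane.doe@example.com, SSN 123-45-6789, "
          "card 4111 1111 1111 1111, order 1234567890123 (not a card).")


def inspect(text):
    """Return findings as (info_type, start, end, quote), sorted by offset."""
    findings = []
    for name, pattern in INFO_TYPES.items():
        for m in pattern.finditer(text):
            findings.append((name, m.start(), m.end(), m.group()))
    return sorted(findings, key=lambda f: f[1])


def luhn_ok(digits):
    """Luhn checksum; used to drop CREDIT_CARD_NUMBER false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def deidentify(text, keep_last=4, mask_char="#"):
    """Mask each finding, keeping the last `keep_last` characters
    (similar in spirit to DLP's CharacterMaskConfig). Card-shaped numbers
    that fail the Luhn check are treated as false positives and left alone."""
    out = []
    pos = 0
    for name, start, end, quote in inspect(text):
        if start < pos:
            continue            # overlaps a finding already masked
        if name == "CREDIT_CARD_NUMBER" and not luhn_ok(re.sub(r"\D", "", quote)):
            continue
        out.append(text[pos:start])
        visible = quote[-keep_last:] if keep_last else ""
        out.append(mask_char * (len(quote) - len(visible)) + visible)
        pos = end
    out.append(text[pos:])
    return "".join(out)


if __name__ == "__main__":
    for finding in inspect(SAMPLE):
        print(finding)
    print(deidentify(SAMPLE))
```

Running it lists four findings (the 13-digit order number is flagged as a card by the regex), but the masked output leaves that order number intact because it fails Luhn; in the real service the equivalent knobs are the infoType's built-in validation and the likelihood threshold you set on the inspect job.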

<Directory>

  • Directory service: Service that names and locates resources (users, machines, printers, groups) on a network.
  • Active Directory (AD): Microsoft's directory service; manages multiple on-premises infrastructure components using a single identity per user.
  • Managed Service for Microsoft Active Directory (Managed Microsoft AD): Google Cloud's managed AD domain, which can be trusted with the on-premises domain so one set of identities covers both the data center and Google Cloud.
  • Identity Provider (IdP): Manages identity information and performs authentication on behalf of the applications that rely on it.
  • Single Sign-On (SSO): One authentication lets the user access many different systems without logging in again.
  • Lightweight Directory Access Protocol (LDAP): Protocol for accessing and maintaining distributed directory information services. Contrast same-sign-on: the same credentials work everywhere, but the user must enter them at every login.
  • Google Cloud Directory Sync (GCDS): Lets admins synchronize users & groups from Active Directory / an LDAP server into Cloud Identity (one-way, from the on-premises directory to Google).

<GCP Resource Hierarchy>

  • Organization: Root node; defines settings, permissions & policies and lets you centrally manage your Google Cloud resources.
  • Folder: Group of projects (or sub-folders), e.g. one per department.
  • Project: Group of service-level resources, e.g. one per environment.
  • Resource: Service-level object that runs the workload (VM, bucket, database, ...).

IAM policies and organization policies set on a node are inherited by everything below it, so the folder layout decides where access can be scoped. 3 hierarchy strategies:
1. Environment-oriented hierarchy: One Org that contains one folder per environment (Dev, Stg, Prod) => simple to implement.
2. Function-oriented hierarchy: One Org that contains one folder per business function.
3. Granular-access-oriented hierarchy: One Org that contains one folder per business unit, so IAM can be scoped tightly per unit => most granular, but also the most to maintain.
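As an added example (not from the original memo and not Google's code), the short Python model below shows how IAM allow policies bound at the organization, folder and project levels are inherited down the resource hierarchy described above. All resource names, principals and bindings are constructed. The point a practitioner should take away is that inheritance is additive: a role granted on a folder or the organization cannot be removed at a lower level, so find_scope_leaks() reports where a principal's access extends beyond the folder you intended.

```python
"""Effective IAM allow-policy evaluation across the GCP resource hierarchy.

Added illustration, not Google's code: allow policies bound at organization,
folder and project level are inherited downward and unioned, so a role
granted higher up cannot be subtracted by a lower-level policy.
All resource names, principals and bindings below are constructed."""
from collections import defaultdict

# Constructed hierarchy: child -> parent (the organization has parent None).
PARENT = {
    "organizations/123456": None,
    "folders/prod": "organizations/123456",
    "folders/dev": "organizations/123456",
    "projects/prod-web": "folders/prod",
    "projects/dev-sandbox": "folders/dev",
}

# Constructed allow policies: resource -> list of {role, members} bindings.
POLICIES = {
    "organizations/123456": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:gcp-org-admins@example.com"]},
        {"role": "roles/viewer",
         "members": ["group:security-auditors@example.com"]},
    ],
    "folders/prod": [
        {"role": "roles/compute.admin",
         "members": ["group:sre@example.com"]},
    ],
    "projects/prod-web": [
        {"role": "roles/viewer",
         "members": ["user:contractor@example.com"]},
    ],
    "projects/dev-sandbox": [
        {"role": "roles/editor",
         "members": ["user:dev@example.com"]},
    ],
}


def ancestry(resource):
    """Return the resource and its ancestors, nearest first, up to the org."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = PARENT[resource]
    return chain


def effective_bindings(resource):
    """Union of bindings from the resource and every ancestor: {role: set(members)}.

    Inheritance is additive; an allow policy lower in the tree has no way to
    remove a role that was granted on a folder or on the organization."""
    eff = defaultdict(set)
    for node in ancestry(resource):
        for binding in POLICIES.get(node, []):
            eff[binding["role"]].update(binding["members"])
    return dict(eff)


def roles_for(principal, resource):
    """Roles a principal holds on a resource, direct or inherited (sorted)."""
    return sorted(role for role, members in effective_bindings(resource).items()
                  if principal in members)


def find_scope_leaks(principal, intended_scope):
    """Resources outside the subtree rooted at `intended_scope` where the
    principal still holds roles: {resource: [roles]}. A binding placed on
    the organization or a folder reaches every descendant, which is the
    usual way a 'read-only auditor' group ends up with access everywhere."""
    leaks = {}
    for res in PARENT:
        if intended_scope in ancestry(res):
            continue                      # inside the intended subtree
        roles = roles_for(principal, res)
        if roles:
            leaks[res] = roles
    return leaks


if __name__ == "__main__":
    print(roles_for("group:security-auditors@example.com", "projects/dev-sandbox"))
    print(find_scope_leaks("group:sre@example.com", "folders/prod"))
    print(find_scope_leaks("group:security-auditors@example.com", "folders/prod"))
```

With these constructed policies the SRE group's compute.admin role stays inside folders/prod, while the auditors' viewer role granted on the organization shows up on folders/dev and projects/dev-sandbox as well; the same reasoning is why the function- or granular-access-oriented layouts exist, so that bindings can be placed on the narrowest folder that still covers the people who need them.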

<Pricing>

  • Free trial: Introductory period with trial credits for new accounts.
  • Free tier: Monthly usage allowance, per product, that stays free up to a limit.
  • Committed use discount: Discount in exchange for a 1- or 3-year usage commitment.
  • Sustained use discount: Automatic saving when a resource runs for a large part of the month.
  • Spot VM: Cheaper compute that can be preempted (interrupted) at any time.
  • Flat-rate: Stable, predictable cost for queries (BigQuery only).
  • Sole-tenant node: Dedicated physical host for your VMs only.

<Billing>

  • Cloud Billing account: Cloud-level resource that tracks all costs of the projects linked to it and produces a single invoice (covers GCP charges only).

2 types:

1. Self-serve (online) account: paid by credit or debit card.
2. Invoiced (offline) account: paid by check or bank transfer.

3 built-in reports:
1. Billing report: graph-based visualization of cost over time.
2. Cost table report: line-item breakdown used to analyze the details of an invoice.
3. Cost breakdown report: waterfall overview of how the monthly charge adds up (usage, credits, discounts, taxes).

  • Payments profile: Google-level resource; processes payment for ALL Google services, not only GCP.
    2 types:
    1. Individual: personal payments; users cannot be added or removed.
    2. Business: for an organization or partnership; users can be added or removed.


