Your company has a Google Cloud project that uses BigQuery for data warehousing.
They have a VPN tunnel between the on-premises environment and Google Cloud that is configured with Cloud VPN.
The security team wants to avoid data exfiltration by malicious insiders, compromised code, and accidental oversharing.
What should they do?
Reference: https://cloud.google.com/vpc-service-controls/docs/overview

The security team's objective is to prevent data exfiltration by malicious insiders, compromised code, and accidental oversharing. To achieve this, they need to implement appropriate security measures. Let's examine each option:
Option A: Configure Private Google Access for on-premises only. Private Google Access enables VM instances without external IP addresses to reach Google APIs and services, including BigQuery, using internal IP addresses. However, this option only addresses the connectivity between the on-premises environment and Google Cloud. It does not provide any protection against data exfiltration by insiders or compromised code.
Option B: Perform the following tasks: 1. Create a service account. 2. Give the BigQuery JobUser role and Storage Reader role to the service account. 3. Remove all other IAM access from the project. This option limits access to the BigQuery and Storage APIs to a specific service account. By removing all other IAM access from the project, only the designated service account can interact with BigQuery and Storage. However, this option does not prevent accidental oversharing of data, as the service account could still be used to grant access to unauthorized users.
Option C: Configure VPC Service Controls and configure Private Google Access. VPC Service Controls lets an organization place projects and their Google-managed services inside a service perimeter, so that the BigQuery and Storage APIs can only be reached from within that perimeter regardless of what IAM permissions a caller holds. By configuring VPC Service Controls, the organization can restrict access to the BigQuery and Storage APIs to only authorized parties. Private Google Access (for on-premises hosts, through the restricted Google APIs endpoint reached over the Cloud VPN tunnel) can be used to further restrict access to the BigQuery and Storage APIs to only the on-premises environment. This option provides comprehensive protection against data exfiltration.
Option D: Configure Private Google Access. As mentioned earlier, Private Google Access enables VM instances without external IP addresses to reach Google APIs and services, including BigQuery, using internal IP addresses. However, this option only addresses the connectivity between the on-premises environment and Google Cloud. It does not provide any protection against data exfiltration by insiders or compromised code.
Therefore, option C, Configure VPC Service Controls and configure Private Google Access, is the best solution for preventing data exfiltration by malicious insiders, compromised code, and accidental oversharing.
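As an added illustration of what option C looks like in practice (this is example Terraform written for this page, not configuration from Google or from the original question), the following defines a service perimeter around the data-warehouse project that restricts the BigQuery and Storage APIs, plus the Cloud DNS zone and route that send on-premises API traffic to the restricted Google APIs endpoint over the VPN. The organization id, project number, network name and the `warehouse` perimeter name are assumed placeholders.

```hcl
# Added example, not part of the original page. Placeholders to replace:
variable "org_id"         { default = "000000000000" }          # placeholder organization id
variable "project_id"     { default = "example-warehouse" }     # placeholder project id
variable "project_number" { default = "000000000000" }          # placeholder project number
variable "network"        { default = "warehouse-vpc" }         # placeholder VPC name

# Access Context Manager policy that owns the perimeter (one per organization).
resource "google_access_context_manager_access_policy" "org_policy" {
  parent = "organizations/${var.org_id}"
  title  = "org-access-policy"
}

# The service perimeter: BigQuery and Cloud Storage inside the warehouse project
# can only be called from inside the perimeter. IAM grants alone no longer let a
# caller outside the perimeter (or a compromised workload) read or copy data out.
resource "google_access_context_manager_service_perimeter" "warehouse" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}/servicePerimeters/warehouse"
  title  = "warehouse"
  status {
    resources           = ["projects/${var.project_number}"]
    restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
  }
}

# Private Google Access for on-premises hosts: resolve *.googleapis.com to the
# restricted VIP (199.36.153.4/30), which only serves APIs that honour perimeters.
resource "google_dns_managed_zone" "googleapis" {
  project    = var.project_id
  name       = "googleapis-restricted"
  dns_name   = "googleapis.com."
  visibility = "private"
  private_visibility_config {
    networks {
      network_url = "projects/${var.project_id}/global/networks/${var.network}"
    }
  }
}

resource "google_dns_record_set" "restricted_a" {
  project      = var.project_id
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "restricted.googleapis.com."
  type         = "A"
  ttl          = 300
  rrdatas      = ["199.36.153.4", "199.36.153.5", "199.36.153.6", "199.36.153.7"]
}

resource "google_dns_record_set" "googleapis_cname" {
  project      = var.project_id
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "*.googleapis.com."
  type         = "CNAME"
  ttl          = 300
  rrdatas      = ["restricted.googleapis.com."]
}

# Route for the restricted VIP so traffic arriving over the VPN reaches Google APIs
# through the VPC (the on-prem side must advertise/forward 199.36.153.4/30 and
# forward googleapis.com DNS queries to Cloud DNS for this to take effect).
resource "google_compute_route" "restricted_vip" {
  project          = var.project_id
  name             = "restricted-googleapis"
  network          = var.network
  dest_range       = "199.36.153.4/30"
  next_hop_gateway = "default-internet-gateway"
}
```

Before enforcing, run the perimeter in dry-run mode (the resource's `spec` block with `use_explicit_dry_run_spec = true`) and review the VPC Service Controls audit log entries it produces; those denied-in-dry-run records show exactly which principals and paths would be cut off, which is also the signal to alert on once enforcement is live.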