Introducing VPC Service Controls with Private IPs to increase the protection against data exfiltration
GCP VPC service controls
Organisations can reduce the risk of data exfiltration from their Google Cloud managed services by using Google Cloud's VPC Service Controls. To help you restrict access to your sensitive data, VPC Service Controls (VPC-SC) builds isolation perimeters around networks and cloud services.
Google Cloud VPC service controls
Google Cloud today announced support for private IP addresses in VPC Service Controls. This new feature allows protected resources to be accessed by traffic from specific internal networks only.
Expanding the use of VPC-SC to safeguard resources within private IP address space
With defined perimeters that are accessible only to authorised users and resources, VPC-SC helps prevent data exfiltration to unauthorised Cloud organisations, folders, projects, and resources. Customers using VPC-SC can enforce least-privilege access to Google Cloud managed services through its extensive access rule features. With this new feature, customers can now grant access to resources within a service perimeter from specific on-premises environments.
Enterprise security teams can define fine-grained perimeter restrictions and enforce that security posture across many Google Cloud services and projects using VPC Service Controls. To scale their security controls easily, users can create, update, and remove resources inside service perimeters.
Crucially, customers can designate private IP address ranges of a VPC network in basic access levels. By attaching these access levels to ingress and egress rules, which impose granular access controls for Google services, customers can extend perimeters into private address space.
Google Cloud recommends a single macro, or "mega," perimeter as best practice, since it is simple to scale and administer. Private IP support now gives customers with particular use cases that call for finer-grained segmentation more options.
Here are a few use cases where the private IP functionality offered by VPC Service Controls might help you create a more secure infrastructure.
Use case: extending your on-premises environment to a secure cloud perimeter
For access-evaluation purposes, VPC Service Controls treats a customer's on-premises environment as a single network. Consequently, network-based access controls are enforced for the entire on-premises environment. Because only certain on-premises clients need access to the VPC-SC perimeter, some customers are concerned about over-provisioning access. Private address-based ingress and egress rules can now be applied to on-premises systems, enabling more granular access control from on-premises workloads to perimeter resources.
Use case: segmenting your cloud projects in a Shared VPC
As part of evaluating a request, VPC-SC checks whether the source network belongs to a project inside the trusted perimeter. In Shared VPC setups the network is owned by the host project and shared with the service projects, so customers were previously unable to place the host and service projects in separate perimeters. With support for private address-based ingress and egress rules, the host and service projects can now sit in separate perimeters, with access between them granted by the rules. This also limits the number of unapproved services that can reach the protected resources.
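The following configuration is an added illustration (not from the original post or from Google's documentation) of the two pieces needed for the Shared VPC case above and for the basic access levels described earlier: a basic access level that names a private subnet range of the host project's VPC, and an ingress rule on the service project's perimeter that admits only that access level. `HOST_PROJECT_ID`, `SERVICE_PROJECT_ID`, `SERVICE_PROJECT_NUMBER`, `POLICY_ID`, the network name, the subnet range and the service-account name are placeholders.

```yaml
# --- level.yaml: basic access level spec (gcloud --basic-level-spec) ---
# Matches only traffic whose source is the 10.10.0.0/24 subnet of the
# Shared VPC network owned by the host project. Any other on-premises or
# cloud source, even inside the same VPC, does not satisfy the level.
- vpcNetworkSources:
  - vpcSubnetwork:
      # network resource name; HOST_PROJECT_ID and shared-vpc are placeholders
      network: //compute.googleapis.com/projects/HOST_PROJECT_ID/global/networks/shared-vpc
      vpcIpSubnetworks:
      - 10.10.0.0/24      # placeholder: the application subnet only
# Create it with:
#   gcloud access-context-manager levels create shared_vpc_app_subnet \
#     --policy=POLICY_ID --title="Shared VPC app subnet" \
#     --basic-level-spec=level.yaml

---
# --- ingress.yaml: ingress policy for the SERVICE project's perimeter ---
# Admits requests from the access level above, but only for one workload
# identity and one service, rather than opening the perimeter to the whole
# host project network. Tighten methodSelectors further where possible.
- ingressFrom:
    identities:
    - serviceAccount:app-sa@SERVICE_PROJECT_ID.iam.gserviceaccount.com  # placeholder
    sources:
    - accessLevel: accessPolicies/POLICY_ID/accessLevels/shared_vpc_app_subnet
  ingressTo:
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: "*"      # narrow to the specific methods the workload needs
    resources:
    - projects/SERVICE_PROJECT_NUMBER  # placeholder: protected service project
# Apply it with:
#   gcloud access-context-manager perimeters update service_perimeter \
#     --policy=POLICY_ID --set-ingress-policies=ingress.yaml
```

Apply the perimeter change in dry-run mode first and review the VPC-SC audit logs for denied requests from other subnets, which confirms the range in the access level is the only one admitted.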
Case study: increasing security at MSCI with VPC Service Controls
MSCI, a well-known provider of critical services and tools for the global investment industry, uses cloud computing for more than just infrastructure; it is the foundation on which MSCI builds innovation.
In their pursuit of secure, scalable, and agile computing, MSCI and Google Cloud have been working together since 2022. MSCI's Google Cloud environment, built on its commitment to cutting-edge technology, is a well-planned mix of services that includes Compute Engine, BigQuery, and Kubernetes Engine.
MSCI turned to VPC-SC to protect sensitive data while taking advantage of the scalability offered by the cloud. The sensitivity of the data, and the resulting need for a defense-in-depth strategy that could secure it at several layers, drove this choice. On top of Google's cloud-native controls, such as IAM and firewall rules, VPC Service Controls gave MSCI an extra line of defense with its strict ingress and egress restrictions. MSCI also had precise requirements for granular, private IP-based access at the subnetwork level.
“Access to protected resources for particular private IP ranges within the VPC network is made possible by the newly added VPC private address support feature, which gives MSCI the ability to establish precise constraints. Better detailing in MSCI’s security configurations is the outcome of this breakthrough.” According to Sandesh D’Souza, executive director of Cloud Engineering at MSCI, “the bespoke solution has emerged as a key addition in the organization’s security repository, particularly for its support of private IP management, which demonstrates the immense potential of cloud technology when combined with planning and collaborative solution-building.”
Next steps
For the majority of Google Cloud users, VPC Service Controls is a fundamental security measure. With support for private IPs, it can give customers more precise controls to better suit their needs. Before enforcing a configuration in production, you can verify it using the recently released VPC Service Controls dry-run mode.