The October GCP NET+ Tech Share covered compliance challenges in GCP, SSL certificate renewal periods, and networking security issues in higher education. Here's a summary of the key discussions:
Recent Events Recap
Two significant events preceded this Tech Share:
- The Google Rapid Innovation Team (RIT) Project Pitch Session showcased several innovative projects.
- The NET+ GCP SAB meeting in NYC featured these RIT project pitches and a presentation from Washington University on GCP Support Plan challenges.
Upcoming Events
Several important events are on the horizon:
- Are you leveraging GCP to power your research or innovate cloud strategies on campus? Share your insights! Submit your Cloud Forum proposal by December 20th
- Webinar on NET+ AWS, NET+ GCP, NET+ Kion, and CICP (October 31, 11am PT/2pm ET)
- R&E FinOps Virtual Conference - January 23, 2025 10am-2pm PST/ 1-5pm EST (tentative)
Compliance in GCP
Vanderbilt University raised concerns about compliance in GCP, particularly in light of new CMMC changes. Key points of discussion included:
- Challenges of self-auditing vs. external audits for Controlled Unclassified Information (CUI)
- Difficulties in maintaining compliance in distributed environments
- The need for tooling or partnerships to provision compliant accounts whose guardrails cannot be undone by project owners after the fact
- Interest in publicly available Terraform scripts (or other infrastructure as code) for setting security baselines
Jeff from Google mentioned a dedicated team that supports compliance audits and shared resources.
Jeff will look internally to see if there is a team working on IaC for automated compliance checks.
SSL Certificate Renewal and Network Security
The discussion shifted to SSL certificate management and network security:
- Apple has proposed capping the maximum validity of publicly trusted TLS certificates at 45 days, while Google's roadmap proposes 90 days; in either case, manual renewal stops being viable and renewal has to be automated
- Tailscale was suggested as a way to reach servers with restricted network access so that certificate renewal can be automated (an ACME client using the DNS-01 challenge is another option, since it needs no inbound connectivity to the host)
- Penn State University expressed interest in moving towards hierarchical firewall policies, applied at the organization or folder level, to simplify complex routing and peering for compliance requirements
Northwestern University shared their experience with Next-Generation Firewall (NGFW) in their Secure Enclave setup, noting challenges with licensing and idle resources.
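The baseline-as-code idea raised in the compliance discussion and the hierarchical firewall policies Penn State asked about fit together: a firewall policy attached to a folder is evaluated before any project-level VPC rule, so a project owner cannot remove it from inside the project. The following Terraform is an added example, not code shared at the Tech Share or by Google, showing one such folder-level baseline for a folder of regulated (CUI) projects. The folder ID is a placeholder, and the IAP source range 35.235.240.0/20 is Google's published range for Identity-Aware Proxy TCP forwarding.

```terraform
# Added example (not from the Tech Share or Google): a folder-level hierarchical
# firewall policy that enforces an admin-access baseline no project owner can
# undo from inside a project. The folder ID below is a placeholder.

variable "folder_id" {
  description = "Numeric ID of the folder holding regulated (CUI) projects (placeholder)"
  type        = string
  default     = "123456789012"
}

resource "google_compute_firewall_policy" "cui_baseline" {
  parent      = "folders/${var.folder_id}"
  short_name  = "cui-baseline"
  description = "Organization-managed baseline for regulated workloads"
}

# Admin access is permitted only through Identity-Aware Proxy TCP forwarding.
# 35.235.240.0/20 is Google's published IAP source range. A lower priority
# number is evaluated first, so this rule must precede the deny rule below.
resource "google_compute_firewall_policy_rule" "allow_iap_admin" {
  firewall_policy = google_compute_firewall_policy.cui_baseline.id
  priority        = 900
  direction       = "INGRESS"
  action          = "allow"
  enable_logging  = true
  description     = "Allow SSH/RDP only from the IAP TCP forwarding range"
  match {
    src_ip_ranges = ["35.235.240.0/20"]
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["22", "3389"]
    }
  }
}

# Block direct SSH/RDP from anywhere else. Logging is enabled so that denied
# attempts reach Cloud Logging (and from there a SIEM) as audit evidence.
resource "google_compute_firewall_policy_rule" "deny_admin_from_internet" {
  firewall_policy = google_compute_firewall_policy.cui_baseline.id
  priority        = 1000
  direction       = "INGRESS"
  action          = "deny"
  enable_logging  = true
  description     = "Deny SSH/RDP from any other source"
  match {
    src_ip_ranges = ["0.0.0.0/0"]
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["22", "3389"]
    }
  }
}

# Attaching the policy to the folder is what makes it apply to every project
# underneath it, including projects created later.
resource "google_compute_firewall_policy_association" "cui_folder" {
  name              = "cui-baseline-association"
  attachment_target = "folders/${var.folder_id}"
  firewall_policy   = google_compute_firewall_policy.cui_baseline.id
}
```

Traffic that matches neither rule falls through to the folder's implied goto_next rule and is then evaluated by the project's own VPC firewall rules, so teams keep control of application ports while the admin-access baseline stays out of their reach. Apply the same pattern with EGRESS rules to pin down where regulated workloads may send data, and keep the Terraform state for this module in a bucket the project owners cannot write to, otherwise the "cannot be undone" property only holds for as long as nobody re-runs the plan.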
Future Discussions
The challenges around SSL certificate renewals on network-restricted machines naturally circled back to the conversation about compliance. This prompted planning a networking session with GCP Networking SMEs to address secure access for regulated workloads that remains user-friendly and manageable for IT administrators.
Be sure to check out the other blog posts we've written. As always, feel free to send any feedback to tmanik[at]internet2[dot]edu.