Google Cloud Platform (GCP) is a suite of cloud computing services that is unique because of its integration with Google Workspace. The University of Maryland (UMD) GCP is currently active and open with no management or controls in place. The Research Technology team’s goal is to configure an organizational hierarchy, establish roles and permissions, enable basic security features and document a billing process that will enable campus stakeholders to use GCP while allowing the Division of Information Technology to maintain an appropriate level of security and uniformity, and to ensure consistent implementations and support across projects.
The UMD GCP leverages existing IAM configurations for UMD Google Workspace in order to create and provision identities, and integrates with the UMD CAS for access. All active UMD Google Workspace account holders can visit console.cloud.google.com and authenticate into UMD GCP.
In general, project and resource access is determined based on roles, and will be configured such that only designated admins can create Billing Accounts and Projects (these are the basis of all resource usage in GCP).
Students may leverage sponsored UMD Google Workspace accounts to access GCP or Project Owners can add students to their projects using their @terpmail.umd.edu identities.
UMD partnered with the Burwood Group to support the billing process for our GCP implementation. To provision GCP services successfully, your business office representative collaborates with DIT Research Computing and Burwood. The GCP Billing Process document explains this in more detail.
Each college (or smaller unit) will manage their own billing and interface with Burwood Group (our reseller), their billing portal and the GCP billing portal.
This new implementation allows researchers to work with Research Technology Services and Google to acquire credits. The new billing process will accommodate GCP credits.
Because of the hierarchical structure of GCP, system administration for GCP will be distributed across support groups within DIT, local department IT support staff and the GCP Project Owner. Organizational admins for GCP will be DIT staff, primarily from the Research Technology, Unified Communications, Security, and Network teams.
Folder and sub-folder admins will be local to each department or unit, ideally starting with the technical contacts for the group. Custom roles will be reused at the folder level to delegate administrative tasks while limiting permissions to a specific area of GCP.
All Google Workspace for Education Super Admins have the capability within GCP to modify their own roles at will, so Super Admin access will need to continue to be carefully controlled and monitored. For other admins (Billing, Project, Folder, etc.), GCP predefined roles are assigned according to the responsibility of the administrator. Roles can be attached to individual users or to Google Groups (thus assigning the role to all group members). Broadly permissioned roles (Org Admin, Owner, etc.) will only be assigned at the individual level. Google Groups will be used for custom roles at the College / Division level. Project owners will manage roles within their projects, via individual or group assignment.
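The delegation model described above (broad roles only to individuals, custom roles to Google Groups at the folder level, project owners managing their own project roles, and only designated admins able to create billing accounts and projects) can be written down as infrastructure code. The following Terraform for the hashicorp/google provider is an added example, not UMD's or DIT's own configuration; the organization id, folder id, project id, role id and every user and group address are placeholders to be replaced with real values.

```hcl
# Added example, not UMD/DIT configuration: the delegation model described above,
# expressed in Terraform for the hashicorp/google provider.
# Placeholders (assumed, substitute real values): the organization id, the college
# folder id, the project id, the custom role id, and every identity and group address.

locals {
  org_id            = "000000000000"          # placeholder organization id
  college_folder_id = "folders/111111111111"  # placeholder folder for one college/unit
  project_id        = "example-research-project"
}

# Broadly permissioned roles are bound to named individuals only, never to groups.
resource "google_organization_iam_member" "org_admin" {
  org_id = local.org_id
  role   = "roles/resourcemanager.organizationAdmin"
  member = "user:gcp-org-admin@umd.edu"   # placeholder individual
}

# Only designated admins may create billing accounts. The *_iam_binding resource is
# authoritative for its role, so applying it also removes GCP's default grant of
# roles/billing.creator to every account in the Workspace domain.
resource "google_organization_iam_binding" "billing_creators" {
  org_id  = local.org_id
  role    = "roles/billing.creator"
  members = ["user:gcp-billing-admin@umd.edu"]   # placeholder individual(s)
}

# Same treatment for organization-wide project creation: keep the authoritative
# member list short and delegate per-folder creation through the custom role below.
resource "google_organization_iam_binding" "org_project_creators" {
  org_id  = local.org_id
  role    = "roles/resourcemanager.projectCreator"
  members = ["user:gcp-org-admin@umd.edu"]
}

# Custom role scoped to folder administration: create and list projects under a
# folder, nothing organization-wide.
resource "google_organization_iam_custom_role" "folder_admin" {
  role_id = "umdFolderAdmin"   # assumed role id
  org_id  = local.org_id
  title   = "UMD Folder Admin (example)"
  permissions = [
    "resourcemanager.folders.get",
    "resourcemanager.folders.list",
    "resourcemanager.projects.create",
    "resourcemanager.projects.get",
    "resourcemanager.projects.list",
  ]
}

# Folder-level delegation to a Google Group for the college or unit: every member of
# the group receives the custom role, limited to this folder and its children.
resource "google_folder_iam_member" "college_admins" {
  folder = local.college_folder_id
  role   = google_organization_iam_custom_role.folder_admin.id
  member = "group:college-gcp-admins@umd.edu"   # placeholder group
}

# Inside a project, the project owner manages roles directly: a lab group by
# Google Group, a student by @terpmail.umd.edu identity.
resource "google_project_iam_member" "lab_group" {
  project = local.project_id
  role    = "roles/compute.instanceAdmin.v1"
  member  = "group:lab-members@umd.edu"   # placeholder group
}

resource "google_project_iam_member" "student" {
  project = local.project_id
  role    = "roles/viewer"
  member  = "user:student@terpmail.umd.edu"   # placeholder student identity
}
```

The distinction between `*_iam_member` and `*_iam_binding` matters here: a member resource adds one principal to a role without touching others, while a binding resource replaces the full member list for that role, which is what actually enforces "only designated admins" against GCP's domain-wide defaults.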
The Security Command Center provides visibility into all of the resources in the GCP environment. The tool detects anomalies in GCP logging, and analyzes GCP resources in order to provide a list of findings, vulnerabilities, and threats.
The GCP environment is configured with Stackdriver logging, and logs are pushed to the DIT Splunk indexes for monitoring and reporting.
By default, custom VPCs have no firewall rules, so only the implied deny-all-ingress rule applies and nothing on the custom VPC is reachable. During the provisioning process, the DIT team creates firewall rules in your custom VPC to allow connectivity testing (ICMP) and remote management from campus using RDP for Windows instances and SSH for Linux instances. Similar rules are created to allow connectivity between subnets (us-central1, us-east1) when requested.
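The rule set described above, written as Terraform for the hashicorp/google provider, is an added example and not DIT's provisioning code. The project id, VPC and subnet names, subnet ranges and the campus source range are assumptions; 192.0.2.0/24 is an RFC 5737 documentation range standing in for the real campus CIDRs.

```hcl
# Added example, not UMD/DIT configuration: provisioning-time firewall rules for a
# custom VPC, in Terraform for the hashicorp/google provider.
# Assumed placeholders: project id, VPC and subnet names, subnet ranges, and the
# campus source ranges (192.0.2.0/24 is a documentation range, not a campus network).

variable "campus_cidrs" {
  description = "Campus source ranges allowed to reach instances (placeholder)"
  type        = list(string)
  default     = ["192.0.2.0/24"]
}

locals {
  project_id = "example-research-project"
}

# Custom-mode VPC: no auto-created subnets and no firewall rules, so the implied
# deny-all-ingress rule leaves every instance unreachable until rules are added.
resource "google_compute_network" "research" {
  name                    = "research-vpc"
  project                 = local.project_id
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "central" {
  name          = "research-us-central1"
  project       = local.project_id
  region        = "us-central1"
  network       = google_compute_network.research.id
  ip_cidr_range = "10.62.0.0/24"   # assumed allocation
}

resource "google_compute_subnetwork" "east" {
  name          = "research-us-east1"
  project       = local.project_id
  region        = "us-east1"
  network       = google_compute_network.research.id
  ip_cidr_range = "10.62.1.0/24"   # assumed allocation
}

# Connectivity testing from campus: ICMP only, campus source ranges only.
resource "google_compute_firewall" "icmp_from_campus" {
  name          = "allow-icmp-from-campus"
  project       = local.project_id
  network       = google_compute_network.research.name
  direction     = "INGRESS"
  source_ranges = var.campus_cidrs
  allow {
    protocol = "icmp"
  }
}

# Remote management from campus. Target tags limit exposure to instances that opt in,
# and firewall logging feeds the Stackdriver logs that are forwarded to Splunk.
resource "google_compute_firewall" "ssh_from_campus" {
  name          = "allow-ssh-from-campus"
  project       = local.project_id
  network       = google_compute_network.research.name
  direction     = "INGRESS"
  source_ranges = var.campus_cidrs
  target_tags   = ["linux-managed"]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

resource "google_compute_firewall" "rdp_from_campus" {
  name          = "allow-rdp-from-campus"
  project       = local.project_id
  network       = google_compute_network.research.name
  direction     = "INGRESS"
  source_ranges = var.campus_cidrs
  target_tags   = ["windows-managed"]
  allow {
    protocol = "tcp"
    ports    = ["3389"]
  }
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# Created only on request: traffic between the two subnets, limited to their ranges.
resource "google_compute_firewall" "between_subnets" {
  name          = "allow-between-subnets"
  project       = local.project_id
  network       = google_compute_network.research.name
  direction     = "INGRESS"
  source_ranges = [
    google_compute_subnetwork.central.ip_cidr_range,
    google_compute_subnetwork.east.ip_cidr_range,
  ]
  allow {
    protocol = "tcp"
  }
  allow {
    protocol = "udp"
  }
  allow {
    protocol = "icmp"
  }
}
```

The weak variant to watch for in review is the same SSH or RDP rule with `source_ranges = ["0.0.0.0/0"]` and no `target_tags`, which exposes management ports on every instance in the VPC to the Internet; the campus-only source ranges and opt-in tags above are what keep the default-deny posture meaningful.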
IDS is enabled and reporting by default in GCP and is tracked in the Security Command Center. IDS will not block anything; third-party IDS or IPS products can be deployed as required but are not a native GCP product. Data classification of resources will be determined on a case-by-case basis and aligned with the University's security policy. All access will be captured in the audit logs and viewable in Stackdriver, which has a default retention of 1 year.
The initial vision for GCP is that it will not directly integrate with campus networks or systems, thus no Interconnect or VPN is planned between campus and GCP at this time. Initially, it is also not anticipated that projects will need to talk to each other, so default subnets should be acceptable for our first use cases.
In the event we need to create hybrid connectivity in the future, a private IP space has been defined for GCP that we will be able to use (10.62.0.0/15). GCP offers three solutions to support hybrid connectivity: Cloud Interconnect, Cloud VPN and Peering. Collaboration with the platform engineering, network and security teams will be required prior to establishing hybrid connectivity.
UMD's GCP implementation has a Role Based Support Agreement with Google for production issues. All users providing technical support will go through Research Computing to open a ticket with Google. All billing issues are directed to our partner, the Burwood Group. Each user GCP project has the option to purchase additional support from Google or the Burwood Group through UMD's GCP contract; contact Research Technology Services for details.
General use of GCP for HIPAA data is not permitted at this time on the UMD GCP implementation. DIT continues to work with the UMD data steward and compliance owner for HIPAA data to establish processes and practices for the appropriate collection, processing, storage, and maintenance of HIPAA data in the cloud. If you have any questions about HIPAA data, contact Research Technology Services.
As part of the implementation project, we are creating an As-Built doc with our implementation partner and drafting a DIT Runbook for submission to the Runbook Committee.
There may be multiple projects on GCP associated with umd.edu email addresses. Do you need all of those migrated to the campus agreement? Is there a similar requirement for terpmail.umd.edu email addresses?
We will perform best efforts to migrate all existing Free Tier projects. The new implementation is assessing the current ability to create free tier projects without collaboration with department IT and Research Technology Services.
We have developed a permissions delegation model in order to allow management of projects and billing.
We are piloting GCP with a few researchers now, and new projects can be onboarded at this point. The migration of projects will occur over the next 6 months.
This does not show up on the Google Cloud Pricing Calculator. Many of our users use Google Earth Engine. It would be important for us to understand if we can purchase resources beyond the free tier and if it is part of the GCP contract. We are currently researching this service and will provide more details in the future.