UMD Google Cloud Platform Services Frequently Asked Questions (FAQ)


What is the goal and primary motivation for setting up GCP?

Google Cloud Platform (GCP) is a suite of cloud computing services that is unique because of its integration with Google Workspace. The University of Maryland (UMD) GCP is currently active and open with no management or controls in place. The Research Technology team’s goal is to configure an organizational hierarchy, establish roles and permissions, enable basic security features and document a billing process that will enable campus stakeholders to use GCP while allowing the Division of Information Technology to maintain an appropriate level of security and uniformity, and to ensure consistent implementations and support across projects.

How can people access the GCP console?

The UMD GCP leverages existing IAM configurations for UMD Google Workspace in order to create and provision identities, and integrates with the UMD CAS for access. All active UMD Google Workspace account holders can visit console.cloud.google.com and authenticate into UMD GCP.

In general, project and resource access is determined based on roles, and will be configured such that only designated admins can create Billing Accounts and Projects (these are the basis of all resource usage in GCP).

Can students use GCP?

Students may leverage sponsored UMD Google Workspace accounts to access GCP or Project Owners can add students to their projects using their @terpmail.umd.edu identities.

How will billing and GCP work?

UMD partnered with the Burwood Group to support the billing process for our GCP implementation. To provision GCP services, your business office representative works with DIT Research Computing and Burwood. The GCP Billing Process document explains the process in more detail.

How does billing work? Do we get quotes or use existing campus quotes similar to AWS?

Each college (or smaller unit) will manage their own billing and interface with Burwood Group (our reseller), their billing portal and the GCP billing portal.

One of the most common requirements for our researchers is the ability to buy credits ahead of time for projects so that they can use them as needed. Can this be done through the new billing process?

This new implementation allows researchers to work with Research Technology Services and Google to acquire credits. The new billing process will accommodate GCP credits.

Who is going to be a system admin for the platform?

Because of the hierarchical structure of GCP, system administration will be distributed across support groups within DIT, local department IT support staff and the GCP Project Owner. Organizational admins for GCP will be DIT staff, primarily from the Research Technology, Unified Communications, Security and Network teams.

Folder and sub-folder admins will be local to each department or unit, ideally starting with the technical contacts for the group. Custom roles will be reused at the folder level in order to delegate administrative tasks while limiting permissions to a specific area of the GCP hierarchy.

How will permissions and roles be managed?

Google Workspace for Education Super Admins can grant themselves the Organization Administrator role in GCP at any time, so Super Admin access will need to continue to be carefully controlled and monitored. For other admins (Billing, Project, Folder, etc.), GCP predefined roles are assigned according to the responsibility of the administrator. Roles can be bound to individual users or to Google Groups (which assigns the role to every group member). Broadly permissioned roles (Org Admin, Owner, etc.) will only be assigned to individual users, never to groups. Google Groups will be used for custom roles at the College / Division level. Project Owners will manage roles within their projects, via individual or group assignment.
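The rules above (broad roles only on individuals, groups only for scoped roles) are easy to state and easy to drift from once Project Owners manage their own bindings. The following script is an added example, not DIT's own tooling: it audits an IAM policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json` and flags bindings that break those rules. The set of "broad" roles and the sample policy are constructed for illustration.

```python
"""Audit a GCP IAM policy against the role-assignment rules in this FAQ.

Added example, not DIT tooling. Assumes the policy JSON is in the shape
returned by `gcloud projects get-iam-policy PROJECT --format=json`:
a "bindings" list of {"role": ..., "members": [...]}.
"""
import json

# Roles treated as "broadly permissioned" and restricted to individual users.
# The exact set is an assumption; extend it to match the organization's rules.
BROAD_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/resourcemanager.organizationAdmin",
    "roles/resourcemanager.folderAdmin",
    "roles/billing.admin",
}

# Principals that grant access to everyone, or everyone with a Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy: one compliant Owner binding, a group holding
# Owner, a public grant on Viewer, and a stale binding for a deleted user.
SAMPLE_POLICY = json.dumps({
    "etag": "BwXyz123",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:pi@umd.edu", "group:lab-admins@umd.edu"]},
        {"role": "roles/viewer",
         "members": ["group:lab-members@umd.edu", "allAuthenticatedUsers"]},
        {"role": "roles/compute.instanceAdmin.v1",
         "members": ["user:student@terpmail.umd.edu",
                     "deleted:user:old@umd.edu?uid=123"]},
    ],
})


def audit_policy(policy_json: str) -> list[dict]:
    """Return one finding per (role, member) pair that violates the rules."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            kind = member.split(":", 1)[0]  # user, group, serviceAccount, domain, deleted
            if member in PUBLIC_MEMBERS:
                findings.append({"role": role, "member": member,
                                 "issue": "public principal"})
            elif role in BROAD_ROLES and kind != "user":
                # Broad roles must be bound to named individuals, not to
                # groups, service accounts or whole domains.
                findings.append({"role": role, "member": member,
                                 "issue": "broad role not bound to an individual"})
            elif kind == "deleted":
                # Bindings for deleted principals are inert but should be
                # cleaned up so the policy stays reviewable.
                findings.append({"role": role, "member": member,
                                 "issue": "stale binding for deleted principal"})
    return findings


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"{f['issue']}: {f['role']} -> {f['member']}")
```

Run it against real output by piping `gcloud projects get-iam-policy` (or the folder/organization equivalents) into `audit_policy`; the same check applies at every level of the hierarchy, which is where a group holding Owner would be most damaging.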

What security measures are you implementing?

Security Command Center

The Security Command Center provides visibility into all of the resources in the GCP environment. The tool detects anomalies in GCP logging, and analyzes GCP resources in order to provide a list of findings, vulnerabilities, and threats.

Logging

The GCP environment is configured with Cloud Logging (formerly Stackdriver), and logs are exported to the DIT Splunk indexes for monitoring and reporting.

Firewall Rules

By default, a custom-mode VPC has no user-defined firewall rules, only the implied rules that deny all ingress and allow all egress, so nothing in the VPC is reachable from outside until rules are added. During the provisioning process, the DIT team creates firewall rules in your custom VPC to allow connectivity testing (ICMP) and remote management from campus source addresses, using RDP for Windows instances and SSH for Linux instances. Similar rules are created to allow connectivity between subnets (us-central1, us-east1) when requested.
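The point of the management rules above is that SSH and RDP are reachable from campus only; the most common way that guarantee erodes is a later rule with a 0.0.0.0/0 source or an "all ports" allow. The following is an added example, not DIT's provisioning tooling: it reads rules in the JSON shape produced by `gcloud compute firewall-rules list --format=json` and flags any ingress rule that exposes 22 or 3389 to a source outside the trusted ranges. The campus ranges are placeholders (documentation prefixes), not UMD's real address space; the 10.62.0.0/15 GCP private range is the one named elsewhere in this FAQ.

```python
"""Flag VPC firewall rules that expose SSH/RDP beyond campus.

Added example, not DIT tooling. Assumes rules in the JSON shape produced by
`gcloud compute firewall-rules list --format=json` ("direction",
"sourceRanges", "allowed" entries with "IPProtocol" and optional "ports").
"""
import ipaddress
import json

# Placeholder campus ranges (RFC 5737 documentation prefixes); substitute the
# real ones. 10.62.0.0/15 is the private space reserved for GCP in this FAQ.
TRUSTED_RANGES = [ipaddress.ip_network(n) for n in
                  ("192.0.2.0/24", "198.51.100.0/24", "10.62.0.0/15")]

# Remote-management ports this FAQ says are opened from campus only.
MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp"}

# Constructed sample rule set: ICMP from anywhere (allowed by the FAQ),
# SSH from campus, RDP from anywhere, an all-TCP rule from a lab's own
# address space, and an internal all-protocol rule between GCP subnets.
SAMPLE_RULES = json.dumps([
    {"name": "allow-icmp", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "icmp"}]},
    {"name": "allow-ssh-campus", "direction": "INGRESS", "sourceRanges": ["192.0.2.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-rdp-any", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-all-tcp-lab", "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["1-65535"]}]},
    {"name": "allow-internal", "direction": "INGRESS", "sourceRanges": ["10.62.0.0/15"],
     "allowed": [{"IPProtocol": "all"}]},
])


def management_ports(entry: dict) -> set[int]:
    """Management ports covered by one 'allowed' entry ("22", "1-65535", or all)."""
    proto = entry["IPProtocol"].lower()
    if proto not in ("tcp", "all"):
        return set()
    if "ports" not in entry:  # no "ports" key means every port of the protocol
        return set(MANAGEMENT_PORTS)
    hit = set()
    for spec in entry["ports"]:
        lo, _, hi = spec.partition("-")
        lo, hi = int(lo), int(hi or lo)
        hit.update(p for p in MANAGEMENT_PORTS if lo <= p <= hi)
    return hit


def is_trusted(cidr: str) -> bool:
    """True if the source range lies entirely inside one trusted range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_RANGES)


def audit_rules(rules_json: str) -> list[dict]:
    """Return one finding per enabled ingress rule exposing 22/3389 to an untrusted source."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        ports = set()
        for entry in rule.get("allowed", []):
            ports |= management_ports(entry)
        if not ports:
            continue
        untrusted = [r for r in rule.get("sourceRanges", []) if not is_trusted(r)]
        if untrusted:
            findings.append({"rule": rule["name"], "ports": sorted(ports),
                             "sources": untrusted})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f['rule']}: ports {f['ports']} open to {f['sources']}")
```

Rules keyed on source tags or service accounts have no `sourceRanges` and pass silently here; that is deliberate for this check, but a full review should also confirm which instances carry those tags.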

Intrusion Detection / Prevention

Intrusion detection findings are reported by default and tracked in the Security Command Center. The native detection is report-only and will not block anything; third-party IDS or IPS products can be deployed as required but are not a native GCP product. Data classification of resources will be determined on a case by case basis and aligned with the University's security policy. All access is captured in the Cloud Audit Logs and is viewable in Cloud Logging (formerly Stackdriver), which is configured with a retention period of 1 year. Note that Cloud Logging's own defaults are shorter (400 days for Admin Activity audit logs and 30 days for the _Default bucket), so the retention period should be verified on the log buckets rather than assumed.

Will the network configuration require integration with campus systems? What is the long term plan?

The initial vision for GCP is that it will not directly integrate with campus networks or systems, thus no Interconnect or VPN is planned between campus and GCP at this time. Initially, it is also not anticipated that projects will need to talk to each other, so default subnets should be acceptable for our first use cases.

In the event we need to create hybrid connectivity in the future, a private IP space has been reserved for GCP that we will be able to use (10.62.0.0/15, which covers 10.62.0.0 through 10.63.255.255). GCP offers three solutions to support hybrid connectivity: Cloud Interconnect, Cloud VPN and Peering. Collaboration with the platform engineering, network and security teams will be required prior to establishing hybrid connectivity.

What support contracts are available for GCP via University of Maryland?

UMD's GCP implementation has a Role Based Support Agreement with Google for production issues. All technical support requests go through Research Computing, which opens the ticket with Google. All billing issues are directed to our partner, the Burwood Group. Each UMD GCP project has the option to purchase additional support from Google or the Burwood Group through UMD's GCP contract; contact Research Technology Services for details.

Is GCP HIPAA compliant?

General use of GCP for HIPAA data is not permitted at this time on the UMD GCP implementation. DIT continues to work with the UMD data steward and compliance owner for HIPAA data to establish processes and practices for the appropriate collection, processing, storage and maintenance of HIPAA data in the Cloud. If you have any questions about HIPAA data, contact Research Technology Services.

What are other schools doing in terms of GCP implementation?

Do you have a more detailed plan or information document?

As part of the implementation project, we are creating an As-Built doc with our implementation partner and drafting a DIT Runbook for submission to the Runbook Committee.

There may be multiple projects on GCP associated with umd.edu email addresses. Do you need all of those migrated to campus agreement? Is there a similar requirement for terpmail.umd.edu email addresses?

Most of the existing GCP projects are using free tier provided through GCP.  Do you require those to migrate as well?

We will make a best effort to migrate all existing Free Tier projects. We are also assessing whether Free Tier projects can still be created without coordinating with department IT and Research Technology Services.

Would permissions be delegated to department IT to manage individual projects by us?

We have developed a permissions delegation model in order to allow management of projects and billing.

When would this service be available for us to be able to take advantage of?

We are piloting GCP with a few researchers now, and new projects can be onboarded at this point. The migration of projects will occur over the next 6 months.

Is Google Earth Engine part of GCP environment?

Google Earth Engine does not appear in the Google Cloud Pricing Calculator. Many of our users use Google Earth Engine, so it is important for us to understand whether resources beyond the free tier can be purchased and whether it is covered by the GCP contract. We are currently researching this service and will provide more details in the future.