Last year ( 2021) I managed to visit a number of castles in Wales. It got me thinking how much the medieval castles were designed with defence in depth and how similar it is to applying defence in depth when using Google Cloud.
A medieval castle has layers of defences here’s a list of some of them ( and yes I am aware I have left some parts out but if this post entices you to learn more about medieval castles there are plenty of great posts that dive into the detail.) :
Inhospitable terrain - They were often built in terrain which would slow down attacks from invaders . Surrounded by hills were a common location.
Traps- Traps hidden in the terrain heading towards the castle would also be a feature that could be found in some castles
Towers & Turrets - used to look out for invaders approaching the castle. Towers were built from the ground up while turrets were built on top of the walls
Watch towers - The name is pretty explanatory. Used to look at the surrounding terrain and used as an early warning system of approaching invaders
Moat - Many castles were surrounded by moats - a body of water that surrounded the castle . In some cases there could be an inner most surrounding the keep.
Drawbridge - The bridge over the moat. This bridge could be drawn up to make it harder for invaders to breach the castle
Portcullis - Defensive gate for the main entrance to the castle
Ramparts - These are the defensive walls that surround the main castle ( battlements are ramparts built at the top of castle walls )
Arrow slits - Archers would use these to fire arrows at approaching invaders while keeping themselves protected behind the big stone walls of the castle
Keep - The main living area of the castle located within the main walls of the castle.
Murder holes - Strategically built holes that can be found in the ceiling of the gateway or built into the outside walls used to throw large objects and hot stuff such as tar and boiling oils onto invaders
This photo I took of Caerphilly castle has some of the defenses I listed .
You may now be asking that is all very interesting and probably thinking that murder holes were aptly named but how do medival castle defences map to using Google cloud? Well let’s look at each of the defences I mentioned and see what that looks like when designing your defences when using google cloud. There are variations on my mappings that you can easily make though and as everything overlaps you can place some controls against other Castle controls.
Inhospitable terrain - Cloud Armor to provide Denial of Service and Web Application Firewall (WAF) protection for applications and services hosted on Google Cloud.
Towers & Turrets - Detect anomalous activity . Cloud Audit Logs ; Cloud IDS to help detect network-based threats such as malware ; Security Command Center to aggregate and monitor for adverse activities , Use ETD to monitor for dubious activity ; Chronicle to retain, analyze, and search massive amounts of security and network telemetry that provides the ability to correlate, and analyze data to provide instant analysis and context on risky activity
Watch towers - Detect anomalous activity . Cloud Audit Logs ; Cloud IDS to help detect network-based threats such as malware ; Security Command Center to aggregate and monitor for adverse activities , Use ETD to monitor for dubious activity ; Chronicle to retain, analyze, and search massive amounts of security and network telemetry that provides the ability to correlate, and analyze data to provide instant analysis and context on risky activity
Moat - VPC Service Controls to provide a perimeter around your GCP resources. Use Organization policy constraints to configure restrictions on how your organization’s resources can be used . To Define and establish guardrails
Drawbridge - BeyondCorp Implement zero trust techniques , Cloud Armor to provide Denial of Service and Web Application Firewall (WAF) protection for applications and services hosted on Google Cloud
Portcullis - Cloud IAM to implement least privilege. BeyondCorp to Implement zero trust techniques
Ramparts - Hierarchical firewall to create and enforce a consistent firewall policy across your organization.
Arrow slits - I know I may be stretching it a bit here but humour me. Here we are using controls that provide a way to reverse or prevent anomalous behaviour. Use Binary Authorization to sign images by trusted authorities during the development process and then enforce signature validation when deploying. Use cloud functions or Cloudrun via eventarc to react to events identified in audit logs. Cloud Armor WAF rules
Keep - Cloud IAM to implement least privilege, Implement VPC firewall rules patching , container scanning
As for traps & Murder holes there isn’t anything directly that I could map to and tbh I am glad there isn’t as planning traps and murder holes is a very dubious practice.