Conformity Google Cloud Platform data source setup

Procedure

1. For customers that do not already have Conformity, sign up for a free trial.
   1. Go to the sign up form.
      https://cloudone.trendmicro.com/trial
   2. Provide all the required information and complete the reCAPTCHA.
   3. Agree to the terms and conditions, privacy notice, and data collection notice.
   4. Click Sign Up.
   5. Click the Verify Email link in the confirmation email sent to your business email account.
   6. Sign in to activate your Trend Cloud One console.
      Allow a few moments to provision your new console.
   7. Specify an Account Alias for your account.
      You can change your alias later using the console.
   8. Specify the Region in which Trend Cloud One stores all of your data.
   9. Click Continue.
2. Ensure that you go to Google Cloud and enable all APIs that Conformity requires.
   1. Sign in to Google Cloud.
   2. In the left menu, click APIs & Services.

      

   3. Verify that all of the following APIs display in the Enabled APIs & services table.

      API Keys API BigQuery API Cloud Dataproc API Cloud DNS API Compute Engine API

      Cloud Key Management Service (KMS) API Cloud Logging API Cloud Pub/Sub API Cloud Resource Manager API

      Cloud SQL Admin API Cloud Storage API Identity and Access Management (IAM) API Kubernetes Engine API

      

   4. Enable all missing APIs by repeating the following steps.
      1. Click ENABLE APIS AND SERVICES.

         

      2. Search for the API name and click the correct result.
      3. Click Enable.

         

3. Create the Google Cloud role for usage with the Conformity service account.
   1. In the left menu, go to IAM & Admin → Roles.

      

   2. Click CREATE ROLE.

      

   3. Specify the Title and ID for the new role.
   4. (Optional) Provide a description.
   5. Do not modify the default Role launch stage: Alpha.
   6. Click ADD PERMISSIONS.

      

   7. Next to the Filter, type the name of the permission.

      

      The role requires all of the 34 following permissions:

      apikeys.keys.list bigquery.datasets.get bigquery.tables.get cloudkms.cryptoKeys.getIamPolicy cloudkms.cryptoKeys.list cloudkms.keyRings.list cloudkms.locations.list cloudSql.instances.list compute.backendServices.list compute.firewalls.list compute.globalForwardingRules.list compute.images.getIamPolicy

      compute.images.list compute.instances.list compute.networks.list compute.projects.get compute.sslPolicies.list compute.subnetworks.list compute.targetHttpsProxies.list compute.targetSslProxies.list compute.urlMaps.list container.clusters.list dataproc.clusters.list

      dns.managedZones.list dns.policies.list iam.serviceAccounts.get logging.logMetrics.list logging.sinks.list monitoring.alertPolicies.list pubsub.topics.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy storage.buckets.getIamPolicy storage.buckets.list

   8. Select the permission in the list and click Add.

      

   9. Repeat for all permissions.
   10. After adding all the required permissions, select the check box at the top of the list for each page until all 34 permissions have been assigned.

       

   11. Click CREATE.
4. Create the service account in Google Cloud used for the Conformity integration.
   1. In Google Cloud, select the project that you want to protect with Conformity.
   2. In the left menu, go to IAM & Admin → Service Accounts.
   3. Click CREATE SERVICE ACCOUNT.

      

   4. Specify the Service account name, an optional Description, and click CREATE AND CONTINUE.

      

   5. Select the customer role you created in step 3 by clicking the Select a role field and locating the role.

      

   6. Click CONTINUE.
   7. Click DONE.

      Note You do not need to grant users access to this service account.

   8. Create the key used by the service account.
      1. In the Action column for the service account you just created, click the button and Manage keys.

         

      2. Click ADD KEY and Create new key.

         

      3. Leave the default JSON key type and click CREATE.

         

      4. Save the generated JSON file in a secure location for use in the Conformity console.

   Important Add the service account to all projects that you want to protect with Conformity.

5. Create you GCP Project account in Conformity.
   1. Sign in to Trend Cloud One.
   2. Click Conformity.
   3. Click GCP Project and click Next.
   4. Specify the display name of the service account used in the Conformity console.

      Note The display name does not need to match the name of the service account in Google Cloud.

   5. Upload the JSON file containing the Google Cloud service account key generated in step 4 and click Next.

      

   6. Select all the Google Cloud projects that you would want to protect using Conformity and click Next.

      Note You can only Google Cloud projects view that you assigned the service account to in the Google Cloud console.

      

   7. Review the settings and click Finish.
6. Connect Conformity with Attack Surface Risk Management using an API Key.
   1. Go to the home screen of the Trend Cloud One console, and click User Management.
   2. In the left menu, click API Keys.
   3. Click New.
   4. Specify the API Key Alias.
   5. In Role, select Read Only.
   6. Click Next.
   7. Copy the API Key immediately.

      Important You cannot access the API Key again after closing the dialog. Copy and store the API Key in a safe location.

   8. In the Trend Vision One console, open the Trend Cloud One - Conformity Data Source panel.
   9. Paste the API Key from Conformity in the API Key field.
   10. Acknowledge that your Conformity data may be transferred to another data center based on the Trend Vision One data center.
   11. Click Save.