1. Hash Passwords
2. Allow for third-party identity providers if possible
3. Separate the concept of user identity and user account
4. Allow multiple identities to link to a single user account
5. Don’t block long or complex passwords
6. Don’t impose unreasonable rules for usernames
7. Allow users to change their username
8. Let your users delete their accounts
9. Make a conscious decision on session length
10. Use 2-Step Verification
11. Make user IDs case insensitive
12. Build a secure auth system
To secure VM instances, there are a variety of scenarios in which you want to keep the instances from being reached from the public internet:
Protecting services on machines with external IP addresses
- Firewalls
- HTTPS and SSL
- Port forwarding over SSH
- SOCKS proxy over SSH
Connecting to instances without external IP addresses
- Bastion hosts and SSH forwarding
- Cloud IAP for TCP forwarding
- VPN
- NAT gateway for egress
- Interactive serial console access
- HTTPS and SSL proxy load balancers
For details, please refer to the link [2].
For reference, here are further general approaches to strengthening security [3].
Note that this link contains information which has not been directly endorsed by Google.
[1] https://cloud.google.com/blog/products/gcp/12-best-practices-for-user-account
[2] https://cloud.google.com/solutions/connecting-securely
[3] https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/october/securing-google-cloud-platform-ten-best-practices/