While cloud helps accelerate business growth through its many benefits, such as massive scalability and agility, it also brings with it new security challenges. Cloud deployments can be quite complex in nature and are susceptible to cyber attacks and data breaches if the right security guardrails are not in place. In Google Cloud, what is known as a “shared fate” model for security dictates that both the cloud service provider and the customer are responsible for implementing security best practices for workload protection. For Google’s part, it provides customers with prescriptive recommendations for security guardrails related to different Google Cloud Platform (GCP) resources that can help ensure end-to-end security of applications in the cloud.
In this blog post, we cover some of the most important security best practices for protecting workloads in GCP environments.
Authentication and authorization
The Google Cloud Identity and Access Management (IAM) service helps you implement the appropriate restrictions for accessing Google Cloud resources. Customers can choose from a number of options for centralized identity management while using Google Cloud, including managing user accounts through Cloud Identity or Cloud Workspace, external IdP, or native Google Sign-In. If you are already using a third-party external IdP, you can leverage single sign-on using SAML to provide your users a seamless and secure experience.
Regardless of the identity service used, there are a few simple best practices that you can adopt to ensure a secure authentication and authorization process. The first step is to secure the super admin account, the highly privileged account used to create the Google Cloud organization. It’s important to use a new, dedicated account rather than an existing one for this purpose and to protect it with multi-factor authentication (MFA).
While granting permissions to resources, you can leverage groups instead of individual user accounts to streamline the access management process.
Google Cloud IAM Policy Analyzer is a handy tool that can be used by administrators to review the level of permissions allocated to IAM principals, like users, groups, and service accounts on Google Cloud resources. Running custom queries can help determine the level of access a specific IAM principal has to a resource and what roles are assigned to those principals. This information helps identify overallocation of permissions and makes it easier to revoke them.
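As an added illustration (not code from the original post or from Google), the following Python reviews a project IAM policy export in the shape that `gcloud projects get-iam-policy PROJECT --format=json` produces and flags the patterns discussed above: basic roles granted directly to individual users or to the default service accounts, and public principals. The sample policy is constructed; the account names in it are placeholders.

```python
import json

# Basic (primitive) roles grant broad access across a whole project.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Principals that expose a resource to anyone, or to any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Suffixes of the auto-created Compute Engine and App Engine service accounts.
DEFAULT_SA_SUFFIXES = ("-compute@developer.gserviceaccount.com", "@appspot.gserviceaccount.com")

# Constructed sample, shaped like `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "group:gcp-admins@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/logging.viewer", "members": ["group:security-team@example.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
""")


def is_default_service_account(member):
    """True for the auto-created Compute Engine / App Engine service accounts."""
    return member.startswith("serviceAccount:") and member.endswith(DEFAULT_SA_SUFFIXES)


def audit_iam_policy(policy):
    """Return (severity, member, role, reason) tuples for bindings worth reviewing."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            kind = member.split(":", 1)[0]  # user, group, serviceAccount, domain, ...
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", member, role, "public principal: resource reachable from the internet"))
            elif role in BASIC_ROLES and is_default_service_account(member):
                findings.append(("HIGH", member, role, "default service account holds a basic role"))
            elif role in BASIC_ROLES and kind == "user":
                findings.append(("HIGH", member, role, "basic role granted to an individual user; grant it to a group instead"))
            elif kind == "user":
                findings.append(("LOW", member, role, "direct user grant; prefer a group"))
    return findings


if __name__ == "__main__":
    for severity, member, role, reason in audit_iam_policy(SAMPLE_POLICY):
        print(f"{severity:5} {role:28} {member}: {reason}")
```

Group grants produce no finding, which matches the recommendation to assign permissions through groups rather than individual accounts.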
Google Cloud organization policies allow you to define specific constraints on Google Cloud resources. In order to get the most out of IAM and organization policies, it is important to understand the differences between the two.
IAM helps to define the “who” and authorizes the IAM principals, like users and groups, to take action on specific cloud resources. Organization policy, on the other hand, defines the “what,” such as how these resources can be configured by IAM principals with assigned permissions. For example, administrators can define a set of allowed IP addresses that can connect to a virtual machine.
Restrictions enabled by organization policies are called constraints and can either be a list or a boolean value. If a defined constraint is not met, it becomes a violation. Violations that already exist when a policy is enforced must be remediated manually, whereas an enforced organization policy prevents new violations proactively. Recommended constraints using organization policies include:
- Enable OS login for VMs (compute.requireOsLogin)
- Restrict users that can remove a shared VPC project lien/lock (compute.restrictXpnProjectLienRemoval)
- Restrict the compute engine instances that can have external IP addresses (compute.vmExternalIpAccess)
- Configure uniform bucket-level IAM access (storage.uniformBucketLevelAccess)
- Prevent cloud storage access from internet (storage.publicAccessPrevention)
- Disable creation of external keys for IAM service accounts (iam.disableServiceAccountKeyCreation)
- Prevent default service accounts of compute engine and app engine from being granted IAM role on projects (iam.automaticIamGrantsForDefaultServiceAccounts)
- Restrict assignment of public IP addresses on Cloud SQL (sql.restrictPublicIp)
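To check an organization against the constraints listed above, the following added Python (not from the original post or from Google) compares effective organization policies with the recommended settings: every boolean constraint should be enforced, and compute.vmExternalIpAccess, the one list constraint, should deny all values. The input is assumed to be in the v1 OrgPolicy JSON shape that `gcloud resource-manager org-policies describe CONSTRAINT --effective --format=json` returns; the sample policies are constructed.

```python
# Recommended constraints from the list above. Boolean constraints must be enforced;
# compute.vmExternalIpAccess is a list constraint and should deny all values.
RECOMMENDED_BOOLEAN = (
    "constraints/compute.requireOsLogin",
    "constraints/compute.restrictXpnProjectLienRemoval",
    "constraints/storage.uniformBucketLevelAccess",
    "constraints/storage.publicAccessPrevention",
    "constraints/iam.disableServiceAccountKeyCreation",
    "constraints/iam.automaticIamGrantsForDefaultServiceAccounts",
    "constraints/sql.restrictPublicIp",
)
RECOMMENDED_DENY_ALL = ("constraints/compute.vmExternalIpAccess",)

# Constructed sample of effective policies in the v1 OrgPolicy JSON shape (assumption:
# the shape `gcloud resource-manager org-policies describe --effective --format=json` returns).
# An unenforced boolean constraint comes back as an empty booleanPolicy object.
SAMPLE_EFFECTIVE = [
    {"constraint": "constraints/compute.requireOsLogin", "booleanPolicy": {"enforced": True}},
    {"constraint": "constraints/storage.publicAccessPrevention", "booleanPolicy": {}},
    {"constraint": "constraints/compute.vmExternalIpAccess",
     "listPolicy": {"allowedValues": ["projects/demo-project/zones/us-central1-a/instances/bastion"]}},
    {"constraint": "constraints/iam.disableServiceAccountKeyCreation", "booleanPolicy": {"enforced": True}},
]


def audit_org_policies(effective_policies):
    """Return (constraint, problem) tuples for recommended constraints that are not in effect."""
    by_name = {p["constraint"]: p for p in effective_policies}
    violations = []
    for name in RECOMMENDED_BOOLEAN:
        # A constraint that is absent from the export is treated as not enforced.
        enforced = by_name.get(name, {}).get("booleanPolicy", {}).get("enforced", False)
        if not enforced:
            violations.append((name, "boolean constraint not enforced"))
    for name in RECOMMENDED_DENY_ALL:
        list_policy = by_name.get(name, {}).get("listPolicy", {})
        if list_policy.get("allValues") != "DENY":
            allowed = list_policy.get("allowedValues", [])
            problem = "allows " + ", ".join(allowed) if allowed else "not set to deny all values"
            violations.append((name, problem))
    return violations


if __name__ == "__main__":
    for constraint, problem in audit_org_policies(SAMPLE_EFFECTIVE):
        print(f"{constraint}: {problem}")
```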
Google Cloud offers the flexibility of shared virtual private cloud (VPC) networks, which can connect cloud resources from different projects through a common network. Using the concept of a host and service project, authorized resources in the service project can access subnets in the host project VPC. This enables cloud resources to connect to each other securely using internal IP addresses. The principle of least privilege can be employed here so that only a limited set of users have administrative rights on the shared VPC, while other users continue to manage resources connected to the network.
All projects have a default network created that has subnets in every cloud region. However, most of these networks could become redundant and cause IP overlap issues. Creating custom mode VPCs is therefore recommended since this allows for better control over the IP range, regions, and more.
You can further secure the resources deployed in a network with VPC service controls. These controls allow you to define security perimeters so that access to resources is restricted to clients within the perimeter. It is recommended mainly for preventing data exfiltration from services like Cloud Storage and BigQuery. The security is not IAM identity-based, but rather contextual in order to prevent sensitive data egress.
The Google Private Access service allows VMs connected to Virtual Private Cloud (VPC) to access Google as well as third-party APIs securely without external IP addresses. You can enable this configuration to access Google services in production environments or connect from serverless deployments (e.g., App Engine or Cloud Function) to workloads in VPC networks. Private Access ensures that traffic stays within the Google Cloud backbone network, making it more secure.
Log monitoring to identify anomalies is an important aspect of cloud security. The Google Cloud operations suite offers a number of services enabling collection of logs from different sources, including firewall rules, VPC flow logs, data access audit logs, and access transparency logs. Using the fully managed Google Cloud Logging service, you can collect, store, and analyze logs from all of these sources.
For centralized management of logs, you can create aggregated sinks to combine and route log entries from all cloud resources in an organization or folder to a Cloud Storage bucket, Pub/Sub topic, or BigQuery dataset. Other Google Cloud operations suite services, such as Cloud Monitoring, Cloud Trace, and Cloud Profiler, can provide additional insights regarding the performance and security status of your workloads.
Key and secret management
In addition to securing the data and control plane of your applications, it is important to ensure that the keys and secrets you use for this remain protected. The Google Cloud Key Management Service (KMS) offers centralized and managed key management for your cloud-hosted workloads. Customers can choose between software-based encryption keys or FIPS 140-2 Level 3-compliant HSMs for hardware-protected keys. GCP’s External Key Management (EKM) service also makes it easy to integrate third-party key management services.
For protecting configuration information required at runtime, such as database passwords, TLS certificates, and APIs, Google Cloud facilitates integration with its Secret Manager service. Secret data (like credentials or keys) is stored, version controlled, and managed centrally using this service.
Google Cloud provides a layered security framework for infrastructure, where the Google Cloud data centers, hardware, and associated access controls follow industry best practices. However, customers should implement the required security guardrails for services like virtual machines and containers for end-to-end security.
The OS patch management service in Google Cloud ensures Windows and Linux distributions are updated with the latest patches. For container OS, the Container Analysis service can be used to identify OS and software vulnerabilities. In addition, you should use the built-in vulnerability and drift detection capabilities of the Security Command Center to get a better understanding of the overall security posture and deviation from security standards.
In environments prone to malware and ransomware attacks, integrating Google Cloud Threat Intelligence for Chronicle brings the industry-leading VirusTotal malware database and its visualization tools into the backend of your detection workflow.
By default, Google encrypts all data at rest using AES-256 before writing it to a hard disk or storage system. On the backend, Google uses a FIPS 140-2 validated encryption module for all production deployment encryptions. You can choose between GCP’s default managed encryption or customer-managed encryption keys (CMEK), where the keys can be created, enabled, disabled, and rotated using KMS. This is helpful in scenarios where you need control over the key management process using appropriate IAM permissions.
Ensure transit data security using front-end services like HTTPS External Load Balancers/SSL Proxy Load Balancers or by using secure connectivity services like Cloud VPN or Cloud Interconnect. GCP’s Binary Authorization service offers end-to-end software supply-chain security of containerized applications hosted on GKE, Cloud Run, and Anthos. The service prevents deployment of containerized applications that do not meet a set of defined security policies.
To encrypt data in use by VMs, opt for confidential VMs that feature the latest security capabilities offered by CPUs like 3rd Gen AMD EPYC. Confidential VMs ensure that data remains encrypted, even while it is being processed by hosted applications.
In addition to the best practices mentioned above, it’s important to consider integration with a SIEM solution for end-to-end threat visibility and investigation. Google Cloud natively provides these capabilities through Chronicle SIEM, which is part of Chronicle Security Operations Suite. For security posture and risk management of Google Cloud assets, GCP offers its Security Command Center Premium service. Google Cloud also offers DDoS protection out of the box through Cloud Armor.
These are just some of GCP’s robust security tools.
Third-party integrations for GCP security
In today’s ever-evolving threat landscape, augmenting native GCP security capabilities using specialized, third-party tools is a must. If you have an extensive workload footprint in GCP, threat detection and mitigation should be automated and integrated as much as possible. The Vulcan Cyber® risk remediation platform provides end-to-end control of the risk lifecycle.
The Vulcan Cyber GCP connector connects to your GCP environments in just a few steps. Once configured, the connector collects the GCP inventory, providing a detailed overview of vulnerabilities associated with Google Cloud resources.
Vulcan provides contextual information about the risks associated with your cloud resources and prioritizes the mitigation process, an especially helpful feature for large-scale deployments that span multiple cloud environments, as well as hybrid and on-premises environments. Vulcan’s remediation intelligence also creates structured mitigation plans using patches, scripts, workarounds, and more for quick remediation of the vulnerabilities that affect you most.