If you’ll be at Google Next this week in San Francisco, stop by booth S1739 and check out a demo of how we help secure public cloud environments.
Google has been making some great inroads with their cloud expansion. As with AWS and Azure, developers can adopt Google Cloud Platform (GCP) easily, seeking features for use in their application stacks. Also, with the wide adoption of containers and Kubernetes, Google’s leadership in developing container technologies has earned them a reputation as a great cloud option to run these types of workloads. Finally, some organizations are choosing GCP to augment their multi-cloud strategy.
As stated in my previous AWS and Azure blog posts, no two clouds are alike. So, we must be mindful of what the basic security settings are for GCP. While there are significant differences in the details of how to secure GCP compared to other cloud platforms, one tenet remains the same: security is a shared responsibility. You can’t assume Google will secure the cloud for you. Educating yourself is key. I recommend the following resources for in-depth information on security-centric and other cloud-focused best practices to help you get the most out of Google Cloud:
- Google Security Whitepaper
- Best Practices for Enterprise Organizations
- A Security Practitioner's Guide to Best Practice GCP Security (Cloud Next ’18)
With that, let’s dive into the fundamentals. The following are eight challenges and best practices to help you mitigate risk in Google Cloud.
1. Visibility
Like other clouds, GCP resources can be ephemeral, which makes it difficult to keep track of assets. According to our research, the average lifespan of a cloud resource is two hours and seven minutes. And many companies have environments that involve multiple cloud accounts and regions. This leads to decentralized visibility, and since you can’t secure what you can’t see, this makes it difficult to detect risks.
Best Practice: Use a cloud security offering that provides visibility into the volume and types of resources (virtual machines, load balancers, virtual firewalls, users, etc.) across multiple projects and regions in a single pane of glass. Having visibility and an understanding of your environment enables you to implement more granular policies and reduce risk. While GCP’s native Cloud Security Command Center works well, monitoring at scale or across clouds requires third-party visibility from platforms such as RedLock by Palo Alto Networks.
2. Resource hierarchy
One of the basic principles in GCP is the resource hierarchy. While other clouds have hierarchical resource systems, GCP’s is very flexible, allowing admins to create nodes in different ways and apply permissions at any of them. This can create sprawl very quickly, and confusion when it comes to determining at which level in the hierarchy a permission was applied. For example, GCP allows the creation of Folders, Teams, Projects and Resources under an Organization.
Best Practice: Create a hierarchy that closely matches your organization’s corporate structure. Or, if you currently don’t have a well-defined corporate structure, create one that makes sense and takes future growth and expansion into account.
3. Privilege and scope
GCP IAM allows you to control access by defining who has what access to which resource. The IAM resources in play are Users, Roles and Resources. Understanding how to apply policies to these resources is essential to implementing least-privilege access in your GCP environment.
Best Practice: Instead of applying permissions directly to users, add users to well-defined Groups and assign Roles to those Groups, thereby granting permission to the appropriate resources only. Make sure to use custom roles, as built-in roles could change in scope.
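Because a binding on a Folder or Organization is inherited by everything beneath it, the question "where was this permission applied?" from the resource hierarchy section and the "groups, not users; custom roles, not built-in" advice above can be checked with the same walk. The following is an added example, not code from the original post or from RedLock: the hierarchy, the policy bindings and the principal names are constructed, and GCP inheritance is modelled as the union of bindings on a resource's ancestor chain.

```python
"""Resolve effective IAM roles through a GCP-style resource hierarchy and
flag bindings that contradict the least-privilege advice in the post.

Added example with constructed data; policy inheritance is modelled as:
a binding on a node applies to that node and every descendant.
"""
from collections import defaultdict

# Constructed hierarchy: child -> parent (None marks the Organization root).
PARENT = {
    "organizations/123": None,
    "folders/engineering": "organizations/123",
    "projects/web-prod": "folders/engineering",
    "projects/web-dev": "folders/engineering",
}

# Constructed IAM policies, shaped like the `bindings` list returned by
# `gcloud ... get-iam-policy --format=json`: one dict per role with members.
POLICIES = {
    "organizations/123": [
        {"role": "roles/resourcemanager.organizationViewer",
         "members": ["group:all-engineers@example.com"]},
    ],
    "folders/engineering": [
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
    ],
    "projects/web-prod": [
        {"role": "projects/web-prod/roles/deployer",
         "members": ["group:web-oncall@example.com"]},
    ],
}

# The three basic roles are the broadest of the built-in roles.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def ancestors(node):
    """Yield the node itself, then each parent up to the Organization."""
    while node is not None:
        yield node
        node = PARENT[node]


def effective_roles(resource):
    """Map each member to the set of (role, node_where_bound) pairs it
    holds on `resource`. Walking the ancestor chain makes the level at
    which a permission was applied visible next to the role itself."""
    result = defaultdict(set)
    for node in ancestors(resource):
        for binding in POLICIES.get(node, []):
            for member in binding["members"]:
                result[member].add((binding["role"], node))
    return dict(result)


def is_custom_role(role):
    """Custom roles live under a project or organization; predefined and
    basic roles all start with `roles/`."""
    return role.startswith(("projects/", "organizations/"))


def audit_bindings(policies):
    """Flag roles granted directly to a user instead of a group, and basic
    roles, which should be replaced by narrower custom roles."""
    findings = []
    for node, bindings in policies.items():
        for b in bindings:
            for member in b["members"]:
                if member.startswith("user:"):
                    findings.append((node, b["role"], member,
                                     "direct user binding; bind a group instead"))
            if b["role"] in BASIC_ROLES:
                findings.append((node, b["role"], ",".join(b["members"]),
                                 "basic role; prefer a narrower custom role"))
    return findings


if __name__ == "__main__":
    for member, grants in effective_roles("projects/web-prod").items():
        for role, node in sorted(grants):
            print(f"{member}: {role} (bound at {node})")
    for finding in audit_bindings(POLICIES):
        print("FINDING", finding)
```

Running it shows that alice holds `roles/editor` on `projects/web-prod` even though nothing in the project's own policy mentions her; the grant sits on the folder, which is exactly the sprawl the hierarchy section warns about.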
4. Identity management
Lost or stolen credentials are a leading cause of cloud security incidents. It is not uncommon to find access credentials to public cloud environments exposed on the internet. Organizations need a way to detect these account compromises.
Best Practice: Strong password policies and multi-factor authentication (MFA) should always be enforced. GCP supports MFA for both Cloud Identity and corporate entities. Additionally, you can integrate Cloud Identity support with SSO for your corporate identities so that you inherit corporate MFA policies.
5. Service accounts
It goes without saying that humans aren’t the only users of GCP resources. Development tools and applications will need to make API calls to access GCP resources.
Best Practice: Create descriptive Service Accounts, so that the purpose of each account is clear. Also, be sure to protect service account keys with Cloud KMS and store them encrypted in Cloud Storage or some other storage repository that doesn’t have public access. Finally, ensure that you are rotating your keys on a regular basis, such as every 90 days or less.
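A rotation policy is only useful if something checks it. The following is an added example, not code from the original post or from RedLock: it takes a key inventory constructed to resemble the fields of `gcloud iam service-accounts keys list --format=json` (`name`, `keyType`, `validAfterTime`; that field shape is an assumption) and reports the user-managed keys older than the 90-day window recommended above.

```python
"""Flag user-managed service account keys past a rotation deadline.

Added example with a constructed key inventory. Google-managed
(SYSTEM_MANAGED) keys are rotated by the platform, so only the keys an
admin created and downloaded are measured against the deadline.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # threshold from the post's guidance

# Constructed reference date and inventory.
NOW = datetime(2019, 4, 8, tzinfo=timezone.utc)
KEYS = [
    {"name": "projects/p/serviceAccounts/ci@p.iam.gserviceaccount.com/keys/aaa",
     "keyType": "USER_MANAGED", "validAfterTime": "2018-11-01T00:00:00Z"},
    {"name": "projects/p/serviceAccounts/ci@p.iam.gserviceaccount.com/keys/bbb",
     "keyType": "USER_MANAGED", "validAfterTime": "2019-03-20T00:00:00Z"},
    {"name": "projects/p/serviceAccounts/ci@p.iam.gserviceaccount.com/keys/ccc",
     "keyType": "SYSTEM_MANAGED", "validAfterTime": "2018-01-01T00:00:00Z"},
]


def parse_time(value):
    """Parse the RFC 3339 UTC timestamp form used in the inventory."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_keys(keys, now=NOW, max_age=MAX_KEY_AGE):
    """Return (key_id, age_in_days) for each user-managed key older than
    max_age, measured from the key's validAfterTime."""
    stale = []
    for key in keys:
        if key["keyType"] != "USER_MANAGED":
            continue
        age = now - parse_time(key["validAfterTime"])
        if age > max_age:
            key_id = key["name"].rsplit("/", 1)[-1]
            stale.append((key_id, age.days))
    return stale


if __name__ == "__main__":
    for key_id, days in stale_keys(KEYS):
        print(f"rotate key {key_id}: {days} days old")
```

On the constructed data only key `aaa` is reported (158 days old); `bbb` is inside the window and `ccc` is Google-managed. The same loop can be fed the real `keys list` output for every service account in a project.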
6. Managing firewalls and unrestricted traffic
VPC firewalls are stateful virtual firewalls that manage network traffic to VPC networks, VMs, and other compute resources in those networks. Unfortunately, admins often assign IP ranges to firewalls, both inbound and outbound, that are broader than necessary. Adding to the concern, research from Unit 42’s cloud threat intelligence team found that 85% of resources associated with security groups don’t restrict outbound traffic at all. Further, an increasing number of organizations are not following network security best practices and, as a result, have misconfigurations or risky configurations. Industry best practices mandate that outbound access should be restricted to prevent accidental data loss or data exfiltration in the event of a breach.
Best Practice: Limit the IP ranges that you assign to each firewall to only the networks that need access to those resources. GCP’s advanced VPC features allow you to get very granular with traffic by assigning targets by tag and Service Accounts. This allows you to express traffic flows logically in a way that you can identify later, such as allowing a front-end service to communicate to VMs in a back-end service’s Service Account.
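The two problems described above, ranges broader than necessary and unrestricted egress, can be caught by reading the firewall rules back. The following is an added example, not code from the original post or from RedLock: the rules are constructed to resemble the `compute.firewalls` resource fields (`direction`, `sourceRanges`, `destinationRanges`, `allowed`, `targetTags`, `targetServiceAccounts`; exact shapes are an assumption), and the "broader than a /16" threshold is a constructed policy choice.

```python
"""Audit VPC firewall rules for overly broad ranges, sensitive ports open
to the world, unrestricted egress, and rules with no target.

Added example with constructed rules; field names follow the Compute
Engine firewall resource but the data is invented.
"""
import ipaddress

SENSITIVE_PORTS = {22, 3389}
MAX_RANGE_HOSTS = 65536        # anything wider than a /16 is "broad"

RULES = [
    {"name": "allow-ssh-anywhere", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-web-tagged", "direction": "INGRESS",
     "sourceRanges": ["198.51.100.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}],
     "targetTags": ["web"]},
    {"name": "egress-anything", "direction": "EGRESS",
     "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "backend-from-frontend", "direction": "INGRESS",
     "sourceServiceAccounts": ["frontend@p.iam.gserviceaccount.com"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}],
     "targetServiceAccounts": ["backend@p.iam.gserviceaccount.com"]},
]


def is_broad(cidr, max_hosts=MAX_RANGE_HOSTS):
    """True when the CIDR covers more addresses than the policy allows."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses > max_hosts


def opens_sensitive_port(rule):
    """True if any allowed entry covers a sensitive port. A protocol with no
    port list (or IPProtocol 'all') means every port, which counts."""
    for allowed in rule.get("allowed", []):
        if allowed["IPProtocol"] == "all" or not allowed.get("ports"):
            return True
        for spec in allowed["ports"]:
            lo, _, hi = spec.partition("-")
            lo, hi = int(lo), int(hi or lo)
            if any(lo <= port <= hi for port in SENSITIVE_PORTS):
                return True
    return False


def audit(rules):
    """Return (rule_name, severity, message) findings for the rule list."""
    findings = []
    for rule in rules:
        ingress = rule["direction"] == "INGRESS"
        ranges = rule.get("sourceRanges", []) if ingress else rule.get("destinationRanges", [])
        broad = [c for c in ranges if is_broad(c)]
        if broad and ingress:
            severity = "HIGH" if opens_sensitive_port(rule) else "MEDIUM"
            findings.append((rule["name"], severity, f"ingress from broad range(s) {broad}"))
        elif broad:
            findings.append((rule["name"], "MEDIUM",
                             f"egress to broad range(s) {broad}; unrestricted exfiltration path"))
        if not (rule.get("targetTags") or rule.get("targetServiceAccounts")):
            findings.append((rule["name"], "LOW",
                             "no target tag or service account; applies to every VM in the network"))
    return findings


if __name__ == "__main__":
    for name, severity, message in audit(RULES):
        print(f"[{severity}] {name}: {message}")
```

The `backend-from-frontend` rule produces no findings: it is scoped by Service Account on both sides, which is the logical, identifiable traffic flow the best practice above describes.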
7. Setup and review of activity logs
Organizations need oversight of user activities to reveal account compromises, insider threats and other risks. Virtualization, the backbone of cloud networks, and the ability to use the infrastructure of a very large and experienced third-party vendor afford agility, because privileged users can make changes to the environment as needed. The downside is the potential for insufficient security oversight. To avoid this risk, user activities must be tracked to identify account compromises and insider threats, and to assure that a malicious outsider hasn’t hijacked an account. Fortunately, businesses can effectively monitor users when the right technologies are deployed. GCP records API and other admin activity in Stackdriver Admin Activity Logs, and captures other data access activity in Data Access Logs.
Best Practice: Monitoring Admin Activity Logs is key to understanding what’s going on with your GCP resources. Admin Activity Logs are stored for 400 days, Data Access Logs for 30 days; so make sure to export logs if you’d like to keep them around longer for regulatory or legal purposes. RedLock ingests alerts based on activity log issues.
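Once Admin Activity Logs are exported, the monitoring the best practice calls for can start as a simple watchlist over the entries. The following is an added example, not code from the original post or from RedLock: the four log lines are constructed to resemble exported Stackdriver `LogEntry` JSON (`protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.resourceName`; that shape is an assumption), and the watchlist of method-name suffixes is a starting point, not a complete set.

```python
"""Scan exported Admin Activity log entries for high-impact changes:
IAM policy edits, firewall rule changes and new service account keys.

Added example; the export below is constructed, one JSON object per
line as a log sink export would produce.
"""
import json

SAMPLE_EXPORT = """
{"timestamp":"2019-04-08T12:00:01Z","protoPayload":{"serviceName":"cloudresourcemanager.googleapis.com","methodName":"SetIamPolicy","authenticationInfo":{"principalEmail":"alice@example.com"},"resourceName":"projects/web-prod"}}
{"timestamp":"2019-04-08T12:03:10Z","protoPayload":{"serviceName":"compute.googleapis.com","methodName":"v1.compute.firewalls.insert","authenticationInfo":{"principalEmail":"ci@web-prod.iam.gserviceaccount.com"},"resourceName":"projects/web-prod/global/firewalls/allow-ssh-anywhere"}}
{"timestamp":"2019-04-08T12:05:44Z","protoPayload":{"serviceName":"compute.googleapis.com","methodName":"v1.compute.instances.list","authenticationInfo":{"principalEmail":"bob@example.com"},"resourceName":"projects/web-prod/zones/us-central1-a/instances"}}
{"timestamp":"2019-04-08T12:09:00Z","protoPayload":{"serviceName":"iam.googleapis.com","methodName":"google.iam.admin.v1.CreateServiceAccountKey","authenticationInfo":{"principalEmail":"alice@example.com"},"resourceName":"projects/web-prod/serviceAccounts/ci@web-prod.iam.gserviceaccount.com"}}
"""

# Method-name suffixes worth an alert, with a short reason. Matching on the
# suffix keeps the rule independent of the API version prefix.
WATCHLIST = {
    "SetIamPolicy": "IAM policy changed",
    "firewalls.insert": "firewall rule created",
    "firewalls.patch": "firewall rule modified",
    "CreateServiceAccountKey": "service account key created",
}


def parse_entries(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def alerts(entries):
    """Return one alert dict per entry whose methodName is on the watchlist.
    Read-only calls such as instances.list fall through untouched."""
    out = []
    for entry in entries:
        payload = entry["protoPayload"]
        method = payload["methodName"]
        for suffix, reason in WATCHLIST.items():
            if method.endswith(suffix):
                out.append({
                    "time": entry["timestamp"],
                    "who": payload["authenticationInfo"]["principalEmail"],
                    "what": reason,
                    "target": payload.get("resourceName", ""),
                })
    return out


if __name__ == "__main__":
    for alert in alerts(parse_entries(SAMPLE_EXPORT)):
        print(f"{alert['time']} {alert['who']}: {alert['what']} on {alert['target']}")
```

Three of the four constructed entries trigger: the policy change and the new key by the same human account within ten minutes are the kind of sequence worth a closer look, and the firewall insert ties back to the rule audited in the firewall section.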
8. Managing VM image lifecycles
It is your responsibility to ensure the latest security patches have been applied to hosts within your environment. The latest research from Unit 42 provides insight into a related problem: traditional network vulnerability scanners are most effective for on-premises networks but miss crucial vulnerabilities when they’re used to test cloud networks. In GCP, however, patching running VMs may not be the ideal approach.
Best Practice: Use the power of automation to manage your VM image lifecycles. Create a custom image that has been patched or blessed from a security or compliance perspective, and then restrict VM creation to images from trusted projects using a Resource Manager constraint. Additionally, remove obsolete, older images to ensure that you are always using the latest and greatest VM image.
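The two halves of that practice, a trusted-project allow list and retirement of superseded images, can both be checked from an image inventory. The following is an added example, not code from the original post or from RedLock: the image records are constructed to resemble `compute.images` fields (`name`, `family`, `selfLink`, `creationTimestamp`; exact shapes are an assumption), and the allow list mirrors the set of projects an organization policy such as `constraints/compute.trustedImageProjects` would permit, which is assumed to be the Resource Manager constraint the post refers to.

```python
"""Check a VM image inventory against a trusted-project allow list and
find superseded images within each image family.

Added example with constructed data; the inventory shape follows the
Compute Engine image resource but every record is invented.
"""
from datetime import datetime

BASE = "https://www.googleapis.com/compute/v1/"
TRUSTED_PROJECTS = {"projects/golden-images"}    # constructed allow list

IMAGES = [
    {"name": "web-base-20190301", "family": "web-base",
     "selfLink": BASE + "projects/golden-images/global/images/web-base-20190301",
     "creationTimestamp": "2019-03-01T08:00:00.000-07:00"},
    {"name": "web-base-20190401", "family": "web-base",
     "selfLink": BASE + "projects/golden-images/global/images/web-base-20190401",
     "creationTimestamp": "2019-04-01T08:00:00.000-07:00"},
    {"name": "scratch-image-v1", "family": "scratch",
     "selfLink": BASE + "projects/dev-sandbox/global/images/scratch-image-v1",
     "creationTimestamp": "2019-02-10T08:00:00.000-07:00"},
]


def image_project(self_link):
    """Extract 'projects/<id>' from an image selfLink."""
    path = self_link[len(BASE):] if self_link.startswith(BASE) else self_link
    parts = path.split("/")
    return "/".join(parts[:2])


def untrusted_images(images, trusted=TRUSTED_PROJECTS):
    """Names of images that do not come from an allowed project. Under the
    trusted-image constraint these could not be used to create VMs."""
    return [img["name"] for img in images if image_project(img["selfLink"]) not in trusted]


def superseded_images(images):
    """For each family, every image except the newest by creationTimestamp.
    These are the obsolete images to deprecate or delete."""
    by_family = {}
    for img in images:
        by_family.setdefault(img["family"], []).append(img)
    stale = []
    for family, members in by_family.items():
        members.sort(key=lambda i: datetime.fromisoformat(i["creationTimestamp"]))
        stale.extend(i["name"] for i in members[:-1])
    return stale


if __name__ == "__main__":
    print("untrusted:", untrusted_images(IMAGES))
    print("superseded:", superseded_images(IMAGES))
```

On the constructed inventory `scratch-image-v1` fails the allow list and `web-base-20190301` is superseded by the April build of the same family.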
In conclusion, no matter which cloud you choose, security remains a shared responsibility. It is important to have a fundamental understanding of best practices to manage your part of this responsibility. It may be unrealistic, however, to expect every person in your organization to know all best practices and follow them consistently. This becomes especially difficult when you have more than a handful of people with hands in your cloud environment.
But there is good news. RedLock can help monitor these best practices across your organization, across all clouds, and suggest best practices for remediation. If you’ll be at Google Next, stop by our booth S1739 and check out a demo. Or, if you’re interested in trying it for yourself, you can sign up here.