Learn about the importance of strong GCP cloud security.
Rapid7 Cloud Risk CompleteGoogle Cloud Platform (GCP) security refers to the practice of implementing processes, technologies and standards to secure applications, resources and data running on Google’s cloud infrastructure service.
What is GCP? It is a cloud computing service distributed all over the world via physical and virtual resources and hosted in Google data centers. The various services available to GCP users include data management, hybrid and multi-cloud architecture, and AI and Machine Learning (ML).
Known as the shared responsibility model, there are two ways to look at cloud security when using any cloud platform: the cloud provider will work to secure the cloud environment and its perimeter, while a customer will work to secure the operations running within that cloud environment.
By definition, public cloud services like GCP, are delivered over the public internet. That means your sensitive and mission-critical applications and data can be accessed by authorized users and/or threat actors – if the proper measures aren't put in place to stop them.
This is obviously easier said than done, and can result in so many data breaches from misconfigured resources or gaps/weaknesses in an organization's security posture. To help address this, there are a wide variety of best practices and standards that have been developed, including those provided by Google.
GCP security is important because the tapestry of services it offers - backed by globally distributed software and hardware - is leveraged for complex user operations that can be difficult to secure. These operations include:
To that last point, the Center for Internet Security (CIS) recently released an updated version of their GCP Foundation Benchmarks. These benchmarks typically take the form of regulatory recommendations, in this instance covering configurations and policies ranging from resource segregation to compute and storage. These are not requirements, but they can go a long way toward mitigating future security headaches.
Database or container misconfigurations is another reason GCP security is important. Unfortunately, these flaws are all too common, and can leave a storage container vulnerable and exposed. Preventing, detecting, and repairing improperly configured cloud data services is a crucial part of the security process for running operations on GCP. Detection and response solutions can help mitigate potential exposure by collecting user ingress events, administrative activity, and log data generated by GCP to monitor running instances and account activity.
What does it mean to leverage a shared responsibility model (SRM) on GCP? As referenced above, a cloud provider is responsible for securing the infrastructure on which a user’s workloads run, but the user is responsible for securing their confidential workloads, resources, and data within that cloud infrastructure.
Learn more with our Practical Guide to Gartner's Cloud Security Archetypes
Google states:
“Understanding the shared responsibility model is important when determining how to best protect your data and workloads on Google Cloud. The shared responsibility model describes the tasks that you have when it comes to security in the cloud and how these tasks are different for cloud providers.”
To know what type of shared responsibility model they’re opting into, a user must first define the type of workloads they’ll need to run. Based on this information, they’ll then be able to determine the type(s) of cloud service(s) they’ll need to purchase. On GCP, these can include:
Key to a hybrid or multi-cloud environment is to educate DevOps talent about a cloud provider’s shared responsibility model (read about the AWS version). By knowing who is responsible for what type of security, there will be less errors that lead to fewer vulnerabilities.
We now know that cloud providers are responsible for securing the infrastructure of their platforms. Let’s take a look at some of GCP’s overarching security tools to assist customers and fulfill their side of the SRM.
The command center aids in asset discovery and inventory, threat prevention, and threat detection. It enables understanding of which resources are deployed at a given time as well as helping to identify misconfigurations and compliance violations.
Identity and Access Management (IAM) enables user admins to be gatekeepers on who can gain access to certain resources within specific cloud operations. Auditing capabilities provide visibility and culling at an organizational level.
A Key Management Service (KMS) puts encryption control in the hands of the user. Google’s KMS feature enables cryptographic key management in a central cloud service and provides the flexibility to encrypt data with either a symmetric or asymmetric key in control by the user.
Cloud monitoring and logging are essential security tools within GCP. Accessed from a centralized suite, logging is a managed service that ingests application data, log data, and data from other services inside and outside of Google Cloud. Monitoring imparts visibility into the health of applications running on GCP, including metrics, events, and metadata.
GCP’s Web Security Scanner checks for vulnerabilities in a user’s App Engine, Kubernetes, and Compute Engine web applications. It crawls an application to scan as many user inputs and event handlers as possible. It’s intended as an additive service that complements a user’s existing vulnerability-scanning operations.
Often, however, native tooling doesn’t extend to securing everything and can be hard to manage, thus the need for standalone cloud-security providers.
It’s a good idea to put in place a few best-practice methodologies to ensure not only that vulnerability risks are mitigated, but also that compliance is in continuous good standing and DevSecOps organizations are running from a solid knowledge base. Google recommends:
Build a layered security approach
Implement security at each level in your application and infrastructure by applying a defense-in-depth approach. Use the features in each product to limit access and configure encryption where appropriate.
Design for secured decoupled systems
Simplify system design to accommodate flexibility where possible, and document security requirements for each component. Incorporate a robust secured mechanism to account for resiliency and recovery.
Automate deployment of sensitive tasks
Take humans out of the workstream by automating deployment and other admin tasks.
Automate security monitoring
Use automated tools to monitor your application and infrastructure. To scan your infrastructure for vulnerabilities and detect security incidents, use automated scanning in your continuous integration and continuous deployment (CI/CD) pipelines.
Meet the compliance requirements for your regions
Be mindful that you might need to obfuscate or redact personally identifiable information (PII) to meet your regulatory requirements. Where possible, automate your compliance efforts.
Comply with data residency and sovereignty requirements
You might have internal (or external) requirements that require you to control the locations of data storage and processing. These requirements vary based on systems design objectives, industry regulatory concerns, national law, tax implications, and culture. Data residency describes where your data is stored.
Shift security left
DevOps and deployment automation let your organization increase the velocity of delivering products. To help ensure that your products remain secure, incorporate security processes from the start of the development process.
2022 Cloud Misconfigurations Report: Latest Cloud Security Breaches and Attack Trends