Are you currently experiencing an attack?

Are you currently experiencing an attack?

Securely Using GCP: New Capabilities

Attackers are targeting cloud-hosted workloads more than ever before. As one of the leading cloud service providers, Google Cloud Platform (GCP) includes many built-in security features. However, as with every CSP, Google Cloud Platform (GCP) security is also a shared responsibility, and customers need to make use of the services and features available on the platform to secure their applications.

We previously discussed cloud security for GCP, and many of the basics are still the same. Of course, Google has continued to add new capabilities and services since then, to further enhance the security of your hosted workloads. In this article, we’ll discuss them. 

Resource Hierarchy Management

The resource hierarchy in Google Cloud consists of organizations, folders, and projects. Cloud resources are always hosted in a project, and this hierarchy cannot be altered once the resource is deployed. In a previous article, we discussed best security practices for GCP hierarchies. It is always recommended to create separate projects for different environments like testing, staging, and production because it enables fine-grained security over the data plane where resources reside and the control plane accessed by administrators.

In large-scale deployments, ensuring the same standards in different environments can become a liability due to the possibility of human error creeping in during manual deployments.Hence, it is important to enable the automation of hierarchy management to ensure consistency, repeatability, and security—with GCP security best practices baked into the deployment process. Automation also helps with adherence to these practices throughout the lifecycle of the environment. 

Customers can use the Cloud Deployment Manager service, which delivers deployment automation capabilities natively. Using reusable configuration files and parameterized templates, the deployment manager delivers end-to-end automation of project creation and configuration. It can also configure IAM permissions to ensure that only authorized people can access your resources. Hence, while designing your resource hierarchy, make sure to factor in the automation process as well through Cloud Deployment Manager. 

Cloud IAM Federation

We have previously discussed IAM on GCP, for which Cloud Identity and Cloud IAM are the two most important aspects of control plane access management. While Cloud Identity and Google Accounts can be used to define who can access the resources, Cloud IAM plays a crucial role in defining what they can access. Customers can use roles, both pre-built and custom, to implement access restrictions based on the principle of least privilege. IAM policies are then used to bind these roles to target users or groups.

It is important to bring your accounts under a unified identity management process to ensure that the access restrictions are effectively implemented. Having unmanaged identities compromises unified management. These are user accounts that are not created in Google Cloud Identity or Google Workspace or managed by a third-party identity provider. The best practice is to identify any unmanaged identities being used to access Google Cloud and bring them under the purview of Cloud Identity. This is also essential in order to implement additional security measures like MFA, password complexity, and location/context-aware access.

In the case of hybrid deployments where corporate users might already have an existing identity provider (IdP), Google Cloud provides multiple options for identity federation. This ensures minimum disruption, as the current IdP can be leveraged for cloud resources. You can also extend your IdP to the cloud by synchronizing your identities and maintaining a copy of them on Google Cloud. Some identity providers that can be federated with Google Cloud identity are Microsoft’s Active Directory, Azure Active Directory, and AD LDS. 

Through federation, you can continue to use the existing IdP as the source of truth of organizational identities while ensuring consistent lifecycle management. The authentication process is also delegated to the IdP. One common use case in hybrid cloud deployments is integration with an existing Windows’ Active Directory. You can use Google Cloud Directory Sync and Active Directory Federation Services to federate your existing AD environment with Google Identity.

GCP Network Security

VPCs in Google Cloud provide an isolated network boundary to host your workloads. It can consist of multiple subnets in different regions, while egress and ingress traffic to attached resources can be managed using GCP Web Application Firewall (WAF) rules. In a previous article, we discussed the best security practices for VPCs and networks on GCP. This included recommendations like usage of custom VPCs for workloads, disabling external IPs, usage of Cloud NAT, etc.

In addition to a default and custom VPC, Google Cloud also supports the concept of a shared VPC, which is relevant from a security perspective. Resources from different Google Cloud projects in the same organization can be connected to a common shared VPC, enabling them to communicate with each other securely using Private IP addresses. This consists of a host project on the shared VPC with multiple service projects attached to it. Admins can delegate the permissions related to network administration to the networking team and keep them consistent across all connected projects. This helps in implementing the principle of least privilege where the service project admins only have instance-level access rights and cannot make changes to the network.

VPC service controls provide an additional layer of security for your resources like Cloud Storage and BigQuery by enforcing context-aware access control. You can define a security perimeter, restricting client access to resources outside of it. Activities like data copy and exchange can be controlled by context-aware access using attributes like the user identity type or network from which the request originates. This helps prevent data theft from unauthorized networks or data exfiltration attempts through compromised accounts.

Private Google Access is another feature that enables secure access to Google services from VM instances that have only internal IPs. Private Google Access is enabled for most Google services with a few exceptions like App Engine memcache, Memorystore, and Filestore. If you want to deploy VMs without exposing them to the internet but with no restrictions to Google Cloud services, you can enable Private Google Access on the subnets they are connected to.

GCP Security Products

Security Command Center (SCC) enables cloud security posture management by providing centralized visibility into the threats and vulnerabilities of your environments in GCP. We briefly touched upon the features of SCC in “GCP and Cloud Security, Part 1”. The built-in security health analytics service in SCC helps with real-time vulnerability assessments as well as the detection of misconfigurations. The findings can be mapped against standards like CIS benchmarks, PCI DSS, or ISO 27001 to assess the compliance of your cloud deployments. 

Data from Security Command Center can also be integrated with the Google Cloud-native SIEM tool Chronicle or other third-party SIEM tools for further analysis. For comprehensive risk profiling and management, you can explore Risk Manager as well, which provides visibility into your cloud environment’s technical risk posture. You can then integrate the findings from this service with SCC for remediation.

Organizations hosting containerized workloads in Google Cloud can additionally leverage Binary Authorization to implement software supply-chain security. The container images can be signed using a trusted authority, with the binary authorization control configured to validate this signature during deployment. This ensures that only trusted images are deployed to your cloud environment through CI/CD processes. 

Finally, GCP’s VM Manager helps you manage large-scale VM deployments through features like inventory management, configuration management, and patch management. The patch management feature of the service supports both Windows and Linux workloads, and it can be used to set up patch management scripts and configure patch jobs, approvals, etc. VM Manager comes with a centralized dashboard that provides a bird’s-eye view of the patching and compliance status of your VMs. 

Conclusion

GCP provides a large set of tools for securing all layers of your applications. To identify the right security controls for your environment and usage, due diligence is required. 

This includes web security. GCP provides some native capabilities for threat detection and traffic filtering, but they do not provide (nor are they meant to provide) all the protection that is needed in the modern threat environment. 

Reblaze provides cloud-native WAAP (Web Application and API Protection) in a web security platform that is fully integrated with GCP. Reblaze protects applications, sites, services, and APIs with a next-gen cloud WAF (Web Application Firewall), multi-layer DDoS protection, bot management, ATO (Account Takeover) prevention, and more, all running natively on Google Cloud Platform.

For more information or to get a demo, contact us here.

Get your price quote

Fill out your email below, and we will send you a price quote tailored to your needs

This website uses cookies to ensure you get the best experience on our website.