GCP and Cloud Security, Part 1

Cyberthreats are more numerous and varied today than ever before. Data breaches are common; according to Have I Been Pwned, over 9 billion accounts have been exposed in known breaches. Companies that are breached suffer not only loss of reputation and customer goodwill, but also face potentially ruinous fines under regulations such as GDPR.

DDoS attacks cause service disruptions and loss of revenue. Data theft and scraping can erode competitive advantages. Malicious bots wage credential attacks, deny inventory, and commit credit card fraud. The list goes on.

Cloud computing adds a new dimension to this situation. As companies move to the cloud, they are using compute and storage resources that are designed to be reachable from the Internet. If best practices are not followed, security incidents can result.

This series of articles will discuss security while using Google Cloud Platform (GCP). Here in Part 1, we’ll discuss some cloud security basics before diving into some security products offered by GCP. Later articles will dive deeper into specific topics, such as networking and Identity and Access Management (IAM), and provide some pragmatic advice, including industry best practices.

Security in the Cloud

Gone are the days when most businesses had to own their server infrastructure. With ownership comes responsibility, and with responsibility comes additional work and increased costs. The advantage of delegating work is that the responsibility becomes shared.  

Shared Responsibility Model

One of the significant advantages of using a cloud provider such as GCP is that you can delegate not only the management and operation of the underlying infrastructure and hardware, but also the responsibility of securing it. In a nutshell, the cloud provider secures its cloud, and you, as a cloud user, secure whatever you run inside that cloud.

This relieves you of some responsibility. And it allows you to focus your attention on the crucial tasks that are still your responsibility—such as securing your network traffic.

IaaS, PaaS, and SaaS

When discussing cloud services, the term “managed service” is used frequently. However, the level of management can vary widely. 

Traditional hosting providers typically offered physical or virtual machines, networking, and perhaps managed backups, but nothing more. These are known as Infrastructure as a Service (IaaS). Such offerings also exist in the cloud. In GCP, we have Compute Engine, which provides virtual machines (VMs) with both ephemeral (local SSD) and persistent (network-attached) disk storage, as well as GPUs. Google secures the physical hosts, the hypervisor, and the network beneath them, but the security of the guest operating system and anything running on top of it is not Google's responsibility. The user retains sole responsibility for tasks such as patching, hardening, access control, and intrusion detection.

While IaaS offerings may provide an easy migration path to the cloud, or for legacy workloads, more significant advantages begin with Platform as a Service (PaaS) products. Here are some examples:

  • Cloud SQL is a fully managed database service for multiple database engines. With Cloud SQL, Google takes over patching, backups, and replication of the database engine, so you no longer need that operational expertise in-house; schemas, database users, and network exposure (for example, whether the instance has a public IP address) remain your responsibility.
  • Google Kubernetes Engine (GKE) is a managed Kubernetes service in which Google runs and patches the control plane, so that, compared to operating your own Kubernetes cluster, you are left with the node pools and the workloads.
  • There are many serverless platforms available in GCP: Cloud Run for running stateless containers; Cloud Functions for event-driven serverless functions; or App Engine, Google's earliest serverless platform.

Platforms abstract away much of the management. This enables smaller teams to build highly scalable and performant web applications, while shifting the security burden to the application layer and above.

At the far end of the “managed” spectrum, there is Software as a Service (SaaS). These are end products for which users have little to no management responsibility. One example in Google Cloud is G Suite, which provides productivity tools for businesses. 

From IaaS to PaaS to SaaS, the shared responsibility shifts away from the user to the provider. However, security should always be top-of-mind for cloud users; responsibility for security is never fully shifted to the provider. Even a SaaS product like G Suite, designed for end users and consumers, still requires following best practices for security (e.g., using a password manager and two-factor authentication).


Google Cloud's Compliance page lists a broad set of compliance offerings, such as PCI DSS, HIPAA, COPPA, GDPR, and many others. These too are a shared responsibility. A listing means that Google Cloud can be used in a compliant way; in other words, nothing on the cloud provider's side prevents you from getting certified. It is still your job as a cloud user to ensure that your products and services are compliant: even though the cloud provider is compliant, you do not inherit that compliance automatically.

GCP Security Products

In total, GCP today offers over a hundred products, dozens of which are related to security. Let’s look at some of the most commonly used ones, including several with compelling use cases.

Cloud Armor

Google Cloud Armor protects web services against distributed denial of service (DDoS) attacks at the edge of Google's network. It can also help mitigate the most common types of web application attacks, such as cross-site scripting (XSS) and SQL injection, through pre-configured web application firewall (WAF) rules.

Cloud Armor works with Google's global HTTP(S) Load Balancer: you attach a security policy to the load balancer's backend services. A policy is an ordered set of rules, evaluated from the lowest priority number upwards, and the first rule that matches decides whether the request is allowed or denied; a default rule at the lowest priority catches everything else. A set of pre-defined rules exists for XSS and SQL injection attacks.
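To make the rule semantics concrete, here is an added example (not Google's or Reblaze's code) that evaluates a constructed Cloud Armor-style security policy locally. The policy uses the field names of the Cloud Armor API (priority, action, match.versionedExpr with srcIpRanges, match.expr.expression), but only IP-range rules and a simplified request.path.matches() expression are modelled; the pre-configured WAF expressions such as evaluatePreconfiguredExpr('xss-stable') are not. The policy name, IP ranges and paths are invented for the example.

```python
"""Local simulation of Cloud Armor rule evaluation (added example, not Google's code).

Documented semantics modelled here: rules are tried from the lowest priority number
upwards, the first match decides, and the default rule sits at priority 2147483647.
Only SRC_IPS_V1 matches and a `request.path.matches('<regex>')` expression are supported.
"""
import ipaddress
import re

DEFAULT_RULE_PRIORITY = 2147483647  # fixed priority of a Cloud Armor default rule
_PATH_MATCH = re.compile(r"^request\.path\.matches\('(.+)'\)$")

# Constructed policy in the shape of securityPolicy.rules[] from the Cloud Armor API.
POLICY = {
    "name": "example-policy",
    "rules": [
        # Lowest number is evaluated first: the office egress range is always let through.
        {"priority": 100, "action": "allow",
         "match": {"versionedExpr": "SRC_IPS_V1",
                   "config": {"srcIpRanges": ["203.0.113.0/24"]}}},
        # Block a scanner range seen in the logs (one IPv4 and one IPv6 range).
        {"priority": 1000, "action": "deny(403)",
         "match": {"versionedExpr": "SRC_IPS_V1",
                   "config": {"srcIpRanges": ["198.51.100.0/24", "2001:db8::/32"]}}},
        # Nobody outside the office should reach the admin UI; answer 404 to hide it.
        {"priority": 2000, "action": "deny(404)",
         "match": {"expr": {"expression": "request.path.matches('^/admin(/.*)?$')"}}},
        # Default rule: everything else is allowed (a deny here would make this an allow-list).
        {"priority": DEFAULT_RULE_PRIORITY, "action": "allow",
         "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["*"]}}},
    ],
}


def _matches(rule, client_ip, path):
    """True if the request matches this rule's IP-range or path expression."""
    match = rule["match"]
    if "versionedExpr" in match:
        addr = ipaddress.ip_address(client_ip)
        # "*" is the wildcard used by the default rule; v4 addresses never fall in v6 ranges.
        return any(rng == "*" or addr in ipaddress.ip_network(rng, strict=False)
                   for rng in match["config"]["srcIpRanges"])
    m = _PATH_MATCH.match(match["expr"]["expression"])
    if not m:
        raise ValueError("unsupported expression: " + match["expr"]["expression"])
    return re.search(m.group(1), path) is not None


def evaluate(policy, client_ip, path):
    """Return (priority, action) of the first matching rule, lowest priority number first."""
    for rule in sorted(policy["rules"], key=lambda r: r["priority"]):
        if _matches(rule, client_ip, path):
            return rule["priority"], rule["action"]
    raise RuntimeError("no rule matched; a policy must contain a default rule")


if __name__ == "__main__":
    for ip, path in [("203.0.113.7", "/admin/users"), ("198.51.100.9", "/"),
                     ("192.0.2.5", "/admin"), ("192.0.2.5", "/index.html")]:
        print(ip, path, "->", evaluate(POLICY, ip, path))
```

The point to notice is the ordering: the office allow rule at priority 100 wins over the /admin deny at 2000 even though both match an office request for /admin/users, and the default rule decides everything else, so whether a policy behaves as an allow-list or a deny-list is determined entirely by that last rule.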

By itself, Cloud Armor provides rudimentary protection. For robust security, it still requires an operator to monitor traffic and create rules in response to attacks. A better approach is to deploy Reblaze on GCP, which creates a ‘security engine’ for Cloud Armor. Out of the box, Reblaze includes a full set of default security rulesets that detect and block most forms of hostile traffic. Further customization for the protected sites/applications is straightforward, and Reblaze offers the most precise ACL (access control list) capabilities available in the industry. Additionally, Reblaze is a managed service that is continuously updated with the latest threat signatures. 

In use, Reblaze detects threats and automatically updates Cloud Armor, which blocks hostile traffic at the edge. Reblaze and Google Cloud Armor together provide full, automated protection.

Cloud Security Command Center

Cloud Security Command Center (CSCC) aggregates findings from many other GCP security products into a single view of your GCP resources. For example, by integrating with Cloud Data Loss Prevention (DLP), CSCC can discover and alert you to sensitive or regulated data found by scanning what is stored in Cloud Storage, BigQuery, and Datastore. With the Event Threat Detection integration, it can also surface a range of threats (for example, cryptomining or brute-force SSH attempts) detected by analyzing Stackdriver logs.

While this command center provides invaluable visibility, it does not automatically react to all threats. However, when using Reblaze, attacks are automatically blocked and reported directly to CSCC. You can read about this integration here: Cloud Security Command Center and Reblaze.

Cloud Audit Logs

Cloud Audit Logs provide highly secure, available, and immutable audit trails for user activity in Google Cloud. Today, most GCP services write audit logs; eventually, support is intended for all services.

There are three audit log types: Admin Activity, System Event, and Data Access. Admin Activity logs record configuration changes (such as creating a VM or changing an IAM policy) and System Event logs record changes made by Google itself (such as a live migration); both are always on, free of charge, and retained for 400 days. Data Access logs record reads and writes of user data (for example, fetching an object from a Cloud Storage bucket) and can be very high volume, so, with the exception of BigQuery, they are disabled by default and must be enabled through the audit configuration of the project, folder, or organization IAM policy. Once enabled, Data Access logs are standard Stackdriver Logging logs, are billed as such, and have the same 30-day retention period.
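As an added example (not Google's code), the block below shows what these entries look like and the configuration step that Data Access logs need. The three LogEntry objects and the IAM policy are constructed to mimic what Cloud Logging exports and what `gcloud projects get-iam-policy --format=json` returns; the project, principals, bucket and object names are invented. `triage` buckets entries by the logName suffix that identifies the audit log type and flags Admin Activity entries in which SetIamPolicy granted a primitive role or added a user or group from outside the organization's domain; `enable_data_access_logs` adds the auditConfigs block that turns Data Access logging on for all services.

```python
"""Audit-log triage and Data Access audit configuration (added example, not Google's code)."""
import copy

# The audit log type is encoded in the logName suffix ("/" is URL-encoded as %2F).
LOG_TYPES = {
    "cloudaudit.googleapis.com%2Factivity": "Admin Activity",
    "cloudaudit.googleapis.com%2Fsystem_event": "System Event",
    "cloudaudit.googleapis.com%2Fdata_access": "Data Access",
}
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}
DATA_ACCESS_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")

# Constructed entries in the shape of exported LogEntry objects (protoPayload is an AuditLog).
SAMPLE_ENTRIES = [
    {   # Admin Activity: an IAM policy change on the project, always logged
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/owner", "member": "user:contractor@gmail.com"},
                {"action": "REMOVE", "role": "roles/viewer", "member": "user:bob@example.com"},
            ]}},
        },
    },
    {   # System Event: initiated by Google, not by a user
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fsystem_event",
        "protoPayload": {
            "serviceName": "compute.googleapis.com",
            "methodName": "compute.instances.migrateOnHostMaintenance",
            "authenticationInfo": {"principalEmail": "system@google.com"},
        },
    },
    {   # Data Access: only written once Data Access logging is enabled
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "serviceName": "storage.googleapis.com",
            "methodName": "storage.objects.get",
            "authenticationInfo": {"principalEmail": "etl@example-project.iam.gserviceaccount.com"},
            "resourceName": "projects/_/buckets/example-bucket/objects/payroll.csv",
        },
    },
]

# Constructed project IAM policy, as returned by `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = {
    "bindings": [{"role": "roles/owner", "members": ["user:alice@example.com"]}],
    "etag": "BwWabc123",
    "version": 1,
}


def log_type(entry):
    """Classify a LogEntry by the suffix of its logName."""
    return LOG_TYPES.get(entry["logName"].rsplit("/logs/", 1)[-1], "Not an audit log")


def risky_grants(entry, trusted_domains=("example.com",)):
    """Bindings ADDed by SetIamPolicy that grant a primitive role or go to an outside user/group."""
    payload = entry["protoPayload"]
    if not payload.get("methodName", "").endswith("SetIamPolicy"):
        return []
    findings = []
    for d in payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", []):
        if d["action"] != "ADD":
            continue
        member = d["member"]
        outside = (member.startswith(("user:", "group:"))
                   and member.rsplit("@", 1)[-1] not in trusted_domains)
        if d["role"] in PRIMITIVE_ROLES or outside:
            findings.append((d["role"], member))
    return findings


def triage(entries):
    """Count entries per audit log type and collect the IAM grants that deserve a human look."""
    counts = dict.fromkeys(LOG_TYPES.values(), 0)
    findings = []
    for entry in entries:
        kind = log_type(entry)
        if kind in counts:
            counts[kind] += 1
        if kind == "Admin Activity":
            who = entry["protoPayload"]["authenticationInfo"]["principalEmail"]
            findings += [(who, role, member) for role, member in risky_grants(entry)]
    return counts, findings


def enable_data_access_logs(policy):
    """Copy of `policy` with Data Access logging enabled for allServices; safe to re-apply."""
    new_policy = copy.deepcopy(policy)
    configs = new_policy.setdefault("auditConfigs", [])
    for cfg in configs:  # keep any service-specific configs and exemptedMembers untouched
        if cfg.get("service") == "allServices":
            present = {c["logType"] for c in cfg.setdefault("auditLogConfigs", [])}
            cfg["auditLogConfigs"] += [{"logType": t} for t in DATA_ACCESS_LOG_TYPES
                                       if t not in present]
            return new_policy
    configs.append({"service": "allServices",
                    "auditLogConfigs": [{"logType": t} for t in DATA_ACCESS_LOG_TYPES]})
    return new_policy


def data_access_logging_enabled(policy, service):
    """True if DATA_READ and DATA_WRITE are configured for `service`, directly or via allServices."""
    enabled = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") in ("allServices", service):
            enabled |= {c["logType"] for c in cfg.get("auditLogConfigs", [])}
    return {"DATA_READ", "DATA_WRITE"} <= enabled
```

Write the result of enable_data_access_logs to a file and apply it with `gcloud projects set-iam-policy PROJECT_ID policy.json`; the etag in the policy is what protects you from overwriting a concurrent change, so always start from a freshly fetched policy. Until that configuration is in place, the Data Access entry above simply does not exist, and an exfiltration of payroll.csv would leave no trace in Cloud Audit Logs.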

Cloud Audit Logs are a significant step towards compliance, because they give auditors an account of who did what, where, and when.

Honorable mentions

A few other GCP products deserve a brief mention, as does the fact that encryption at rest is on by default in Google Cloud. Key management is flexible, depending on your security requirements: from keys fully managed by Google, to customer-managed keys held in Cloud KMS, to customer-supplied keys that Google Cloud uses in memory and never stores.

Cloud Security Scanner is an automated scanner that detects common web application vulnerabilities, including XSS, mixed content, clear-text password submission, and outdated libraries or libraries with known security vulnerabilities. This service is available for App Engine, Compute Engine, and GKE applications at no extra cost.

The Cloud Identity-Aware Proxy (IAP) lets users reach network-protected applications and VMs from untrusted networks without a VPN: IAP authenticates the user with their Google identity and checks their IAM authorization before forwarding the request. It works with both cloud and on-premises applications, and instances don't even require a public IP address. IAP implements BeyondCorp, Google's zero-trust security model, and is available at no charge. One caveat: the application behind IAP must still verify the signed JWT that IAP adds in the x-goog-iap-jwt-assertion header, so that requests which reach the backend without passing through the proxy (for example, from inside the VPC) are rejected.

Shielded VMs are hardened virtual machines that help protect sensitive workloads. They verify the boot chain with Secure Boot and Measured Boot, which defends against boot-level and kernel-level malware and rootkits, and integrity monitoring reports any change in the boot measurements to Stackdriver. They can also help prevent data exfiltration by sealing secrets in a virtual trusted platform module (vTPM), so that the secrets are only released to a VM whose measured state is as expected. To use these features, choose a base VM image with Shielded VM support, which includes UEFI firmware, and check the instance options: vTPM and integrity monitoring are on by default for such images, but Secure Boot is not and must be enabled explicitly. There is no additional cost associated with Shielded VMs.

What’s next?

Now that you have a better understanding of what Google Cloud Platform offers and the basics of cloud security, the following parts of this series will dive deeper into specific topics of security in GCP.

In Part 2, you will learn all about resource management in GCP and Identity and Access Management (IAM), with examples and best practices. Stay tuned!
