I started my journey in to the Cloud Security Engineering space, Been looking in to several enterprises and their existing GCP Infrastructure/s from Cloud Security Architecture perspective — noticed some of the fundamental issues & gaps with their existing Cloud Architecture and Cloud Security Posture.
As I understood the gaps to some extent [still long way to go and experience many more business cases and scenarios though] - It has been going through my mind for couple of months now that ‘Why don’t I write and simplify it for easy and quick reference for everyone desired?’ to have a look and take this further to enhance their Cloud Security Posture from the very beginning of their Cloud Journey
and
The Time has come now to sit and start writing it down. Thanks to X’mas vacations/holidays which helps bit of free mind and enables the idea/s to flow easily. I prefer sitting at one-go and finish it in one-sitting from the very start to end irrespective of the time it takes to complete, that helps me to keep that continuous flow of thoughts in to my writing.
That’s me and Only Me!
The Perfect time to trigger my idea to blog here which aims to give initial *must* considerations for any GCP Cloud Project or Projects for your organisation
- Channelize your Resources and Structure your Resource Hierarchy
Fundamental issue I’ve noticed is that everything is jam-packed in to one single folder and isolation is existing only between the projects but within the same folder which leads to a potential attack surface
To avoid this, Channelize your resources and following ‘resource hierarchy’ allows you to map your organisation’s (operational) structure to Google Cloud and thus allow you to manage them in an organised manner
The Org Node aka ‘Organisation’ helps to provide central visibility and control over all the resources under that Organisation node
Folders help to create isolation between different teams or departments under the organisation. Folders can be further split in to sub-folders based on your business needs and there is no restriction on folder levels.
The bottom layer is the ‘Project’ level. Projects help contain GCP resources which help constitute your application/s. Projects can contain resources spread across multiple regions and geographies. Best Practice is to have one project per application per environment. For eg., if you’ve 2 applications ‘A’ and ‘B’, with a development, staging and production environment, you would have 6 projects in total such as A-dev, A-stage, A-prod and B-dev, B-stage, B-prod. This segregation helps in isolating the environments from each other so that changes in one project/env do not accidentally impact other project/env and also helps provide better access control too
2. Implement IAM [Identity and Access Management] as the standard
In a nut shell, most common issues found are like using ‘individual’ accounts instead of ‘groups’ to grant access to specific Google Cloud resources and fully ignoring the basic security principle of ‘least privilege’
To avoid this, follow the recommended IAM best practices such as:
- Always use fully managed google accounts which are tied to your corporate domain name through Cloud Identity. This forms a management layer through which enabling or disabling the access to your google cloud resources is easily possible
- Synchronise your user directory to Cloud Identity which lets your users to access the google cloud resources with their existing credentials. This leads to have your identity platform as the ‘single source of truth’ whereas Cloud Identity helps you to control the ‘how’ access to your google cloud resources
- Control access to resources using google groups instead of individual accounts and use Service Accounts where applicable. For all the server-to-server interactions, use service accounts. For example, avoid Automatic IAM permissions for default service accounts and Ability to create service accounts in a production environment
- Define Organization Policy/Policies which helps to set restrictions on specific resources to determine how those can be configured and used. For example, you can define a constraint to restrict any VM to not to use default service account.
3. Custom Network and Network Security —Think and Design Early
To be frank, the issues I noticed under this section are like eye-openers as I couldn’t believe my eyes when I first looked at it.
You know what — People are using ‘Default’ Networks. Just not that but also ‘Default’ firewall rules which are unbelievably true from my perspective. You cannot start worse than this ;>(
Let me simplify the bare minimum things to start considering from the beginning
- Avoid using ‘Default’ VPC Network especially in Google Cloud rather use ‘Custom’ VPC Network. There is a massive difference between other CSPs vs about GCP how the default VPC has been set up. Spend little time to understand that before you start. Google recommends enterprises to use custom mode VPC Networks for some valid reasons. Refer here for more information
- Avoid using ‘Default’ firewall rules instead create your own ‘custom’ firewall rules which brings loads of control about how you can group and isolate related resources with combination of the network and firewall rules. These firewall rules allow you to specify the type of traffic like ports and protocols and the source or destination of the traffic. Default firewall rules open up ports for a wide range of IP addresses for some protocols which is a potential security risk and not a recommended best practice
- Enable Firewall Rule Logging which helps to audit, verify and analyse the effectiveness of the firewall rules in action. It’s a recommended practice to enable these logs for audit and analysis purpose
- Use VPC Flow Logs and create a process to enable flow logs when needed. Theses logs can be used for network monitoring, forensics, real-time security analysis and also helps in expense optimisation too
- Avoid or Limit External Access to the internet to only those google cloud resources that need it. Resources within a VPC network can communicate among themselves anyhow through internal IP addresses and this can be further limited using Firewall rules if needed. Use google cloud services such as ‘Cloud NAT’ and ‘Private Google Access’ based on the use case to avoid simply opening up your resources to the internet. Common mistakes noted are like Every VM has an external IP address attached to it, GCS buckets are freely accessible apart from not using the earlier mentioned services
- Centralise and Control the Network using Shared VPC or VPC Peering. VPC Network Peering helps to connect different VPC networks and to communicate internally without traversing through the internet whereas Shared VPC allows an organisation to connect resources from multiple projects to a common network to communicate securely and efficiently using the internal IP from that network. In case if you are trying to connect from on-premises to Google Cloud, use Cloud VPN or Interconnect services depending on the business use case
4. Securing your Applications and Data
Google Cloud has many wonderful Products and Services which helps your applications and data to be more secure and safe in addition to the scale you are looking for. Start using them to get the best benefit
Some of the major gaps I’ve noticed with my different enterprise GCP foundation assessments are like No VPC Service Controls in place, No usage of Secret Manager at all, Poor Cloud SQL Security Configuration, Cloud Functions running with abnormalities and Steps not taken for Application Scalability and Security
Let me simplify ‘why’ you need to consider them from the get go:
- In case if you are using the services such as GCS and BigQuery, VPC Service Controls bring the ability to mitigate the risk of data exfiltration from these services. It is a recommended practice to configure VPC Service Controls to create perimeters that protect the resources and data on those services
- Sensitive information such as passwords, API keys or certificates are stored in plain-text format instead of using the Secret Manager. To protect and limit access to the sensitive information, start using the Secret Manager. It also comes with versioning and rotation mechanisms for more secure and control management. The best use case scenarios such as DB Passwords, API Keys and Certificates must be used with Secret Manager without fail
- In some cases, noticed Cloud Functions are running with deprecated run-time environments which poses a potential security risk due to existing vulnerabilities against it. In order to avoid, applicable Organisation Policies can be enabled and in addition to that implement a standard development practices and guidelines within your organisation. It is also recommended to implement a Monitoring and Review process of service usage and their versions at regular intervals
- SQL Security focus is another area where I’ve noticed fundamental issues during my assessments. In order to attain better SQL Security, consider implementing Restrict Public IP access on the Cloud SQL instances by enabling an organization policy. For additional security, consider using Cloud SQL Proxy. Also, through organization policy unauthorized network access can be disallowed as well. Always, allow only secured connections to access your Cloud SQL instances either through TLS protocol or SSL encryption
- To bring Application Security and Provide Scalability at the same time, use a combination of Global Load Balancer with Cloud Armor Security Policies for WAF Protection. You can also use Cloud CDN to accelerate your applications for the users and Identify Aware Proxy services to control access to your applications and thus implement Zero-Trust Access model. External Global Load Balancer enables to run and scale your applications behind a single external IP address whereas Cloud Armor helps to protect from multiple types of threats including DDoS attacks and application attacks like XSS and SQLi etc.,
5. Logging, Monitoring and Operations
Enterprises typically run multiple applications and processes and often across different platforms. Logging and Monitoring of these applications from Operations perspective is a key element which helps track the health of the applications. To help with these business needs, google cloud has Cloud Logging and Cloud Monitoring services to manage logging, monitoring, debugging, tracking, profiling and many more.
General tendency I’ve noticed during my assessments is that the business users are unaware these services and their benefits. In this blog, I’ll try to highlight ‘why’ it is beneficial to make use of these services to the best possible
- Enable logging for any historical analysis and monitoring purposes which helps to track the health of the applications and GCP resources regularly. It is a good practice to set up a separate Monitoring Project for the Production folder and export the logging through applicable log sink/s. Do keep a note that logging retains app and audit logs for a limited period of time. In case if you want to retain logs for longer duration to meet compliance regulations, utilise other GCP services to fit your purpose
- Setup required Alerts through notification channels to help act on the alerts as needed
- The centralised logging location must be highly secured with access to only privileged members and a SIEM to monitor these logs regularly. Secure mechanisms help prevent log manipulation which could cover up malicious activity or attacks and SIEM could monitor and alert for
- Use Security Command Center [SCC] and Security Scanner [SS] as both of these products enable to monitor and track the security vulnerabilities in the applications continuously through a single plain of glass to help mitigate and handle them aggressively. The SCC provides a centralised vulnerability and threat reporting service to help strengthen the security posture of the GCP infrastructure whereas SS identifies the security vulnerabilities in the applications
- To increate agility and reduce time-to-market for applications and features, break silos between different teams such as development, operations, security and networking team and build the DevOps culture and use the Tools where necessary to achieve it collaboratively
6. Billing and Management
Even though this sounds very critical as it deals with $, it was surprising to see in some cases that this section has been handled in a least effective manner.
Fundamentally, enterprises should take steps to understand ‘how each of these google cloud resources are charged’, ‘how they can setup a billing management controls’ and then plan for their capacity requirements by implementing cost controls and build centre of excellence over time
Budget Alerts are very critical for control and monitoring of the $$$ spent and implement ‘Labelling’ where ever applicable for easy tracking and isolation in breaking down the costs. These alerts help in the case of any excessive spending due to any malicious activity or attacks such as DDoS etc.,
In order to build a centre of excellence, it is a good practice to nominate Google Cloud Experts and Champions in your team/organisation. A range of training and certification options are available to help nominated champions to grow in their area and build their expertise. Teams can stay up to date on the latest news, announcements and customer stories by following the Google Cloud Blog
That’s it for now.
As you know, the topic is very huge and we can go on and on and on as there are too many things to consider and highlight in each of the sections above ….
but with this blog, I wanted to touch upon bare minimum things to start eyeing from the day one and start building it more and more securely as you progress.
Hope this information finds useful.
Thanks for taking time to read!