Security guardrails for end users:
Organization policy — Provides centralized and programmatic control over how the organization’s resources are deployed. For example, the organization policy constraint constraints/compute.requireShieldedVm prevents engineers and users from deploying standard (non-Shielded) VMs. More info on Shielded VMs:
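The constraint above only blocks new instances; VMs created before it was enforced keep running. As an added example (not part of the original page or any Google tool), the Python check below reads instance descriptions in the shape `gcloud compute instances list --format=json` returns and reports which instances lack the Shielded VM options the constraint expects; it assumes those options are Secure Boot, vTPM and integrity monitoring, and the instance data is constructed.

```python
import json

# Shielded VM options a new instance must have while the constraint is
# enforced (assumption: Secure Boot, vTPM and integrity monitoring, all
# exposed by the Compute API under shieldedInstanceConfig).
SHIELDED_OPTIONS = ("enableSecureBoot", "enableVtpm", "enableIntegrityMonitoring")

# Constructed sample in the shape of `gcloud compute instances list --format=json`,
# trimmed to the fields this check reads; not data from a real project.
SAMPLE_INSTANCES = json.loads("""[
  {"name": "web-1", "status": "RUNNING",
   "shieldedInstanceConfig": {"enableSecureBoot": true, "enableVtpm": true,
                              "enableIntegrityMonitoring": true}},
  {"name": "legacy-db", "status": "RUNNING",
   "shieldedInstanceConfig": {"enableSecureBoot": false, "enableVtpm": true,
                              "enableIntegrityMonitoring": false}},
  {"name": "build-agent", "status": "TERMINATED"}
]""")


def missing_shielded_options(instance):
    """Return the Shielded VM options that are absent or disabled on one instance.
    An instance with no shieldedInstanceConfig at all (e.g. built from a
    non-Shielded image) is reported as missing every option."""
    cfg = instance.get("shieldedInstanceConfig") or {}
    return [opt for opt in SHIELDED_OPTIONS if not cfg.get(opt, False)]


def audit_shielded_vm(instances):
    """Map each non-compliant instance name to its missing options.
    Fully compliant instances are omitted, so an empty dict means all clear."""
    findings = {}
    for inst in instances:
        missing = missing_shielded_options(inst)
        if missing:
            findings[inst["name"]] = missing
    return findings


if __name__ == "__main__":
    for name, missing in audit_shielded_vm(SAMPLE_INSTANCES).items():
        print(f"{name}: missing {', '.join(missing)}")
```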
VPC Service Controls — Prevents unauthorized data movement by isolating GCP resources and restricting data flows with fine-grained rules. VPC Service Controls enable context-based perimeter security to secure API-based services. Users working on a protected service within a VPC Service Control perimeter will be restricted to the rules defined by the administrator, helping to mitigate the risk of data exfiltration.
Cloud IAM — Enables granular access control so that developers only have access to the specific Google Cloud resources they need, applying the principle of least privilege and preventing overly permissive roles.
Recommender is a service that generates recommendations for your resources; its IAM recommendations can be used to remove excessive permissions as well.
Security guardrails at the organization level:
Visibility: Cloud resources are often ephemeral and difficult to monitor. To ensure visibility, you can leverage first-party and third-party cloud security and monitoring services.
Resource Hierarchy: GCP lets you define your own resource hierarchy. For example, you can organize folders, projects, and teams under an organization, and assign permissions accordingly.
Centralized Logging and Monitoring: You can implement logging and monitoring to ensure the health of your applications, pipelines, and various processes. Logging and monitoring systems collect and analyze the data needed to trace, profile, and debug. If you are running multiple environments, you should implement a centralized logging and monitoring solution that provides you with visibility of all assets.
Cloud Logging: To collect logs that provide diagnostic information about the health of your assets, you can use Cloud Logging, a native Google Cloud service. Cloud Logging integrates with the majority of Google Cloud services.
Cloud Monitoring: To monitor your assets, you can use Cloud Monitoring. This is a native Google Cloud service that enables you to gain information about the overall performance and health of your infrastructure and applications. Cloud Monitoring can ingest metrics, metadata, and events. It then generates insights, which are visualized in customizable dashboards. You can also get alerts when certain events occur. Cloud Monitoring integrates with Cloud Logging, a wide range of Google Cloud services, and third parties.
Misconfigurations:
Many cloud data breaches occur due to misconfigurations. Here are some best practices you can implement to protect your cloud environment:
- Continuously manage access controls: ensure permissions are always relevant and assigned according to current roles, by monitoring IAM policies to confirm they are implemented as intended.
- Enforce the principle of least privilege: give users only the permissions they require for their jobs.
- Implement logging: identify changes across your cloud environments and determine the extent of incidents.
- Automate as much as possible: so that vulnerabilities, misconfigurations, and unauthorized activity are discovered rapidly.
Policy Analyzer is a useful tool for finding out which users, service accounts, and groups have what access to which Google Cloud services.
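As an added illustration (not part of the original page or of any Google tool), the Python check below takes an IAM policy in the JSON shape `gcloud projects get-iam-policy --format=json` returns, answers the question Policy Analyzer answers at scale (who holds which role), and flags bindings that break least privilege: basic roles and public principals. The policy document, principals and project name are constructed.

```python
import json

# Basic (primitive) roles grant broad access across a whole project and are
# the usual source of overly permissive bindings.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Special principals that make a resource reachable by anyone.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`;
# the principals, project name and etag are made up.
SAMPLE_POLICY = json.loads("""{
  "version": 1,
  "etag": "constructed-etag",
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:ci@example-proj.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/logging.viewer", "members": ["group:sre@example.com"]}
  ]
}""")


def roles_by_principal(policy):
    """Invert the policy into principal -> sorted roles: who has what access."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, []).append(binding["role"])
    return {member: sorted(roles) for member, roles in out.items()}


def find_risky_bindings(policy):
    """Return (role, principal, reason) tuples for bindings that break least
    privilege: any public principal, and any basic role on any principal."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((role, member, "public principal"))
            if role in BASIC_ROLES:
                findings.append((role, member, "basic role"))
    return findings


if __name__ == "__main__":
    for role, member, reason in find_risky_bindings(SAMPLE_POLICY):
        print(f"{reason}: {member} has {role}")
```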
Other Google Cloud Security Tools:
Google Cloud KMS: Google Cloud Key Management Service (KMS) lets you manage cryptographic keys. You can use Google’s KMS to create, rotate and destroy several types of cryptographic keys, including AES256, RSA 3072, RSA 2048, RSA 4096, EC P384, and EC P256. You can either manually rotate keys or opt to automate the process.
Google Cloud Security Command Center: The Google Cloud Security Command Center can detect vulnerabilities in Google Kubernetes Engine (GKE), Google Compute Engine (GCE), and Google App Engine (GAE). Cloud Security Scanner lets you create, schedule, run, and manage scans via the GCP console. The scanner can detect many vulnerabilities, such as Flash injection, cross-site scripting (XSS), and mixed content, as well as outdated or insecure JavaScript (JS) libraries.
Google Cloud Compliance: Google provides a wide range of resources and services you can use to maintain compliance in your global and regional resources. You can use Google Anthos to enforce compliance and security policies across your cloud environment.
Security guardrails at the code level:
The OWASP Foundation offers many valuable resources, among them the OWASP Top 10, which lists the most common security risks and is a good starting point.
Access control, which includes authentication and authorization, is one of the basic building blocks of protecting your system.
Enforcing strong encryption is another important aspect of keeping your system secure. Many readily available libraries help you implement encryption, so minimal custom code needs to be written.
Secrets management is another important security measure: you should never hardcode secrets such as passwords or access keys, or upload them to code repositories.
Automated scanning and code reviews: cross-site scripting (XSS), SQL injection, and other types of attacks exploit security vulnerabilities in your code. Both XSS and SQL injection attacks result from weaknesses in your code. A combination of regular secure code reviews and automated tools that scan your code for these vulnerabilities can help prevent such attacks.
How to access apps and VMs securely: BeyondCorp Enterprise is a zero-trust solution that enables secure access to applications.
If you are new to Google Cloud and want to deploy infrastructure more securely and make it production-ready, a Secure landing zone is a good way to start.
Other useful GitHub repos:
https://github.com/terraform-google-modules/terraform-google-project-factory
https://github.com/orgs/GoogleCloudPlatform/repositories
https://github.com/GoogleCloudPlatform/terraformer
https://github.com/GoogleCloudPlatform/security-response-automation