When it comes to securing your workloads in the cloud, having a well-defined security strategy with the right controls means that the battle is only half won. This series explains the important security controls and categories that can help you build a strong cloud security strategy and how you can implement them in your cloud platform.
Reducing the attack surface, detecting breaches, and responding to attacks in a timely manner are the three main pillars on which your security strategy rests. Getting visibility into the applications and code you run in the cloud through monitoring and logging is essential. Holistic, cloud-native protection for VMs, Kubernetes, CaaS, and FaaS workloads, together with integrated Linux threat detection, should also be taken into account when designing your cloud security strategy. In the first part of this series, we explored the controls and categories that align with these key focus areas and discussed them in detail.
In other posts in this series, we covered how to implement the controls using AWS and Azure services and tools. In this post, we’ll explore the built-in security services for GCP and how they integrate with your cloud security strategy.
GCP Cloud Security Controls
Like AWS and Azure, GCP provides multiple built-in services that you can use to implement a cloud security strategy. Where no native service is available for a given security control, you can address the gap with a third-party solution where appropriate.
Private deployments using VPC: In GCP, Virtual Private Cloud (VPC) networks provide the first level of segmentation by enabling private deployments for workloads. You can add microsegmentation within a VPC using firewall rules, which control traffic by port, protocol, source, and destination. For containerized workloads in Google Kubernetes Engine (GKE) clusters, Kubernetes network policies add a further layer of defense in depth.
Network policies act as pod-level firewall rules for traffic between pods and services, so a compromised pod can only reach the destinations its policies allow, which limits lateral movement rather than preventing the initial compromise. Two caveats: network policies are only enforced when the cluster has network policy enforcement turned on, and a pod that no policy selects accepts traffic from anywhere, so start with a default-deny policy in each namespace and add explicit allows. Istio-based microsegmentation for GKE workloads provides an additional layer of security through mutual TLS authentication, Istio authorization policies, and access logging.
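To make the pod-level behaviour concrete, here is an added example (written for this page, not code from Google or from the original post) that models how Kubernetes NetworkPolicy selects pods and admits ingress. The cluster, the pods, the labels and the two policies are constructed for illustration and mirror the YAML fields of networking.k8s.io/v1 (ingress only; namespaceSelector, ipBlock and egress are left out). It shows why a default-deny policy matters: without one, a pod that no policy selects accepts traffic from anywhere.

```python
# Added example: a minimal model of Kubernetes NetworkPolicy ingress semantics.
# Pods, labels and policies below are constructed, not taken from a real cluster.
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


@dataclass
class NetworkPolicy:
    """Ingress-only subset of networking.k8s.io/v1 NetworkPolicy."""
    namespace: str
    pod_selector: dict                           # spec.podSelector.matchLabels; {} selects every pod
    ingress: list = field(default_factory=list)  # spec.ingress; [] means deny all ingress


def matches(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every key/value in the selector must be present on the pod."""
    return all(labels.get(k) == v for k, v in selector.items())


def ingress_allowed(src: Pod, dst: Pod, port: int, policies: list) -> bool:
    """Decide whether src may connect to dst on port under the given policies."""
    # Only policies in the destination's namespace whose podSelector matches it apply.
    applicable = [p for p in policies
                  if p.namespace == dst.namespace and matches(p.pod_selector, dst.labels)]
    if not applicable:
        return True  # Kubernetes default: a pod selected by no policy accepts all ingress
    for pol in applicable:
        for rule in pol.ingress:
            port_ok = not rule.get("ports") or port in rule["ports"]
            peers = rule.get("from")
            # A rule without "from" admits any source; a bare podSelector is namespace-local.
            peer_ok = not peers or any(
                src.namespace == pol.namespace
                and matches(peer.get("podSelector", {}), src.labels)
                for peer in peers
            )
            if port_ok and peer_ok:
                return True
    return False  # selected by at least one policy, admitted by none


# Constructed sample: a default-deny policy for the namespace plus one explicit allow.
POLICIES = [
    NetworkPolicy(namespace="shop", pod_selector={}, ingress=[]),
    NetworkPolicy(namespace="shop", pod_selector={"app": "db"},
                  ingress=[{"from": [{"podSelector": {"app": "frontend"}}], "ports": [5432]}]),
]
FRONTEND = Pod("frontend-1", "shop", {"app": "frontend"})
DB = Pod("db-1", "shop", {"app": "db"})
BATCH = Pod("batch-1", "shop", {"app": "batch"})    # treat this pod as compromised
LEGACY = Pod("legacy-1", "ops", {"app": "legacy"})  # namespace with no policies at all


def demo() -> dict:
    """What the compromised batch pod (and the legitimate frontend) can reach."""
    return {
        "frontend->db:5432": ingress_allowed(FRONTEND, DB, 5432, POLICIES),        # True
        "batch->db:5432": ingress_allowed(BATCH, DB, 5432, POLICIES),              # False
        "frontend->db:22": ingress_allowed(FRONTEND, DB, 22, POLICIES),            # False
        "batch->frontend:8080": ingress_allowed(BATCH, FRONTEND, 8080, POLICIES),  # False
        "batch->legacy:22": ingress_allowed(BATCH, LEGACY, 22, POLICIES),          # True
    }


if __name__ == "__main__":
    for path, ok in demo().items():
        print(f"{path:22} {'ALLOW' if ok else 'DENY'}")
```

The last entry is the one to notice: the compromised pod cannot reach anything in its own namespace, but it can still reach the unprotected `ops` namespace on any port, because no policy there selects the target. Removing the default-deny policy from `shop` would make every entry return True.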
Cloud Armor: Google Cloud Armor is a web application firewall (WAF) and DDoS defense service that protects workloads behind external HTTP(S) load balancers from unauthorized access and attacks. It does this through security policies whose rules allow or deny traffic based on Layer 3, 4, and 7 attributes; rules are evaluated in ascending priority order, and a mandatory default rule acts as the catch-all. The service also comes with preconfigured WAF rules for common attack classes, such as cross-site scripting (XSS), SQL injection, local and remote file inclusion, and remote code execution.
Services deployed behind HTTP(S), SSL proxy, or TCP proxy load balancers are automatically protected from volumetric DDoS attacks. The load balancer acts as the first line of defense, absorbing common network-layer attacks like SYN floods, IP fragment floods, and port exhaustion, while Cloud Armor rules apply to the application-layer traffic the load balancer forwards.
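Rule priority is where Cloud Armor policies most often go wrong, so here is an added example (not Google's code and not from the original post) that models the evaluation order: rules are tried from the lowest priority number upwards, the first match decides, and the default rule at priority 2147483647 catches everything else. The policy is constructed, only source-IP matching is modelled (real rules can also use Layer 7 expressions), and the addresses are RFC 5737 documentation ranges.

```python
# Added example: a model of priority-ordered security policy evaluation as Cloud Armor does it.
# Rules and addresses are constructed; this is not the service's implementation.
import ipaddress
from dataclasses import dataclass


DEFAULT_PRIORITY = 2_147_483_647  # priority of the mandatory default rule in a Cloud Armor policy


@dataclass(frozen=True)
class Rule:
    priority: int      # lower numbers are evaluated first; must be unique within a policy
    action: str        # e.g. "allow" or "deny(403)"
    src_ranges: tuple  # CIDR strings to match the client IP against; ("*",) matches anything
    description: str = ""


def rule_matches(rule: Rule, client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(r == "*" or addr in ipaddress.ip_network(r, strict=False) for r in rule.src_ranges)


def evaluate(policy: list, client_ip: str) -> Rule:
    """Return the first matching rule in ascending priority order; its action is the verdict."""
    for rule in sorted(policy, key=lambda r: r.priority):
        if rule_matches(rule, client_ip):
            return rule
    raise ValueError("policy has no default rule")


def verdicts(policy: list, ips=("203.0.113.7", "203.0.113.9", "198.51.100.1")) -> dict:
    return {ip: evaluate(policy, ip).action for ip in ips}


# Constructed policy: block an abusive /24 but carve out one partner address inside it.
POLICY = [
    Rule(DEFAULT_PRIORITY, "allow", ("*",), "default rule: allow what nothing above matched"),
    Rule(1000, "deny(403)", ("203.0.113.0/24",), "block abusive range"),
    Rule(500, "allow", ("203.0.113.7/32",), "partner scanner inside the blocked range"),
]

# Same rules, but the carve-out was given a larger priority number than the deny:
# the deny now fires first and the partner is blocked. Shadowed rules are a common mistake.
SHADOWED = [Rule(1500, r.action, r.src_ranges, r.description) if r.priority == 500 else r
            for r in POLICY]


if __name__ == "__main__":
    print("correct: ", verdicts(POLICY))
    print("shadowed:", verdicts(SHADOWED))
```

When reviewing a policy, sort the rules by priority and check each narrow exception sits above (lower number than) the broad rule it is meant to override; the `SHADOWED` list shows what happens when it does not.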
Cloud Security Posture Management
GCP offers cloud security posture management (CSPM) through Security Command Center, a native GCP service that gives you visibility and control over your deployment with a bird's-eye view of the security state of your cloud assets. Built-in threat detection surfaces weak points and active threats, such as outdated application libraries in web apps, reverse shells, or unexpected binaries executing inside containers.
Cloud assets are discovered automatically and onboarded to Security Command Center for continuous monitoring. Misconfigurations and compliance violations are flagged as findings with actionable recommendations for remediation. Security Health Analytics performs the configuration scanning for many services (public storage buckets, overly permissive firewall rules, missing audit logging, and the like), while Container Threat Detection covers runtime attack detection for GKE workloads. These findings appear in the Cloud Console; for runtime vulnerabilities at the application or resource level, third-party services are still recommended.
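To show what a configuration finding actually looks like, here is an added example (not Security Command Center's code and not from the original post) of a posture check of the kind Security Health Analytics runs: it scans VPC firewall rules for SSH or RDP exposed to the whole internet. The inventory is constructed in the shape `gcloud compute firewall-rules list --format=json` returns (only the fields the check reads), and the finding names are illustrative rather than the service's own identifiers.

```python
# Added example: a Security Health Analytics-style check for internet-exposed admin ports.
# The inventory is constructed and the finding names are illustrative.
import json

INVENTORY = json.loads("""
[
  {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-rdp-corp", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
  {"name": "allow-mgmt-range", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3380-3390"]}]},
  {"name": "allow-all-disabled", "direction": "INGRESS", "disabled": true,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
  {"name": "allow-web", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]}
]
""")

SENSITIVE_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def port_in_spec(port: int, spec: str) -> bool:
    """Firewall port specs are either a single port "22" or a range "3380-3390"."""
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def exposed_ports(rule: dict) -> set:
    """Sensitive TCP ports this rule opens to the whole internet (enabled ingress rules only)."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return set()
    if not ANYWHERE & set(rule.get("sourceRanges", [])):
        return set()
    found = set()
    for allowed in rule.get("allowed", []):
        if allowed.get("IPProtocol") not in ("tcp", "all"):
            continue
        specs = allowed.get("ports")  # absent means every port of that protocol
        for port in SENSITIVE_PORTS:
            if specs is None or any(port_in_spec(port, s) for s in specs):
                found.add(port)
    return found


def audit(inventory: list) -> list:
    """One finding per (rule, sensitive port), with the remediation an operator would apply."""
    findings = []
    for rule in inventory:
        for port in sorted(exposed_ports(rule)):
            findings.append({
                "rule": rule["name"],
                "finding": f"OPEN_{SENSITIVE_PORTS[port]}_PORT",  # illustrative finding name
                "port": port,
                "remediation": "restrict sourceRanges to admin CIDRs or reach the VM via IAP TCP forwarding",
            })
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f['finding']:14} {f['rule']:20} tcp/{f['port']}: {f['remediation']}")
```

Note that the port range `3380-3390` and the disabled catch-all rule are the two cases a naive string match on `"22"` or `"3389"` would get wrong: one hides an exposed port inside a range, the other would produce a false positive for a rule that is not in effect. A production check should also treat near-universal ranges such as `0.0.0.0/1` as internet-wide.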
Patch deployment: GCP's OS patch management service (part of VM Manager) keeps your Windows and Linux VMs current with the latest patches. You can review patch status for all your VMs from a central location through compliance reporting, and use automated patch deployment to install missing patches during a designated maintenance window.
Web application vulnerability scanning: Cloud Security Scanner (since renamed Web Security Scanner) crawls and exercises web applications deployed on Compute Engine, GKE, and App Engine to identify vulnerabilities. It can detect and alert you about common issues such as Flash injection, mixed content, cross-site scripting, clear-text password transmission, and outdated libraries. Because the scanner actively submits input to the application, run it against a staging environment rather than production data. It is integrated with Security Command Center, so its findings appear in the same centralized dashboard.
Cloud Workload Protection Platform
Shielded VMs hardened by security controls: Hardening your VMs with standard security best practices protects them from many known vulnerabilities and attacks. Shielded VMs in GCP go further and are hardened specifically against rootkits and bootkits. This protection comes from UEFI firmware, Secure Boot, vTPM-backed Measured Boot, and integrity monitoring.
The vTPM also protects the keys and certificates used to authenticate system access. Secure Boot verifies the signature of each boot component so that only trusted software runs; Measured Boot records a hash of every component into the vTPM as it loads, and integrity monitoring compares those measurements against a baseline and reports when the boot sequence changes, so you can alert on it. Together these defend against malicious insiders, malicious guest firmware, and kernel- or user-mode exploits that try to persist by tampering with the boot chain.
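The mechanism behind Measured Boot and integrity monitoring is the TPM PCR extend operation, so here is an added example (written for this page, not Google's or the vTPM's implementation) that simulates it. Each boot component is hashed and folded into one PCR as PCR_new = SHA-256(PCR_old || SHA-256(component)), which makes the final value depend on every component and the order it loaded; the integrity check is then a comparison against a baseline. The boot components are constructed byte strings, and the choice of a single PCR is a simplification of the real per-stage PCR layout.

```python
# Added example: a simulation of Measured Boot (PCR extend) and the integrity-monitoring
# comparison a Shielded VM performs. Components are constructed; this is not Google's code.
import hashlib

PCR_BYTES = 32  # SHA-256 PCR bank


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new value is H(old_value || digest), so it depends on every prior step."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components: list) -> bytes:
    """Replay a boot: every component is hashed and extended into one PCR, in load order."""
    pcr = bytes(PCR_BYTES)  # PCRs are all zeros after reset
    for blob in components:
        pcr = extend(pcr, hashlib.sha256(blob).digest())
    return pcr


def integrity_check(baseline: bytes, current: bytes) -> str:
    """What integrity monitoring does: compare this boot's measurements against the baseline."""
    return "pass" if baseline == current else "fail: boot measurements differ from baseline"


# Constructed boot chain; on a real VM these are the UEFI firmware, bootloader, kernel, initrd.
FIRMWARE = b"uefi-firmware v1"
BOOTLOADER = b"shim+grub v2.06"
KERNEL = b"vmlinuz 5.15 signed"
INITRD = b"initrd.img"
GOOD_BOOT = [FIRMWARE, BOOTLOADER, KERNEL, INITRD]
BASELINE = measure_boot(GOOD_BOOT)  # captured on the first, known-good boot

# A bootkit that patches the kernel image, and the same components loaded out of order:
# both change the measurement even though the same bytes are present.
BOOTKIT_KERNEL = b"vmlinuz 5.15 signed + bootkit hook"
TAMPERED_BOOT = [FIRMWARE, BOOTLOADER, BOOTKIT_KERNEL, INITRD]
REORDERED_BOOT = [FIRMWARE, KERNEL, BOOTLOADER, INITRD]


if __name__ == "__main__":
    print("clean boot:     ", integrity_check(BASELINE, measure_boot(GOOD_BOOT)))
    print("bootkit kernel: ", integrity_check(BASELINE, measure_boot(TAMPERED_BOOT)))
    print("reordered chain:", integrity_check(BASELINE, measure_boot(REORDERED_BOOT)))
```

Two things to take from the simulation: a single changed bit in any measured component, or a change in load order, yields a different PCR value, which is why a bootkit cannot hide from integrity monitoring. Conversely, anything loaded after the measured chain hands off (a payload dropped into a running VM, a malicious container image) is never measured, so the boot-time comparison still passes; that gap is the reason for the caveat in the next paragraph.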
Note that hardening VMs is not sufficient to protect against all runtime threats. Your cloud ecosystem will probably include Kubernetes, CaaS, FaaS, and similar services in addition to VMs, so a third-party solution such as Intezer Protect, which provides holistic protection across all of these services, can be incorporated to strengthen your security posture.