GCP Penetration Testing Best Practices and Its Importance - CYBRI

BY Paul Kubler

Why is Google Cloud Penetration Testing Important?

Google Cloud pen testing is a critical work stream for organizations considering cloud deployment. Pen testing is a fundamental part of any security program. For pen testing to be of value to the organization, it needs to be relevant and carried out with a purpose in mind. Testing just to test is a waste of both resources and capital.

Cloud environments separate the shared services, better known as the control plane, from tenant data, which Google segments by client. Testing the control plane is not allowed within Google Cloud.

The importance of Google Cloud pen testing is not limited in scope; however, here are a few more points to consider when defining a Google Cloud test:

  • When performing a cloud pen test within the tenant's own project or VPC, the tenant is not required to notify Google.
  • Google states tests should only affect the tester’s application or VPC, not other users or services. Google also has a Vulnerability Rewards Program to recognize the help of security researchers and professionals who find weaknesses in Google applications.
  • Tenants need to follow the Cloud Platform Acceptable Use Policy ensuring that their tests only impact their projects or VPCs.
  • Identify security vulnerabilities specific to the tenants’ VPC or project. 
  • Identify broken access controls entering and departing the VPC.

Google Cloud Platform Provides World Class Security, so Why Do I Need to Worry About Securing my Instance?

With Google Cloud Platform, your projects take advantage of the same security model that Google uses to keep its customers safe on other Google properties. However, if your instance becomes configured incorrectly, it could be vulnerable to an attack. 

Is Google Cloud secure enough?

Google, compared to AWS and Microsoft, has a very strong technical and security advantage in the data center space. Google architects and builds its data centers with custom-designed servers running an in-house operating system. Google developed its cloud platform from scratch, including many services such as Kubernetes. The actual source code and custom cloud operating system, along with the storage algorithms, are not available outside of Google. Developing an entire in-house, closed-loop system gives Google an immense advantage over other cloud providers. Only Google knows if and when its source code is vulnerable and what impact that could have on its tenants. AWS used similar in-house applications for its cloud offering; however, Google has several years' advantage in both experience and proven global stability.

What Should I Do if My Google Cloud Project Has Been Compromised?

As the owner of a project or a tenant with a VPC, you are responsible for securing the software installed on your virtual machines. The following steps will help limit the damage:

  • Stop the instance immediately.
  • Notify impacted users; they might wonder why your service is down.
  • Identify the source of the vulnerability by analyzing the behavior of your instance and the software you’ve installed.
  • Ensure that all the software is up to date.

What are the Various Pen Tests Available Through 3rd Party Providers Against a Google VPC?

There are several pen testing strategies that tenants can engage a 3rd-party firm for. Each method of engagement comes at a cost and with a variable level of complexity. Pen testing should not be a one-time box-checking activity. Specifically for a Google Cloud deployment, a pen test should be scoped to the application and to the level of privacy and compliance required of the data. Most times, pen tests become part of the post-cloud remediation work stream.

1. Black Box Penetration Testing

Black box penetration testing is a human and technical attack engagement in which the cloud testers do not have authenticated access to your cloud systems. With black-box penetration testing, cloud penetration testers must work only with the information they can find online or, possibly, through social engineering. Black box testing is often the most comprehensive engagement. For Google specifically, this engagement could range from testing Gmail instances or projects to a specific VPC-hosted application.

2. White Box Penetration Testing

White box pen testing is a type of engagement in which the tester is granted admin-level access to the Google Cloud systems, or has full knowledge of them. Most times, the tester team will interview the DevOps and SecOps teams, along with the application teams, well ahead of the engagement. Most often, the white box tester team will also offer post-remediation pen test engagements.

3. Gray Box Penetration Testing

A gray box penetration test uses methods from both white box and black box pen testing. This engagement simulates an attack by internal cloud users who have limited access to the Google Cloud environment. It is an excellent engagement for testing the scenario in which the attacker is an insider within the organization.

What is Discovered During a Pen Test Against Google VPCs?

Misconfigured Inbound Ports

Inbound ports are also one of the major GCP controls that need to be tested. The most important inbound ports that need to be secured by VPC firewall rules include those carrying SSH, web, and FTP traffic.
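As an added example (not code from the original article), the following Python script audits the sort of VPC firewall misconfiguration described above from a defender's side. It takes the JSON that `gcloud compute firewall-rules list --format=json` prints and flags INGRESS rules that open the SSH, FTP or web ports to the whole internet (0.0.0.0/0 or ::/0). The field names (`direction`, `sourceRanges`, `allowed`, `IPProtocol`, `ports`, `disabled`) follow the Compute API's Firewall resource; the sample rule set embedded below is constructed for illustration and is not from any real project.

```python
"""Audit GCP VPC firewall rules for over-permissive inbound access.

Added example, not from the original article. Input is the JSON printed by
`gcloud compute firewall-rules list --format=json`; the rules below are
constructed sample data, not a real project's configuration.
"""
import json

# Ports the article singles out: SSH, web and FTP.
SENSITIVE_PORTS = {21: "FTP", 22: "SSH", 80: "HTTP", 443: "HTTPS"}
# Source ranges that mean "anyone on the internet".
WORLD_RANGES = {"0.0.0.0/0", "::/0"}

# Constructed sample output of `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES_JSON = json.dumps([
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-web", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "allow-all-tcp-internal", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp"}]},           # no "ports" key = all ports
    {"name": "allow-ftp-range", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["20-21"]}]},
    {"name": "allow-ssh-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "egress-any", "direction": "EGRESS", "disabled": False,
     "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
])


def expand_ports(spec):
    """Return every port covered by a gcloud port spec such as '22' or '20-21'."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return list(range(int(lo), int(hi) + 1))
    return [int(spec)]


def exposed_sensitive_ports(rule):
    """Return {port: service} for sensitive ports the rule opens to the internet.

    Egress rules, disabled rules and rules whose sources are not world-reachable
    are ignored; an 'allowed' entry without a 'ports' list covers every port.
    """
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return {}
    if not WORLD_RANGES & set(rule.get("sourceRanges", [])):
        return {}
    found = {}
    for entry in rule.get("allowed", []):
        proto = entry.get("IPProtocol", "").lower()
        if proto not in ("tcp", "all"):
            continue
        if "ports" not in entry:
            found.update(SENSITIVE_PORTS)
            continue
        for spec in entry["ports"]:
            for port in expand_ports(spec):
                if port in SENSITIVE_PORTS:
                    found[port] = SENSITIVE_PORTS[port]
    return found


def audit_firewall_rules(rules_json):
    """Parse gcloud JSON output and return {rule_name: sorted exposed ports}."""
    findings = {}
    for rule in json.loads(rules_json):
        ports = exposed_sensitive_ports(rule)
        if ports:
            findings[rule["name"]] = sorted(ports)
    return findings


if __name__ == "__main__":
    for name, ports in audit_firewall_rules(SAMPLE_RULES_JSON).items():
        labels = ", ".join(f"{p}/{SENSITIVE_PORTS[p]}" for p in ports)
        print(f"{name}: open to the internet on {labels}")
```

On the sample data the script reports `allow-ssh-anywhere` (22), `allow-web` (80, 443) and `allow-ftp-range` (21), while the internal-only, disabled and egress rules are not flagged. A world-open web rule may well be intentional for a public HTTP(S) service, so findings on 80/443 are triage items rather than automatic failures; the SSH and FTP findings are the ones that typically end up in a pen test report.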

Why is Google Cloud Penetration Testing important?

Google Cloud began as a consumer product, not as an enterprise or service-provider platform. The origins of the platform did not include several enterprise- or government-level security controls such as FedRAMP and ISO 27001; these compliance frameworks were added years later. Even with billions of dollars invested and 500+ engineers worldwide, Google still lacks the enterprise expertise that Microsoft Azure and Amazon Web Services have today. Google is making major inroads in the local and state government markets through its secured cloud offering and compliance services. Tenants of Google should still incorporate 3rd-party pen testing against their Google projects and VPCs. Real-life exploitation of security risks and vulnerabilities will exist in some form within the Google cloud. Having an independent 3rd-party test team engage with your organization will ensure the highest level of objectivity and experience in validating the security of your Google instance.
