Google Cloud Security Best Practices recommended for all tenants
- Google Cloud's security offerings provide visibility into the volume and types of resources (virtual machines, load balancers, virtual firewalls, users) across multiple projects and VPCs. Avoid using a separate tool for each individual instance or Virtual Private Cloud (VPC): tool sprawl creates security holes within the cloud systems, and an organization short on staff that keeps enabling more security tools ends up with an unmanageable platform and, eventually, breaches caused by security operations process failures.
- Grant appropriate cloud resource permissions to users, admin roles and resource accounts. Avoid binding permissions directly to users: add users to their respective groups and assign the groups roles relevant to the job task. Avoid standalone accounts that belong to no group.
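The group-over-user rule above is easy to check on an exported IAM policy. The script below is an added example (not Google's code and not part of the original text); it reads the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints and flags role bindings made directly to a `user:` principal, public principals, and broad roles bound to anything other than a group. `SAMPLE_POLICY` is constructed with example.com identities so the script runs offline.

```python
"""Audit an exported GCP project IAM policy for permissions bound directly
to users instead of groups.

Added example, not Google's or the page's code. Input is the JSON that
`gcloud projects get-iam-policy PROJECT_ID --format=json` prints: an object
with a "bindings" list of {"role": ..., "members": [...]}. SAMPLE_POLICY is
constructed with example.com identities.
"""
import json
import sys

# Broad predefined roles where any non-group binding deserves a finding.
HIGH_PRIVILEGE_ROLES = {"roles/owner", "roles/editor"}
# Principals that make a resource reachable by anyone (or any Google account).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy in gcloud's export format.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com", "group:gcp-admins@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["group:gcp-readers@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
}


def member_kind(member):
    """'user', 'group', 'serviceAccount', 'allUsers', ... from an IAM member string."""
    return member.split(":", 1)[0]


def audit_iam_policy(policy):
    """Return (member, role, reason) findings; an empty list means the policy is clean."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            kind = member_kind(member)
            if kind == "user":
                findings.append((member, role,
                                 "bound directly to a user; bind the role to a group and add the user to it"))
            elif kind in PUBLIC_PRINCIPALS:
                findings.append((member, role, "public principal grants access to everyone"))
            elif role in HIGH_PRIVILEGE_ROLES and kind != "group":
                findings.append((member, role,
                                 "broad role on a non-group principal; prefer a narrower role"))
    return findings


def group_coverage(policy):
    """Fraction of bindings whose members are all groups: a quick health metric."""
    bindings = policy.get("bindings", [])
    if not bindings:
        return 1.0
    clean = sum(1 for b in bindings
                if all(member_kind(m) == "group" for m in b.get("members", [])))
    return clean / len(bindings)


if __name__ == "__main__":
    # Usage: gcloud projects get-iam-policy PROJECT_ID --format=json | python audit_iam.py
    policy = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POLICY
    for member, role, reason in audit_iam_policy(policy):
        print(f"{role:40} {member:60} {reason}")
    print(f"group-only bindings: {group_coverage(policy):.0%}")
```

On the sample policy this reports the owner binding to `alice@example.com`, the editor role on the default compute service account, and the public `allUsers` binding; only one of the four bindings is group-only.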
- Google Cloud grants tenants access to several of the identity management features of Google Workspace, Google's suite of cloud-native collaboration and productivity applications.
- Multi-factor authentication requires more than one technique to authenticate a user. Combining a password with a biometric control is a common form of MFA.
- GCP Cloud Key Management Service (KMS) is a cloud-hosted key management service in which the tenant's cloud custodian manages symmetric and asymmetric encryption keys. Google allows tenants to create, use, rotate, and destroy AES-256, RSA-2048, RSA-3072, RSA-4096, EC P-256, and EC P-384 encryption keys.
- Tenants should treat cloud accounts and access to Google Cloud assets as critical resources. Development tools and applications need to make API calls to access GCP resources, so managing those credentials and identities is critical to the overall security posture.
- Google also strongly encourages managing VPC firewalls and unrestricted traffic within the cloud environment. Many organizations attempt to follow network security best practices, yet many VPCs remain unprotected for lack of firewall rules and port lockdowns. A policy that enforces network access is also highly recommended.
- Google best practice suggests restricting outbound access to prevent accidental data loss. Specifically, when a public cloud environment initiates cloud-to-cloud connections, Google recommends deploying access control lists so that only approved connectivity is permitted and all other connection requests are denied. These secured connections support cloud expansion and access to resources such as cloud storage. Access to cloud storage needs its own policy, enforced to protect this critical asset.
- Set up a log correlation and capture tool for all syslog traffic. All activity logs should be retained for 350 days and data access logs for 30 days. The application layer within a VPC contains valuable security login information; application stacks also contain built-in security controls that report into syslog, and all user actions are logged to syslog as well. Cloud platforms also offer this as a managed service.
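The two firewall points above (lock down ingress ports, and deny outbound traffic that has not been explicitly approved) can be audited from an export of the VPC firewall rules. This is an added example, not Google's code and not part of the original text. It expects the JSON that `gcloud compute firewall-rules list --format=json` prints and reports enabled ingress rules that expose administrative or database ports to `0.0.0.0/0`, plus any network that has no explicit deny-all egress rule (without one, the implied egress rule allows all outbound traffic). `SAMPLE_RULES` and `SENSITIVE_PORTS` are constructed for the example.

```python
"""Audit exported VPC firewall rules for internet-exposed sensitive ports and
for networks without an explicit deny-all egress rule.

Added example, not Google's or the page's code. Input is the JSON list that
`gcloud compute firewall-rules list --format=json` prints. SAMPLE_RULES is
constructed; the network URLs and project name are placeholders.
"""
import json
import sys

# Ports whose exposure to the whole internet is always worth a finding (constructed list).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql",
                   5432: "postgres", 6379: "redis", 27017: "mongodb"}
ANY = "0.0.0.0/0"
NET = "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/"

SAMPLE_RULES = [
    {"name": "allow-ssh-anywhere", "network": NET + "default", "direction": "INGRESS",
     "priority": 1000, "sourceRanges": [ANY],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "disabled": False},
    {"name": "allow-internal", "network": NET + "default", "direction": "INGRESS",
     "priority": 65534, "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "all"}], "disabled": False},
    {"name": "allow-web", "network": NET + "default", "direction": "INGRESS",
     "priority": 1000, "sourceRanges": [ANY],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}], "disabled": False},
    {"name": "allow-all-disabled", "network": NET + "default", "direction": "INGRESS",
     "priority": 900, "sourceRanges": [ANY],
     "allowed": [{"IPProtocol": "all"}], "disabled": True},
    {"name": "deny-all-egress", "network": NET + "default", "direction": "EGRESS",
     "priority": 65000, "destinationRanges": [ANY],
     "denied": [{"IPProtocol": "all"}], "disabled": False},
    {"name": "allow-rdp-prod", "network": NET + "prod", "direction": "INGRESS",
     "priority": 1000, "sourceRanges": [ANY],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}], "disabled": False},
]


def sensitive_ports_in(ports_spec):
    """Sensitive ports covered by a 'ports' list such as ["22", "8000-9000"].

    An empty or missing list means the protocol is allowed on every port.
    """
    if not ports_spec:
        return sorted(SENSITIVE_PORTS)
    hit = set()
    for entry in ports_spec:
        lo, _, hi = entry.partition("-")
        lo, hi = int(lo), int(hi or lo)
        hit.update(p for p in SENSITIVE_PORTS if lo <= p <= hi)
    return sorted(hit)


def network_name(rule):
    """Short network name from the self-link URL gcloud exports."""
    return rule.get("network", "").rsplit("/", 1)[-1]


def audit_firewall_rules(rules):
    """Return (rule_name, network, reason) findings over enabled rules."""
    findings, networks, egress_locked = [], set(), set()
    for rule in rules:
        if rule.get("disabled"):
            continue                      # disabled rules have no effect on traffic
        net = network_name(rule)
        networks.add(net)
        if rule.get("direction", "INGRESS") == "INGRESS":
            if ANY not in rule.get("sourceRanges", []):
                continue
            for allowed in rule.get("allowed", []):
                proto = allowed.get("IPProtocol", "all")
                if proto == "all":
                    findings.append((rule["name"], net, "allows all protocols from the internet"))
                elif proto in ("tcp", "udp"):
                    ports = sensitive_ports_in(allowed.get("ports", []))
                    if ports:
                        findings.append((rule["name"], net,
                                         f"exposes {proto} {ports} to the internet"))
        elif ANY in rule.get("destinationRanges", []) and any(
                d.get("IPProtocol") == "all" for d in rule.get("denied", [])):
            egress_locked.add(net)        # explicit deny-all egress present
    for net in sorted(networks - egress_locked):
        findings.append(("<implied-egress>", net,
                         "no explicit deny-all egress rule; implied rule allows all outbound traffic"))
    return findings


if __name__ == "__main__":
    # Usage: gcloud compute firewall-rules list --format=json | python audit_fw.py
    rules = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_RULES
    for name, net, reason in audit_firewall_rules(rules):
        print(f"{net:12} {name:24} {reason}")
```

On the sample the `default` network passes the egress check because of `deny-all-egress` but is flagged for SSH open to the world; `prod` is flagged both for public RDP and for having no deny-all egress rule. Priorities are exported but not evaluated here, so a lower-priority permit that is shadowed by a higher-priority deny would still be reported; treat the output as a review list rather than a verdict.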
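A small illustration of the log correlation the last point asks for, applied to Cloud Audit Log entries rather than raw syslog. This is an added example, not Google's code and not part of the original text. It takes entries in the JSON shape that `gcloud logging read --format=json` prints, maps each entry to the retention the text requires (activity logs 350 days, data access logs 30 days), alerts on sensitive admin actions, and correlates each principal's source IPs across entries so that a sensitive action or a first-time source address stands out. The entries, identities and IPs in `SAMPLE_ENTRIES` are constructed (RFC 5737 documentation addresses, example.com accounts); the method names are real GCP audit method names.

```python
"""Correlate exported Cloud Audit Log entries and apply the retention rule
from the text (activity logs 350 days, data access logs 30 days).

Added example, not Google's or the page's code. Input is the JSON list that
`gcloud logging read --format=json` prints; SAMPLE_ENTRIES is constructed.
"""
from collections import defaultdict
from urllib.parse import unquote

# Retention the text calls for, keyed by audit log stream name.
REQUIRED_RETENTION_DAYS = {"activity": 350, "data_access": 30}

# Admin Activity methods worth an alert on their own (real GCP method names).
SENSITIVE_METHODS = {
    "SetIamPolicy",
    "v1.compute.firewalls.insert",
    "v1.compute.firewalls.patch",
    "v1.compute.firewalls.delete",
    "google.logging.v2.ConfigServiceV2.DeleteSink",
}


def _entry(ts, stream, principal, method, ip):
    """Build one entry in the shape Cloud Logging exports (constructed sample)."""
    return {
        "timestamp": ts,
        "logName": f"projects/example-project/logs/cloudaudit.googleapis.com%2F{stream}",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
        },
    }


SAMPLE_ENTRIES = [
    _entry("2024-05-01T09:00:00Z", "activity", "alice@example.com",
           "v1.compute.instances.insert", "203.0.113.10"),
    _entry("2024-05-01T09:05:00Z", "data_access", "alice@example.com",
           "storage.objects.get", "203.0.113.10"),
    _entry("2024-05-01T09:30:00Z", "activity", "alice@example.com",
           "SetIamPolicy", "203.0.113.10"),
    _entry("2024-05-01T10:00:00Z", "activity", "bob@example.com",
           "v1.compute.firewalls.delete", "198.51.100.7"),
    _entry("2024-05-01T10:15:00Z", "activity", "alice@example.com",
           "v1.compute.instances.delete", "198.51.100.200"),
]


def log_stream(entry):
    """'activity', 'data_access', ... from the URL-encoded logName."""
    return unquote(entry["logName"]).rsplit("/", 1)[-1]


def retention_requirements(entries):
    """Map each stream present in the export to the retention the text requires."""
    return {s: REQUIRED_RETENTION_DAYS.get(s) for s in {log_stream(e) for e in entries}}


def correlate(entries):
    """Return (timestamp, principal, kind, detail) alerts in time order.

    kind is 'sensitive-admin-action' for SENSITIVE_METHODS in the activity
    stream, or 'new-source-ip' when a principal acts from an address not seen
    in any of their earlier entries.
    """
    alerts = []
    seen_ips = defaultdict(set)
    for e in sorted(entries, key=lambda x: x["timestamp"]):
        p = e["protoPayload"]
        principal = p["authenticationInfo"]["principalEmail"]
        ip = p.get("requestMetadata", {}).get("callerIp", "")
        method = p.get("methodName", "")
        if seen_ips[principal] and ip not in seen_ips[principal]:
            alerts.append((e["timestamp"], principal, "new-source-ip", ip))
        seen_ips[principal].add(ip)
        if log_stream(e) == "activity" and method in SENSITIVE_METHODS:
            alerts.append((e["timestamp"], principal, "sensitive-admin-action", method))
    return alerts


if __name__ == "__main__":
    print(retention_requirements(SAMPLE_ENTRIES))
    for alert in correlate(SAMPLE_ENTRIES):
        print(*alert)
```

The sample produces three alerts: the IAM policy change and the firewall deletion as sensitive admin actions, and Alice's later instance deletion as a first-time source address. In a real deployment the `seen_ips` baseline would be persisted across runs rather than rebuilt from the current export.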
Leverage Google-documented security architectures
Google makes available on its website several documents on best practices for deployment within projects or VPCs. Several of these best practices are industry specific, including:
- Healthcare: Setting up a HIPAA-aligned project
- Retail: PCI on GKE security blueprint
- Government: FedRAMP-aligned workload blueprint
- Strengthening operational resilience for FinServ
- Risk governance of digital transformation
Along with industry best practices, Google also publishes several documents around platform specific best practices, including:
- Security foundations deployable assets
- Secured Data Warehouse blueprint GitHub repository
- AI Platform Notebooks blueprint GitHub repository
Role of a 3rd-party pen tester in the Google Cloud environment
Even with the well-documented architectures and best practices from Google, tenants still need to employ an independent 3rd-party pen-testing firm to validate Google Cloud security capabilities and cloud logging, and to confirm that the tenant has a cloud security incident response workflow. Even under the shared management model with Google Cloud, the tenant remains 100% responsible for their data. Public cloud providers like Google, Microsoft, and AWS offer several security control solutions along with advanced monitoring capabilities. Yet without an independent pen test to verify that these controls are working for a specific tenant, the tenant has no recourse if they suffer a security breach: they alone, not Google, will be accountable for the data loss. Google does not need to be notified when a tenant is performing a pen test. Most 3rd-party pen testers offer ongoing engagements that include post-remediation validation and random virtual network security checks, to keep pace with the constant changes within the tenant VPC.