What is Google Cloud Platform (GCP) Security?
Google Cloud Platform (GCP), one of the leading cloud service providers, offers several built-in security tools, which can be augmented with third-party threat prevention and response capabilities to strengthen an organization’s GCP deployment. One advantage of the cloud is that a customer can hand off responsibility for part of its infrastructure to the cloud provider. GCP’s native controls, combined with cloud security posture management (CSPM) services, cover the needs of most cloud customers.
GCP and other cloud platforms publish shared responsibility models that divide security responsibility between the cloud provider and the cloud customer. The security of the underlying platform architecture and the assurance evidence for it (audits, certifications, attestations) fall under Google’s responsibility.
Google Offers Several Security Services, Including:
- Infrastructure Security: network segmentation, cloud network security, and enhanced network security
- Network Security: network perimeter, VPN access services, and layer 2 private VLAN access; perimeter protection including IDS/IPS and cloud asset collection
- Endpoint Security: endpoint malware and ransomware protection, and patching services
- Data Security: container security, Kubernetes security validation, and cloud security guardian functionality
- Identity & Access Management: extending corporate security policies into the cloud
- Application Security: applications are protected and managed with application testing, scanning, and API security features; complete security coverage is also available
- Security Monitoring & Operations: the customer-accessible Security Command Center
However, data privacy, data protection, and the encryption decisions that go beyond the platform defaults fall under the VPC tenant, not Google. Google encrypts data at rest by default, but what data is stored where, who can reach it, and whether customer-managed keys are used are the tenant’s decisions.
Cloud providers offer many features and services, but they follow the shared-responsibility model: the provider is in charge of the security of the cloud, such as the hardware and backend infrastructure, and the customer is in charge of security in the cloud, such as the configuration of its servers and the privileges granted within its environment. Validating the VPC (virtual private cloud) tenant configuration within Google is your responsibility.
Google performs periodic application-layer vulnerability scans of its own infrastructure using commercial and proprietary tools. Google does not make those scan results available to customers, but customers can perform their own scans of their own resources.
Strategy Behind Cloud Penetration Testing by the VPC Tenant
By engaging a third-party pen testing firm, the VPC tenant may perform this activity against its own projects without notifying Google, provided the testing stays within the tenant’s own resources and complies with the Google Cloud Acceptable Use Policy and Terms of Service.
- It is the organization’s responsibility to implement and enforce security measures and access levels for sensitive data stored in the cloud.
- Any critical security issue that falls on the boundary between the tenant’s VPC and Google’s provisioning layers needs to be coordinated with Google, since the fix may lie on Google’s side of the shared responsibility model.
- Internal security policy compliance, trust and security policies, and the protection of user data fall under the VPC tenant’s responsibility.
Even with Google’s security services enabled, how does the VPC tenant know that those services are compliant, deployed, and operationally maintained? A pen testing work stream is a necessity for any Google VPC tenant.
Detecting Critical Security Risks in Your GCP Cloud With Pen Testing
Test all your GCP workloads, that is VMs, containers, and serverless, including those that are idle, stopped, or paused: a stopped instance keeps its service account, disks, and firewall exposure and comes back with all of them when started. Validating the Kubernetes automation that places workloads is also a critical testing requirement. Attackers specifically target automation (CI/CD pipelines, cluster controllers, image registries) in order to get rogue containers scheduled into your environment or workloads placed onto infrastructure they control.
The pen testing by the VPC tenant should cover the following vulnerable areas:
- Third-party service providers within the tenant VPC
  - A third party doing malicious things against the cloud environment
  - A third party you trust being compromised (as in the SolarWinds incident)
- Container Security: traditional security solutions lack the granular visibility required to monitor data flows and operations within containerized environments. Container security is essential to implementing targeted security controls for containerized applications
- GitHub and open source repositories: mistakes that commit or publish sensitive data (keys, service account files, connection strings) are common
  - Attackers targeting open source libraries, and the security incidents that follow
- Continuous scanning for security misconfiguration
- Application/Server Level Vulnerabilities
  - Locally stored credentials being stolen: cached server credentials, ODBC connection strings, server accounts, and SAML logins that are still active
  - Credentials stolen through a server’s metadata: the instance metadata server at 169.254.169.254 hands the attached service account’s access token to any process on the instance that sends the `Metadata-Flavor: Google` header, so an SSRF or local code execution on the VM yields a token with whatever scopes and IAM roles that account holds
- Attempts to shut down security perimeter controls
  - Disrupting security automation (SOAR) functionality
- Password Reuse
  - An old third-party database is compromised and your users are still using the leaked password
  - Users using the same password across many accounts
- Social Engineering
  - Phishing emails and impostor support calls
  - Physical access to a Google data center (this is Google’s responsibility under the shared model and is out of scope for tenant testing; it is listed as a threat, not a test target)
- Internal Employees
  - Employees getting compromised, then bringing that compromise into your environment
  - Employee mistakes leading to unintended consequences
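The shared-responsibility passage above says validating the VPC tenant configuration is your job, the workload section says stopped instances must not be skipped, and the list above calls for continuous misconfiguration scanning and names metadata credential theft. The following is an added example, not code from the original page or from Google, that does the offline half of that check. It reads two JSON documents in the shape produced by `gcloud compute firewall-rules list --format=json` and `gcloud compute instances list --format=json` (only the fields used here are reproduced; the sample data is constructed, and the project numbers, account names and rule names are made up) and reports two classes of finding: ingress rules that expose SSH or RDP to the whole Internet, and instances, whatever their status, whose attached service account would let a stolen metadata token do far more than the workload needs (the project’s default Compute service account, or the broad `cloud-platform` OAuth scope).

```python
"""Offline GCP posture check over gcloud-style JSON exports (constructed sample data)."""
import ipaddress
import json

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
# The default Compute Engine service account is named <project-number>-compute@developer...
DEFAULT_SA_SUFFIX = "-compute@developer.gserviceaccount.com"

# Constructed sample, same field names as `gcloud compute firewall-rules list --format=json`.
SAMPLE_FIREWALL_RULES = json.dumps([
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-web", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-internal-rdp", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-rdp-range", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3380-3390"]}]},
    {"name": "allow-all-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
])

# Constructed sample, same field names as `gcloud compute instances list --format=json`.
SAMPLE_INSTANCES = json.dumps([
    {"name": "web-1", "status": "RUNNING",
     "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                          "scopes": [CLOUD_PLATFORM_SCOPE]}]},
    {"name": "batch-old", "status": "TERMINATED",   # stopped, but still bound to the default SA
     "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                          "scopes": [CLOUD_PLATFORM_SCOPE]}]},
    {"name": "api-2", "status": "RUNNING",           # dedicated SA, narrow scope: no finding
     "serviceAccounts": [{"email": "api-runner@my-project.iam.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/logging.write"]}]},
])


def _is_any_source(source_ranges):
    """True if the rule admits the whole Internet (0.0.0.0/0 or ::/0)."""
    return any(ipaddress.ip_network(r, strict=False).prefixlen == 0 for r in source_ranges)


def _admin_ports_opened(allowed_entry):
    """Return the admin ports one 'allowed' entry opens; no 'ports' key means every port."""
    proto = allowed_entry.get("IPProtocol", "").lower()
    if proto not in ("tcp", "all"):
        return set()  # SSH and RDP are TCP; other protocols are not this check's concern
    specs = allowed_entry.get("ports")
    if not specs:
        return set(ADMIN_PORTS)
    opened = set()
    for spec in specs:  # gcloud emits "22" or "3380-3390"
        lo, _, hi = spec.partition("-")
        lo, hi = int(lo), int(hi or lo)
        opened.update(p for p in ADMIN_PORTS if lo <= p <= hi)
    return opened


def find_open_admin_ports(firewall_rules_json):
    """Enabled INGRESS rules exposing SSH/RDP to the Internet, as [(rule_name, 'tcp/22'), ...]."""
    findings = []
    for rule in json.loads(firewall_rules_json):
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not _is_any_source(rule.get("sourceRanges", [])):
            continue
        for entry in rule.get("allowed", []):
            for port in sorted(_admin_ports_opened(entry)):
                findings.append((rule["name"], f"tcp/{port}"))
    return findings


def find_overprivileged_instances(instances_json):
    """Instances whose metadata server would mint an over-broad token, as [(name, status, why)].

    Every status is reported, not just RUNNING: a stopped instance keeps its service-account
    binding and returns with it when started, so it must not drop out of the review.
    """
    findings = []
    for inst in json.loads(instances_json):
        for sa in inst.get("serviceAccounts", []):
            reasons = []
            if sa.get("email", "").endswith(DEFAULT_SA_SUFFIX):
                reasons.append("default compute service account")
            if CLOUD_PLATFORM_SCOPE in sa.get("scopes", []):
                reasons.append("cloud-platform scope")
            if reasons:
                findings.append((inst["name"], inst.get("status", "?"), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for rule, port in find_open_admin_ports(SAMPLE_FIREWALL_RULES):
        print(f"[firewall] {rule}: {port} open to the Internet")
    for name, status, why in find_overprivileged_instances(SAMPLE_INSTANCES):
        print(f"[instance] {name} ({status}): {why}")
```

To run it against a real project, replace the two constructed samples with the output of the `gcloud` commands named in the lead-in. Scope is only one of two gates on a metadata token: the IAM roles granted to the service account are the other, so a dedicated account with a narrow scope is still worth reviewing against the roles bound to it.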
Conclusion
Google permits VPC tenants to conduct penetration testing against the resources they have provisioned, and the shared responsibility model leaves that evaluation to the tenant.
Google conducts rigorous and continuous testing of its own network perimeter through various types of penetration exercises run by internal testers against its infrastructure. Google makes its SOC 2/SOC 3 reports and ISO 27001 certificate available to customers. Google’s security teams are committed to a strong perimeter, and dedicated staff handle the safety and security of Google’s network infrastructure.