Cloud computing is empowering people, organizations to bring their ideas live and exploit them commercially for monetary gains or for solving critical problems in business, personal, community etc. if you have a look at 2 major platforms viz. Google and iOS there is explosion of the number of apps you can browse. And this is possible by providing platform to people to play and bring ideas to life.
But as more and more people and specifically organizations are adopting and moving to Cloud by transitioning in to on-premises set up to Cloud, their biggest concern is security.
Security of their Network, People accessing it, compute, applications, data, and its storage and finally SecOps. This step cannot be traded in and should be addressed with utmost priority.
To support enterprise customers GCP has created Security Foundation assessment, which can be used to follow best practices while creating their landscape in Google Cloud Platform (GCP) and ensure no loopholes are open and the landscape with all GCP resources are vulnerable to malware, cyber-attack.
This checklist is not a tick and complete activity but challenges architects and implementation team to ensure they have addressed queries and taken adequate steps to secure landscape, resources in it, and data that resides inside it. This list broadly covers 6 important areas and inadvertently addresses all the points in the form of responses like, Implemented, Not implemented, Not applicable, Not sure. Assessment should be done before and after deployment in GCP is completed. These 6 areas are as,
- Identity & access management
- Network Security
- Compute Security
- Data/Storage Security – Encryption
- Monitoring, logging, and Alerting.
- Dev SecOps.
In this article we will cover Identity & Access management, Network Security.
Identity and Access management.
Identity and access management helps you create and manage permissions for GCP resources you create. Always follow least privilege principle and give permissions only that is required to complete a particular task. Below points can be regarded as checkpoints, queries that should be addressed.
- Ensure Super admin account is a root account and there are at least 3 super admin accounts identified in an organization.
- Secure Super admin account through hardware 2FA.
- MFA should be enforced wherever possible.
- Should have single authoritative system or provider for external and internal users.
- Federate the access.
- Use organizational node and folder structure, here you can take help of Google TOC team.
- Should not use legacy roles in IAM policies.
- Use service accounts for limiting least privilege.
- Use IAM recommender where necessary.
- Use groups for granting access and easy management.
- Follow appropriate naming conventions to name resources for billing, quick isolation.
- Restrict sensitive roles.
- Define audit of policies and their frequency.
- Ensure external keys are rotated after 90 days.
- Service accounts should not be given admin privileges.
Network Security.
Networks consist of your VPC, subnets, connection, load balancing, and securing it is very important. The following points should be considered for securing the network.
- Always use shared VPC for less management overhead.
- For production workloads never use default network.
- Use VPNs, interconnect to connect to GCP.
- Place DDoS/WAF for frontend applications.
- Make internet egress disable default.
- Use network policies for controlling communication between resources.
- Use firewall policies at folder level.
- Make use of secure tags.
- Use cloud NAT.
- Use private Google access.
- Use SSL enabled load balancer.
After you have thoroughly assessed your landscape against the checklist, you will know the areas that you need to target are the ones as,
- Implemented- No action required.
- Not implemented – Target on priority to get it implemented.
- Not applicable – Areas can be ignored.
- Not sure – Get feedback from SME and then act.
Thus, this exercise will help identify the areas you need to improve your security posture and shrink the surface area for vulnerabilities.
In next article, I will cover the remaining areas too.
