Google Cloud Platform is catching up greatly with competitors Amazon Web Services and Microsoft’s Azure Cloud. With the number of services increasing steadily its customer base has also increased. Every public Cloud follows the shared security principle that the security of the Cloud is the responsibility of the Cloud provider and within the Cloud, it’s the responsibility of the customer.
Google Cloud Security Checklist 2.
Security within the cloud is a very important aspect that cannot be traded off with other pillars of a well-architected framework. It should be given due diligence while creating your environment. In our last article, we covered the GCP security checklist and how it can be used for assessing your landscape. We covered 2 important areas, Identity & Access Management, and Network security. In continuation, we will cover Compute Security, Data/Storage Security, Monitoring, Logging and Alerting, and Dev SecOps.
Compute Security.
Kindly consider following important points while considering security of your compute resources.
- At the organizational level disable public Ips and enable only when explicitly required.
- Always use trusted images from Google’s managed boot image.
- Always use shielded VMs for GCE and GKE nodes.
- Regularly patch your GKE and GCE guest nodes.
- Scan for common OS vulnerabilities.
- Protect and secure management of secrets like API keys, credentials & certificates.
- Reduce the attack surface of your organization by isolating sensitive data in its own VPC.
- Restrict SSH/RDP access from the internet.
- Do not use default service accounts with default permissions for VMs.
Data Storage Security.
Data is the key element for any business, one can anticipate applications can be rebuild but if you a business loses data then it is doomed. And it is this reason that companies guard the data with highest security. Best practice says to ensure data is encrypted in transit as well as at rest, one can assess the same by going through following list.
- Use TLS for secure communication with the database.
- Follow the least privilege rule and provide fine-grained access to Cloud storage buckets.
- Use customer-managed keys (CMEK) for moderate to highly sensitive data.
- Use customer-managed encryption with the external key manager for highly sensitive data.
- Ensure the cloud bucket is not publicly accessed.
- Ensure database instances are not allowed to connect anyone with administrative privileges.
- If On-premises is connecting with GCP ensure it takes via VPN tunnel or partner, direct interconnect.
Monitoring, Logging and Alerting.
Monitoring, logging and alerting are necessary operational requirements after the deployment of your resources and check regularly for any threats, breaches or shutdown.
Your landscape can be assessed basis on following points,
- Ensure logs are aggregated and stored in a centralized project.
- Implement security misconfiguration and vulnerability detection for production workloads.
- Place security incident response and remediation process.
- Leverage threat detection services to identify threats.
Dev SecOps.
Dev SecOps integrate security practices into development and operations methodology.
Assess your DevOps landscape for following points.
- Enforce a trusted pipeline for a secure supply chain.
- Ensuring a secured image coming from a trusted source in CI/CD pipeline.
Thus, I have covered all the checkpoints that should be implemented for secure landscape in Google Cloud Platform. After reading the two articles you will have a ready checklist that you can ask your implementation team to assess your landing zone and focus more on the areas where the responses are Not implemented, not sure. While you can safely discard not applicable ones.
Security should not be compromised in any condition, or it can have detrimental consequences, secure your environment not just once while implementation but on a regular basis by adding your own checks and expanding list further.
