Google Cloud Platform – Security Best Practices

By albert
6 Feb 2019

Jim Morrison sang: “We want the world and we want it now!”… it sounds like the current worldwide anthem for everything and Cloud migration isn’t an exception. From a security point of view, we need to stop the rush and think about some security concepts if we don’t want to sing the well-known song “This is the end… my only friend, the end”.
In this article, we’re going to talk about some security best practices of Google Cloud Platform (GCP) to ensure that you and your team will become the best “Riders on the storm”.
To start, we need to perform some needed key tasks:

  • Define what your users are allowed to do.
  • Define what is not permitted in your organization.
  • Define what you are trying to guard against.
  • Monitor everything.
  • Ensure business continuity.

Related to this, we’ve identified the main related security dimensions:

  • Identity Access Management (IAM).
  • Organization Policy.
  • Firewalling.
  • Monitoring/Logging.
  • Backups.

Identity Access Management (IAM)

Cloud IAM lets us manage access control by defining who (identity) has what access (role) to which resource.
Service accounts
Regarding service accounts, we need to focus on the following concepts:

  • Avoid downloading production keys.
  • Implement processes to manage downloaded keys.
  • Apply least privilege policy.
  • Use Cloud KMS or any other secret manager tool.
  • Use auditing effectively.

IAM primitive roles
The use of primitive roles should be limited in case of the following scenarios:

  • There is no predefined role that includes the desired permissions.
  • When it is required to grant broader permissions for a project.
  • When it is required to allow a member to modify permissions for a project.
  • There is a small team where the team members do not need granular permissions.

Cloud Storage buckets access
Cloud Storage buckets are often used to store sensitive data, so the usage of the following identifiers should be restricted:

  • allAuthenticatedUsers” represents anyone who is authenticated with a Google account or a service account. It is important to understand that these users may not be part of your Organization or Project
  • allUsers” represents anyone who is on the internet, including authenticated and unauthenticated users.

Regularly check IAM permissions
As you can imagine, IAM permissions in GCP are a key security point because of their impact inside the platform. Therefore, we recommend to:

  • Monitor admin/owners at Organization level.
  • Monitor non-domain user access.

Organization Policy

The Organization Policy Service gives you centralized and programmatic control over your organization’s cloud resources. As the organization policy administrator, you should consider configuring the following restrictions:

  • Enforce service accounts key TTL.
  • Disallow Public IPs from services not covered by compute.vmExternalIPAccessPolicy.
  • Disallow public BigQuery datasets (All authenticated users).
  • Disallow public GCS buckets (All users/All Authenticated Users).
  • Disallow public GCS objects.

Firewalling

Firewall rules
Virtual Private Cloud (VPC) firewall rules should be configured so that access to specific network services is restricted to hosts that have a legitimate business requirement.
It is also recommended to leverage network tags, which are text attributes that can be added to instances. Tags can be used to apply firewall rules and routes to logically related instances, requiring less effort compared to working with IP addresses.
Controls Paths
As a good practice, we recommend evaluating the firewall rules regarding the path between:

  • Virtual Machine <-> Virtual Machine.
  • Virtual Machine <-> Internet.
  • Virtual Machine <-> On premise infrastructure.

Monitoring/Logging

To monitor or not to monitor? That’s NOT the question! In GCP, as usual, we need to monitor all our platform to be able to detect malicious behaviour or intruders. Taking into consideration the aforementioned, we recommend to:

  • Enable VPC Flow Logs.
  • Enable and configure Stackdriver logging and monitoring.
  • Ensure Cloud Storage buckets have logging and versioning enabled.

Backups

Last but not least, we need to ensure the business continuity of our platform, so our last recommendations are:

  • Create periodic snapshots of Compute Engine instances.
  • Create periodic backups of Cloud SQL instances.
  • Configure a High Availability platform (as needed).
  • Define a Disaster Recovery Plan.

Contact A2SECURE and discover all we can do for your company.
__
Autor: Germán Arranz

Leave a Reply