Improve the Security of Your Google Cloud

What began in 1998 as a simple search engine has grown into one of the highest-revenue and most valuable companies in the world. Today, Google offers Android -- the most widely used smartphone operating system -- leads the way in navigation with Google Maps, and provides the Google Cloud as a powerful solution for managing the ever-growing volume of data in the age of digitalization and the smart factory. But how secure is the Google Cloud Platform, especially given the company's reputation for extensive data collection? And what can you do to strengthen the security of your Google Cloud environment?

Like Amazon and Microsoft, Google offers its own cloud computing platform (GCP) with comprehensive built-in security. However, securing your own applications is always partly your responsibility as well. The following measures can help you take an active role. A best practice guide from Google is also recommended.

Secure Your Credentials

Lost or stolen credentials are among the leading causes of security incidents -- for cloud systems just as much as for any other digital application. Strong password policies and multi-factor authentication (MFA) provide effective protection by combining two or more independent credentials. Typical MFA scenarios include entering a password along with a security question, or downloading a valid certificate combined with access through a VPN client.

Even the best technical measures, however, are only as effective as the human element allows. Ensure that employees never share their credentials with third parties or store them in freely accessible locations.

Avoid Excessive Permissions

If an identity has excessive rights, it can promote itself -- directly or indirectly -- to the owner level of a bucket (a container where data is stored as objects). At this permission level, it can make administrative decisions that jeopardize the security of GCP and potentially the entire organization. For example, such an identity could delete all data or even the entire bucket. Knowing the effective (end-to-end) permissions of all GCP identities -- whether human or machine -- is essential to ensuring the integrity of your data.

Minimize API Risk Factors

Exchanging data with external systems -- such as those of suppliers -- is essential in today's business environment. To keep processes streamlined, new systems are frequently integrated into existing software landscapes. Cloud-based web services therefore often provide interfaces for data exchange with third-party providers. However, these APIs can serve as entry points for external attacks. Google consequently does its utmost to provide secure APIs and minimize this attack surface.

You can also contribute to security on your end: in GCP, API keys are a form of authentication and authorization used when calling specific API endpoints. Since API keys are tied directly to GCP projects, they are considered less secure than OAuth 2.0 client credentials or user-managed service account keys. Monitor all assets and resources whenever they are created, updated, or deleted.

Enable Logging and Monitoring

Make sure that logging and monitoring functions are activated -- insufficient logging is one of the most common security shortcomings. The logs and telemetry data provided by GCP can be individually activated, configured, and monitored on an ongoing basis. Ideally, designate a dedicated point of contact in your organization who is responsible for evaluating and flagging security-relevant events.

Monitor Admin Activity Logs

To protect their data effectively, organizations need a comprehensive overview of user activity. This is key to uncovering account compromises and other risks early. With the right tools, you can track user profiles effectively. GCP records API and other admin activities in Stackdriver Admin Activity Logs and captures additional data access activities in Data Access Logs. Monitor these logs regularly to stay informed about what is happening with your GCP resources. The platform retains these logs for over a year; if you need to keep them longer for regulatory or legal purposes, export them on a regular basis.

Manage Virtual Machine Lifecycles

Create custom images that have been patched or approved from a security and compliance perspective, and deny access to unapproved images using a resource manager constraint. This approach is especially important because traditional network vulnerability scanners, while effective for on-premises environments, often miss critical vulnerabilities in cloud networks. Additionally, remove outdated images to ensure that only the most current VM image is in use. This also keeps your application lean and performant.

These measures demonstrate that you can -- and should -- actively contribute to the security of your Google Cloud environment. GCP meets high security standards out of the box, but security remains a shared responsibility that every stakeholder should take seriously.