GCP Security | Jan Kahmen | 6 min read

Improve the Security of your Google Cloud

Here you can learn how to ensure the security of your Google Cloud and help protect your own data and applications.

What started in 1998 as a simple search engine is now one of the top-selling and most valuable companies in the world. Today, Google offers Android, the most widespread smartphone operating system in the world, leads in navigation thanks to Google Maps, and offers Google Cloud as its own answer to the rising flood of data in times of digitalization and the smart factory. But how secure is the Google Cloud platform, given that the company has a reputation as a data octopus? And what can you do yourself to ensure the security of your Google Cloud?

Like Amazon and Microsoft, Google offers its own cloud computing platform, the Google Cloud Platform (GCP). Like those two, GCP provides very comprehensive security of its own. However, the security of one's own applications always remains, to a certain extent, the user's responsibility. Users have the following options, among others. Google's own best practice guide is also recommended.

Secure Your Own Access Data

Lost or stolen credentials are one of the main causes of security problems. This is as true for cloud systems as for all other digital applications. Strong password policies and multi-factor authentication (MFA) can prevent this. MFA combines two or more independent credentials. Typical MFA scenarios include entering a password and an additional security question, or downloading a valid certificate and accessing it via a VPN client.
However, the best measures are only as good as the human element allows them to be. Employees should therefore make sure that they do not pass their access data on to third parties or store it in a freely accessible location.

Avoid Excessive Permissions

If an identity has excessive rights, it can promote itself directly or indirectly to the owner level of a bucket (a container in which data is stored in the form of objects). With this permission level, it can make administrative decisions that compromise the security of the GCP environment, if not the entire organization. For example, the identity is able to delete all data and even the whole bucket. Knowing the effective (end-to-end) permissions of all GCP identities, whether human or non-human, is essential to ensure the integrity of one's data.
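The following added example (not from the original article) audits one bucket-level IAM policy for identities that already sit at, or can promote themselves to, owner level. It assumes the policy is available as IAM policy JSON (role and member bindings); the sample policy, project and account names are constructed, and inherited project-level bindings need the same check on the project policy.

```python
import json

# Predefined roles that contain storage.buckets.setIamPolicy: a holder can
# rewrite the bucket policy and so grant itself any other role on the bucket.
POLICY_WRITER_ROLES = {"roles/owner", "roles/storage.admin",
                       "roles/storage.legacyBucketOwner"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Convenience members resolve to everyone holding that basic role on the project.
INDIRECT_PREFIXES = ("projectOwner:", "projectEditor:", "projectViewer:")

# Constructed sample policy for illustration (not taken from a real bucket).
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/storage.legacyBucketOwner",
   "members": ["projectEditor:example-project", "projectOwner:example-project"]},
  {"role": "roles/storage.admin",
   "members": ["serviceAccount:ci-deploy@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/storage.admin",
   "members": ["user:alice@example.com"],
   "condition": {"title": "expires", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
  {"role": "roles/storage.objectViewer", "members": ["allUsers", "user:bob@example.com"]}
]}
""")

def classify(member, role, conditional):
    """Return a finding label for one (member, role) pair, or None if unremarkable."""
    if member in PUBLIC_MEMBERS:
        return "public"
    if role not in POLICY_WRITER_ROLES:
        return None
    if member.startswith(INDIRECT_PREFIXES):
        return "owner-level-indirect"  # expand via the project's own IAM policy
    return "owner-level-conditional" if conditional else "owner-level"

def audit_bucket_policy(policy):
    """List (label, member, role) for every binding that needs review."""
    findings = []
    for binding in policy.get("bindings", []):
        conditional = "condition" in binding
        for member in binding.get("members", []):
            label = classify(member, binding["role"], conditional)
            if label:
                findings.append((label, member, binding["role"]))
    return sorted(findings)

if __name__ == "__main__":
    for label, member, role in audit_bucket_policy(SAMPLE_POLICY):
        print(f"{label:24} {member}  via {role}")
```

The "owner-level-indirect" findings are the ones most often missed: the convenience members mean that anyone with a basic Editor or Owner role on the project is effectively a bucket owner as well.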

Minimize API Risk Factors

Data exchange with other systems, e.g. those of suppliers, is essential today. To keep the associated processes simple and clear, new systems are often integrated into existing software landscapes. Cloud-based web services therefore often have interfaces for data exchange with third-party providers. However, these APIs repeatedly serve as a gateway and are therefore vulnerable to external attacks. GCP Security therefore does its utmost to provide customers with secure APIs in order to exclude attacks of this type as far as possible. Users can also contribute to security here themselves: in GCP, API keys are a form of authentication and authorization that can be used when calling specific API endpoints in the cloud. API keys are tied directly to GCP projects and are therefore considered less secure than OAuth 2.0 client credentials or user-managed keys for service accounts. All assets and resources should be monitored when they are created, updated, or deleted.

Enable Logging and Monitoring

Those responsible should definitely ensure that they activate the logging and monitoring functions. After all, missing logging is one of the most common shortcomings when it comes to security. The logs and telemetry data provided by the GCP can be individually activated, configured and monitored later on. Ideally, there is a fixed contact person in the company whose responsibility is to flag security-relevant events.

Monitor Admin Activity Logs

With the security of their own data in mind, organizations need an overview of user activity. This helps uncover account compromises and other risks. Fortunately, with the use of the right technologies, organizations can effectively track user profiles. The GCP records API and other admin activities in Stackdriver Admin Activity Logs and captures other data access activities in Data Access Logs. Therefore, monitoring admin activity logs is recommended to know what is going on with your GCP resources. These logs are stored by the platform for over a year, so those who want to keep them longer for regulatory or legal purposes should export them regularly.
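As an added example (not part of the original article), this detection pass runs over exported Admin Activity log lines and flags IAM changes that add an owner-level role or open a resource to public members, marking cases where the caller granted the role to itself. It assumes each line is one JSON LogEntry whose policy change appears under `protoPayload.serviceData.policyDelta.bindingDeltas`; all entries, names and the `_entry` helper are constructed for the demonstration.

```python
import json

ACTIVITY = "cloudaudit.googleapis.com%2Factivity"
OWNER_LEVEL_ROLES = {"roles/owner", "roles/storage.admin", "roles/storage.legacyBucketOwner"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

def _entry(log, principal, method, resource, deltas=None):
    """Build one constructed LogEntry line (sample data, not a real export)."""
    payload = {"authenticationInfo": {"principalEmail": principal},
               "methodName": method, "resourceName": resource}
    if deltas is not None:
        payload["serviceData"] = {"policyDelta": {"bindingDeltas": [
            {"action": a, "role": r, "member": m} for a, r, m in deltas]}}
    return json.dumps({"logName": f"projects/example-project/logs/{log}",
                       "protoPayload": payload})

SAMPLE_LINES = [
    _entry(ACTIVITY, "dev@example.com", "storage.setIamPermissions",
           "projects/_/buckets/example-bucket",
           [("ADD", "roles/storage.admin", "user:dev@example.com")]),
    _entry(ACTIVITY, "admin@example.com", "SetIamPolicy", "projects/example-project",
           [("REMOVE", "roles/owner", "user:former@example.com")]),
    _entry("cloudaudit.googleapis.com%2Fdata_access", "dev@example.com",
           "storage.objects.get", "projects/_/buckets/example-bucket/objects/report.csv"),
    _entry(ACTIVITY, "admin@example.com", "storage.setIamPermissions",
           "projects/_/buckets/example-bucket",
           [("ADD", "roles/storage.objectViewer", "allUsers")]),
    '{"logName": "projects/example-project/logs/cloudaudit',  # truncated line
]

def risky_grants(lines):
    """Alert on Admin Activity entries that add an owner-level role or a public member."""
    alerts = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON export lines
        if not entry.get("logName", "").endswith("/logs/" + ACTIVITY):
            continue  # Data Access and other logs are out of scope here
        payload = entry.get("protoPayload", {})
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "")
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for d in deltas:
            role, member = d.get("role", ""), d.get("member", "")
            if d.get("action") == "ADD" and (role in OWNER_LEVEL_ROLES or member in PUBLIC_MEMBERS):
                alerts.append({"actor": actor, "resource": payload.get("resourceName"),
                               "role": role, "member": member,
                               "self_grant": bool(actor) and member.partition(":")[2] == actor})
    return alerts
```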

Manage Virtual Machine Lifecycles

Users can create a custom image that has either been patched or signed off from a security or compliance perspective, and deny access to non-custom images using a resource manager restriction. This makes sense, as traditional network vulnerability scanners are very effective for on-premises networks, but often miss critical vulnerabilities when used to test cloud networks. Additionally, it makes sense to remove outdated images to ensure that the latest and greatest VM image is actually being used. Apart from that, the application remains lean and performant.

These starting points show that everyone can (if not must) make their own contribution to ensuring their own Google Cloud security. The security of GCP naturally meets high requirements, but security is also a shared responsibility that everyone should be aware of.
