# 8 Google Cloud Security Best Practices

By [John Martinez](https://www.paloaltonetworks.com/blog/author/john-martinez/?ts=markdown "Posts by John Martinez"), Apr 09, 2019

[Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown) [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown) [Cloud Security](https://www.paloaltonetworks.com/blog/tag/cloud-security/?ts=markdown) [GCP Security](https://www.paloaltonetworks.com/blog/tag/gcp-security/?ts=markdown) [Google Cloud Platform](https://www.paloaltonetworks.com/blog/tag/google-cloud-platform/?ts=markdown) [RedLock](https://www.paloaltonetworks.com/blog/tag/redlock/?ts=markdown) [Shared Responsibility Model](https://www.paloaltonetworks.com/blog/tag/shared-responsibility-model/?ts=markdown)

*If you'll be at [Google Next](https://cloud.withgoogle.com/next/sf) this week in San Francisco, stop by
booth* S1739 *and check out a demo of how we help secure public cloud environments.*

Google has been making some great inroads with their cloud expansion. As with AWS and Azure, developers can adopt Google Cloud Platform (GCP) easily, seeking features for use in their application stacks. Also, with the wide adoption of containers and Kubernetes, Google's leadership in developing container technologies has earned them a reputation as a great cloud option to run these types of workloads. Finally, some organizations are choosing GCP to augment their multi-cloud strategy.

As stated in my previous [AWS](https://www.paloaltonetworks.com/blog/2019/02/8-aws-security-best-practices-mitigate-risk/) and [Azure](https://www.paloaltonetworks.com/blog/2019/03/8-azure-security-best-practices/) blog posts, no two clouds are alike, so we must be mindful of what the basic security settings are for GCP. While there are significant differences in the details of how to secure GCP compared to other cloud platforms, one tenet remains the same: security is a shared responsibility. Google secures the physical infrastructure and the services it operates; how you configure projects, identities, networks and data on top of them is your job. You can't assume Google will secure the cloud for you.

Educating yourself is key. I recommend the following resources for in-depth information on security-centric and other cloud-focused best practices to help you get the most out of Google Cloud:

* [Google Security Whitepaper](https://cloud.google.com/security/overview/whitepaper)
* [Best Practices for Enterprise Organizations](https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations)
* [A Security Practitioners Guide to Best Practice GCP Security (Cloud Next '18)](https://www.youtube.com/watch?v=ZQHoC0cR6Qw)

With that, let's dive into the fundamentals. The following are eight challenges and best practices to help you mitigate risk in Google Cloud.

**1. Visibility**

Like other clouds, GCP resources can be ephemeral, which makes it difficult to keep track of assets. According to our research, the average lifespan of a cloud resource is two hours and seven minutes. Many companies also have environments that span multiple cloud accounts, projects and regions. This leads to decentralized visibility, and since you can't secure what you can't see, it makes risks difficult to detect.

**Best Practice:** Use a cloud security offering that provides visibility into the volume and types of resources (virtual machines, load balancers, virtual firewalls, users, etc.) across multiple projects and regions in a single pane of glass. Having visibility and an understanding of your environment enables you to implement more granular policies and reduce risk. While GCP's native Cloud Security Command Center works well, monitoring at scale or across clouds requires third-party visibility from platforms such as [RedLock](https://www.paloaltonetworks.com/products/secure-the-cloud/redlock) by Palo Alto Networks. Whatever tooling you use, scope it at the Organization node rather than at a hand-maintained list of projects: the project nobody registered is exactly the one a careless developer or an attacker will use.

**2. Resource hierarchy**

One of the basic principles in GCP is the resource hierarchy. While other clouds have hierarchical resource systems, GCP's is very flexible, allowing admins to create nodes in different ways and apply permissions at any of them. This can create sprawl very quickly, and confusion when it comes to determining at which level in the hierarchy a permission was applied. Concretely, the hierarchy is Organization > Folders > Projects > Resources: folders can be nested and typically represent departments or teams, projects hold the resources, and an IAM policy set at any node is inherited by everything beneath it. The effective policy on a resource is the union of the policies along its ancestry, so a role granted at the Organization or Folder level cannot be taken away at the project level.

**Best Practice:** Create a hierarchy that closely matches your organization's corporate structure. Or, if you currently don't have a well-defined corporate structure, create one that makes sense and takes into account future growth and expansion. When you review who has access to a project, look at the inherited policy as well as the project's own (`gcloud projects get-ancestors-iam-policy` shows both); otherwise a grant made two levels up is invisible.

**3. Privilege and scope**

GCP IAM allows you to control access by defining *who* has *what* access to *which* resource. The building blocks are members (users, Google Groups, service accounts and whole domains), roles (named collections of permissions) and the resources a policy is attached to; a policy is a list of bindings, each of which grants one role to a set of members.
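To make the who/what/which model concrete, here is what a project-level IAM policy looks like, together with a small audit over it. This is an added example, not code from the original post. The policy is constructed to show the patterns the rest of this section warns about (roles bound to individual users rather than groups, the basic Owner/Editor/Viewer roles, and public members); the project, user and group names are invented, and the JSON shape is the one `gcloud projects get-iam-policy PROJECT --format=json` returns.

```python
"""Audit a GCP project IAM policy for bindings that undermine least privilege.

Added example, not code from the original post. SAMPLE_POLICY_JSON is a
constructed policy in the shape that
`gcloud projects get-iam-policy PROJECT --format=json` returns; the project,
users and groups are invented.
"""
import json

# Basic (primitive) roles grant sweeping permissions across every service.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: one binding that follows the advice, two that do not.
SAMPLE_POLICY_JSON = json.dumps({
    "version": 1,
    "etag": "BwXa1b2c3d4=",
    "bindings": [
        {"role": "roles/compute.viewer",
         "members": ["group:sre-readonly@example.com"]},
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:deploy@example-proj.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["user:bob@example.com", "allUsers"]},
    ],
})


def audit_policy(policy_json):
    """Return (member, role, finding) triples for every risky grant.

    basic-role         a basic role is granted to anyone at all
    direct-user-grant  a role is bound to an individual user instead of a group
    public-grant       a role is granted to allUsers or allAuthenticatedUsers
    One member can produce several findings (Owner granted to a user gives two).
    """
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((member, role, "public-grant"))
            if role in BASIC_ROLES:
                findings.append((member, role, "basic-role"))
            if member.startswith("user:"):
                findings.append((member, role, "direct-user-grant"))
    return findings


def summarize(findings):
    """Count findings per type; a CI gate can fail the build on any non-zero count."""
    counts = {}
    for _, _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_policy(SAMPLE_POLICY_JSON)
    for member, role, kind in results:
        print(f"{kind:18} {role:28} {member}")
    print(summarize(results))
```

Run it against real output by piping `gcloud projects get-iam-policy` into `audit_policy`; the `direct-user-grant` check is deliberately strict, since the fix is always the same (move the user into a group and bind the role to the group).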
Understanding how to apply policies to these resources is essential to implementing least-privilege access in your GCP environment. Remember that policies are inherited down the hierarchy: a role granted on a Folder is effective on every project beneath it, whether or not it appears in the project's own policy.

**Best Practice:** Instead of applying permissions directly to users, add users to well-defined Groups and assign Roles to those Groups, so that permission to the appropriate resources is granted through group membership and revoked by removing the member from the group. Avoid the basic roles (Owner, Editor and Viewer), which grant broad permissions across every service in a project; prefer the narrower predefined roles, or custom roles when no predefined role fits. Use custom roles with care: the permissions in built-in roles can change in scope as Google adds features, but custom roles are yours to maintain and will not pick up permissions a service later requires, so review both periodically.

**4. Identity management**

Lost or [stolen credentials are a leading cause of cloud security incidents](https://enterprise.verizon.com/resources/reports/dbir/). It is not uncommon to find access credentials to public cloud environments exposed on the internet, typically a service account key file committed to a public source repository. Organizations need a way to detect these account compromises.

**Best Practice:** Strong password policies and multi-factor authentication (MFA) should always be enforced. GCP supports MFA (Google's 2-Step Verification, including hardware security keys) for Cloud Identity and G Suite accounts. Additionally, you can federate Cloud Identity with your corporate SSO (SAML) provider so that your corporate MFA policies apply to GCP logins as well. Enforce MFA first for every human account that holds Owner or Organization Administrator, and scan your source repositories and CI configuration for leaked keys.

**5. Access**

It goes without saying that humans aren't the only users of GCP resources. Development tools and applications will need to make API calls to access GCP resources, and in GCP they do so as Service Accounts.

**Best Practice:** Create descriptive Service Accounts, one per workload, such that you know the purpose of each account and can grant it only the roles it needs; in particular, avoid running workloads as the default Compute Engine service account, which is granted the Editor role on the project by default. Where a service account can be attached to the resource that uses it (a Compute Engine instance, a GKE workload, a Cloud Function), do that instead of creating a key: the workload obtains short-lived tokens from the metadata server and there is no long-lived secret to leak. Where you must create user-managed keys, protect them with Cloud KMS and store them encrypted in Cloud Storage or some other storage repository that doesn't have public access. Finally, ensure that you are rotating your keys on a regular basis, such as 90 days or less, and delete keys that are no longer in use.

**6. Managing firewalls and unrestricted traffic**

VPC firewall rules are stateful rules that control traffic to and from VMs and other compute resources in a VPC network. Every network also carries two implied rules at the lowest priority, allow all egress and deny all ingress, so an instance with no explicit egress rules can reach anything on the internet, and the `default` network is created with rules that allow SSH, RDP and ICMP from 0.0.0.0/0. Unfortunately, admins often assign IP ranges to firewall rules, both inbound and outbound, which are broader than necessary.
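Here is one way to find the over-broad rules this section describes in the output of `gcloud compute firewall-rules list --format=json`. This is an added example, not code from the original post: the rules are constructed to resemble the ones GCP creates on the `default` network plus a few custom ones, the project and service account names are invented, and the /8 threshold for what counts as "broad" is an assumption you should tune. The check also flags rules that carry no target tags or target service accounts, because such a rule applies to every instance in the network.

```python
"""Find over-broad VPC firewall rules in the JSON that
`gcloud compute firewall-rules list --format=json` emits.

Added example, not code from the original post. SAMPLE_RULES_JSON is
constructed to resemble the rules GCP creates on the `default` network plus
a few custom ones; the project and service accounts are invented.
"""
import ipaddress
import json

MGMT_PORTS = {22, 3389}   # SSH and RDP: the ports most often left open to the world
BROAD_PREFIX = 8          # assumption: a /8 or wider counts as "broad"; tune to taste

SAMPLE_RULES_JSON = json.dumps([
    {"name": "default-allow-ssh", "network": "default", "direction": "INGRESS",
     "priority": 65534, "disabled": False, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-internal", "network": "default", "direction": "INGRESS",
     "priority": 65534, "disabled": False, "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
                 {"IPProtocol": "udp", "ports": ["0-65535"]},
                 {"IPProtocol": "icmp"}]},
    {"name": "allow-all-egress", "network": "prod", "direction": "EGRESS",
     "priority": 1000, "disabled": False, "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "web-to-db", "network": "prod", "direction": "INGRESS",
     "priority": 1000, "disabled": False,
     "sourceServiceAccounts": ["web@example-proj.iam.gserviceaccount.com"],
     "targetServiceAccounts": ["db@example-proj.iam.gserviceaccount.com"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "old-open-rdp", "network": "prod", "direction": "INGRESS",
     "priority": 1000, "disabled": True, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
])


def allowed_ports(allowed):
    """Expand an 'allowed' list into the set of TCP/UDP ports it opens.

    Returns None when the rule opens every port (protocol 'all', or tcp/udp
    with no 'ports' key). ICMP and other protocols carry no ports.
    """
    ports = set()
    for entry in allowed:
        proto = entry.get("IPProtocol", "all")
        if proto == "all":
            return None
        if proto not in ("tcp", "udp"):
            continue
        if "ports" not in entry:
            return None
        for spec in entry["ports"]:
            lo, _, hi = spec.partition("-")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def is_broad(cidrs):
    """True if any range is the whole internet or wider than /BROAD_PREFIX."""
    return any(ipaddress.ip_network(c).prefixlen <= BROAD_PREFIX for c in cidrs)


def audit_firewall_rules(rules_json):
    """Return (rule name, finding) pairs for enabled allow rules worth a second look."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("disabled") or "allowed" not in rule:
            continue  # disabled rules and deny rules do not widen exposure
        name = rule["name"]
        ports = allowed_ports(rule["allowed"])
        if rule["direction"] == "INGRESS" and is_broad(rule.get("sourceRanges", [])):
            if ports is None or ports & MGMT_PORTS:
                findings.append((name, "mgmt-ports-open-to-internet"))
            else:
                findings.append((name, "ingress-from-broad-range"))
        if rule["direction"] == "EGRESS" and is_broad(rule.get("destinationRanges", [])):
            findings.append((name, "unrestricted-egress"))
        if not rule.get("targetTags") and not rule.get("targetServiceAccounts"):
            findings.append((name, "applies-to-all-instances"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_firewall_rules(SAMPLE_RULES_JSON):
        print(f"{name:24} {finding}")
```

Note that `web-to-db` produces no findings: it has no IP ranges at all, only source and target service accounts, which is the shape the best practice below recommends. The implied allow-all egress rule never appears in the list output, so an empty result for `unrestricted-egress` does not mean egress is restricted; it means no explicit egress rule exists yet.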
Adding to the concern, [research](https://start.paloaltonetworks.com/5-key-cloud-security-trends) from Unit 42's cloud threat intelligence team found that 85% of resources associated with security groups don't restrict outbound traffic at all. Further, an increasing number of organizations are not following network security best practices, and as such had misconfigurations or risky configurations. Industry best practices mandate that outbound access should be restricted to prevent accidental data loss or data exfiltration in the event of a breach.

**Best Practice:** Limit the IP ranges that you assign to each firewall rule to only the networks that need access to those resources, and restrict egress explicitly: add a low-priority rule that denies all egress, then allow only the destinations a workload needs (your own subnets, Google APIs via Private Google Access, a package mirror). GCP's VPC features allow you to get very granular with traffic by assigning sources and targets by network tag and by Service Account. This lets you express traffic flows logically in a way that you can identify later, such as allowing VMs running as a front-end service's Service Account to reach port 5432 on VMs running as the back-end service's Service Account, with no IP ranges in the rule at all. Prefer service accounts over tags where you can: a tag can be changed by anyone allowed to edit the instance, whereas a service account is an identity, and a single rule cannot mix the two. Keep in mind that a rule with no target tags or target service accounts applies to every instance in the network.

**7. Setup and review of activity logs**

Organizations need oversight into user activities to reveal account compromises, insider threats and other risks. Cloud infrastructure affords agility because privileged users can change the environment as needed through an API; the downside is the potential for insufficient security oversight. To avoid this risk, user activities must be tracked to identify account compromises and insider threats, and to assure that a malicious outsider hasn't hijacked an account. Fortunately, businesses can effectively monitor users when the right technologies are deployed. GCP records API calls that modify configuration or metadata in Admin Activity Logs (part of Cloud Audit Logs, surfaced through Stackdriver at the time of writing), which are always on and cannot be disabled. Reads of configuration and of user-provided data are captured in Data Access Logs, which, apart from BigQuery, are off by default and must be enabled per service in the project's audit configuration.

**Best Practice:** Monitoring Admin Activity Logs is key to understanding what's going on with your GCP resources. A few events are worth alerting on regardless of context: IAM policy changes that add Owner or Editor, creation of service account keys, firewall rule changes, and deletion of log sinks.
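The detection logic for the events the Best Practice above singles out, run over a handful of Admin Activity entries, as an added example that is not code from the original post. The entries are constructed in the shape that `gcloud logging read 'logName:"cloudaudit.googleapis.com%2Factivity"' --format=json` returns (a `protoPayload` carrying `methodName`, `authenticationInfo.principalEmail`, `requestMetadata.callerIp` and, for IAM changes, `serviceData.policyDelta`); the project, principals and addresses are invented, and the corporate IP range is an assumption for the example.

```python
"""Flag high-risk Admin Activity audit log entries.

Added example, not code from the original post. SAMPLE_ENTRIES_JSON is
constructed in the shape that
`gcloud logging read 'logName:"cloudaudit.googleapis.com%2Factivity"' --format=json`
returns; the project, principals and addresses are invented, and the
corporate IP range below is an assumption for the example.
"""
import ipaddress
import json

# Assumed corporate egress range: privileged changes from anywhere else get an extra flag.
CORPORATE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
PRIVILEGED_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}
# Method names (matched by suffix) whose mere occurrence deserves a look.
WATCHED_METHODS = {
    "CreateServiceAccountKey": "new long-lived service account key",
    "compute.firewalls.insert": "firewall rule created",
    "compute.firewalls.patch": "firewall rule changed",
    "ConfigServiceV2.DeleteSink": "log export sink deleted",
}


def _entry(ts, service, method, who, ip, **extra):
    """Build one constructed LogEntry with the fields the detector reads."""
    payload = {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
               "serviceName": service, "methodName": method,
               "resourceName": "projects/example-proj",
               "authenticationInfo": {"principalEmail": who},
               "requestMetadata": {"callerIp": ip}}
    payload.update(extra)
    return {"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity",
            "timestamp": ts, "severity": "NOTICE", "protoPayload": payload}


SAMPLE_ENTRIES_JSON = json.dumps([
    _entry("2019-04-01T02:14:09Z", "cloudresourcemanager.googleapis.com", "SetIamPolicy",
           "alice@example.com", "203.0.113.5",
           serviceData={"policyDelta": {"bindingDeltas": [
               {"action": "ADD", "role": "roles/owner", "member": "user:mallory@example.com"}]}}),
    _entry("2019-04-01T09:30:00Z", "iam.googleapis.com",
           "google.iam.admin.v1.CreateServiceAccountKey", "bob@example.com", "198.51.100.7"),
    _entry("2019-04-01T09:31:12Z", "compute.googleapis.com", "v1.compute.instances.insert",
           "deploy@example-proj.iam.gserviceaccount.com", "private"),
    _entry("2019-04-01T11:02:45Z", "compute.googleapis.com", "v1.compute.firewalls.patch",
           "alice@example.com", "203.0.113.9"),
    _entry("2019-04-01T11:05:00Z", "logging.googleapis.com",
           "google.logging.v2.ConfigServiceV2.DeleteSink", "bob@example.com", "198.51.100.7"),
])


def caller_is_external(ip):
    """True for a routable caller address outside CORPORATE_RANGES."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # e.g. "private" for calls made from inside Google's network
    return not any(addr in net for net in CORPORATE_RANGES)


def analyze_entry(entry):
    """Return finding strings for one LogEntry; empty list if nothing stands out."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    who = payload.get("authenticationInfo", {}).get("principalEmail", "?")
    ip = payload.get("requestMetadata", {}).get("callerIp", "")
    findings = [why for suffix, why in WATCHED_METHODS.items() if method.endswith(suffix)]
    if method.endswith("SetIamPolicy"):
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for d in deltas:
            if d.get("action") != "ADD":
                continue
            if d["role"] in PRIVILEGED_ROLES:
                findings.append(f"privileged role {d['role']} granted to {d['member']}")
            if d["member"] in ("allUsers", "allAuthenticatedUsers"):
                findings.append(f"{d['role']} granted to {d['member']} (public)")
    if findings and caller_is_external(ip):
        findings.append(f"caller {ip} is outside corporate ranges")
    return [f"{entry.get('timestamp')} {who} {method}: {f}" for f in findings]


def analyze(entries_json):
    """Run analyze_entry over a JSON list of LogEntry objects."""
    findings = []
    for entry in json.loads(entries_json):
        findings.extend(analyze_entry(entry))
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE_ENTRIES_JSON):
        print(line)
```

The Owner grant made at 02:14 from an address outside the corporate range is the entry that should page someone; the routine instance creation by the deploy service account is correctly silent. In production you would run this against a Pub/Sub export of the logs rather than polling `gcloud logging read`, but the matching logic is the same.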
Admin Activity Logs are retained for 400 days and Data Access Logs for 30 days, so make sure to export logs if you'd like to keep them around longer for regulatory or legal purposes, or to feed them to a SIEM. Export is done with a log sink to Cloud Storage, BigQuery or Pub/Sub; put the destination in a separate, tightly controlled project so that someone who compromises a workload project cannot delete the evidence of what they did, and alert on the sink itself being deleted. RedLock ingests alerts based on activity log issues.

**8. Managing VM image lifecycles**

It is your responsibility to ensure the latest security patches have been applied to hosts within your environment. The latest [research](https://start.paloaltonetworks.com/5-key-cloud-security-trends) from Unit 42 provides insight into a related problem: traditional network vulnerability scanners are most effective for on-premises networks but miss crucial vulnerabilities when they're used to test cloud networks. In GCP, however, patching running VMs in place may not be the ideal approach, because instances in managed instance groups are created from an image or template and any patch applied by hand is lost on the next scale-out.

**Best Practice:** Use the power of automation to manage your VM image lifecycles. Build a custom image that has been patched and blessed from a security or compliance perspective, then roll it out by updating instance templates and letting the managed instance group replace instances rather than patching them. Deny the use of images from outside your trusted image projects with the Resource Manager organization policy constraint `constraints/compute.trustedImageProjects`. Additionally, deprecate and then remove obsolete, older images (Compute Engine images move through DEPRECATED, OBSOLETE and DELETED states, so a stale template fails loudly before the image is gone) to ensure that you are using the latest and greatest VM image.

In conclusion, no matter which cloud you choose, security remains a shared responsibility. It is important to have a fundamental understanding of best practices to manage your part of this responsibility. It may be unrealistic, however, to expect every person in your organization to know all best practices and follow them consistently. This becomes especially difficult when you have more than a handful of people with hands in your cloud environment. But there is good news. RedLock can help monitor these best practices across your organization, across all clouds, and suggest best practices for remediation. If you'll be at Google Next, stop by our booth S1739 and check out a demo. Or, if you're interested to try it for yourself, you can sign up [here](https://start.paloaltonetworks.com/redlock-14-day-free-trial.html).