{"id":97945,"date":"2019-04-09T06:00:59","date_gmt":"2019-04-09T13:00:59","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=97945"},"modified":"2019-05-06T15:26:53","modified_gmt":"2019-05-06T22:26:53","slug":"8-google-cloud-security-best-practices","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2019\/04\/8-google-cloud-security-best-practices\/","title":{"rendered":"8 Google Cloud Security Best Practices"},"content":{"rendered":"<p><em>If you\u2019ll be at <a href=\"https:\/\/cloud.withgoogle.com\/next\/sf\" rel=\"nofollow,noopener\" >Google Next<\/a> this week in San Francisco, stop by booth <\/em>S1739 <em>and check out a demo of how we help secure public cloud environments. <\/em><\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-97946 alignright lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/04\/GCS-Post_449648-unsplash-500x333.jpg\" alt=\"\" width=\"296\" height=\"197\" srcset=\"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/04\/GCS-Post_449648-unsplash-500x333.jpg 500w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/04\/GCS-Post_449648-unsplash-230x153.jpg 230w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/04\/GCS-Post_449648-unsplash-768x512.jpg 768w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/04\/GCS-Post_449648-unsplash-450x300.jpg 450w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/04\/GCS-Post_449648-unsplash-60x40.jpg 60w\" sizes=\"auto, (max-width: 296px) 100vw, 296px\" \/>Google has been making some great inroads with their cloud expansion. As with AWS and Azure, developers can adopt Google Cloud Platform (GCP) easily, seeking features for use in their application stacks. 
Also, with the wide adoption of containers and Kubernetes, Google\u2019s leadership in developing container technologies has earned them a reputation as a great cloud option to run these types of workloads. Finally, some organizations are choosing GCP to augment their multi-cloud strategy.<\/p>\n<p>As stated in my previous <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2019\/02\/8-aws-security-best-practices-mitigate-risk\/\">AWS<\/a> and <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2019\/03\/8-azure-security-best-practices\/\">Azure<\/a> blog posts, no two clouds are alike. So, we must be mindful of what the basic security settings are for GCP. While there are significant differences in the details of how to secure GCP compared to other cloud platforms, one tenet remains the same: security is a shared responsibility. You can\u2019t assume Google will secure the cloud for you. Educating yourself is key. I recommend the following resources for in-depth information on security-centric and other cloud-focused best practices to help you get the most out of Google Cloud:<\/p>\n<ul>\n<li><a href=\"https:\/\/cloud.google.com\/security\/overview\/whitepaper\" rel=\"nofollow,noopener\" >Google Security Whitepaper<\/a><\/li>\n<li><a href=\"https:\/\/cloud.google.com\/docs\/enterprise\/best-practices-for-enterprise-organizations\" rel=\"nofollow,noopener\" >Best Practices for Enterprise Organizations<\/a><\/li>\n<li><a href=\"https:\/\/www.youtube.com\/watch?v=ZQHoC0cR6Qw\" rel=\"nofollow,noopener\" >A Security Practitioners Guide to Best Practice GCP Security (Cloud Next \u201918)<\/a><\/li>\n<\/ul>\n<p>With that, let\u2019s dive into the fundamentals. The following are eight challenges and best practices to help you mitigate risk in Google Cloud.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>1. Visibility<\/strong><\/p>\n<p>Like other clouds, GCP resources can be ephemeral, which makes it difficult to keep track of assets. 
According to our research, the average lifespan of a cloud resource is two hours and seven minutes. And many companies have environments that involve multiple cloud accounts and regions. This leads to decentralized visibility, and since you can\u2019t secure what you can\u2019t see, this makes it difficult to detect risks.<\/p>\n<p><strong>Best Practice:\u00a0<\/strong>Use a cloud security offering that provides visibility into the volume and types of resources (virtual machines, load balancers, virtual firewalls, users, etc.) across multiple projects and regions in a single pane of glass. Having visibility and an understanding of your environment enables you to implement more granular policies and reduce risk. While GCP\u2019s native Cloud Security Command Center works well, monitoring at scale or across clouds requires third-party visibility from platforms such as <a href=\"https:\/\/www.paloaltonetworks.com\/products\/secure-the-cloud\/redlock\">RedLock<\/a> by Palo Alto Networks.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>2. Resource hierarchy<\/strong><\/p>\n<p>One of the basic principles in GCP is the resource hierarchy. While other clouds have hierarchical resource systems, GCP\u2019s is very flexible, allowing admins to create nodes in different ways and apply permissions accordingly. This can quickly create sprawl, as well as confusion about the level in the hierarchy at which a permission was applied. For example, GCP allows the creation of Folders, Teams, Projects and Resources under an Organization.<\/p>\n<p><strong>Best Practice:\u00a0<\/strong>Create a hierarchy that closely matches your organization\u2019s corporate structure. 
Or, if you currently don\u2019t have a well-defined corporate structure, create one that makes sense and takes into account future growth and expansion.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>3. Privilege and scope<\/strong><\/p>\n<p>GCP IAM allows you to control access by defining <em>who<\/em> has <em>what<\/em> access to <em>which<\/em> resource. The IAM resources in play are Users, Roles and Resources. Understanding how to apply policies to these resources is important for implementing least-privilege access in your GCP environment.<\/p>\n<p><strong>Best Practice:\u00a0<\/strong>Instead of applying permissions directly to users, add users to well-defined Groups and assign Roles to those Groups, thereby granting permission to the appropriate resources only. Make sure to use custom roles, as the scope of built-in roles can change.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>4. Identity management<\/strong><\/p>\n<p>Lost or <a href=\"https:\/\/enterprise.verizon.com\/resources\/reports\/dbir\/\" rel=\"nofollow,noopener\" >stolen credentials are a leading cause of cloud security incidents<\/a>. It is not uncommon to find access credentials to public cloud environments exposed on the internet. Organizations need a way to detect these account compromises.<\/p>\n<p><strong>Best Practice:\u00a0<\/strong>Strong password policies and multi-factor authentication (MFA) should always be enforced. GCP supports MFA for both Cloud Identity and corporate entities. Additionally, you can integrate Cloud Identity with SSO for your corporate identities so that you inherit your corporate MFA policies.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>5. Access<\/strong><\/p>\n<p>It goes without saying that humans aren\u2019t the only users of GCP resources. 
Development tools and applications will need to make API calls to access GCP resources.<\/p>\n<p><strong>Best Practice:\u00a0<\/strong>Create descriptively named Service Accounts so that the purpose of each account is clear. Also, be sure to protect service account keys with Cloud KMS and store them encrypted in Cloud Storage or some other storage repository that doesn\u2019t have public access. Finally, rotate your keys on a regular basis, such as every 90 days or less.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>6. Managing firewalls and unrestricted traffic<\/strong><\/p>\n<p>VPC firewalls are stateful virtual firewalls that manage network traffic to VPC networks, VMs, and other compute resources in those networks. Unfortunately, admins often assign IP ranges to firewall rules, both inbound and outbound, that are broader than necessary. Adding to the concern, <a href=\"https:\/\/start.paloaltonetworks.com\/5-key-cloud-security-trends\">research<\/a> from Unit 42\u2019s cloud threat intelligence team found that 85% of resources associated with security groups don\u2019t restrict outbound traffic at all. Further, an increasing number of organizations are not following network security best practices, and as a result have misconfigurations or risky configurations. Industry best practices mandate that outbound access should be restricted to prevent accidental data loss or data exfiltration in the event of a breach.<\/p>\n<p><strong>Best Practice:\u00a0<\/strong>Limit the IP ranges that you assign to each firewall rule to only the networks that need access to those resources. GCP\u2019s advanced VPC features allow you to get very granular with traffic by assigning targets by network tag or Service Account. This allows you to express traffic flows logically in a way that you can identify later, such as allowing a front-end service to communicate with VMs running under a back-end service\u2019s Service Account.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>7. 
Setup and review of activity logs<\/strong><\/p>\n<p>Organizations need oversight into user activities to reveal account compromises, insider threats and other risks. Virtualization \u2013 the backbone of cloud networks \u2013 and the ability to use the infrastructure of a very large and experienced third-party vendor afford agility, since privileged users can make changes to the environment as needed. The downside is the potential for insufficient security oversight. To avoid this risk, user activities must be tracked to identify account compromises and insider threats and to ensure that a malicious outsider hasn\u2019t hijacked an account. Fortunately, businesses can effectively monitor users when the right technologies are deployed. GCP records API calls and other admin activity in Stackdriver Admin Activity Logs and captures data access activity in Data Access Logs.<\/p>\n<p><strong>Best Practice:<\/strong>\u00a0Monitoring Admin Activity Logs is key to understanding what\u2019s going on with your GCP resources. Admin Activity Logs are stored for 400 days and Data Access Logs for 30 days, so make sure to export logs if you\u2019d like to keep them around longer for regulatory or legal purposes. RedLock ingests alerts based on activity log issues.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>8. Managing VM image lifecycles<\/strong><\/p>\n<p>It is your responsibility to ensure the latest security patches have been applied to hosts within your environment. The latest <a href=\"https:\/\/start.paloaltonetworks.com\/5-key-cloud-security-trends\">research<\/a> from Unit 42 provides insight into a related problem: traditional network vulnerability scanners are most effective for on-premises networks but miss crucial vulnerabilities when they\u2019re used to test cloud networks. 
In GCP, however, patching running VMs may not be the ideal approach.<\/p>\n<p><strong>Best Practice:\u00a0<\/strong>Use the power of automation to manage your VM image lifecycles. Create a custom image that has been patched or approved from a security or compliance perspective, and then use a Resource Manager Constraint to deny the use of any image other than your trusted custom images. Additionally, remove obsolete older images to ensure that only the latest VM image is in use.<\/p>\n<p>&nbsp;<\/p>\n<p>In conclusion, no matter which cloud you choose, security remains a shared responsibility. It is important to have a fundamental understanding of best practices to manage your part of this responsibility. It may be unrealistic, however, to expect every person in your organization to know all best practices and follow them consistently. This becomes especially difficult when you have more than a handful of people with hands in your cloud environment.<\/p>\n<p>But there is good news. RedLock can help monitor adherence to these best practices across your organization and across all clouds, and suggest remediation steps. If you\u2019ll be at Google Next, stop by our booth S1739 and check out a demo. 
Or, if you\u2019re interested to try it for yourself, you can sign up <a href=\"https:\/\/start.paloaltonetworks.com\/redlock-14-day-free-trial.html\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>No matter which cloud you choose, security remains a shared responsibility.<\/p>\n","protected":false},"author":629,"featured_media":96978,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6717,6768],"tags":[1166,6753,3444,6597,6754],"coauthors":[6726],"class_list":["post-97945","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-products-and-services","category-secure-the-cloud","tag-cloud-security","tag-gcp-security","tag-google-cloud-platform","tag-redlock","tag-shared-responsibility-model"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2019\/02\/corp-blog-cloud-600x300.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/97945","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/629"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=97945"}],"version-history":[{"count":3,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/97945\/revisions"}],"predecessor-version":[{"id":97961,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/97945\/revisions\/97961"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/96978"}],"wp:attac
hment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=97945"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=97945"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=97945"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=97945"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}