GCP Security best practice: Access to networks and network services

This Google Cloud Platform security best practice is part of the Identity and Access Management security domain.

Personnel, contractors and 3rd party personnel shall only be provided with access to the network and network services that they have been specifically authorized to use.

Cloud IAM lets you control who can access your projects. You can grant and scope permissions to specific GCP resources in your projects. Cloud IAM roles can be granted to a specific Google user account, service account, or group, or to everyone in a domain. You can also set Cloud IAM roles at the organizational level, folder level, or project level to allow projects and resources to inherit the Cloud IAM permissions.

Data and asset owners shall review users’ (personnel, contractors and third-party personnel) access rights at regular intervals. Review cycles shall be scheduled monthly, quarterly or yearly, depending on use and criticality.

Forseti IAM Explain can help with auditing IAM permissions, and custom tools can integrate with the IAM APIs to perform audits. You can further restrict which identities may be granted access by using the domain restricted sharing organization policy.
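The review described above can be partly automated. The following is an added example (not Google's or Forseti's code) that reads a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json` and flags public grants, primitive roles, and members outside an allow-list of domains, which is the condition the domain restricted sharing org policy enforces centrally. The sample policy, identities, domains and etag are constructed placeholders; treating Google-managed service accounts as in-scope identities is a design choice of this example.

```python
"""Review a GCP project IAM policy for risky bindings.

Added example, not Google's or Forseti's code. Reads the JSON shape returned
by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports:
  * grants to allUsers / allAuthenticatedUsers
  * primitive roles (owner/editor/viewer), far broader than predefined roles
  * members whose domain is outside an allow-list (the condition the
    domain restricted sharing org policy enforces centrally)
"""
import json

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy; identities, domains and the etag are placeholders.
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "PLACEHOLDER_ETAG",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com"]},
        {"role": "roles/viewer",
         "members": ["user:bob@contractor.example.org"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
        {"role": "roles/compute.securityAdmin",
         "members": ["group:netsec@example.com",
                     "serviceAccount:deploy@my-project.iam.gserviceaccount.com"]},
    ],
})


def member_domain(member):
    """Return the domain part of an IAM member string, or None if it has none.

    Members look like 'user:a@b.com', 'group:g@b.com',
    'serviceAccount:sa@p.iam.gserviceaccount.com' or 'domain:b.com'.
    """
    kind, _, ident = member.partition(":")
    if kind == "domain":
        return ident
    if "@" in ident:
        return ident.rsplit("@", 1)[1]
    return None


def review_policy(policy_json, allowed_domains):
    """Return a list of (finding, role, member) tuples for a policy document."""
    findings = []
    policy = json.loads(policy_json)
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("public_grant", role, member))
                continue  # the role and domain checks add nothing here
            if role in PRIMITIVE_ROLES:
                findings.append(("primitive_role", role, member))
            domain = member_domain(member)
            # Design choice of this example: Google-managed service accounts are
            # treated as in-scope identities rather than as external domains.
            if (domain is not None
                    and not domain.endswith("gserviceaccount.com")
                    and domain not in allowed_domains):
                findings.append(("external_domain", role, member))
    return findings


if __name__ == "__main__":
    for finding in review_policy(SAMPLE_POLICY, allowed_domains={"example.com"}):
        print("%-16s %-32s %s" % finding)
```

Run against a real export, the output is the list an owner works through during the monthly or quarterly review; anything under `external_domain` should already be impossible where the org policy is in place, so a hit there is a sign the constraint is not applied to that project.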

GCP Security best practice: Security and BC/DR

This Google Cloud Platform security best practice is part of the Business Continuity & Disaster Recovery security domain.

The local and remote site recovery of the security infrastructure and functionality is a required component of business continuity and disaster recovery planning and documentation.

If a customer’s production environment is on-premises or on another cloud provider, Google Cloud Platform can be useful as a target for backups and archives. Using Carrier Interconnect, Direct Peering, and/or Compute Engine VPN, you can adapt the disaster recovery strategies to your own situation.

Means of standardization across virtual infrastructure for systems, supported OS types and patch levels logically segregated by tiers shall be implemented. An exception review process will be instituted to justify and allow any non-standard virtual deployments.

A Business Impact Analysis shall be developed to address cloud components and operations and their overall criticality and recovery requirements in maintaining business function.

An audit of all third-party hosted systems shall be conducted to ensure that those assets are included in the CMDB.

GCP Security best practice: Network Security Management

This Google Cloud Platform security best practice is part of the Network & Infrastructure Security security domain.

The capability shall configure its IT systems to:

  • monitor and control communications at the external boundary and at key internal boundaries within the system;
  • have limited number of access points to allow for more comprehensive monitoring of inbound and outbound communications and network traffic; and
  • connect to external networks or IT systems only through managed interfaces consisting of boundary protection devices.

The capability shall implement a dedicated and isolated computing environment for sensitive systems. For shared networks, especially those extending across Client’s boundaries, the capability of users to connect to the network shall be restricted, in line with the Client’s access control policy and requirements of the business applications.

Applying the right firewall rules to the right VMs in an environment is a way for customers to provide least-privilege network access.

One cannot mix and match service accounts and network tags in any firewall rule definition. This restriction impacts ingress firewall rules in the following way: if you use a service account for the source filter or the target, then neither the target nor the source filter can be a network tag.

GCP uses a connection tracking table to support stateful firewall filtering. The maximum number of connections in the table depends on the instance type.

Firewall rules are applied to the VPC network on which your GCE instances reside. Firewall rules apply to both inbound (ingress) and outbound (egress) traffic, and can also be applied between instances in your network. They can be set to allow or deny traffic based on protocol, ports, and IP addresses. Keep the following in mind when configuring firewall rules:

  • Keep your firewall rules in line with the model of least privilege. To allow traffic through, create firewall rules that explicitly allow only the traffic your applications need in order to communicate.
  • Assign the Compute Security Admin role to your security or networking team so that they can configure and modify the firewall rules on your network.
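A least-privilege review of firewall rules is easy to script. The following is an added example (not Google's code) that lints rules in the JSON shape produced by `gcloud compute firewall-rules list --format=json`, reporting rules open to 0.0.0.0/0, rules that open every port, rules with no target (so they apply to every instance in the network), administrative ports exposed to the internet, and the tag/service-account mix described above. The mix check only matters for rules you are about to create, since the API rejects such a rule rather than storing it. The sample rules, names and service account are constructed.

```python
"""Lint VPC firewall rules against least privilege.

Added example, not Google's code. Input is the JSON shape produced by
`gcloud compute firewall-rules list --format=json`; fields used: name,
direction, sourceRanges, sourceTags, sourceServiceAccounts, allowed,
targetTags, targetServiceAccounts.
"""
import json

ANY_IPV4 = "0.0.0.0/0"
ADMIN_PORTS = {22, 3389}  # SSH and RDP

# Constructed sample rules; names, ranges and the service account are placeholders.
SAMPLE_RULES = json.dumps([
    {"name": "allow-ssh-from-anywhere", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": [ANY_IPV4],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-all-internal", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "web-to-app", "direction": "INGRESS", "priority": 1000,
     "sourceTags": ["web"],  # tag source plus service-account target: rejected by the API
     "targetServiceAccounts": ["app@my-project.iam.gserviceaccount.com"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}]},
    {"name": "lb-to-web", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"],
     "targetTags": ["web"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
])


def port_set(rule):
    """Return the set of ports an allow rule opens, or None when it opens everything."""
    ports = set()
    for entry in rule.get("allowed", []):
        proto = entry.get("IPProtocol")
        if proto == "all" or (proto in ("tcp", "udp") and not entry.get("ports")):
            return None  # no port restriction at all
        for spec in entry.get("ports", []):
            lo, _, hi = spec.partition("-")  # "80" or "8000-8100"
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def lint_rule(rule):
    """Return the finding codes for one rule (empty list means clean)."""
    codes = []
    uses_tags = bool(rule.get("sourceTags") or rule.get("targetTags"))
    uses_sas = bool(rule.get("sourceServiceAccounts") or rule.get("targetServiceAccounts"))
    if uses_tags and uses_sas:
        codes.append("mixed_tags_and_service_accounts")
    if rule.get("direction", "INGRESS") == "INGRESS":
        ports = port_set(rule)
        if ports is None:
            codes.append("all_ports")
        if ANY_IPV4 in rule.get("sourceRanges", []):
            codes.append("open_to_internet")
            if ports is None or ports & ADMIN_PORTS:
                codes.append("admin_port_open_to_internet")
        if not rule.get("targetTags") and not rule.get("targetServiceAccounts"):
            codes.append("applies_to_all_instances")
    return codes


def lint_rules(rules_json):
    """Map each rule name to its finding codes, omitting clean rules."""
    report = {}
    for rule in json.loads(rules_json):
        codes = lint_rule(rule)
        if codes:
            report[rule["name"]] = codes
    return report


if __name__ == "__main__":
    for name, codes in lint_rules(SAMPLE_RULES).items():
        print(name, "->", ", ".join(codes))
```

The `applies_to_all_instances` code is the one most often overlooked: an ingress rule with neither target tags nor target service accounts applies to every VM in the network, so scoping the target is as much a part of least privilege as narrowing the source range and ports.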

GCP Security best practice: Incident Reporting

This Google Cloud Platform security best practice is part of the Incident Response Management security domain.

Incident-related data shall be collected and reporting metrics shall be produced.

All incidents shall be analysed for root cause to generate recommendations for improvement for consideration by the Client.

Procedures shall exist to track and document information system security incidents and related solutions in accordance with incident management work instructions.

Customer-initiated incident response requires a Gold or Platinum support contract, which entitles the customer to 24/7 support with an under-an-hour SLA and phone support. If customer staff are in multiple time zones, it is beneficial to give details about when each should be contacted.
Customers should monitor the relevant email address (the project owner email address) regularly so that they know as soon as their project is warned.

GCP Security best practice: Scalable Architecture for Logging and Monitoring

This Google Cloud Platform security best practice is part of the Logging and Monitoring security domain.

The solution shall support scaling of the ingest, index, and search layer based on data ingest and usage profiles. The scalability model shall be refined enough to add capacity in hours.

1 – GCP has some native search/filter capabilities in Stackdriver, per project. Stackdriver Logging is a fully managed service in GCP that can ingest application and system log data from VMs and analyze log data in real time. Customers can collect data via Stackdriver agents that can scale as needed:

  • Admin console logs – Admin console audit logs, user audit logs, separate API and UI logs
  • GCP console audit logs – Admin Activity logs (always enabled); Data Access logs (disabled by default)
  • VMs running the Stackdriver agent – common third-party applications, system software
  • Network logs – VPC Flow Logs, Cloud CDN logs

2 – You can export to BigQuery for additional analysis.

3 – Or export to Cloud Pub/Sub and use connectors that integrate with Elasticsearch.
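Whichever export target is used, the entries arrive in the LogEntry JSON shape, and Admin Activity and Data Access audit logs are told apart by the logName suffix. The following is an added example (not Google's code) that triages a batch of exported entries, counting them per log type and pulling out IAM policy and firewall changes, and builds the Logging filter string that selects only those entries for a sink or a logs-based metric. The sample entries, project name, principals, bucket and timestamps are constructed; the choice of `SetIamPolicy` and `compute.firewalls.` as the high-risk markers is this example's, not a Google recommendation.

```python
"""Triage exported Cloud Audit Log entries and build the matching sink filter.

Added example, not Google's code. Sample entries are constructed in the
LogEntry JSON shape Stackdriver Logging exports (one object per Pub/Sub
message or BigQuery row); project, principals and timestamps are placeholders.
"""
import json
from collections import Counter

ACTIVITY_SUFFIX = "/logs/cloudaudit.googleapis.com%2Factivity"
DATA_ACCESS_SUFFIX = "/logs/cloudaudit.googleapis.com%2Fdata_access"

# Substrings of methodName worth alerting on (this example's choice):
# IAM policy changes and any firewall insert/patch/delete.
HIGH_RISK_METHODS = ("SetIamPolicy", "compute.firewalls.")

SAMPLE_LOG_LINES = [
    json.dumps({"logName": "projects/my-project" + ACTIVITY_SUFFIX,
                "severity": "NOTICE", "timestamp": "2019-01-01T10:00:00Z",
                "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                                 "serviceName": "cloudresourcemanager.googleapis.com",
                                 "methodName": "SetIamPolicy",
                                 "resourceName": "projects/my-project",
                                 "authenticationInfo": {"principalEmail": "alice@example.com"}}}),
    json.dumps({"logName": "projects/my-project" + ACTIVITY_SUFFIX,
                "severity": "NOTICE", "timestamp": "2019-01-01T10:05:00Z",
                "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                                 "serviceName": "compute.googleapis.com",
                                 "methodName": "v1.compute.firewalls.insert",
                                 "resourceName": "projects/my-project/global/firewalls/allow-ssh",
                                 "authenticationInfo": {"principalEmail":
                                                        "deploy@my-project.iam.gserviceaccount.com"}}}),
    json.dumps({"logName": "projects/my-project" + DATA_ACCESS_SUFFIX,
                "severity": "INFO", "timestamp": "2019-01-01T10:06:00Z",
                "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                                 "serviceName": "storage.googleapis.com",
                                 "methodName": "storage.objects.get",
                                 "resourceName": "projects/_/buckets/my-bucket/objects/report.csv",
                                 "authenticationInfo": {"principalEmail": "bob@example.com"}}}),
    json.dumps({"logName": "projects/my-project/logs/syslog", "severity": "INFO",
                "timestamp": "2019-01-01T10:07:00Z", "textPayload": "constructed syslog line"}),
]


def classify(entry):
    """Return 'admin_activity', 'data_access' or 'other' for a LogEntry dict."""
    name = entry.get("logName", "")
    if name.endswith(ACTIVITY_SUFFIX):
        return "admin_activity"
    if name.endswith(DATA_ACCESS_SUFFIX):
        return "data_access"
    return "other"


def triage(lines):
    """Count entries per log type and pull out high-risk admin actions."""
    counts = Counter()
    high_risk = []
    for line in lines:
        entry = json.loads(line)
        kind = classify(entry)
        counts[kind] += 1
        if kind != "admin_activity":
            continue
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        if any(marker in method for marker in HIGH_RISK_METHODS):
            high_risk.append({
                "time": entry.get("timestamp"),
                "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
                "method": method,
                "resource": payload.get("resourceName"),
            })
    return {"counts": dict(counts), "high_risk": high_risk}


def sink_filter(project_id):
    """Logging filter selecting only the high-risk Admin Activity entries.

    The same filter string serves a log sink (export) or a logs-based metric
    that an alerting policy can watch. ':' is the substring operator.
    """
    log_name = "projects/%s%s" % (project_id, ACTIVITY_SUFFIX)
    return ('logName="%s" AND (protoPayload.methodName="SetIamPolicy"'
            ' OR protoPayload.methodName:"compute.firewalls.")' % log_name)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG_LINES)
    print(result["counts"])
    for event in result["high_risk"]:
        print(event["time"], event["principal"], event["method"], event["resource"])
    print(sink_filter("my-project"))
```

Because Data Access logs are disabled by default, the `data_access` count will be zero in most projects until that log type is turned on; seeing zero is a prompt to check the configuration, not a sign that nothing touched the data.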

GCP Security best practice: Integration with Risk Management

This Google Cloud Platform security best practice is part of the Vulnerability and Threat Management security domain.

Vulnerabilities shall be analyzed for their impact on identified risks. Technical vulnerabilities shall be aligned with, and inform, the risks in the risk register and the assessment of control effectiveness. Customers are to integrate this with their own risk management solution.

Regularly scheduled penetration testing of its perimeter and public-facing environment shall be conducted.

Customers planning to evaluate the security of their GCP infrastructure with penetration testing are not required to contact Google to begin testing. They must abide by the Cloud Platform Acceptable Use Policy and the Terms of Service and ensure that tests only affect their own projects (and not other customers’ applications). If a vulnerability is found, customers can report it via the Vulnerability Reward Program.

GCP Security best practice: Data Protection and Monitoring Handling Procedures

This Google Cloud Platform security best practice is part of the Data Protection security domain.

Procedures for labeling, handling, and protecting the confidentiality and integrity of personal information, test data, production data, and data involved in online transactions to prevent contract dispute and compromise of data shall be established. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.

Areas where potential information leakage can occur shall be identified, and appropriate controls to mitigate it shall be implemented.

Customers can use the Cloud DLP API to better understand and manage sensitive data. It provides fast, scalable classification and redaction for sensitive data elements, like credit card numbers, names, social security numbers, US and selected international identifier numbers, phone numbers, and GCP credentials. VPC Service Controls and organization policies can be used too.

GCP Security best practice: Data Ownership & Inventory

This Google Cloud Platform security best practice is part of the Data Protection security domain.

Appropriate ownership of data shall be assigned, and procedures established to classify, monitor, and update data in accordance with its classification policies. Policies and procedures shall be in place to inventory, document, and maintain data flows to ascertain any regulatory or statutory impact, and to address any other business risks associated with the data.

This is a customer responsibility. The Cloud Data Loss Prevention (DLP) API can help scan for PII (credit card numbers, names, social security numbers, US and selected international identifier numbers, phone numbers, and GCP credentials) and classify sensitive data within text content.
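The two DLP operations this section and the Data Protection section above rely on, inspection (which infoTypes occur in a piece of text) and redaction (replacing each finding with its infoType), are illustrated by the following added example. It is not Google's code and not the Cloud DLP API: it is a small local stand-in whose detectors are plain regular expressions plus a Luhn checksum, far weaker than the service's detectors, but it shows the shape of the output a classification step feeds into an inventory or a redaction pipeline. The infoType names reuse the DLP API's naming (`CREDIT_CARD_NUMBER`, `US_SOCIAL_SECURITY_NUMBER`, `EMAIL_ADDRESS`); the sample text is constructed, and the second 16-digit number in it deliberately fails the Luhn check to show a candidate being rejected.

```python
"""Classify and redact sensitive data in text, DLP style.

Added example, not Google's code and not the Cloud DLP API: a local stand-in
showing inspection (which infoTypes occur where) and redaction (replacing
each finding with its infoType). Detectors are regexes plus a Luhn check,
much weaker than the service's own detectors. Sample text is constructed.
"""
import re


def luhn_ok(candidate):
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# (infoType name as used by the DLP API, pattern, extra validator or None)
DETECTORS = [
    ("CREDIT_CARD_NUMBER", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), luhn_ok),
    ("US_SOCIAL_SECURITY_NUMBER", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    ("EMAIL_ADDRESS", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), None),
]

# Constructed sample: the last number looks like a card but fails Luhn.
SAMPLE_TEXT = ("Card 4111 1111 1111 1111, SSN 123-45-6789, contact bob@example.com, "
               "order id 1234 5678 9012 3456")


def inspect(text):
    """Return [(info_type, matched_text)] for every validated finding."""
    findings = []
    for info_type, pattern, validate in DETECTORS:
        for match in pattern.finditer(text):
            if validate is None or validate(match.group(0)):
                findings.append((info_type, match.group(0)))
    return findings


def redact(text):
    """Replace each validated finding with its infoType name in brackets."""
    for info_type, pattern, validate in DETECTORS:
        def replace(match, info_type=info_type, validate=validate):
            if validate is None or validate(match.group(0)):
                return "[%s]" % info_type
            return match.group(0)  # failed validation: leave the text untouched
        text = pattern.sub(replace, text)
    return text


if __name__ == "__main__":
    for info_type, value in inspect(SAMPLE_TEXT):
        print(info_type, "->", value)
    print(redact(SAMPLE_TEXT))
```

The validator step is the part worth carrying over to any home-grown classifier: a 16-digit string is only a card number if the checksum holds, and skipping that check is how order numbers and ticket IDs end up redacted while the real findings drown in noise.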

GCP Security best practice: Security-related alerts and error conditions for all released applications

This Google Cloud Platform security best practice is part of the DevSecOps and CI/CD security domain.

Customers can create and manage alerting policies with Stackdriver Monitoring (using the console or the Stackdriver Monitoring API). Logs can also be exported to SIEMs to detect threats or anomalies.

Automated code analysis tools with specific components for monitoring for security issues shall be used.

Customers can integrate with GCP → Security Command Center, Google App Engine → Cloud Security Scanner and Google Kubernetes Engine → Container Registry Scanning.

Container Registry scans your container images and identifies package vulnerabilities. You can view the vulnerabilities using the Google Cloud Platform Console, the gcloud command-line tool, or the Container Analysis API.

Cloud Security Command Center integrates with Google Cloud Platform security tools like Cloud Security Scanner, the Cloud Data Loss Prevention (DLP) API, and third-party security solutions from Cloudflare, CrowdStrike, Dome9, Palo Alto Networks, Qualys, and RedLock.

GCP Security best practice: Software Engineering shall use automated tools to evaluate operational environment and application-specific health

This Google Cloud Platform security best practice is part of the DevSecOps and CI/CD security domain.

Customers can use Cloud Security Command Center, which is designed to enable users to monitor the inventory of their cloud assets, scan storage systems for sensitive data, detect common vulnerabilities, and review access rights to critical resources.

Customers can also use Stackdriver Monitoring to provide visibility into the performance, uptime, and overall health of applications in GCP.