Auditing the security of your GCP environment

There are plenty of tools out there that can perform a security audit of your environment, but none of them use Google’s security best practices.

We are trying to change that by providing a simple, customizable approach to performing a security audit for all the projects that your organization has.

From the customer side, all you need to do is provide us with an export of your cloud inventory assets. We will then apply all of Google’s security best practices as documented under the Cloud Foundation Toolkit project. The end result is a comprehensive security report that identifies the security areas that need your attention.

The topics covered under this security audit:

  1. Resource management
    • GCP org hierarchy
    • Environments & resource isolation
    • Resource provisioning
    • Organization policies
  2. Identity, Authentication, and Authorization
    • User & group management
    • Administrative roles
    • Authentication
    • Assigning IAM roles
    • Service Accounts
  3. Network security
    • VPC architecture
    • Firewall rules
    • Network logging
    • VPC Service Controls
    • DDoS and WAF
    • Identity Aware Proxy
  4. VM security
    • VM identities
    • Remote access
    • Image management
  5. GKE security
    • GKE cluster provisioning
    • Secure cluster default configurations
  6. Data security
    • Encryption key management
    • Cloud Storage security
    • BigQuery security
    • CloudSQL security
    • Data Loss Prevention
  7. Security Operations
    • Logging
    • Monitoring
    • Policy scanning

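Here is a sample of the summary of those recommendations:

Recommendations organized by Priority

| Section                                     | High | Med | Low | Total |
|---------------------------------------------|------|-----|-----|-------|
| Cloud Resource Management                   | 2    | 0   | 0   | 5     |
| Identity, Authentication, and Authorization | 4    | 5   | 0   | 9     |
| Network Security                            | 3    | 10  | 0   | 14    |
| Virtual Machine Security                    | 3    | 2   | 0   | 5     |
| GKE Security                                | 2    | 5   | 3   | 13    |
| Data Security                               | 9    | 2   | 0   | 11    |
| Security Operations                         | 0    | 2   | 0   | 2     |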

Part of our security report will include specific security recommendations for the areas that are marked as High Priority for you.

Here is an example of such specific security recommendations:

Use an organizational structure that is based on your business structure, usually grouped by Cloud IAM permissions and Organization policy inheritance.

Use folders as the points where Cloud IAM permissions and organization policies are applied. For example, the folder structure can reflect environments such as development and production, where more restrictive policies and limited Cloud IAM access are granted to the production environments.

Avoid extensive use of folder level IAM permissions, but instead, apply permissions at a project or resource level.

If you are interested in learning more, book your FREE Google Cloud Platform (GCP) security consultation with us today!