Managed GCP Security FAQ

GCP Security Services FAQ

Q: What are the costs associated with the implementation of the GCP Security Policies?

A: Our GCP Security costs are based on the following paid services:

  • Initial audit, deployment and configuration of your custom security policies – This is the effort associated with the initial creation of the security framework you want to comply with. Not all of the security policies available in GCP by default make sense for every environment; some of them could, for example, impede your normal management operations. This phase also covers the creation of all the alerts for policy violations and other health alerts for your critical services, and the creation and implementation of the remediation plan for any policy violations. Novaquantum provides support for the full development life cycle of the security policies and the remediation tasks involved in securing your environment.
  • On-going management – This is the effort required for daily support of the GCP Security service: monitoring of log sources and policy violations, and on-going tuning of alerts. It is covered by the monthly management fee charged by managed GCP providers like us.

Q: I don’t need, or don’t understand, the security standards (CIS, NIST, etc.), so why should I care about them?

A: Many small and medium businesses don’t need to be compliant with any of the mentioned standards, but complying with them will make your GCP environment considerably more secure and better protected. Enabling and continuously monitoring those security controls will give you confidence that your data is secure in the Cloud! As a best practice, we recommend that anyone running workloads in a public cloud such as GCP use the CIS security standard as a baseline for securing their environment.

Q: I am interested in the initial assessment and enablement of those security controls, but I am not interested in the ongoing maintenance of compliance: can you offer me only this service?

A: Short answer: Yes, but… without ongoing maintenance of your security compliance, your GCP environment will very quickly be exposed to many security risks. Cloud environments are highly dynamic, with resources and services/features being added, removed and modified frequently; without keeping pace with all those changes, the security controls we initially enabled will not remain effective.

Q: Could you perform a security assessment and remediation of any security flaws in the applications we have running in GCP?

A: Not at this time, but we are always adding new services to our portfolio!

Q: Our environment is a hybrid environment with resources located on-premises and in GCP. Would you be able to audit all of those resources and propose a remediation plan for them?

A: Short answer: No, we cannot. Long answer: auditing non-GCP resources with GCP security services requires the installation of local agents on those resources and the use of third-party software, which this service does not cover.

Q: The remediation tasks required to enable the security controls for a given standard might disrupt the normal business or operational procedures we have in place: how can we avoid downtime and disruption of those procedures?

A: Our experienced security consultants will advise you whether any of the required changes will cause an outage. You will always have the final say as to when, or if, those changes are acceptable to the business. You can also choose to perform the changes yourself. Our proposal for remediation of the non-compliant resources will include a priority list and a risk score, so you will always know where to focus your technical resources.

Q: Could you tell me more about the actual security checks that you will perform for my environment?

A: We are focusing our GCP security analysis on the following security domains:

  • Resource Management
    • GCP org hierarchy
    • Environments & resource isolation
    • Project creation
    • Resource provisioning
    • Organization policies
  • Identity, Authentication & Authorization
    • User & group management
    • Administrative roles
    • Authentication
    • Assigning IAM roles
  • Network Security
    • VPC architecture
    • Firewall rules
    • Network logging
    • VPC service controls
    • DDoS and WAF
    • Identity-Aware Proxy
  • VM Security
    • VM identities
    • Remote access
  • Data Security
    • Encryption key management
    • Cloud Storage security
    • BigQuery security
    • Cloud SQL security
    • Data Loss Prevention
  • Security Operations
    • Logging
    • Monitoring
    • Policy scanning
    • Incident Response
  • Kubernetes Security
    • GKE cluster provisioning
    • Secure cluster default configurations
    • Cluster IAM/RBAC
    • Container image building
    • Container lifecycle management
    • Container runtime security
    • Workload hardening and isolation