Managed GCP Security FAQ

GCP Security Compliance FAQ

Q: What are the costs related with the implementation of the GCP Security Compliance Policies?

A: GCP Security Compliance costs are based on the following paid services:

  • Initial deployment and configuration of your custom security policies – This is the effort associated with the initial creation of the security framework that you want to be compliant with: not all the security policies available in GCP by default would make sense for your particular environment as some of them could impede your normal management operations, for example. Creation of all the alerts for policy violations and other health alerts for your critical services. Creating and implementing the remediation plan for any policy violations. Novaquantum provides support for the full development life-cycle of security policies and remediation tasks involved in securing your environment.
  • On-going management – This is the effort required for daily support of the GCP Security Compliance service, monitoring of log sources, policy violations and on-going alerts tune-up and is covered by monthly management fee charged by managed GCP providers like us.  

Q: Can you guarantee 100% compliance with the above mentioned standards?

A: We will enable and remediate (if agreed by the customer) all the security controls available in GCP for the compliance framework(s) that you choose. Most of the security compliance frameworks have not only technical components, but business processes and procedures that need to be compliant as well, for which the customer alone is responsible. One notable exception is the GCP CIS that has only technical controls which we can control 100%.

Each security control is associated with one or more GCP feature/service. These features/services may help you assess compliance with the control; however, there often is not a 1:1 or complete match between a control and one or more platform feature. As such, Compliant in GCP refers only to the policies themselves; this doesn’t ensure you’re fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren’t addressed by any GCP platform features at this time. Therefore, compliance in GCP is only a partial view of your overall compliance status.

Q: I don’t need or understand what those security standards are, so why should I care about them?

A: Many small and medium businesses don’t need to be compliant with any of the mentioned standards, but the compliance will enable your Azure environment to be very secure and protected. The enablement and continuous monitoring of those security controls will give you confidence that your data is secure in the Cloud! As a best practice, we recommend to anyone having any workloads running in a public cloud like GCP, to use the CIS security standard as a baseline for securing their environment.

Q: I am interested in the initial assessment and enablement of those security controls, but I am not interested in the ongoing maintenance of the compliance: can you offer me only this service?

A: Short answer: Yes, but…without ongoing maintenance of your security compliance, your GCP environment will be very fast exposed to a lot of security risks. Cloud environments are very dynamic with resources and services/features being added, removed and modified quite often, so without keeping pace with all those changes, your initial security controls that we enabled will not be very effective.

Q: Could you perform a security assessment and remediation of any security flaws for the applications that we have running in GCP?

A: Not at this time, but we are always adding new services to our portfolio!

Q: Our environment is a hybrid environment with resources located on-premise and in GCP, would you be able to audit and propose a remediation plan for all the resources?

A: Short answer: No, we cannot. Long answer: enabling non-GCP resources for security auditing using GCP services, requires the installation of local agents on those resources and the use of third party software. We can assist and provide guidance in this situations, but the installation and distribution of the agents is your responsibility entirely.

Q: All the remediation tasks that are required to enable the security controls for any given standard, might disrupt our normal business or operational procedures that we have in place: how can we avoid any downtime and disruption of those procedures?

A: Our experienced security consultants will advise you if any of the changes required will require an outage or not. You will always have the final say as to when or if those changes are acceptable to the business. You can choose as well to perform the changes yourself. Our proposal for remediation of the non-compliant resources will include a priority list and a risk score, so you will always know where you should focus your technical resources.

Q: Could tell me more about the actual security checks that you will perform for my environment?

A: We are focusing our GCP security analysis on the following security domains:

  • Resource Management
    • GCP org hierarchy
    • Environments & resource isolation
    • Project creation
    • Resource provisioning
    • Organization policies
  • Identity, Authentication & Authorization
    • User & group management
    • Administrative roles
    • Authentication
    • Assigning IAM roles
  • Network Security
    • VPC architecture
    • Firewall rules
    • Network logging
    • VPC service controls
    • DDoS and WAF
    • Identity Aware Proxy
  • VM Security
    • VM identities
    • Remote access
  • Data security
    • Encryption key management
    • Cloud Storage security
    • BigQuery security
    • Cloud SQL security
    • Data Loss Prevention
  • Security operations
    • Logging
    • Monitoring
    • Policy scanning
    • Incident Response
  • Kubernetes security
    • GKE cluster provisioning
    • Secure cluster default configurations
    • Cluster IAM/RBAC
    • Container image building
    • Container lifecycle management
    • Container runtime security
    • Workload hardening and isolation