GCP Security Auditing Services FAQ
Q: What are the costs associated with the GCP security audit services you provide?
A: You can see our transparent pricing on this page.
Q: We have very strict security rules that prohibit us from giving access to our GCP environment to any external entity. What are your particular access requirements in order to perform the security audit?
A: We don’t need ANY access to your environment. All we need is an export of your current cloud asset inventory as produced by Cloud Asset Inventory (CAI). The export consists of 6 files. They are written to a Cloud Storage bucket in your own GCP project and shared securely with us from there, so the data never has to be transferred out of your infrastructure.
Q: Would you provide specific details or a script that we can run to collect this data?
A: Absolutely! We will share with you a short script that runs a few basic gcloud asset export commands. It can be run from Cloud Shell in the Google Cloud console by someone with Organization Admin rights. If your scope is limited to certain projects rather than all of the organization’s assets, we can customize the script.
Q: We would like to see all the IAM permissions required to run this script and the exports. Can you share those details?
A: Of course!

| Suggested Role | IAM Permissions Used | IAM Member | Target Resource | Remarks |
|---|---|---|---|---|
| roles/serviceusage.serviceUsageAdmin | serviceusage.services.enable | User or SA who enables the Cloud Asset API | Project to run the Cloud Asset API | Our script checks for this permission and then enables the API |
| roles/storage.admin | storage.buckets.create | The same user as above | Project to host the GCS bucket | Our script creates this bucket in the same project as above |
| roles/cloudasset.viewer | cloudasset.assets.exportResource, cloudasset.assets.exportIamPolicy | The same user as above | Organization | Our script checks for this permission and performs the exports |
| roles/serviceusage.serviceUsageConsumer | serviceusage.services.use | The same user as above | Project to run the Cloud Asset API | Our script checks for this permission |
| | | firstname.lastname@example.org | GCS bucket created by the script | Our script checks for this permission |
Q: I don’t need, and don’t really understand, the security standards (CIS, NIST, etc.), so why should I care about them?
A: Many small and medium businesses are not required to comply with any of these standards, but aligning with them makes your GCP environment considerably more secure and better protected. Enabling and continuously monitoring those security controls gives you confidence that your data is secure in the cloud. As a best practice, we recommend that anyone running workloads in a public cloud such as GCP use the CIS Google Cloud Platform Foundation Benchmark as the baseline for securing their environment.
Q: I am interested in the initial assessment of those security controls, but I am not interested in the ongoing maintenance of the compliance: can you offer me only this service?
A: Short answer: yes, but… without ongoing maintenance of your security compliance, your GCP environment will quickly be exposed to a lot of security risks. Cloud environments are very dynamic: resources, services and features are added, removed and modified often, so unless you keep pace with those changes, the security controls we audited initially will become obsolete very fast. Of course, the choice is yours.
Q: Could you perform a security assessment and remediation of any security flaws for the applications that we have running in GCP?
A: Not at this time, but we are always adding new services to our portfolio!
Q: Our environment is a hybrid environment with resources located on-premises and in GCP. Would you be able to audit and propose a remediation plan for all of the resources?
A: Short answer: no, we cannot. Long answer: enabling non-GCP resources for security auditing with GCP services requires installing local agents on those resources and using third-party software that requires a substantial investment.
Q: Could you tell me more about the actual security checks that you will perform on my environment?
A: We focus our GCP security analysis on the following security domains:
- Resource Management
  - GCP org hierarchy
  - Environments & resource isolation
  - Resource provisioning
  - Organization policies
- Identity, Authentication & Authorization
  - User & group management
  - Administrative roles
  - Assigning IAM roles
- Network Security
  - VPC architecture
  - Firewall rules
  - Network logging
  - VPC Service Controls
  - Identity-Aware Proxy
- VM Security
  - VM identities
  - Remote access
- Data security
  - Encryption key management
  - Cloud Storage security
  - BigQuery security
  - Cloud SQL security
- Security operations
  - Policy scanning
- Kubernetes security
  - GKE cluster provisioning
  - Secure cluster default configurations
  - Cluster IAM/RBAC
  - Container image building
  - Container lifecycle management
  - Container runtime security
  - Workload hardening and isolation

In total, over 60 security controls are audited and reported upon.
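To make the kind of control concrete, here is an added example (it is not NovaQuantum’s audit script) of two posture checks run over the CAI export files described earlier: one over an iam-policy export, flagging bindings to `allUsers`/`allAuthenticatedUsers` and basic roles granted directly to user accounts, and one over a resource export, flagging enabled ingress firewall rules that admit SSH or RDP from 0.0.0.0/0. It assumes the newline-delimited JSON shape that `gcloud asset export` writes (`name`, `asset_type`, `iam_policy.bindings`, `resource.data`); the sample records, project numbers and addresses are constructed for the example.

```python
"""Posture checks over Cloud Asset Inventory (CAI) export files.

Added example, not the vendor's audit script. `gcloud asset export`
writes one JSON object per line; an iam-policy export carries
`iam_policy.bindings`, a resource export carries the API resource under
`resource.data`. All sample records below are constructed for this example.
"""
import json

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}
MGMT_PORTS = (22, 3389)  # SSH and RDP
FIREWALL_TYPE = "compute.googleapis.com/Firewall"

# Constructed sample: two assets from an iam-policy export.
IAM_EXPORT = "\n".join(json.dumps(rec) for rec in [
    {"name": "//storage.googleapis.com/projects/_/buckets/marketing-site",
     "asset_type": "storage.googleapis.com/Bucket",
     "iam_policy": {"bindings": [
         {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}},
    {"name": "//cloudresourcemanager.googleapis.com/projects/123456789012",
     "asset_type": "cloudresourcemanager.googleapis.com/Project",
     "iam_policy": {"bindings": [
         {"role": "roles/owner", "members": ["user:alice@example.com"]},
         {"role": "roles/viewer", "members": ["group:auditors@example.com"]}]}},
])

# Constructed sample: three firewall rules from a resource export.
RESOURCE_EXPORT = "\n".join(json.dumps(rec) for rec in [
    {"name": "//compute.googleapis.com/projects/demo/global/firewalls/allow-ssh-anywhere",
     "asset_type": FIREWALL_TYPE,
     "resource": {"data": {"direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
                           "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}}},
    {"name": "//compute.googleapis.com/projects/demo/global/firewalls/allow-internal",
     "asset_type": FIREWALL_TYPE,
     "resource": {"data": {"direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
                           "allowed": [{"IPProtocol": "all"}]}}},
    {"name": "//compute.googleapis.com/projects/demo/global/firewalls/allow-app-range",
     "asset_type": FIREWALL_TYPE,
     "resource": {"data": {"direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
                           "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]}}},
])


def read_export(text):
    """Parse the newline-delimited JSON written by `gcloud asset export`."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_risky_bindings(assets):
    """Flag public principals and basic roles granted directly to user accounts."""
    findings = []
    for asset in assets:
        for binding in asset.get("iam_policy", {}).get("bindings", []):
            for member in binding.get("members", []):
                if member in PUBLIC_MEMBERS:
                    findings.append((asset["name"], binding["role"], member, "public"))
                elif binding["role"] in PRIMITIVE_ROLES and member.startswith("user:"):
                    findings.append((asset["name"], binding["role"], member, "basic-role-on-user"))
    return findings


def _spec_covers(spec, port):
    """True if a Compute port spec ("22" or "3000-4000") includes `port`."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def find_open_mgmt_firewalls(assets):
    """Flag enabled ingress rules that admit SSH/RDP from 0.0.0.0/0."""
    findings = []
    for asset in assets:
        if asset.get("asset_type") != FIREWALL_TYPE:
            continue
        rule = asset["resource"]["data"]
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if "0.0.0.0/0" not in rule.get("sourceRanges", []):
            continue
        exposed = set()
        for allowed in rule.get("allowed", []):
            if allowed.get("IPProtocol") not in ("tcp", "all"):
                continue
            specs = allowed.get("ports")  # absent means every port of the protocol
            for port in MGMT_PORTS:
                if specs is None or any(_spec_covers(s, port) for s in specs):
                    exposed.add(port)
        if exposed:
            findings.append((asset["name"], sorted(exposed)))
    return findings


if __name__ == "__main__":
    for finding in find_risky_bindings(read_export(IAM_EXPORT)):
        print("IAM:", *finding)
    for name, ports in find_open_mgmt_firewalls(read_export(RESOURCE_EXPORT)):
        print("FIREWALL:", name, "open to the internet on", ports)
```

Against the constructed input the first check reports the `allUsers` grant on the bucket and the `roles/owner` grant to a user, and the second reports port 22 on `allow-ssh-anywhere` and port 3389 on `allow-app-range` (the 3000-4000 range silently covers RDP); `allow-internal` is ignored because its source range is private. The range handling is the part most ad-hoc scripts get wrong, which is why the port check expands range specs rather than comparing strings.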
Q: What is NOT included in your Security Posture review?
A: The following tasks are not included:
- Design and implementation of security software, hardware, or appliances
- Auditing of policies, objectives, controls and solutions solely related to applications, workloads, or hardware not deployed on Google Cloud Platform
- Creation of Security Operating Processes and Procedures
- Security assessments of commercial or custom application software
- Configuration or modification of your environment
- Testing and troubleshooting in your environment
- Building any custom scripts or applications
- Review of your application architecture or design
- Review against any compliance frameworks (HIPAA, PCI, etc.)
Q: Can you tell me a bit more about the 170-slide presentation that is included in the service?
A: The GCP Security Best Practices presentation walks you through all the sections of the Cloud Security Audit report in far more detail than we can accomplish otherwise. It gives you general guidance on how to design your GCP environment from a security perspective. Hundreds of man-hours went into creating this presentation, based on the professional services guidance Google gives to partners such as NovaQuantum.