Managed GCP Security FAQ

GCP Security Services FAQ

Q: What are the costs related with the GCP security audit services provided by you?

A: Please book a quick 30 min meeting with us and we can explain our simple cost model.

Q: We have very strict security rules that prohibit us from giving access to our GCP environment to any external entity. What are your particular access requirements in order to perform the security audit?

A: We don’t need ANY access to your environment. All we need is an export of your current cloud inventory assets as provided by CAI (Cloud Asset Inventory). This export consists of 2 files that can be shared securely with us. The information contained in those files is stored securely on GCP infrastructure, so no transfer of the data outside GCP is required.

Q: I don’t need or understand the security standards (CIS, NIST, etc.), so why should I care about them?

A: Many small and medium businesses don’t need to be compliant with any of the mentioned standards, but compliance with them will make your GCP environment very secure and well protected. Enabling and continuously monitoring those security controls will give you confidence that your data is secure in the Cloud! As a best practice, we recommend that anyone running workloads in a public cloud like GCP use the CIS security standard as a baseline for securing their environment.

Q: I am interested in the initial assessment and enablement of those security controls, but I am not interested in the ongoing maintenance of the compliance: can you offer me only this service?

A: Short answer: Yes, but… without ongoing maintenance of your security compliance, your GCP environment will very quickly be exposed to a lot of security risks. Cloud environments are very dynamic, with resources and services/features being added, removed and modified quite often, so without keeping pace with all those changes, the initial security controls that we enabled will not remain effective.

Q: Could you perform a security assessment and remediation of any security flaws for the applications that we have running in GCP?

A: Not at this time, but we are always adding new services to our portfolio!

Q: Our environment is a hybrid environment with resources located on-premise and in GCP, would you be able to audit and propose a remediation plan for all the resources?

A: Short answer: No, we cannot. Long answer: enabling non-GCP resources for security auditing using GCP services requires the installation of local agents on those resources and the use of third-party software.

Q: The remediation tasks required to enable the security controls for any given standard might disrupt the normal business or operational procedures that we have in place: how can we avoid any downtime and disruption of those procedures?

A: Our experienced security consultants will advise you whether any of the required changes will require an outage. You will always have the final say as to when, or if, those changes are acceptable to the business. You can also choose to perform the changes yourself. Our proposal for remediation of the non-compliant resources will include a priority list and a risk score, so you will always know where to focus your technical resources.

Q: Could you tell me more about the actual security checks that you will perform for my environment?

A: We are focusing our GCP security analysis on the following security domains:

  • Resource Management
    • GCP org hierarchy
    • Environments & resource isolation
    • Project creation
    • Resource provisioning
    • Organization policies
  • Identity, Authentication & Authorization
    • User & group management
    • Administrative roles
    • Authentication
    • Assigning IAM roles
  • Network Security
    • VPC architecture
    • Firewall rules
    • Network logging
    • VPC service controls
    • DDoS and WAF
    • Identity Aware Proxy
  • VM Security
    • VM identities
    • Remote access
  • Data security
    • Encryption key management
    • Cloud Storage security
    • BigQuery security
    • Cloud SQL security
    • Data Loss Prevention
  • Security operations
    • Logging
    • Monitoring
    • Policy scanning
    • Incident Response
  • Kubernetes security
    • GKE cluster provisioning
    • Secure cluster default configurations
    • Cluster IAM/RBAC
    • Container image building
    • Container lifecycle management
    • Container runtime security
    • Workload hardening and isolation
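The "Firewall rules", "Assigning IAM roles" and "Policy scanning" domains above are the kind of checks that can be run entirely offline against a CAI export, which is why no environment access is needed. The script below is an added illustration written for this FAQ, not the service's own tooling: it assumes the two export files are newline-delimited JSON of the shape produced by `gcloud asset export` with `--content-type=resource` and `--content-type=iam-policy` (an assumption; the FAQ does not say what the two files contain), and the sample records are constructed. It flags ingress firewall rules reachable from any address and IAM bindings granted to `allUsers` or `allAuthenticatedUsers`.

```python
"""Offline checks over a Cloud Asset Inventory (CAI) export.

Assumptions (not from the FAQ): the export is newline-delimited JSON as written
by `gcloud asset export --content-type=resource` / `--content-type=iam-policy`.
All records below are constructed sample data for a hypothetical project.
"""
import json
from typing import Iterable, List, Tuple

# Constructed sample: the "resource" export, one asset per line.
RESOURCE_EXPORT = "\n".join(json.dumps(r) for r in [
    {
        "name": "//compute.googleapis.com/projects/demo-proj/global/firewalls/allow-ssh-world",
        "asset_type": "compute.googleapis.com/Firewall",
        "resource": {"data": {
            "name": "allow-ssh-world", "direction": "INGRESS", "disabled": False,
            "sourceRanges": ["0.0.0.0/0"],
            "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
        }},
    },
    {
        "name": "//compute.googleapis.com/projects/demo-proj/global/firewalls/allow-internal",
        "asset_type": "compute.googleapis.com/Firewall",
        "resource": {"data": {
            "name": "allow-internal", "direction": "INGRESS", "disabled": False,
            "sourceRanges": ["10.0.0.0/8"],
            "allowed": [{"IPProtocol": "all"}],
        }},
    },
    {
        "name": "//storage.googleapis.com/demo-bucket",
        "asset_type": "storage.googleapis.com/Bucket",
        "resource": {"data": {"name": "demo-bucket"}},
    },
])

# Constructed sample: the "iam-policy" export for the same assets.
IAM_EXPORT = "\n".join(json.dumps(r) for r in [
    {
        "name": "//storage.googleapis.com/demo-bucket",
        "asset_type": "storage.googleapis.com/Bucket",
        "iam_policy": {"bindings": [
            {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
            {"role": "roles/storage.admin", "members": ["user:alice@example.com"]},
        ]},
    },
    {
        "name": "//cloudresourcemanager.googleapis.com/projects/demo-proj",
        "asset_type": "cloudresourcemanager.googleapis.com/Project",
        "iam_policy": {"bindings": [
            {"role": "roles/owner", "members": ["user:alice@example.com"]},
        ]},
    },
])

ANY_ADDRESS = ("0.0.0.0/0", "::/0")
PUBLIC_PRINCIPALS = ("allUsers", "allAuthenticatedUsers")


def iter_assets(ndjson: str) -> Iterable[dict]:
    """Yield one parsed asset record per non-empty line of the export."""
    for line in ndjson.splitlines():
        if line.strip():
            yield json.loads(line)


def open_ingress_firewalls(ndjson: str) -> List[str]:
    """Names of enabled INGRESS rules that allow traffic from any address."""
    findings = []
    for asset in iter_assets(ndjson):
        if asset.get("asset_type") != "compute.googleapis.com/Firewall":
            continue
        data = asset["resource"]["data"]
        # Deny rules, egress rules and disabled rules do not expose anything.
        if data.get("direction", "INGRESS") != "INGRESS" or data.get("disabled"):
            continue
        if not data.get("allowed"):
            continue
        if any(r in ANY_ADDRESS for r in data.get("sourceRanges", [])):
            findings.append(data["name"])
    return findings


def public_iam_bindings(ndjson: str) -> List[Tuple[str, str]]:
    """(asset name, role) pairs granted to allUsers/allAuthenticatedUsers."""
    findings = []
    for asset in iter_assets(ndjson):
        for binding in asset.get("iam_policy", {}).get("bindings", []):
            if any(m in PUBLIC_PRINCIPALS for m in binding.get("members", [])):
                findings.append((asset["name"], binding["role"]))
    return findings


if __name__ == "__main__":
    for name in open_ingress_firewalls(RESOURCE_EXPORT):
        print(f"OPEN INGRESS: firewall rule {name} accepts traffic from any address")
    for asset_name, role in public_iam_bindings(IAM_EXPORT):
        print(f"PUBLIC IAM: {role} on {asset_name}")
```

Run against real export files by replacing the two constructed strings with the file contents. Both checks deliberately skip disabled or deny rules and bindings to named principals, so the output is a short list of findings to prioritise rather than a dump of every rule and binding; a production scan would add the other domains listed above (logging sinks, bucket uniform access, GKE settings) as further functions over the same two files.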

Q: What is NOT included in your Security Posture review?

A: The following tasks are not included:

  • Design and implementation of security software, hardware, or appliances
  • Policies, objectives, controls and solutions solely related to applications, workloads, or hardware not deployed on Google Cloud Platform
  • Creation of Security Operating Processes and Procedures
  • Security assessments of commercial or custom application software
  • Configuration or modification of your environment
  • Testing and troubleshooting in your environment
  • Building any custom scripts or applications
  • Review of your application architecture or design
  • Review against any compliance frameworks (HIPAA, PCI, etc.)