As organizations increasingly migrate away from on-premises environments and adopt cloud technologies, they are faced with new security challenges. The shared responsibility model of cloud security requires companies to take ownership of securing their data, applications, and access management. When you neglect these responsibilities, you run the risk of data breaches, reputational damage, and financial loss.
Securing Google Cloud environments requires understanding potential pitfalls and best practices. Organizations often expose themselves to risks by overlooking fundamental configuration choices needed to build strong, foundational security.
This article will explore these common security missteps in detail and provide actionable recommendations to help organizations strengthen their GCP environments. By proactively addressing these issues and adopting best practices, you can significantly reduce your attack surface and ensure the integrity of your cloud infrastructure.
Google Cloud Security Foundations for Dummies
Everything you need to know about Google Cloud Security
Download Guide
Using default network settings
One of the most common missteps when starting out with Google Cloud Platform is failing to properly configure Virtual Private Cloud (VPC) networks and firewall rules.
To avoid potential attacks, it is crucial to ensure stringent firewall rules and create a logical network architecture that prevents easy passage between public and private resources. These steps will also limit the impact if an attack succeeds in compromising any part of your infrastructure.
Organizations should leverage GCP's VPC networking components to create a secure and segmented network architecture:
Use policy controls to disable the creation of a default network when new projects are created.
Review and update the firewall rules for any existing VPCs; the default network firewall rules are overly permissive and permit several known attack vectors.
Implement hierarchical firewall policies to centralize control of VPC firewall rules.
Use private subnets and network address translation (NAT) to avoid flat, easily traversed networks; most application infrastructure resources do not need direct internet access.
Utilize VPC Service Controls to create perimeters around GCP resources and services, preventing unauthorized access and data exfiltration.
Google Cloud Security Best Practices [Cheat Sheet]
Drawing from a wealth of expert knowledge and extensive research, our cheat sheet simplifies the complex world of Google Cloud security, presenting insights that are both accessible and actionable.
Download now
Overpermissioning identity and access management (IAM)
Getting identity and access management (IAM) right is critical in any cloud environment. Too often, engineering teams will set overly broad permissions to get their applications working in a cloud environment; then after the application goes live, they never make time to review and limit those permissions.
Overpermissioned roles and users represent a significant risk; if an attacker manages to compromise one of these identities, they will have significant access to damage or destroy infrastructure, as well as exfiltrate sensitive data.
The foundational principle of IAM infrastructure should be that of least privilege, as detailed in NIST 800-53. GCP provides several ways to implement this:
Avoid using basic roles whenever possible, as these are overly permissive; Google documentation even advises against their use in production environments when an alternative is available.
Implement service accounts with ephemeral credentials for applications and services, including third-party.
Use a combination of custom roles and IAM conditions to ensure that permissions are granular and tailored only to a specific use case.
Leverage the OSS JIT tool to enable time-restricted approval workflows for privilege escalation; any requested elevated access is reviewed and limited to a specified time interval.
The Big IAM Challenge: Test Your Cloud Security Skills
Put yourself to the test with our unique CTF challenge and boost your AWS IAM knowledge. Do you have what it takes to win The Big IAM Challenge?
Read more
Resolve monitoring and visibility gaps
Having good visibility into a cloud environment is a major pillar of a good security posture. Without being able to see and understand the baseline behavior of application infrastructure, it’s incredibly difficult to identify anomalous behavior that could indicate the presence of an attack or compromise.
Organizations often fail to properly configure their cloud monitoring and logging due to not properly understanding the available tools and best practices; this leads to poor visibility into their cloud environments and potential security vulnerabilities.
To address these visibility gaps in GCP, organizations should:
Ensure all applications and services are configured to emit logs, preferably as JSON, and send them to Cloud Logging.
Enable Cloud Audit Logs to monitor administrative activity and access.
Use log sinks to aggregate logs across multiple projects and organizations into a single destination.
Use log-based alerts to identify and send notifications about anomalous behavior.
Enable VPC Flow Logs and stream them to Cloud Logging to identify unusual network patterns and potential threats.
Integrate GCP logs with third-party security solutions (SIEM or SOAR) to take advantage of more advanced, security-focused analytics.
Wiz launches support for Google Workspace, helping organizations secure Google Cloud identities
Protect your Google Cloud identities with Wiz's new Google Workspace identity modeling and identify suspicious activity in Google Workspace with new threat detection rules
Read more
Neglecting data encryption
Encryption plays a pivotal role in the implementation of a zero-trust security model within cloud environments by ensuring that data, both at rest and in transit, remains inaccessible to unauthorized users. However, many organizations neglect to ensure that encryption settings are actually being applied and continually enforced.
Storing unencrypted sensitive data, such as PII, credentials, and intellectual property, can have severe consequences, including data breaches, compliance violations, financial losses, and reputational damage. To mitigate these risks in GCP, organizations should take the following actions:
Utilize Cloud Key Management; if your compliance requirements do not permit shared encryption keys, supply your own keys, since Cloud Storage automatically enforces encryption at rest.
Enable disk encryption with the Cloud Key Management Service (KMS) or customer-supplied encryption keys (CSEKs).
Implement HTTPS for all frontend traffic via a proxy or load balancer.
Utilize customer-managed keys, or for more granular control, individual value encryption in database services like BigQuery.
Pay close attention to network transit paths and system architecture; GCP generally enforces encryption in transit by default, but service calls that have to cross networks outside of GCP’s boundaries may not be encrypted.
Google Cloud Security Best Practices
10 essential best practices to securing your Google Cloud environments
Read more
Not remediating vulnerabilities
Misconfigurations and vulnerabilities in cloud environments like GCP can easily go unnoticed as organizations scale; if more and more resources are being deployed without any automation or controls in place, vulnerabilities may go unnoticed.
Attackers continuously scan for misconfigurations and known vulnerabilities in cloud infrastructures, so it’s critical organizations are proactive in identification and rapid remediation:
Leverage the Security Command Center (SCC) to continuously scan for vulnerabilities, misconfigurations, and compliance shortfalls.
Have a process in place that involves regular reviews of SCC findings; focus on high-severity issues and promptly address them by assigning security champions, i.e., engineers responsible for the response and remediation process.
Take advantage of SQL queries for Cloud Audit Log events to identify significant privilege escalation events or data access. Alerting can also be set up for critical events or principal API access.
Regularly perform penetration tests and vulnerability scans to uncover potential security gaps in your GCP environment that could be exploited by attackers; prioritize which parts of the architecture require critical security fixes.
Wiz and Google Cloud’s Security Command Center: Modern threat detection and response rooted in risk prioritization
Fully understand the impact and architecture behind any threat to streamline and speed effective response with a first-of-its-kind integration combining the Wiz Security Graph’s deep cloud and multi-cloud risk context with Google Cloud’s Security Command Center’s advanced threat detection.
Read more
Conclusion
Securing GCP environments is an ongoing process that demands continuous effort and a proactive approach. As organizations migrate their workloads to the cloud, it's crucial to recognize that many default configurations may not align with security best practices.
Relying solely on native controls can leave gaps in an organization's security posture, making it essential to consider supplementing these with third-party tools for in-depth defense.
How Wiz can help
Wiz offers a cloud native application protection platform (CNAPP) that empowers organizations to secure their GCP environments. It provides comprehensive visibility, risk assessment, and remediation capabilities. Wiz seamlessly integrates with GCP services, allowing organizations to continuously monitor their environment, detect potential threats in real time, and prioritize remediation efforts based on risk severity.
As organizations continue to expand their presence in the cloud, partnering with a trusted CNAPP solution like Wiz becomes increasingly important. By combining the native security controls of GCP with the advanced capabilities of Wiz, organizations can establish a strong cloud security posture.
To learn more about how Wiz can help secure your GCP environment and experience the benefits of a comprehensive CNAPP solution, schedule a demo today. Take proactive steps to protect your valuable assets in the cloud with Wiz.
Learn why CISOs at the fastest growing companies choose Wiz to secure their cloud environments.
