Fundamental GCP Security Best Practices to Reduce Your Attack Surface
October 2022 / 6 min. read
With Google’s reputation for industry-leading security, it can be tempting for Google Cloud Platform (GCP) users to assume the platform is secure out of the box. GCP does provide robust security features to protect the platform, but it still requires its users to take responsibility for configuring them and for protecting their own data and digital assets. In this post, we cover essential GCP security best practices and next-level strategies to keep your cloud-based digital assets protected.
Who’s Responsible for Security in GCP?
Google operates on a shared responsibility or shared fate model. They take responsibility for building and operating a secure cloud platform that enables you to deploy your workloads. You are responsible for configuring the platform to protect your data and other digital resources that reside there. Depending on the industry you operate in, you may also have a specific set of security standards you must conform to, including regulatory compliance obligations. Additionally, your organization likely has internal security standards and a risk management plan that your GCP security configuration must align with. And there are also the security requirements of customers and vendors to consider. In short, Google offers a suite of customizable security settings, but dangerous blind spots can persist even when these security features are configured.
Foundational GCP Security Best Practices
When a cloud network is breached, it can unleash a cascade of negative consequences, threatening a business’s reputation and disrupting critical operations. GCP security best practices are necessary to protect your digital assets from becoming compromised. Here are five action items to shrink your attack surface.
Unify visibility
The challenge of tracking cloud resources is compounded for organizations that use GCP as part of a multi-cloud environment. To address this, GCP users should implement a cloud security solution that provides a unified view of all resources, including users, virtual machines, load balancers, and other cloud-based assets, so that security teams can actively inventory everything they own. With a unified cross-cloud security solution, detecting and resolving risks becomes much simpler.
Maintain a disciplined resource hierarchy
GCP's flexible resource hierarchy makes it easy for admins to create nodes and apply corresponding permissions. That same flexibility makes it easy for things to get out of hand: without a disciplined hierarchy in place, individual admins can quickly create a disorganized structure that makes it difficult to determine at which level a permission is applied. Creating a highly structured hierarchy that mirrors your organizational structure will keep the resource hierarchy tidy and easy to manage.
Implement multiple layers of identity management safeguards
Compromised identities are a critical threat to cloud security. Using several identity management practices in tandem can provide maximum protection. You’ll want to include techniques such as multi-factor authentication and employee training on security best practices.
Restrict outbound traffic
Failure to place limits on traffic exiting a system exposes organizations to both accidental data loss and data exfiltration that occurs during a data breach. Security teams can resolve this by restricting outbound traffic to prevent unauthorized data from leaving the network.
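As an added illustration (not code from the original post), the following Python evaluates a set of VPC firewall rules with GCP's egress semantics, showing why a VPC with no egress rules lets everything out through the implied allow rule and how a default-deny rule plus one narrow allow changes that. Rule sets, addresses and rule names are constructed.

```python
"""Resolve which VPC firewall rule wins for an egress packet under GCP's
semantics: lowest priority number wins, deny beats allow at equal priority,
and the implied allow-egress rule (priority 65535) applies if nothing else matches."""
import ipaddress

IMPLIED_ALLOW_EGRESS = {"name": "implied-allow-egress", "priority": 65535,
                        "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
                        "allowed": [{"IPProtocol": "all"}]}

def _proto_match(entries, proto, port):
    """True if any allowed/denied entry covers this protocol and port."""
    for e in entries:
        if e["IPProtocol"] not in ("all", proto):
            continue
        if not e.get("ports"):          # no port list means every port
            return True
        for p in e["ports"]:            # "443" or a range like "1024-65535"
            lo, _, hi = p.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False

def effective_egress(rules, dst_ip, proto, port):
    """Return (action, rule_name) that GCP would apply to this egress packet."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = []
    for r in list(rules) + [IMPLIED_ALLOW_EGRESS]:
        if r.get("direction") != "EGRESS" or r.get("disabled"):
            continue
        ranges = r.get("destinationRanges", ["0.0.0.0/0"])
        if not any(dst in ipaddress.ip_network(n) for n in ranges):
            continue
        action = "allow" if "allowed" in r else "deny"
        if not _proto_match(r.get("allowed") or r.get("denied"), proto, port):
            continue
        # sort key: priority first, then deny (0) ahead of allow (1) on ties
        candidates.append((r["priority"], 0 if action == "deny" else 1, action, r["name"]))
    _, _, action, name = min(candidates)
    return action, name

# Constructed rule sets: an unrestricted VPC (only the implied rule applies)
# versus a default-deny egress rule plus one narrow allow towards a proxy.
OPEN_EGRESS = []
RESTRICTED_EGRESS = [
    {"name": "deny-all-egress", "priority": 65000, "direction": "EGRESS",
     "destinationRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
    {"name": "allow-https-to-proxy", "priority": 1000, "direction": "EGRESS",
     "destinationRanges": ["10.10.0.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
]
```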
Actively scan for insider threats and compromised accounts
Activity logs can be analyzed to detect a range of security risks, including suspicious insider activity, compromised accounts, and data that’s been improperly accessed. GCP’s Admin Activity Logs and Data Access Logs are valuable sources of information organizations should routinely monitor.
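Added example, not from the original post: a small Python triage over constructed Admin Activity and Data Access entries in the Cloud Audit Log export shape, flagging an IAM policy change by a principal outside the approved admin list and one principal bulk-reading bucket objects. Principals, project and bucket names are made up.

```python
"""Triage constructed Cloud Audit Log entries for two of the signals named
above: IAM policy changes (Admin Activity log) by an unapproved principal,
and one principal bulk-reading bucket objects (Data Access log)."""
from collections import defaultdict

def _entry(log, service, method, principal, resource, ts):
    # Constructed sample in the Cloud Audit Log export shape (not real data)
    return {"logName": f"projects/demo-proj/logs/cloudaudit.googleapis.com%2F{log}",
            "timestamp": ts,
            "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                             "serviceName": service, "methodName": method,
                             "authenticationInfo": {"principalEmail": principal},
                             "resourceName": resource}}

BUCKET = "projects/_/buckets/finance-exports/objects/"
SAMPLE_ENTRIES = [
    _entry("activity", "cloudresourcemanager.googleapis.com", "SetIamPolicy",
           "alice@example.com", "projects/demo-proj", "2022-10-03T09:02:11Z"),
    _entry("activity", "cloudresourcemanager.googleapis.com", "SetIamPolicy",
           "contractor-42@example.com", "projects/demo-proj", "2022-10-03T02:14:07Z"),
    _entry("data_access", "storage.googleapis.com", "storage.objects.get",
           "alice@example.com", BUCKET + "q1.csv", "2022-10-03T09:10:00Z"),
] + [
    _entry("data_access", "storage.googleapis.com", "storage.objects.get",
           "bob@example.com", BUCKET + f"export-{i}.csv", f"2022-10-03T02:2{i}:00Z")
    for i in range(4)
]

def triage(entries, approved_admins, bulk_threshold=3):
    """Return (finding, principal, detail) tuples for a batch of entries.
    The batch is assumed to cover one query window, e.g. the last hour."""
    findings, reads = [], defaultdict(set)
    for e in entries:
        p = e["protoPayload"]
        who = p["authenticationInfo"]["principalEmail"]
        admin_log = e["logName"].endswith("%2Factivity")
        if admin_log and p["methodName"] == "SetIamPolicy" and who not in approved_admins:
            findings.append(("iam-change-unapproved", who, p["resourceName"]))
        elif not admin_log and p["methodName"] == "storage.objects.get":
            reads[who].add(p["resourceName"])
    for who, objects in reads.items():
        if len(objects) >= bulk_threshold:
            findings.append(("bulk-object-read", who, f"{len(objects)} distinct objects"))
    return findings
```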
Beyond the Basics: Tightening the Security of Your Google Cloud
While foundational best practices are valuable, they’re insufficient for many organizations. Level up your security stance with these essential access control strategies.
Dynamic permissioning
Standing permissions pose a significant security threat in GCP. When users aren’t actively engaged in tasks requiring elevated permissions, static access makes these accounts a high-value target for hackers seeking to compromise the system. Dynamic permissioning involves granting permissions for the minimum duration required to complete a task. This process applies both to human users and to non-human identities such as applications and scripts. Dynamic permissioning substantially reduces the size of an organization’s attack surface.
Least privilege enforcement
When users have more permissions or access to more resources than those required to complete their work, they pose an unnecessary security risk. If the user’s credentials are compromised, hackers can accomplish more than they would be able to if their permissions were right-sized. In the event that a user represents an insider threat, least privilege enforcement ensures that their ability to do damage is limited. Especially for organizations with large numbers of users, least privilege enforcement is difficult using GCP’s native security tools. For this reason, you’ll need a security solution that enables least privilege.
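Added example (not the post's own code) covering both dynamic permissioning and least privilege: a Python audit of a constructed getIamPolicy document that flags basic roles, public members, standing access on powerful roles, and time-bound grants that have already expired. The "powerful role" heuristic and all names are assumptions.

```python
"""Audit a GCP IAM policy (getIamPolicy JSON shape) for standing access on
powerful roles and for more privilege than needed (basic roles, public members).
Time-bound access is recognised from a condition of the form request.time < timestamp(...)."""
import re
from datetime import datetime

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
EXPIRY = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')

def _parse_ts(s):
    """RFC 3339 timestamp to an aware datetime (a trailing Z is accepted)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _expiry(binding):
    """Expiry datetime from the binding's condition, or None if none is set."""
    m = EXPIRY.search(binding.get("condition", {}).get("expression", ""))
    return _parse_ts(m.group(1)) if m else None

def _powerful(role):
    # Heuristic (assumption): basic roles and any role with "admin" in its name
    return role in BASIC_ROLES or "admin" in role.lower()

def audit_policy(policy, now_iso):
    """Return (kind, role, member) findings; now_iso is an RFC 3339 time."""
    now, findings = _parse_ts(now_iso), []
    for b in policy["bindings"]:
        role, exp = b["role"], _expiry(b)
        for m in b["members"]:
            if m in PUBLIC_MEMBERS:
                findings.append(("public-member", role, m))
            if role in BASIC_ROLES:
                findings.append(("basic-role", role, m))
            if exp is None and _powerful(role):
                findings.append(("standing-access", role, m))
            if exp is not None and exp <= now:
                findings.append(("expired-binding", role, m))
    return findings

# Constructed policy: an owner with no expiry, a time-boxed storage admin,
# a bucket viewer open to the world, and a group holding a read-only role.
SAMPLE_POLICY = {"version": 3, "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:etl@demo-proj.iam.gserviceaccount.com"],
     "condition": {"title": "etl-backfill",
                   "expression": 'request.time < timestamp("2022-10-31T00:00:00Z")'}},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/bigquery.dataViewer", "members": ["group:analysts@example.com"]},
]}
```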
Proactive monitoring / UEBA and SIEM integration
Low visibility into user behaviors creates risk for GCP users. With a proactive monitoring program in place, security teams can quickly identify risky behaviors and spot security threats such as malicious insiders and compromised user accounts. A security solution with robust tracking capabilities enables in-depth analysis of access changes and policy drift. Detailed tracking also streamlines post-incident investigations involving identity-based incidents. Fed into an organization’s UEBA or SIEM technologies, this data provides a holistic view into cloud privileges and activity.
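Added example, not from the original post: diffing two constructed IAM policy snapshots into SIEM-ready access-change events, which is the kind of policy-drift tracking described above. The severity scheme, resource and member names are assumptions.

```python
"""Diff two IAM policy snapshots (getIamPolicy JSON) into the access-change
events a SIEM or UEBA pipeline would ingest, so a grant that appeared between
scans is surfaced even if the matching Admin Activity entry was missed."""

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

def _flatten(policy):
    """(role, member) -> condition expression (None when unconditional)."""
    return {(b["role"], m): b.get("condition", {}).get("expression")
            for b in policy["bindings"] for m in b["members"]}

def policy_drift(before, after, resource):
    """One event dict per (role, member) pair that changed between snapshots."""
    old, new = _flatten(before), _flatten(after)
    events = []
    for role, member in sorted(set(old) | set(new)):
        key = (role, member)
        if key in old and key in new:
            if old[key] == new[key]:
                continue
            change = "condition-changed"
        else:
            change = "granted" if key in new else "revoked"
        # Severity scheme (assumption): revocations LOW; grants or condition
        # changes on a basic role or public member HIGH; everything else MEDIUM
        if change == "revoked":
            severity = "LOW"
        elif role in BASIC_ROLES or member in PUBLIC_MEMBERS:
            severity = "HIGH"
        else:
            severity = "MEDIUM"
        events.append({"resource": resource, "change": change, "role": role,
                       "member": member, "condition": new.get(key),
                       "severity": severity})
    return events

# Constructed snapshots: between scans an unconditional editor grant appeared,
# the ETL account's time-bound condition was dropped, and a viewer was revoked.
BEFORE = {"bindings": [
    {"role": "roles/storage.admin", "members": ["serviceAccount:etl@demo-proj.iam.gserviceaccount.com"],
     "condition": {"expression": 'request.time < timestamp("2022-10-31T00:00:00Z")'}},
    {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
]}
AFTER = {"bindings": [
    {"role": "roles/storage.admin", "members": ["serviceAccount:etl@demo-proj.iam.gserviceaccount.com"]},
    {"role": "roles/editor", "members": ["user:mallory@example.com"]},
]}
```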
Secrets governance
By default, the API keys that GCP manages are encrypted. But when organizations choose to make objects in buckets readable to the public, the keys are decrypted, making them an easy target. In addition, keys associated with projects in GCP aren’t programmatically monitored, and there’s no way to automatically track when they’re created, used, or deleted. By using a cloud security solution that actively inventories API keys, IT security teams can track when keys are created, used, and deleted. Cloud environments can be further secured by automating the process of granting the dynamic secrets required for human and machine processes. Granting and revoking access to secrets on an as-needed basis ensures secrets are only made available to authorized users, when and where they’re needed, and on a time-limited basis.
Implement a Security Solution with Streamlined Access Management
Whether your organization uses GCP exclusively or as part of a multi-cloud strategy, properly securing your data and digital assets is essential. Over-reliance on Google’s native cloud security leaves businesses vulnerable to hackers and insider threats. To adequately address security concerns, businesses should implement a security solution with robust access management capabilities in addition to following GCP best practices. Streamlined access management will enhance visibility, strengthen access controls, right-size user permissions, and provide the ability to monitor user behavior.
Download “Data-Driven GCP Security Strategies for Multi-Cloud Landscapes” to learn more security strategies GCP users can implement to reduce their attack surface.