When creating virtual machines (VMs) on Google Cloud, users are provided with a variety of public images by default. These images can be assessed for vulnerabilities at the operating system (OS) level according to the Center for Internet Security (CIS) benchmarks. This blog aims to guide users through the fundamental concepts and processes involved in creating trusted images and automating their creation and assessment.
Get Started with Secure VM Deployments
By leveraging trusted images that conform to CIS benchmarks, organizations can significantly reduce the attack surface and fortify their cloud infrastructure against potential threats. Businesses need practical insights and steps when implementing security measures through OS vulnerability assessment and remediation.
Now, let’s delve into the foundations of OS security assessment and remediation, and explore the key components for maintaining a secure and compliant virtual environment.
Foundations – Components of Building an OS Security Strategy on Google Cloud
Understanding the foundational elements of OS security assessment and remediation is crucial for maintaining a secure and compliant virtual environment. This involves not only selecting the right images but also implementing robust practices to mitigate vulnerabilities and ensure ongoing security. Below are the key components that form the backbone of a comprehensive OS security strategy on Google Cloud.
Public Images
Google Cloud offers public images for all supported operating systems. These images are the starting point for any VM creation. They include a range of Linux distributions and Windows Server versions, providing users with the flexibility to choose the OS that best fits their needs.
Trusted Images
A trusted image is a custom image created by users that meets the CIS benchmarks for security. These images are tailored to the specific security requirements of an organization and are used to ensure that VMs are secure from the outset.
Remediation
Remediation involves updating the OS with the latest patches and configuring it according to security best practices outlined in the CIS benchmarks. This step is crucial to mitigate vulnerabilities and ensure the OS is secure.
Assessment
The assessment phase involves evaluating the remediated OS to ensure there are no remaining vulnerabilities. Tools like Nessus or SCC (System Center Configuration Manager) premium can be used to perform these assessments. The results give a detailed view of the current security posture and the steps required for any further remediation.
Solution
Converting a public image into a secured, trusted image involves several steps. This process is crucial for establishing a secure baseline for virtual machines and ensuring compliance with security best practices. Below, we outline the entire process, emphasizing the importance of consistent security measures and the benefits of automating these tasks to enhance efficiency and reduce potential risks.
Image Creation
There are two main approaches to image creation: manual and automated. Each method has its own set of advantages and challenges, which will be detailed below.
Manual Image Creation
Creating a trusted image manually can be tedious and time-consuming. It involves remediating various OS parameters, applying patches, and configuring security settings as per CIS benchmarks. While this method allows for a high level of customization, it is prone to human error and is not scalable.
Automated Image Creation
To streamline the process, many organizations create scripts, such as bash or Ansible scripts, that can be run against a VM image. These scripts automate the remediation of the OS, applying patches, and configuring settings to meet CIS benchmarks consistently. This method is not only faster but also reduces the risk of errors.
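The remediation script described above, as an added example that is not code from the original post: a few well-known CIS-style sshd and file-permission controls, each applied idempotently and then verified by a check function, so the same script serves both remediation and assessment. The control list and file paths are assumptions; a real run covers the full benchmark.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: an idempotent remediation script
# for a few CIS-style sshd and file-permission controls, each paired with a check so
# the same script can run in check mode during assessment. Paths default to the live
# system and can be overridden, which is also how the script is tested.
set -euo pipefail

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Set "KEY VALUE" in sshd_config: rewrite every existing (possibly commented-out)
# directive in place, otherwise append. Running it twice leaves the file unchanged.
set_sshd_option() {   # set_sshd_option <key> <value> [file]
  local key="$1" value="$2" file="${3:-$SSHD_CONFIG}"
  if grep -Eiq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file"; then
    sed -E -i "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*|${key} ${value}|I" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# Check: sshd uses the first uncommented occurrence, so that is the effective value.
check_sshd_option() {   # check_sshd_option <key> <value> [file]
  local key="$1" value="$2" file="${3:-$SSHD_CONFIG}" actual
  actual="$(grep -Ei "^[[:space:]]*${key}[[:space:]]" "$file" | head -n1 | awk '{print $2}' || true)"
  [ "$actual" = "$value" ]
}

# Ensure a file has exactly the given octal mode, e.g. ensure_mode /etc/passwd 644.
ensure_mode() {   # ensure_mode <file> <mode>
  [ "$(stat -c '%a' "$1")" = "$2" ] || chmod "$2" "$1"
}

# A handful of well-known CIS sshd recommendations; extend for a full benchmark run.
SSHD_CONTROLS="PermitRootLogin no
MaxAuthTries 4
PermitEmptyPasswords no
X11Forwarding no"

# Apply every control and verify it; exits non-zero (set -e) if any check fails.
remediate() {   # remediate [file]
  local file="${1:-$SSHD_CONFIG}" key value
  while read -r key value; do
    set_sshd_option "$key" "$value" "$file"
    check_sshd_option "$key" "$value" "$file"
  done <<< "$SSHD_CONTROLS"
}
```

Run `remediate` as root on the build VM; run only the `check_*` functions on the finished image to confirm the controls are still in place.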
Assessment of the Image
Once the image is created, it must be assessed to ensure it is free from vulnerabilities. Assessment tools like Nessus or SCC premium are used to scan the image for security issues. These tools provide detailed reports on the security posture of the image and highlight any areas that require further remediation.
Promoting to Trusted Image
After passing the assessment, the image is promoted to a trusted image. This image is then made available to users within the organization, ensuring that all new VMs created from this image start from a secure baseline.
Automation with Packer
To further enhance the automation of image creation and remediation, tools like Packer can be used. Packer automates the creation of images and can integrate with scripts to apply security configurations. This ensures that every image created is consistent and meets the required security standards.
CI/CD Pipeline for Automating Building Hardened Images
Packer or Ansible scripts can be integrated into the CI/CD pipeline so that the trusted/hardened images are rebuilt and updated automatically.
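The Packer build and its pipeline wrapper from the two sections above, as an added example that is not from the original post or from the Packer project: a CI job that generates a googlecompute template and builds a hardened image from a public image family, running the remediation script as a provisioner. The template is written inline so the example is self-contained; the project id, zone, family name, build number and the harden.sh path are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: the CI job that builds a hardened
# image with Packer's googlecompute builder. The template is emitted inline here; in a
# real pipeline it is a checked-in .pkr.hcl file. All names are assumed placeholders.
set -euo pipefail

# Naming convention: <family>-v<YYYYMMDD>-<build number>, so names sort by date and
# each pipeline run yields a unique, traceable image.
image_name() { printf '%s-v%s-%s\n' "$1" "$2" "$3"; }   # image_name <family> <date> <build>

write_template() {   # write_template <path>
  cat > "$1" <<'EOF'
packer {
  required_plugins {
    googlecompute = { source = "github.com/hashicorp/googlecompute", version = ">= 1.0.0" }
  }
}
variable "project_id"   { type = string }
variable "zone"         { type = string }
variable "image_name"   { type = string }
variable "image_family" { type = string }

source "googlecompute" "hardened" {
  project_id          = var.project_id
  zone                = var.zone
  source_image_family = "debian-12"   # public image the build starts from
  ssh_username        = "packer"
  image_name          = var.image_name
  image_family        = var.image_family
  image_labels        = { cis_assessed = "pending" }   # flipped after the scan passes
}

build {
  sources = ["source.googlecompute.hardened"]
  provisioner "shell" {
    script          = "harden.sh"   # assumed: the CIS remediation script
    execute_command = "chmod +x {{ .Path }}; sudo -E bash '{{ .Path }}'"
  }
}
EOF
}

# init installs the plugin, validate fails fast on template/variable errors, build runs.
build_image() {   # build_image <template> <project> <zone> <family> <image name>
  local vars=(-var "project_id=$2" -var "zone=$3" -var "image_family=$4" -var "image_name=$5")
  packer init "$1"
  packer validate "${vars[@]}" "$1"
  packer build "${vars[@]}" "$1"
}
```

A pipeline step then runs `write_template hardened.pkr.hcl` followed by `build_image hardened.pkr.hcl BUILD_PROJECT ZONE FAMILY "$(image_name FAMILY "$(date +%Y%m%d)" "$BUILD_NUMBER")"`, and the resulting image goes to the assessment stage before promotion.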
Marketplace Deployment
Google Cloud Marketplace offers CIS benchmarked images that are pre-configured to meet security standards. These images come with an additional cost but provide a convenient option for organizations looking to leverage ready-made remediated OS images. This option is particularly useful for organizations that do not have the resources to create and maintain their own trusted images.
Versioning and Retiring Old Images
It’s important to version images and follow a consistent naming convention. The previous trusted image should be retired once a new one is created.
Trusted image project and IAM access
Trusted images should be shared from a central project, and that project should be whitelisted on the organization policy for trusted image projects. Users need the correct trusted image family and IAM access to use the trusted image.
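The promotion, retirement and access steps from the Promoting to Trusted Image, Versioning and Retiring Old Images, and Trusted image project and IAM access sections, as an added example that is not from the original post: gcloud commands wrapped in functions so the rollout order is explicit and can be dry-run. Project ids, the consumer group and image names are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: promote an assessed build image into
# the central trusted-image project, retire the image it replaces, grant consumers
# access and allow-list the project on the org policy. All names are assumed placeholders.
set -euo pipefail

GCLOUD="${GCLOUD:-gcloud}"   # overridable (GCLOUD=echo) to dry-run the rollout logic
TRUSTED_PROJECT="${TRUSTED_PROJECT:-trusted-images-project}"
CONSUMER_PROJECT="${CONSUMER_PROJECT:-workload-project}"
CONSUMER_GROUP="${CONSUMER_GROUP:-group:vm-builders@example.com}"

# The image a family currently resolves to (empty when the family does not exist yet).
current_family_image() {   # current_family_image <family>
  "$GCLOUD" compute images describe-from-family "$1" --project="$TRUSTED_PROJECT" \
    --format='value(name)' 2>/dev/null || true
}

# Copy the assessed image into the trusted project under the family; the label records
# which image it supersedes for audit purposes.
promote_image() {   # promote_image <build image> <build project> <new name> <family> [old]
  "$GCLOUD" compute images create "$3" --project="$TRUSTED_PROJECT" \
    --source-image="$1" --source-image-project="$2" --family="$4" \
    --labels="cis-assessed=true,replaces=${5:-none}"
}

# DEPRECATED keeps existing VMs running but warns on new use and names the replacement;
# move the image to OBSOLETE later to block new use entirely.
retire_image() {   # retire_image <old image> <replacement>
  "$GCLOUD" compute images deprecate "$1" --project="$TRUSTED_PROJECT" \
    --state=DEPRECATED --replacement="projects/$TRUSTED_PROJECT/global/images/$2"
}

# Consumers need roles/compute.imageUser on the image (or on the whole project).
grant_image_access() {   # grant_image_access <image>
  "$GCLOUD" compute images add-iam-policy-binding "$1" --project="$TRUSTED_PROJECT" \
    --member="$CONSUMER_GROUP" --role=roles/compute.imageUser
}

# The compute.trustedImageProjects constraint limits which projects a consumer project
# may boot images from; allow-listing the central project is what makes it "trusted".
allowlist_trusted_project() {
  "$GCLOUD" resource-manager org-policies allow compute.trustedImageProjects \
    "projects/$TRUSTED_PROJECT" --project="$CONSUMER_PROJECT"
}

rollout() {   # rollout <build image> <build project> <family> <new name>
  local old; old="$(current_family_image "$3")"
  promote_image "$1" "$2" "$4" "$3" "$old"
  if [ -n "$old" ]; then retire_image "$old" "$4"; fi
  grant_image_access "$4"
  allowlist_trusted_project
}
```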
Conclusion
Creating and maintaining secure operating system images is essential for any organization using Google Cloud. By understanding the process of converting public images to trusted images, applying security best practices, and automating the creation and assessment processes, organizations can ensure their OS layers are secure. We have outlined the foundational concepts and detailed steps involved in this process, providing a comprehensive guide to OS vulnerability assessment and remediation.
In summary, leveraging trusted images that meet CIS benchmarks helps organizations maintain a secure operating environment. Whether using automated scripts, tools like Packer, or pre-configured marketplace images, the goal is to start with a secure baseline and maintain it through consistent assessment and remediation. This proactive approach to OS security is essential in today’s threat landscape, where vulnerabilities are constantly evolving.
At Niveus Solutions, we work with clients to build hardened images and the automation pipeline around them, so that the process runs automatically and helps meet security requirements.