
Security in Google Cloud Platform: Free and Budget-Friendly Options

By Omkar Nadkarni, June 21, 2024

While security is crucial, it often comes with a significant price tag. Introducing robust security measures in the Google Cloud Platform can be challenging for startups and those beginning their journey on a budget. However, GCP prioritizes security as a core principle, and several open-source tools are available to help you get started with sufficient security controls. As your business grows and your demands for security in the Google Cloud Platform increase, you can then transition to enterprise-level tools with dedicated security operations (SecOps) teams.


Google Cloud Platform (GCP) employs a shared fate model for security, which is a step beyond the traditional shared responsibility model. In the shared responsibility model, the responsibilities are clearly divided between the cloud provider and the customer based on the type of service being used, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), or Function as a Service (FaaS). However, GCP’s shared fate model enhances this by actively guiding and partnering with clients to ensure security is maintained across all levels of service, creating a more integrated and cooperative approach to cloud security.


Reference: GCP Shared Responsibility and Shared Fate Model

Below, we look at how GCP makes it straightforward to start with compliance and security controls for each layer of service, from IaaS through PaaS, data services and FaaS.

Compliances

Google Cloud assists in meeting compliance requirements by providing the following:

  • Reference Architecture and Controls: While building in Google Cloud, reference architectures and controls with tooling are available.
  • Local Compliance: Google manages the infrastructure to ensure it meets local compliance requirements.
  • Tooling: Tools like Assured Workloads offer a free tier, while Security Command Center (SCC) Basic provides free-tier support for CIS compliance checks. Premium tiers come with additional costs for enhanced regulatory reporting.

Logging and Audit

Logging provides valuable insights into activities occurring on the cloud, offering a great starting point for visibility:

  • Google Cloud Logging: By default, all resource logs are available. However, audit logs for data access come with additional costs.
  • VPC Flow Logs: Once enabled, these should be monitored, although they may incur additional costs.

Security Information and Event Management (SIEM)

A log sink can be enabled to export Cloud Logging data to open-source SIEM tools such as the ELK stack (Elasticsearch, Logstash, Kibana), so that audit and flow logs are searchable outside GCP without a commercial SIEM licence.
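As an added example (this is not configuration from the original post or from Niveus), the following Terraform creates a Pub/Sub topic, a project-level log sink that routes Admin Activity audit logs and VPC flow logs to it, and a pull subscription for the SIEM. The project ID, topic and subscription names are placeholders; Logstash is assumed to consume the subscription with its Google Pub/Sub input plugin.

```hcl
# Added example: export audit logs and VPC flow logs to Pub/Sub for an ELK-based SIEM.
# Assumes the google provider is configured and var.project_id is a placeholder project ID.

variable "project_id" {
  type = string
}

resource "google_pubsub_topic" "siem_export" {
  project = var.project_id
  name    = "siem-export" # placeholder topic name
}

# The sink filter keeps volume (and therefore cost) down: Admin Activity audit
# logs, which are free, plus VPC flow logs where they have been enabled on subnets.
resource "google_logging_project_sink" "to_siem" {
  project     = var.project_id
  name        = "siem-sink"
  destination = "pubsub.googleapis.com/${google_pubsub_topic.siem_export.id}"
  filter      = <<-EOT
    logName:"cloudaudit.googleapis.com%2Factivity"
    OR resource.type="gce_subnetwork"
  EOT

  # A dedicated writer identity lets the sink receive only the publisher role
  # on this one topic instead of a broad project-level grant.
  unique_writer_identity = true
}

resource "google_pubsub_topic_iam_member" "sink_publisher" {
  project = var.project_id
  topic   = google_pubsub_topic.siem_export.name
  role    = "roles/pubsub.publisher"
  member  = google_logging_project_sink.to_siem.writer_identity
}

# Subscription that Logstash's google_pubsub input pulls from (placeholder name).
resource "google_pubsub_subscription" "siem_pull" {
  project              = var.project_id
  name                 = "siem-export-logstash"
  topic                = google_pubsub_topic.siem_export.id
  ack_deadline_seconds = 60
}
```

The filter is the cost lever: Data Access audit logs and flow logs are billed by volume, so widen it deliberately per subnet or service rather than exporting everything from day one.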

Identity Onboarding

In GCP, users can be onboarded from Microsoft Entra ID, an on-premises Active Directory (AD), or another identity provider, with authentication federated through SAML. This keeps a single source of truth for identities, and the SAML integration itself carries no additional cost.

Two-step verification (2SV) is included in the Cloud Identity Free tier and should be enforced for super admin users.

Identity and Access Management (IAM)

With Google Groups, individual users, or service accounts, combined with resource hierarchy and conditional access, GCP offers robust access management solutions. Other solutions include:

  • GKE Workload Identity
  • Workload Identity Federation

These help reduce the attack surface and adhere to the least privilege model with a single identity. GCP’s Privileged Access Management (PAM), currently in public preview, will offer conditional access with approval.
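As an added example of Workload Identity Federation in the least-privilege spirit described above (not code from the original post), the Terraform below lets a CI pipeline impersonate a narrowly scoped service account without any downloadable key. The GitHub Actions OIDC issuer is used as the external provider; the project ID and the repository name `example-org/example-app` are placeholders.

```hcl
# Added example: Workload Identity Federation for a CI pipeline, so no
# service-account key ever leaves Google Cloud. Names below are placeholders.

variable "project_id" {
  type = string
}

resource "google_iam_workload_identity_pool" "ci" {
  project                   = var.project_id
  workload_identity_pool_id = "ci-pool"
  display_name              = "CI workloads"
}

resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.ci.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-oidc"

  # Map claims from the external token onto Google attributes.
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
  }

  # Reject tokens from any other repository at the provider, before IAM is consulted.
  attribute_condition = "assertion.repository == \"example-org/example-app\""

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# The identity CI impersonates; it carries only the role the job needs.
resource "google_service_account" "ci_deployer" {
  project    = var.project_id
  account_id = "ci-deployer"
}

resource "google_project_iam_member" "ci_deployer_push" {
  project = var.project_id
  role    = "roles/artifactregistry.writer"
  member  = "serviceAccount:${google_service_account.ci_deployer.email}"
}

# Only principals whose repository attribute matches may impersonate it.
resource "google_service_account_iam_member" "ci_wif" {
  service_account_id = google_service_account.ci_deployer.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.ci.name}/attribute.repository/example-org/example-app"
}
```

Two layers restrict who can use the pool: the provider's `attribute_condition` rejects tokens from other repositories outright, and the `principalSet://` binding scopes impersonation to the same attribute, so a mistake in one layer is still caught by the other.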

Organizational Policy

Organization policies in Google Cloud Platform (GCP) are essential for protecting resources and ensuring consistent governance. They let you define constraints, applied at the organization, folder or project level, that align with your security and compliance standards, for example forbidding external IPs on VMs or the creation of service account keys. Tools like Terraform Validator check planned resources against these policies before deployment, so non-compliant infrastructure is caught in the pipeline rather than in production. This simplifies policy enforcement and improves both security and operational consistency.
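As an added example (not from the original post), the following Terraform sets three organization policy constraints that close common early-stage gaps. `var.org_id` is a placeholder for the numeric organization ID; the constraint names are the ones Google publishes for the Organization Policy service.

```hcl
# Added example: three organization policy constraints applied at the org level.
# var.org_id is a placeholder for the numeric organization ID.

variable "org_id" {
  type = string
}

# Boolean constraint: stop user-managed service account keys from being created,
# which removes the most commonly leaked long-lived credential type.
resource "google_org_policy_policy" "no_sa_keys" {
  name   = "organizations/${var.org_id}/policies/iam.disableServiceAccountKeyCreation"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}

# List constraint: no VM may carry an external IP; reach VMs through IAP instead.
resource "google_org_policy_policy" "no_external_ip" {
  name   = "organizations/${var.org_id}/policies/compute.vmExternalIpAccess"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      deny_all = "TRUE"
    }
  }
}

# Boolean constraint: buckets must use uniform bucket-level access (IAM only, no legacy ACLs).
resource "google_org_policy_policy" "uniform_bucket_access" {
  name   = "organizations/${var.org_id}/policies/storage.uniformBucketLevelAccess"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}
```

Because these are inherited, a project that needs an exception (a legacy workload that must keep an external IP, say) gets its own policy with a narrower rule at the project level, which keeps the exception visible and reviewable instead of weakening the organization-wide default.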

IaaS

Clients are responsible for ensuring controls are set in place, while Google manages physical hypervisor and storage controls. Tools available to help include:

Infrastructure as Code (IaC)

Google, as a Terraform provider, offers resources deployable via Terraform, with CIS-compliant modules available.

  • Infrastructure Pipeline: Static checks for CIS compliance can be run against the Terraform code with tools like Checkov or tfsec, followed by validation of the plan with Terraform Validator before it is applied.

Cloud Security Posture Management (CSPM)

Security Command Center Standard offers Cloud Security Posture Management (CSPM) capabilities for deployed resources. Open-source tools like Powerpipe can assist with posture dashboards, while tfsec and Checkov catch CIS misconfigurations in Terraform code before it is deployed.

Network Design and Built-in Firewall

  • Shared VPC Model: Network administration is confined to the host project, so only the network team can change the shared network.
  • VPC Level Firewall: Layer 4 inspection is provided for allowing only necessary traffic, with default settings blocking all ingress and allowing all egress traffic. Additional layer 7 capabilities are available with Firewall Plus at an extra cost.
  • Load Balancer: Provides standard DDoS attack protection.
  • Cloud Armor: As a Web Application Firewall (WAF), Cloud Armor offers good security protection under the standard tier, with partner solutions available for portable licenses.
  • Service Mesh with Istio: For containers running on GKE. Anthos Service Mesh is available but incurs additional costs.
  • VPC Service Controls: Acts as a firewall for Google APIs, creating a secure perimeter around services and projects at no additional cost.

Secret Management

Google Secret Manager is available at nominal rates, with the option to use HashiCorp Vault Community Edition.

Trusted Image and VAPT

While marketplace images come with associated costs, Google public images are available for every supported OS. Tools like Nessus or OpenVAS can be used for vulnerability assessment and penetration testing (VAPT) to verify and create trusted images.

Identity-Aware Proxy (IAP)

IAP allows identity-based access to private VM SSH/RDP and other resources.
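The VPC-level firewall and IAP sections above fit together; as an added example (not code from the original post), the Terraform below shows a firewall rule that IaC scanners such as Checkov and tfsec flag, next to the hardened form that admits SSH and RDP only from IAP's TCP-forwarding range and grants tunnel access to a group. The network name, the group `ops@example.com` and the project ID are placeholders; the IAP source range is the one Google documents for TCP forwarding.

```hcl
# Added example: weak firewall rule beside its hardened, IAP-only replacement.
# Network name, group and project ID are placeholders.

variable "project_id" {
  type = string
}

resource "google_compute_network" "main" {
  project                 = var.project_id
  name                    = "main-vpc"
  auto_create_subnetworks = false
}

# WEAK: SSH reachable from the whole internet. Checkov and tfsec both report
# unrestricted 0.0.0.0/0 ingress on port 22; kept here only to show what the
# pipeline check catches.
resource "google_compute_firewall" "ssh_from_anywhere" {
  project   = var.project_id
  name      = "allow-ssh-anywhere"
  network   = google_compute_network.main.name
  direction = "INGRESS"

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["0.0.0.0/0"]
}

# HARDENED: SSH/RDP only from IAP's TCP-forwarding range, only to tagged VMs,
# with firewall logging on so the flow shows up in Cloud Logging.
resource "google_compute_firewall" "ssh_rdp_via_iap" {
  project   = var.project_id
  name      = "allow-ssh-rdp-from-iap"
  network   = google_compute_network.main.name
  direction = "INGRESS"
  priority  = 1000

  allow {
    protocol = "tcp"
    ports    = ["22", "3389"]
  }

  source_ranges = ["35.235.240.0/20"] # IAP TCP forwarding source range
  target_tags   = ["iap-access"]

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# Who may open IAP tunnels in this project; the VM itself keeps no public IP.
resource "google_iap_tunnel_iam_member" "ops_tunnel" {
  project = var.project_id
  role    = "roles/iap.tunnelResourceAccessor"
  member  = "group:ops@example.com"
}
```

With the hardened rule in place, operators connect with `gcloud compute ssh INSTANCE --tunnel-through-iap`, every session is tied to a Google identity (and to 2SV where it is enforced), and the VM needs no external IP, which is what the `compute.vmExternalIpAccess` organization policy assumes.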

OS Patching with VM Manager

OS patching can be done with VM Manager for up to 100 VMs for free.

Disk Encryption

Google provides encryption by default for disks.

Certificate Management

Google Cloud Load Balancer offers the capability to manage certificates.

Google Managed Solutions

Solutions like Cloud SQL and GKE Autopilot handle infrastructure-level security controls, with Google taking responsibility.

PaaS

For Platform as a Service (PaaS) with GKE or App Engine, clients must use the platform’s security features.

App CICD

  • Cloud Source Code and Cloud Build: Nominally priced and integrates well with open-source tools like Checkov for IaC and Trivy for images.
  • Artifact Repository: Performs vulnerability scanning at a nominal price, with open-source options available for free scans.
  • GKE Security Posture: Provides vulnerability scanning and threat analysis.
  • Application CI: Can integrate with SonarQube for SAST and OWASP ZAP for DAST post-deployment.

DaaS

In this section, we explore Database as a Service (DaaS) offerings in Google Cloud Platform (GCP), which provide managed database solutions like Cloud SQL, AlloyDB, and BigQuery. These services enable you to handle diverse data workloads without the complexity of database maintenance, allowing you to focus on developing applications. DaaS in GCP offers robust data security, automated backups, and seamless scalability, making it easier to manage and analyze large datasets efficiently. By leveraging GCP’s DaaS solutions, organizations can achieve high performance and reliability for their data storage and processing needs.

Data Security

Google provides built-in guardrails for services, including:

  • Encryption at Rest
  • IAM for Access Management
  • Audit for Data in Storage Buckets or Managed Databases

Additional services like Data Loss Prevention (DLP) can be leveraged later, though they come with additional costs.

FaaS

Function as a Service (FaaS) in Google Cloud Platform (GCP) offers a serverless approach to deploying code, eliminating the need to manage infrastructure. GCP’s serverless services, such as Cloud Functions and Cloud Run, come with built-in security features like automatic scaling, integrated IAM, and network security controls. These services simplify application security by providing automatic updates and fine-grained permissions, enabling secure and efficient deployment of event-driven applications.

Serverless

Serverless solutions provide network security for ingress and egress traffic, with options to restrict URLs to private access. The Serverless VPC Connector helps connect Cloud Functions and Cloud Run with VPC. Integrated with IAM, these services offer robust authorization and benefit from other security products.

Conclusion

This article provides a foundational guide to implementing security measures in Google Cloud Platform (GCP) on a budget. From leveraging GCP's built-in security features to utilizing open-source tools, startups and small businesses can establish a robust security posture without incurring significant costs. As your organization grows and security requirements become more complex, you can transition to more advanced, enterprise-level solutions with minimal disruption. By understanding and utilizing these budget-friendly options, you ensure a secure and scalable environment for your cloud operations from the outset. Cloud security is a continuous process, and starting with these strategies positions you well for future growth and challenges.


Author: Omkar Nadkarni

Omkar Nadkarni is a Senior Cloud Architect from the Infrastructure modernization team. His extensive work in bringing infrastructure solutions for business modernization has made him a key driver for migrating large enterprises.
