Google recently released the new Cloud Security Foundations Guide. We’re going to take apart Google’s guide and show you what’s worth looking into. First, an introduction.
“This comprehensive guide helps you build security into your Google Cloud deployments.” - Google
What’s going on: Google Cloud Services are out there, being deployed in the wild, untamed. This guide is Google’s self-proclaimed “opinionated” view on keeping them safe.
Is this guide new? No, but this is the updated version as of April 2021. The original was published back in August 2020.
What changed? More guidance on networking and key management, and new guidance on secured CI/CD (Continuous Integration and Continuous Deployment).
How does this work? Google has partnered with Deloitte's cyber practice to realize all security solutions recommended in this guide.
Who should use it? Anyone deploying Google Cloud solutions and wanting to do so securely. We’ll go more into depth on this.
The Big Picture: The main scope of this guide is to present Google’s recommended security posture for Google Cloud deployments. It comes with full blueprint examples of a sample company implementing all recommended solutions, which can be found in their Terraform repository for easy follow-along. Ultimately, this guide manifests the first of the three tenets in Google’s new shared fate model: deployment, operations and risk transfer.
Let’s dig in.
What Can You Expect to Find in this Guide?
The guide is organized into the following topics:
- Foundation security model
- Foundation design
- Google’s example for the “opinionated organization structure”
- Resource deployment
- Authorization and authentication
- Secret management
- Detective Controls
- Creating and deploying secured applications
- General security guidance
Along with some specific updates from version #1:
- More on the foundation, infrastructure and application deployment pipelines
- More network security guidance
- Optional hub-and-spoke network architecture with hierarchical firewalls
- New guidance on key and secret management
- New creation and deployment process for secured applications
And options for a cool compliance dashboard:
Once you’ve deployed your landing zone using this guide and its blueprints, you can run a compliance diagnostic and get a Dashboard view of where you stand in relation to the CIS 1.0, PCI-DSS 3.2.1, NIST-800-53 and ISO/IEC 27001 frameworks. This is an option through Security Command Center Premium.
What Are Google Cloud’s Underlying Security Mantras?
Google Cloud’s core security strategy is three-pronged and transparent.
Defense in depth, at scale, by default
Google’s guiding principle states that there should never be just one line of defense securing anything. Add to this the belief that all security should be scalable and automated (“enabled by default”).
They state that their guide runs and operates on these principles:
“Data is protected by default through multiple layered defenses using policy and controls that are configured across networking, encryption, IAM, detection, logging, and monitoring services.”
In a phrase: let’s segment, accept that there is no perimeter, and build our security controls around making unauthorized lateral movement inside the network nearly impossible (or at least very difficult) to achieve.
The BeyondProd (2019) approach is a development of the BeyondCorp (2014) approach, which acknowledged the absence of any practical perimeter and changed security accordingly. BeyondProd did “for workloads and service identities what BeyondCorp did for workstations and users.” It uses a zero-trust model and segments large applications into microservices to isolate them, provide scalability and build efficiency, making “free roam” on the inside of a “perimeter” a Black Hat dream of the past.
Shared fate approach
Instead of saying “we all share responsibility” and delineating where Google’s responsibility ends and yours begins, Google is now saying “all for one, and one for all”. As part of its shared fate approach, it is stepping out proactively to provide the tools and resources (i.e. this guide) to get ahead of security issues and make it a sink-or-swim situation for both parties.
This includes “providing holistic capabilities throughout your Day 0 to Day N journey” during:
- Build time - Provide security foundations and blueprints with default best practices encoded
- Deploy time - Assured workloads and policies will have “guard rails” to make sure your security controls are followed
- Run time - Proactive features like visibility, monitoring, alerting and corrective-action will be available through Security Command Center Premium
Who In Your Organization Will Use This, and How?
It depends on who you are, but the guide and Terraform blueprints can be utilized by the following roles:
- Risk and Compliance Officer
Automatically deploy the controls available on Google Cloud, and understand what they are. This also gives visibility into control drift and red-zone areas in regulatory compliance.
- Business Leader
Identify the skills your teams are going to need to mitigate risk on Google Cloud. Share Google’s security reference documentation with your compliance and risk teams.
- Security Engineer
Find out how to operate and integrate multiple security controls.
- Security Practitioner
Get detailed instructions on implementing security best practices for configuring, deploying and running a security-centered landing zone for Google Cloud offerings.
- Security Leader
Understand Google's guiding security principles and how best to implement them to secure your deployment.
The Bottom Line
Google Cloud’s Security Foundations Guide is their sponsored option for securing Google Cloud service offerings. It can be taken as-is or customized based on enterprise distinctions, but out of the box, it is a workable solution for companies migrating to Google Cloud services. How you use it will depend on who you are, the needs of your specific enterprise and your company’s ultimate security interests and stake in the Google Cloud platform.
As most businesses operate in multi-cloud environments, they should opt for cloud security solutions that help them protect their apps and data across all cloud platforms in a simplified manner. Tripwire’s Configuration Manager offers this level of simplicity and allows you to automate policy enforcement and fix your highest risks first, using prioritized risk scoring for all unresolved misconfigurations. The Configuration Manager removes fog and friction by giving you the ability to view the configuration and compliance status of all your assets in a single reporting environment.
You may learn more by downloading the Configuration Manager datasheet.
About the Author: An ardent believer in personal data privacy and the technology behind it, Katrina Dobieski is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.