Unsafe Practices on GCP and recommendations
(Also read, AWS Security Audits )
Google Cloud is leading the way in terms of several PaaS offerings. GCP's App Engine, GKE and BigQuery are among the leaders in the cloud space. As you leverage some of these public facing PaaS services, as well as the traditional compute (IaaS) services, there are several items that need to be part of your security checklist. For example:
Google Cloud Security Unsafe Practice: Public IP addresses on Compute Engine Instances
Solution:
Stay away from public IPs on your instances wherever possible, to avoid inadvertently exposing your instances via misconfigured firewall rules.
Only expose services via public hardened gateways, firewalls, load balancers, Web Application Firewalls (WAFs) or Content Delivery Networks (CDNs) that can log and restrict access where needed.
Google Cloud Security Unsafe Practice - Unmonitored APIs:
Hackers love to use your services or at least attempt to send tons of requests using your enabled APIs. You could stuck with a huge bill.
Solution:
Monitor all APIs – Only Whitelist / Enable APIs as needed
Google Cloud Security Potentially Unsafe Practice - Relying on default GCP KMS Encryption:
Relying on DEFAULT Encryption - GCP provides a Key Management Service (KMS) that allows customers to provision their own keys for encrypt /decrypt operations, called customer managed encryption keys (CMEKs).
Solution:
While GCP provides encryption by default (at rest data), it is recommended to leverage CMEKs.
Summary
This is a partial list of the 60 plus checks that Anuj Varma and team perform as part of their GCP Security Audit. Is your GCP Deployment Secure? Start the conversation sooner rather than later. Security cannot be an afterthought (™)
Next Steps?
Need help with your cloud migration? Or securing your cloud assets? Try GoogleCloudArchitect.us
Leave a Reply