Cloud security constructs are always aligned with the concept of shared responsibility. GCP emulates this principle with its own shared responsibility model, wherein customers, alongside the cloud service provider, have a major role to play in identifying and configuring the right security controls.
An end-to-end cloud security strategy requires a combination of cloud-native security tools augmented by third-party tools to implement the right security controls. More often than not, you can find loads of information on such tools for AWS and Azure, but not so much for GCP—perhaps because it is a relatively new player. Nevertheless, GCP still packs a punch when it comes to ensuring the security of hosted workloads.
In this blog, we’ll explore some of the tools and services that are essential to secure your applications in GCP.
Cloud Armor
Cloud Armor acts as a layer of protection against common cloud-based attacks at the network, transport, and application layers. This includes enterprise-level DDoS protection, the same as what’s used to protect applications like Google Search, Gmail, and YouTube. You can also implement Cloud Armor to protect applications hosted behind load balancers from attacks like SQL injection, XSS, remote code execution, and remote file inclusion.
Cloud Armor comes with predefined rules for out-of-the-box protection to mitigate the OWASP Top 10 vulnerabilities. You can also configure advanced protection through capabilities like rules based on third-party IP address lists to allow/deny traffic, curated rule sets, and adaptive protection.
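As an added example (not code from the original post), the following security policy combines the three capabilities just described, in the YAML layout accepted by `gcloud compute security-policies import`; the policy name, rule priorities and the blocked IP range are assumptions, and the Fastly allow rule assumes the site is fronted by that CDN.

```yaml
# Added example, not code from the original post: a Cloud Armor security policy
# in the YAML layout accepted by `gcloud compute security-policies import`.
# The policy name, priorities and the blocked IP range are assumptions.
name: web-frontend-policy
description: Edge WAF for the load-balanced web tier
adaptiveProtectionConfig:          # ML-based layer-7 DDoS detection
  layer7DdosDefenseConfig:
    enable: true
rules:
# Lower priority number is evaluated first: explicit deny list comes before the WAF rules.
- priority: 100
  description: Block a known-abusive range (constructed example range)
  action: deny(403)
  match:
    versionedExpr: SRC_IPS_V1
    config:
      srcIpRanges:
      - 198.51.100.0/24
# Preconfigured WAF rule sets derived from the OWASP ModSecurity Core Rule Set.
- priority: 1000
  action: deny(403)
  match:
    expr:
      expression: evaluatePreconfiguredExpr('sqli-stable')
- priority: 1010
  action: deny(403)
  match:
    expr:
      expression: evaluatePreconfiguredExpr('xss-stable')
- priority: 1020
  action: deny(403)
  match:
    expr:
      expression: evaluatePreconfiguredExpr('rce-stable') || evaluatePreconfiguredExpr('rfi-stable')
# Third-party IP list: admit only traffic relayed by a CDN provider's published ranges.
- priority: 2000
  action: allow
  match:
    expr:
      expression: evaluatePreconfiguredExpr('sourceiplist-fastly')
# Mandatory default rule (priority 2147483647): everything else is denied.
- priority: 2147483647
  action: deny(404)
  match:
    versionedExpr: SRC_IPS_V1
    config:
      srcIpRanges:
      - '*'
```

Import it with `gcloud compute security-policies import web-frontend-policy --file-name=policy.yaml --file-format=yaml` and attach it to the backend service with `gcloud compute backend-services update BACKEND --security-policy=web-frontend-policy --global`; the preconfigured expressions can be tuned with a `deny` in preview mode first so that false positives show up in logs before requests are blocked.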
Security Command Center
Security Command Center is GCP’s native cloud security posture management solution, which gives you a holistic view of the security status of applications deployed in GCP. The onboarding is hassle-free, with auto-discovery and monitoring of cloud assets. Security Command Center also monitors your cloud environments for any possible asset misconfiguration or compliance violations, and all such findings are flagged with appropriate remediation recommendations.
Security Command Center helps with threat prevention by identifying application vulnerabilities like cross-site scripting and legacy attack-prone libraries. Additionally, it helps with threat detection by monitoring logs and identifying common attack patterns, e.g., reverse shell and suspicious binaries/libraries in containers.
Despite Security Command Center’s robust array of capabilities to detect and prevent attacks, there have been reports of advanced threat vectors targeting GCP. Hence, it is important to augment these native tools with third-party solutions like Intezer Protect, which specializes in detecting runtime attacks and vulnerabilities in cloud-hosted applications.
Web Security Scanner
Customers can use Web Security Scanner to protect their web applications hosted in GKE, Compute Engine, and App Engine. It scans your apps and provides insights into a wide range of vulnerabilities—accessible SVN/Git repositories, Flash injection, mixed content, plain-text password transmission, to name just a few. Web Security Scanner can perform automated managed scans or custom scans on demand. Managed scans are available only with the Security Command Center Premium tier, while custom scans are available with Security Command Center Premium and, with limited functionality, in the Standard tier.
This tool helps you identify vulnerabilities that could have gotten into the solution during development or deployment, or even due to an insufficiently patched hosting environment. The vulnerabilities found are published in the Security Command Center through native integration. You might also want to consider a Cloud Workload Protection Platform (CWPP) like Intezer for security features that are not natively available, such as detecting in-memory attacks that run malicious code by exploiting vulnerabilities.
Container Analysis
To ensure the security of your containerized workloads in GCP, you have the Container Analysis service. This scans container images in Artifact Registry and Container Registry and flags any vulnerabilities. Customers can opt for either manual or automated scanning; the latter scans all newly uploaded images and follows up with additional scans whenever the content of the image is updated.
The service continuously monitors and analyzes the image metadata for additional vulnerabilities after the initial scan, with the baseline for analysis constantly updated with information from various vulnerability sources. Customers can also interact with the service by making REST API calls using supported client libraries or cURL commands. The process of pre-runtime scanning, followed by the continuous scanning of images, ensures constant vulnerability monitoring. It also integrates well with the open-source tool Kritis Signer for attesting images used in CI/CD pipelines.
Binary Authorization for Containers
GCP supports Binary Authorization for containers, making sure that only images signed by a trusted authority can be deployed in Google Kubernetes Engine (GKE). A runtime security control recommended for containerized workloads, Binary Authorization provides stringent security control over the container lifecycle, as only verified images get integrated into the build/release process.
The service can be integrated with the GKE/Cloud Run control plane, Cloud Build, and container-registry vulnerability scanning, thereby enabling a robust security framework for container workloads in GCP. However, you should also consider protection from advanced threat vectors, like the injection of malicious code during runtime into containerized workloads. For this, you should implement tools like Intezer Protect, which provides runtime visibility, threat detection, and response.
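As an added example (not code from the original post), here is a project-level Binary Authorization policy in the format used by `gcloud container binauthz policy import`, showing the permissive default beside the hardened rule that only admits attested images; `PROJECT_ID`, the attestor name `built-by-cloud-build`, the exempt image path and the cluster name are placeholders.

```yaml
# Added example, not code from the original post: a project-level Binary
# Authorization policy in the format used by
# `gcloud container binauthz policy import policy.yaml`.
# PROJECT_ID, the attestor name, the exempt path and the cluster name are placeholders.

# The weak setting: the default policy a new project starts with admits every
# image (ALWAYS_ALLOW), so image signatures are never checked.
#
# defaultAdmissionRule:
#   evaluationMode: ALWAYS_ALLOW
#   enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG

# Hardened policy: deployments to GKE clusters in the project are blocked and
# audit-logged unless the image carries an attestation from the named attestor
# (for example one created by Kritis Signer in the CI/CD pipeline).
globalPolicyEvaluationMode: ENABLE   # still admit Google-maintained system images
admissionWhitelistPatterns:
- namePattern: gcr.io/PROJECT_ID/infra-tooling/*   # placeholder: images exempt from attestation
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
  - projects/PROJECT_ID/attestors/built-by-cloud-build
clusterAdmissionRules:
  # A dev cluster keeps the same rule in dry-run: violations are only logged,
  # which is how to stage the rollout before turning on blocking.
  us-central1-a.dev-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: DRYRUN_AUDIT_LOG_ONLY
    requireAttestationsBy:
    - projects/PROJECT_ID/attestors/built-by-cloud-build
```

Blocked deployments and dry-run violations both appear in Cloud Audit Logs, which is where to confirm that the attestor and signing step in the pipeline are working before the dev cluster is switched to ENFORCED_BLOCK_AND_AUDIT_LOG.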
Chronicle Detect
GCP provides enterprise-scale SIEM capabilities through its newly announced integration with Chronicle Detect. This gives you an advanced threat detection solution that leverages Google’s infrastructure and helps you identify threat patterns at scale—and at an unprecedented speed.
Customers can send security telemetry data from various sources to Chronicle and apply powerful detection rules to a unified data set consolidated from all of these sources. Chronicle Detect uses the well-known detection language YARA as the foundation of its rules engine and can handle petabytes of data; it also leverages VirusTotal for automated threat analysis and intelligence.
Event Threat Detection
You can access this capability in the Premium tier of Google’s Security Command Center, which offers continuous monitoring of GCP’s log stream for near real-time threat detection. This includes log data for API calls, updates to existing resources, deployment of new resources, etc. The service analyzes status and event information to detect threat patterns.
Event Threat Detection uses methods such as tripwire indicator matching, advanced profiling, windowed profiling, and machine learning, to name a few. There are also built-in rules available for detecting a wide range of threats, like perimeter violations, malware, cryptomining, SSH brute force, suspicious logins, etc. All findings are consolidated in the Security Command Center for easy analysis.
GCP implements the same trusted security solutions it uses to secure the entire portfolio of Google products. Although new to the market as an offering through GCP, these solutions have been proving their mettle for years, protecting services like Gmail and YouTube. There is a great commitment and ongoing investment by GCP to build and deliver new security solutions for the ever-evolving threat landscape in the cloud. You can refer to our GCP workload security blog for detailed information on how to leverage these tools and develop a well-rounded GCP security strategy.
There are additional security guardrails you need to implement to enhance the security posture of your workloads. These include capabilities—like in-memory threat protection—that are crucial to protect you from post-vulnerability exploitation and Living off the Land attacks. If you look at the evolving attack patterns on cloud workloads, runtime visibility is more relevant than ever, while yet another trend is the increasing number of attacks targeting Linux servers.
Intezer is custom-built for the cloud and is specialized to protect Linux servers and containers at runtime. Intezer Protect shifts the focus to where it really matters, i.e., code and applications, to make sure there is no unauthorized code running in your entire infrastructure.
If you have a multi-cloud environment with workloads deployed across AWS, Azure, and GCP, check out our whitepaper for a thorough comparison of these platforms’ security features. And sign up to give Intezer Protect a try: protect 10 hosts for free today.