Cloud Workload Security: Part 4 - Explaining the Security Features of GCP
Written by Intezer
When it comes to securing your workloads in the cloud, having a well-defined security strategy with the right controls means that the battle is only half won. This series explains the important security controls and categories that can help you build a strong cloud security strategy and how you can implement them in your cloud platform.
Reducing the attack surface, detecting breaches, and responding in a timely manner to attacks are the three main pillars on which your security strategy will rest. It’s important to get visibility into your applications or code in the cloud through monitoring and logging. Born-in-the-cloud holistic security for VMs, Kubernetes, CaaS, and FaaS solutions, along with integrated Linux threat detection, should also be taken into account while designing your cloud security strategy. In the first part of this series, we explored the controls and categories that align with these key focus areas and discussed them in detail.
In other posts in this series, we covered how to implement the controls using AWS and Azure services and tools. In this post, we’ll explore the built-in security services for GCP and how they integrate with your cloud security strategy.
GCP Cloud Security Controls
Like AWS and Azure, GCP provides multiple built-in services that customers can leverage to implement a cloud security strategy. Where a service is not readily available to implement security control, you can address the gap by using third-party solutions when appropriate.
Private deployments using VPC: In GCP, virtual private clouds (VPCs) provide the first level of segmentation by enabling secure private deployments for workloads. You can configure additional microsegmentation within VPC using firewall rules that allow you to control traffic based on ports, protocols, source, and destination. For containerized workloads in Google Kubernetes Engine (GKE) clusters, you can use network policies to implement defense in depth.
Since traffic between pods and services is controlled by pod-level firewall rules, if an attack occurs, it is limited to the compromised container. Istio-based microsegmentation for GKE workloads provides an additional layer of security through mutual TLS authentication, Istio authorization, and network access logging.
Cloud Armor: Google Cloud Armor is designed as a web application firewall (WAF) to protect workloads behind HTTP(S) load balancers from unauthorized access and attacks. It does this through security rules that restrict or allow traffic based on layer 3, 4, and 7 attributes. The service comes preconfigured with rules that protect your workloads from common types of attacks, such as cross-site scripting (XSS), SQL injection, remote file inclusion, and remote code execution.
Services deployed behind HTTP(S), SSL proxy, or TCP proxy load balancers are automatically protected from DDoS attacks. The load balancer acts as the first line of defense, offering protection from common DDoS attacks, like SYN floods, IP fragment floods, and port exhaustion.
Cloud Security Posture Management
GCP offers comprehensive cloud security posture management (CSPM) through the Security Command Center, a native GCP service that gives you visibility and control over your deployment with a bird’s-eye view of the state of cloud asset security. Comprehensive threat prevention capabilities are built in to uncover weak points, like legacy application libraries, reverse shells, or suspicious binaries.
Cloud assets are auto-discovered and onboarded to the Security Command Center for continuous monitoring. Any misconfigurations and cloud compliance violations are flagged with actionable recommendations to initiate remediation. GCP Security Health Analytics provides vulnerability assessment scanning for various services, including container runtime attack detection. It surfaces detected vulnerabilities in the cloud console; however, it is recommended to leverage third-party services to detect runtime vulnerabilities at the app/resource level.
Patch deployment: OS patch management service from GCP helps keep your Windows and Linux VMs updated with the latest patches. You can review the patch status for your VMs from a centralized location through compliance reporting, and you can use the automated patch deployment option to deploy the missing patches in the systems during the designated maintenance window.
Web application vulnerability scanning: The Cloud Security Scanner service scans your web applications deployed across Compute Engine, GKE, and App Engine to identify security loopholes and vulnerabilities. The service can identify and alert you about common vulnerabilities, like Flash injection, mixed content, cross-site scripting, or unsecured password transmission. Cloud Security Scanner is integrated with the Security Command Center, and its findings are displayed in a centralized dashboard.
Cloud Workload Protection Platform
Shielded VMs hardened by security controls: Hardening your VMs with standard security best practices helps to protect them from multiple known vulnerabilities and attacks. Shielded VMs in GCP are hardened to protect from rootkit and bootkit threats. This advanced protection is enabled through a secure boot process, virtual trusted platform module (vTPM)-enabled Measured Boot, UEFI firmware, and integrity monitoring.
vTPM protects your keys and certificates that are used to authenticate system access. The secure boot process of Shielded VMs validates boot signatures to ensure that only trusted software is allowed to run. Thus, it offers protection against advanced threats like malicious insider attacks, guest firmware, as well as kernel or user-mode vulnerabilities.
It should be noted that hardening of VMs is not sufficient to protect from all runtime vulnerabilities. Your cloud ecosystem will probably consist of solutions like K8s, CaaS, FaaS, etc., in addition to VMs. Hence a third-party solution—like Intezer Protect which enables holistic protection for all of these services—can be incorporated to strengthen the security posture.
Note: Workload-centric adaptive application control and in-memory protection capabilities allow only trusted code and applications to run in your cloud environment. GCP does not have a native service capable of enabling this. Cloud Workload Protection Platforms (CWPP) like Intezer Protect provide advanced visibility into your workload security status with application control and in-memory protection features. You can leverage this to augment cloud asset security and implement an approach in GCP that helps to protect from unauthorized code or commands.
Vulnerability scanning for containers: GCP’s Container Analysis service scans any new container images uploaded to the Container Registry for security vulnerabilities. It also does a continuous analysis of scanned container metadata against evolving threats, based on updated information received from vulnerability databases.
This pre-runtime image scanning, along with continuous analysis, helps to ensure the end-to-end lifecycle security of workloads in containers. You can also integrate container CI/CD pipelines with Kritis Signer to create attestations based on Container Analysis vulnerability scanning results.
Trusted image deployment: You can use deploy-time security control based on Binary Authorization to ensure that only trusted and verified images are deployed. When integrated with the DevOps build and release process, this ensures that only verified containers will be deployed in your cloud environment and protects against potential threats from malicious code running in containers.
Binary Authorization helps with proactive Container Security Posture Management and helps to standardize container release practices. Since it is natively integrated with the GKE control panel for defining deployment policies, this makes the adoption process much simpler.
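The deploy-time check described in the two paragraphs above, as an added example that is not Binary Authorization's own code: a policy with an allowlist of image-name patterns and a default rule that requires attestations from named attestors, evaluated against digest-pinned image references. Attestation signatures are modelled with HMAC-SHA256 keyed per attestor, which is an assumption made for this example (real attestors sign the payload with PGP or PKIX keys); the project name, attestor names, and digests are constructed.

```python
"""Deploy-time image admission check in the spirit of Binary Authorization.

Added example, not Google's Binary Authorization code. Evaluates a policy that
has an allowlist of image-name patterns and a default rule requiring
attestations from named attestors. Signatures are modelled with HMAC-SHA256
(an assumption for this example; real attestors use PGP or PKIX keys).
"""
import hashlib
import hmac
import json
import re


def pattern_matches(pattern: str, image_name: str) -> bool:
    """Allowlist patterns: '*' matches one path component, '**' matches many."""
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, image_name) is not None


def split_image_ref(image_ref: str) -> tuple:
    """Return (name, digest); refuse tag references so attestations bind to content."""
    if "@sha256:" not in image_ref:
        raise ValueError("image must be referenced by digest, not tag: " + image_ref)
    name, digest = image_ref.split("@", 1)
    return name, digest


def attestation_payload(image_name: str, digest: str) -> bytes:
    # Canonical payload the attestor signs (constructed format for this example).
    return json.dumps({"critical": {"identity": {"docker-reference": image_name},
                                    "image": {"docker-manifest-digest": digest}}},
                      sort_keys=True).encode()


def sign_attestation(attestor_key: bytes, image_name: str, digest: str) -> str:
    return hmac.new(attestor_key, attestation_payload(image_name, digest),
                    hashlib.sha256).hexdigest()


def verify_attestation(attestor_key: bytes, image_name: str, digest: str, sig: str) -> bool:
    return hmac.compare_digest(sign_attestation(attestor_key, image_name, digest), sig)


def admit(policy: dict, attestors: dict, attestations: list, image_ref: str) -> tuple:
    """Return (admitted, reason) for a deploy of image_ref.

    policy       = {"allowlist": [patterns], "require_attestations_by": [attestor names]}
    attestors    = {attestor name: verification key}
    attestations = [{"attestor", "image", "digest", "signature"}]
    """
    name, digest = split_image_ref(image_ref)
    if any(pattern_matches(p, name) for p in policy["allowlist"]):
        return True, "allowlisted by pattern"
    missing = []
    for attestor in policy["require_attestations_by"]:
        ok = any(a["attestor"] == attestor and a["image"] == name and a["digest"] == digest
                 and verify_attestation(attestors[attestor], name, digest, a["signature"])
                 for a in attestations)
        if not ok:
            missing.append(attestor)
    if missing:
        return False, "missing valid attestation from: " + ", ".join(missing)
    return True, "all required attestations verified"


# Constructed sample policy, attestor keys, and images.
ATTESTORS = {"vuln-scan-passed": b"scan-attestor-key", "qa-signoff": b"qa-attestor-key"}
POLICY = {"allowlist": ["gcr.io/google-containers/**"],
          "require_attestations_by": ["vuln-scan-passed", "qa-signoff"]}
GOOD_NAME = "us-docker.pkg.dev/demo-project/app/api"
GOOD_DIGEST = "sha256:" + hashlib.sha256(b"good image manifest").hexdigest()
UNSCANNED_DIGEST = "sha256:" + hashlib.sha256(b"unscanned image manifest").hexdigest()

ATTESTATIONS = [
    {"attestor": "vuln-scan-passed", "image": GOOD_NAME, "digest": GOOD_DIGEST,
     "signature": sign_attestation(ATTESTORS["vuln-scan-passed"], GOOD_NAME, GOOD_DIGEST)},
    {"attestor": "qa-signoff", "image": GOOD_NAME, "digest": GOOD_DIGEST,
     "signature": sign_attestation(ATTESTORS["qa-signoff"], GOOD_NAME, GOOD_DIGEST)},
    # Only one of the two required attestors signed this build.
    {"attestor": "qa-signoff", "image": GOOD_NAME, "digest": UNSCANNED_DIGEST,
     "signature": sign_attestation(ATTESTORS["qa-signoff"], GOOD_NAME, UNSCANNED_DIGEST)},
]


def demo() -> dict:
    """Admission outcome (True/False) for four constructed deploy requests."""
    forged = [dict(a, signature="00" * 32) for a in ATTESTATIONS]
    return {
        "attested": admit(POLICY, ATTESTORS, ATTESTATIONS, f"{GOOD_NAME}@{GOOD_DIGEST}")[0],
        "half_attested": admit(POLICY, ATTESTORS, ATTESTATIONS,
                               f"{GOOD_NAME}@{UNSCANNED_DIGEST}")[0],
        "allowlisted": admit(POLICY, ATTESTORS, ATTESTATIONS,
                             "gcr.io/google-containers/pause@" + GOOD_DIGEST)[0],
        "forged": admit(POLICY, ATTESTORS, forged, f"{GOOD_NAME}@{GOOD_DIGEST}")[0],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14s} -> {'ADMIT' if outcome else 'DENY'}")
```

The rejection of tag references is the detail worth carrying into a real pipeline: an attestation over a digest says nothing about whatever a mutable tag points at tomorrow, so the policy only makes sense when every deployment manifest pins the digest.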
Tools for security information and event management (SIEM) help aggregate logs from multiple sources and derive threat and vulnerability intelligence through advanced analysis. GCP users can send security telemetry data to Chronicle and can leverage the features of the newly announced Chronicle Detect for advanced threat detection. You can also choose to send information from the Security Command Center to your existing security systems using REST API integration, and you can export Security Command Center data to SIEM tools, like Splunk, for additional analysis.
Threat Detection and Security Analytics
The Event Threat Detection feature in the Security Command Center’s premium tier monitors logs collected from the Cloud Logging stream and detects common threats based on preconfigured threat rules. It identifies brute force attacks, phishing, and more. You can also create custom detection rules by storing log data in BigQuery and executing SQL queries based on your threat model.
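Two custom rules of the kind the paragraph above would have you express as BigQuery SQL over exported audit logs, as an added example that is not Google's code: written in Python so they run offline against constructed entries shaped like Cloud Audit Log protoPayload records (principalEmail, methodName, status.code, serviceData.policyDelta.bindingDeltas). The first rule is a windowed group-by on PERMISSION_DENIED responses per principal; the second flags SetIamPolicy calls that add a privileged role to a member outside the organization's domain. The threshold, window, trusted domain, and all principals are assumptions made for this example.

```python
"""Custom threat-detection rules over Cloud Audit Log entries.

Added example, not Google's code: two rules you would normally write as
BigQuery SQL over an exported audit-log table, implemented in Python so they
run offline against constructed sample entries. Threshold, window, and the
trusted domain are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DENIED_THRESHOLD = 5            # assumed: 5+ denials per principal ...
WINDOW = timedelta(minutes=5)   # ... within a sliding 5-minute window
TRUSTED_DOMAIN = "example.com"  # assumed organization domain
PRIVILEGED_ROLES = {"roles/owner", "roles/editor"}
PERMISSION_DENIED = 7           # google.rpc.Code value carried in status.code


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def rule_permission_denied_burst(entries: list) -> list:
    """Flag principals with DENIED_THRESHOLD or more PERMISSION_DENIED responses
    inside WINDOW: the equivalent of a windowed GROUP BY principalEmail in SQL."""
    by_principal = defaultdict(list)
    for e in entries:
        p = e["protoPayload"]
        if p.get("status", {}).get("code") == PERMISSION_DENIED:
            by_principal[p["authenticationInfo"]["principalEmail"]].append(parse_ts(e["timestamp"]))
    findings = []
    for principal, times in by_principal.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= DENIED_THRESHOLD:
                findings.append({"rule": "permission_denied_burst",
                                 "principal": principal, "count": end - start + 1})
                break
    return findings


def rule_external_privileged_grant(entries: list) -> list:
    """Flag SetIamPolicy calls whose binding delta ADDs a privileged role to a
    member whose e-mail is outside TRUSTED_DOMAIN. Service-account members are
    also reported, which is intentional for a first-pass rule."""
    findings = []
    for e in entries:
        p = e["protoPayload"]
        if not p.get("methodName", "").endswith("SetIamPolicy"):
            continue
        for d in p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", []):
            member = d["member"]
            if (d["action"] == "ADD" and d["role"] in PRIVILEGED_ROLES
                    and not member.endswith("@" + TRUSTED_DOMAIN)):
                findings.append({"rule": "external_privileged_grant",
                                 "actor": p["authenticationInfo"]["principalEmail"],
                                 "member": member, "role": d["role"]})
    return findings


def run_rules(entries: list) -> list:
    return rule_permission_denied_burst(entries) + rule_external_privileged_grant(entries)


def _entry(ts, principal, method, code=0, deltas=None) -> dict:
    """Build a minimal LogEntry-shaped dict (constructed, not a real export)."""
    payload = {"authenticationInfo": {"principalEmail": principal}, "methodName": method}
    if code:
        payload["status"] = {"code": code}
    if deltas:
        payload["serviceData"] = {"policyDelta": {"bindingDeltas": deltas}}
    return {"timestamp": ts, "protoPayload": payload}


# Constructed sample log: one principal probing storage permissions, one
# developer with a couple of ordinary denials, and two IAM policy changes.
SAMPLE_ENTRIES = [
    _entry(f"2021-03-01T10:0{i // 2}:{'30' if i % 2 else '00'}Z", "probe@example.com",
           "storage.objects.list", code=PERMISSION_DENIED) for i in range(6)
] + [
    _entry("2021-03-01T10:00:10Z", "dev@example.com", "compute.instances.get", code=PERMISSION_DENIED),
    _entry("2021-03-01T10:20:10Z", "dev@example.com", "compute.instances.get", code=PERMISSION_DENIED),
    _entry("2021-03-01T10:05:00Z", "admin@example.com", "SetIamPolicy",
           deltas=[{"action": "ADD", "role": "roles/owner", "member": "user:contractor@gmail.com"}]),
    _entry("2021-03-01T10:06:00Z", "admin@example.com", "SetIamPolicy",
           deltas=[{"action": "ADD", "role": "roles/viewer", "member": "user:bob@example.com"}]),
]


if __name__ == "__main__":
    for finding in run_rules(SAMPLE_ENTRIES):
        print(finding)
```

Both rules translate directly to SQL once the logs sit in BigQuery (a COUNT(*) OVER a time window partitioned by principalEmail, and an UNNEST over bindingDeltas filtered on role and member); keeping the thresholds as named constants makes tuning against your own baseline a one-line change.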
The success of security operations and threat detection depends on the intelligence received from security telemetry data. The security telemetry analytics service powered by Chronicle helps analyze petabytes of telemetry data and correlate the information against known threat data. The service also leverages VirusTotal, the leading file and URL analysis service, to derive insights from the telemetry data. The intelligent identification process used by the service correlates user and machine identities to efficiently track the attack vector. However, the threat detection engines in VirusTotal rely on signature or anomaly-based detection, which is not as effective in detecting Linux threats. It is recommended to leverage third-party tools with proven capabilities for detecting Linux threats, like Intezer Protect.
Log and Security Monitoring in GCP
It’s essential to monitor admin and data access activities for suspicious events in order to protect your cloud assets from rogue users. GCP provides a strong audit trail of all admin activities, data access, and system events in the platform in near-real time, with log data stored in highly protected, immutable, and encrypted storage to ensure integrity.
Access Transparency implemented by this process covers logs “beyond the reach” of internal audit logs, for example, for targeted access required by support or engineering. This, when combined with security threat analytics that uses YARA-L detection to define critical indicators of compromise (IOCs) and perform advanced hunting-style searches, ensures comprehensive security monitoring of your cloud asset usage in GCP.
GCP uses the same security services used to protect Google products like Gmail and G Suite. This means that it’s not only innovative, but also tried and tested. Google has made heavy investments to enhance GCP’s security and privacy features to protect workloads from evolving security threats.
Though the GCP services discussed in this blog are relatively mature, cloud administrators may find configuration fairly complex. The learning curve for on-premises administrators, as well as experts familiar with other cloud platforms, could be steep. There are a few controls, like App Control and in-memory protection, that are not covered by native services, and thus would need to be integrated with third-party solutions to augment security.
To understand how other cloud service providers, like AWS and Azure, support these security controls, refer to the other parts of this blog series. Stay tuned for the final part of this series, part 5, where we will provide a comparison of security controls from the Big 3 cloud providers.
Join Intezer's Linux Threat Feed
Every month we find approximately 100 undetected Linux threats, and every week we send subscribers hashes for the latest low and undetected Linux threats. Join our Linux threat feed to learn more: https://hubs.li/H0FftK70