Google Cloud Security Best Practices

Google has grown into one of the major public cloud providers. As with AWS and Azure, developers can adopt Google Cloud Platform (GCP) quickly, picking the services they need for their application stacks. The following are eight challenges and best practices to help you mitigate risk in Google Cloud.
1. Visibility: Like other clouds, GCP resources can be ephemeral, which makes assets hard to track. According to research, the average lifespan of a cloud resource is two hours and seven minutes. Many companies also run environments that span multiple cloud regions and accounts. The result is decentralized visibility, and since you cannot secure what you cannot see, risks become difficult to detect. Best Practice: Use a cloud security offering that shows the number and kinds of resources (virtual machines, load balancers, virtual firewalls, users, etc.) across multiple projects and regions in a single view. Knowing what is in your environment lets you apply more granular policies and reduce risk.
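The kind of single-view inventory described above, as an added example that is not code from the original article. It assumes the newline-delimited JSON written by `gcloud asset export --content-type resource` and uses only the `name`, `assetType` and `resource.location` fields; the records, project names and approved-region list are constructed for the example. It rolls every project's assets into counts per project and type, per region, and flags regional assets that live outside the regions you approve, which is how ephemeral resources in an unexpected region get noticed.

```python
"""Single-view inventory of GCP assets across projects and regions.

Added example; not from the original article. It assumes the newline-delimited
JSON written by `gcloud asset export --content-type resource`, using only the
`name`, `assetType` and `resource.location` fields. The records below are
constructed sample data, not a real export.
"""
import json
import re
from collections import Counter

# Constructed sample export: two projects, several asset types, and one VM in a
# region that is not on the approved list.
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"name": "//compute.googleapis.com/projects/app-prod/zones/us-central1-a/instances/web-1",
     "assetType": "compute.googleapis.com/Instance", "resource": {"location": "us-central1-a"}},
    {"name": "//compute.googleapis.com/projects/app-prod/zones/us-central1-b/instances/web-2",
     "assetType": "compute.googleapis.com/Instance", "resource": {"location": "us-central1-b"}},
    {"name": "//compute.googleapis.com/projects/app-prod/global/firewalls/allow-ssh",
     "assetType": "compute.googleapis.com/Firewall", "resource": {"location": "global"}},
    {"name": "//compute.googleapis.com/projects/app-prod/regions/us-central1/forwardingRules/lb-1",
     "assetType": "compute.googleapis.com/ForwardingRule", "resource": {"location": "us-central1"}},
    {"name": "//compute.googleapis.com/projects/data-sandbox/zones/asia-east1-a/instances/scratch-7",
     "assetType": "compute.googleapis.com/Instance", "resource": {"location": "asia-east1-a"}},
    {"name": "//iam.googleapis.com/projects/data-sandbox/serviceAccounts/etl@data-sandbox.iam.gserviceaccount.com",
     "assetType": "iam.googleapis.com/ServiceAccount", "resource": {"location": "global"}},
])

PROJECT_RE = re.compile(r"/projects/([^/]+)/")


def parse_export(text):
    """One JSON asset record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def project_of(asset):
    """Project ID taken from the asset name; 'unknown' for project-less assets."""
    m = PROJECT_RE.search(asset["name"])
    return m.group(1) if m else "unknown"


def region_of(asset):
    """Roll a zone such as us-central1-a up to its region us-central1.

    'global' and multi-regions such as 'US' are returned unchanged.
    """
    loc = asset.get("resource", {}).get("location", "global")
    parts = loc.split("-")
    return "-".join(parts[:2]) if len(parts) == 3 else loc


def summarize(assets):
    """Counts per (project, asset type) and per region: the single window."""
    by_project_type = Counter((project_of(a), a["assetType"]) for a in assets)
    by_region = Counter(region_of(a) for a in assets)
    return by_project_type, by_region


def outside_allowed_regions(assets, allowed):
    """Names of regional assets outside the approved regions.

    Global assets (firewalls, service accounts) are not regional and are skipped.
    """
    return [a["name"] for a in assets
            if region_of(a) != "global" and region_of(a) not in allowed]


if __name__ == "__main__":
    assets = parse_export(SAMPLE_EXPORT)
    by_project_type, by_region = summarize(assets)
    for (project, asset_type), n in sorted(by_project_type.items()):
        print(f"{project:14} {asset_type:42} {n}")
    print("by region:", dict(by_region))
    print("outside allowed regions:", outside_allowed_regions(assets, {"us-central1"}))
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents; exporting at the organization scope rather than per project is what gives you the cross-project view in one pass.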
2. Resource hierarchy: One of the basic building blocks of GCP is its resource hierarchy. Other clouds have hierarchical resource models too, but GCP's is very flexible: administrators can create nodes in many ways and attach permissions at any of them. This can quickly lead to sprawl and confusion about where in the hierarchy a given permission was applied. Concretely, GCP lets you create folders (which can be nested), projects, and resources under an organization, and an IAM policy set on any node is inherited by everything below it. Best Practice: Build a hierarchy that closely mirrors your organization's corporate structure. If you do not have a well-defined structure today, design one that makes sense and leaves room for future growth and expansion.
3. Privilege and scope: GCP IAM controls access by defining who (a principal) has which access (a role) to which resource. The three pieces are principals (users, groups, and service accounts), roles, and resources; a policy binds principals to roles on a resource. Understanding how policies are applied to these pieces is essential to implementing least-privilege access in your GCP environment. Best Practice: Instead of granting roles directly to individual users, place users in well-defined groups and assign roles to those groups, scoped only to the resources they need. Prefer custom roles where the exact permission set matters, because the permissions in Google's predefined roles can change over time.
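An added example serving both the resource-hierarchy point (item 2) and the privilege-and-scope point (item 3); it is not code from the original article. It models IAM policy inheritance, where a binding made on the organization or a folder applies to every project and resource beneath it, using the `bindings`/`role`/`members` layout of a real IAM policy document. Given the policies at each level it answers the question the text calls hard to answer by hand (which node a grant came from) and then checks the effective bindings against the least-privilege practice: no public members, no roles bound directly to users, no basic roles. The organization, folder, project, groups and users are constructed sample data.

```python
"""Effective IAM bindings on a GCP project and a least-privilege check.

Added example serving both the resource-hierarchy and privilege-and-scope
points; it is not code from the original article. It models IAM policy
inheritance (a binding set on an organization or folder applies to every
project and resource beneath it) using the `bindings`/`role`/`members` layout
of a real IAM policy. The organization, folder, project, groups and users
below are constructed sample data.
"""

# Constructed hierarchy: each node maps to its parent; the organization has none.
HIERARCHY = {
    "organizations/123456789012": None,
    "folders/engineering": "organizations/123456789012",
    "projects/app-prod": "folders/engineering",
}

# Constructed IAM policies, one per node, in the shape returned by
# `gcloud ... get-iam-policy --format=json`.
POLICIES = {
    "organizations/123456789012": {"bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:gcp-org-admins@example.com"]},
        {"role": "roles/viewer", "members": ["user:contractor@example.com"]},
    ]},
    "folders/engineering": {"bindings": [
        {"role": "roles/editor", "members": ["group:eng-all@example.com"]},
    ]},
    "projects/app-prod": {"bindings": [
        {"role": "roles/compute.instanceAdmin.v1",
         "members": ["group:app-prod-operators@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
    ]},
}

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def ancestry(resource, hierarchy):
    """The resource followed by its ancestors up to the organization."""
    chain = []
    node = resource
    while node is not None:
        chain.append(node)
        node = hierarchy.get(node)
    return chain


def effective_bindings(resource, hierarchy, policies):
    """(member, role, node) triples that apply to `resource`.

    The effective policy is the union of the resource's own policy and the
    policies of all its ancestors; `node` records where each grant was made.
    """
    out = []
    for node in ancestry(resource, hierarchy):
        for binding in policies.get(node, {}).get("bindings", []):
            for member in binding["members"]:
                out.append((member, binding["role"], node))
    return out


def lint(bindings):
    """Least-privilege findings: public grants, direct user grants, basic roles."""
    findings = []
    for member, role, node in bindings:
        if member in PUBLIC_MEMBERS:
            findings.append(f"public access: {role} granted to {member} at {node}")
        if member.startswith("user:"):
            findings.append(f"direct user grant: {member} has {role} at {node}; "
                            "grant it to a group instead")
        if role in BASIC_ROLES:
            findings.append(f"basic role: {role} for {member} at {node}; "
                            "use a predefined or custom role scoped to what is needed")
    return findings


if __name__ == "__main__":
    bindings = effective_bindings("projects/app-prod", HIERARCHY, POLICIES)
    for member, role, node in bindings:
        print(f"{member:40} {role:45} from {node}")
    print()
    for finding in lint(bindings):
        print("-", finding)
```

The contractor's `roles/viewer` grant is the instructive case: it never appears in the project's own policy, yet it gives read access to every project in the organization, and the lint flags both the direct user grant and the basic role along with the node where they were made.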
4. Identity management: One of the main causes of cloud security incidents is lost or stolen credentials. It is not uncommon to find credentials for public cloud environments exposed on the Internet, so organizations need to be able to detect both the exposure and the resulting account compromise. Best Practice: Always enforce strong password policies and multi-factor authentication (MFA). GCP supports MFA (2-Step Verification) for Cloud Identity and Google Workspace accounts. You can also federate Cloud Identity with your single sign-on provider so that corporate identities inherit your corporate MFA policies.
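Detecting the credential exposure described above, as an added example that is not code from the original article. It recognizes the two Google Cloud credential shapes most often found in public repositories: API keys, which begin with `AIza` and are 39 characters long, and service-account key files, which are flat JSON objects containing `"type": "service_account"` and a `private_key`. The file contents, key material, project and service-account names are constructed for the example; the findings are redacted so the report itself does not become a second leak.

```python
"""Detect exposed Google Cloud credentials in text (a repo file, a paste, a log).

Added example; not from the original article. It recognizes two credential
shapes: Google API keys, which begin with `AIza` and are 39 characters long,
and service-account key files, which are flat JSON objects with
`"type": "service_account"` and a `private_key`. The file contents below are
constructed sample data; the key material is not real.
"""
import json
import re

API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")
# Service-account key JSON has no nested objects, so a single brace-delimited
# object containing the type marker is enough to locate a candidate.
SA_KEY_RE = re.compile(r'\{[^{}]*"type"\s*:\s*"service_account"[^{}]*\}')

# Constructed: a .env file committed to a public repository by mistake.
SAMPLE_REPO_FILE = r'''
MAPS_KEY=AIzaSyExampleKey0123456789abcdefghijklm
GOOGLE_APPLICATION_CREDENTIALS_JSON={"type": "service_account", "project_id": "app-prod", "private_key_id": "0123abcd", "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n", "client_email": "etl@app-prod.iam.gserviceaccount.com", "client_id": "1", "token_uri": "https://oauth2.googleapis.com/token"}
'''


def redact(secret):
    """Keep enough of the value to correlate with the console, never the whole key."""
    return secret[:8] + "..." + secret[-4:]


def find_service_account_keys(text):
    """Parsed service-account key objects found in `text`, with the private key dropped."""
    keys = []
    for m in SA_KEY_RE.finditer(text):
        try:
            obj = json.loads(m.group(0))
        except json.JSONDecodeError:
            continue
        if obj.get("type") == "service_account" and "private_key" in obj:
            keys.append({k: v for k, v in obj.items() if k != "private_key"})
    return keys


def scan_text(text, source="<input>"):
    """One finding per credential in `text`; values are redacted, never copied."""
    findings = []
    for m in API_KEY_RE.finditer(text):
        findings.append({"type": "google_api_key", "source": source,
                         "redacted": redact(m.group(0))})
    for sa in find_service_account_keys(text):
        findings.append({"type": "service_account_key", "source": source,
                         "client_email": sa.get("client_email"),
                         "private_key_id": sa.get("private_key_id")})
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_REPO_FILE, "repo/.env"):
        print(finding)
```

The `client_email` and `private_key_id` in a service-account finding are exactly what the responder needs: the key can be revoked with `gcloud iam service-accounts keys delete KEY_ID --iam-account=EMAIL` before anyone investigates how it got out, and the audit logs for that service account can then be reviewed for use of the key.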
5. Access: It goes without saying that humans are not the only users of GCP resources. Development tools and applications will need to make API calls to access GCP resources.