Follow Google Cloud security blueprints
One basic step toward maximizing the security of your Google Cloud environment is to take advantage of the cloud security blueprints that Google provides, which can be accessed for free on the Google Cloud website. Google offers guides devoted to securing a variety of specific types of services and resources, such as data warehouses hosted on BigQuery or hybrid cloud environments created using Anthos.
While there isn’t a security blueprint for every type of Google Cloud service, be sure to use the guides available to enhance the security of your workload where applicable. Keep in mind that the Google Cloud security blueprints are designed to be generic. They are a useful starting point, but you’ll need to adapt or extend their guidance to fit the specific needs of your unique workloads.
Understand Google Cloud shared security responsibility
Like all major public clouds, Google Cloud has a shared responsibility model that defines which security responsibilities fall to customers to manage, and which are handled by Google. In Google’s shared responsibility matrix, customers secure what they can access and control, and Google protects resources like physical servers that customers can’t manage.
Since Google Cloud has invested heavily in hybrid products based on Anthos and its Distributed Cloud portfolio, you need to pay extra attention to the details in Google’s shared responsibility matrix. For example, if you use Anthos to manage Kubernetes clusters hosted on servers that you own, you’ll be responsible for securing those servers, even though the clusters running on them are managed through a Google service.
In this regard, shared security responsibility in Google Cloud can be more complex than in cloud environments where the line separating customer-managed assets from vendor-managed assets is clear.
Leverage Google Cloud audit logs for security visibility
One of the most important sources of security visibility into Google Cloud is audit logs. Audit logs record administrative activity within your cloud environment, so you can establish who did what when you need to investigate a security incident or identify risk patterns.
Be sure to determine whether audit logs are available for each of the Google Cloud services you run. While Google says that it will ultimately enable audit logging for all of its cloud services, the feature is currently available only for certain services.
Enforce least privilege with Google Cloud IAM
Like all major clouds, Google Cloud provides an Identity and Access Management (IAM) framework that you can use to define access controls for resources in your cloud environment. IAM is one of the pillars of constructing a secure cloud. To make the most of Google Cloud IAM, create rules that enforce least privilege. Least privilege means that each user can access only the specific services or resources required for their role. Avoid assigning broad sets of access rights, and grant rights to individual users rather than groups wherever possible.
You should also validate your Google Cloud IAM configurations with Cloud Security Posture Management (CSPM) tools that can detect configuration oversights or errors that may expose your cloud environment to attack.
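As an added illustration (not code from the original article or from Wiz), the following Python check reads a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns and flags bindings that break least privilege: basic roles (owner/editor/viewer) that grant project-wide rights, public principals, and whole-domain grants. The policy content is constructed for the example.

```python
import json
from collections import namedtuple

# Basic roles are broad, project-wide grants; least privilege calls for
# predefined or custom roles scoped to what a principal actually needs.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Principals that make a binding reachable by anyone (or any Google account).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

Finding = namedtuple("Finding", "kind role member")

# Constructed sample policy in the `gcloud projects get-iam-policy` JSON shape.
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "bindings": [
        {"role": "roles/editor",
         "members": ["user:alice@example.com", "group:devs@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
        {"role": "roles/bigquery.dataViewer",
         "members": ["user:bob@example.com", "domain:example.com"]},
    ],
})


def audit_iam_policy(policy_json):
    """Return a list of Finding tuples for least-privilege violations."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if role in BASIC_ROLES:
                findings.append(Finding("BASIC_ROLE", role, member))
            if member in PUBLIC_MEMBERS:
                findings.append(Finding("PUBLIC_ACCESS", role, member))
            elif member.startswith("domain:"):
                findings.append(Finding("DOMAIN_WIDE_GRANT", role, member))
    return findings


if __name__ == "__main__":
    for f in audit_iam_policy(SAMPLE_POLICY):
        print(f"{f.kind:18} {f.role:32} {f.member}")
```

Feed it the output of `gcloud projects get-iam-policy` for each project to get a quick pass over obvious over-grants; a full CSPM tool extends the same idea to folder, organization and resource-level policies.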
Understand service-specific security risks
Because Google Cloud spans dozens of different solutions that cater to application deployment, data analytics and warehousing, IoT network management, and more, it is exposed to a broad set of security risks, such as DDoS attacks and unauthorized access. You can create layers of protection against these risks by using strong access control policies and meeting your security responsibilities under Google’s shared responsibility model.
Certain Google Cloud services pose special security risks that you’ll need to address with specific tools and processes. For example, if you host containerized applications using Google Kubernetes Engine, you’ll need to address the risks specific to container images, and manage Kubernetes access control policies and Kubernetes-specific security tooling.
In many cases, deploying generic Google Cloud security tools isn’t enough to protect your workloads. You’ll also need to understand the special security risks associated with the Google Cloud services you use and take steps to mitigate them.
Next steps for Google Cloud security
Although you should strive to establish a strong security posture when you first create your Google Cloud environment, you should also continuously audit and monitor your cloud configurations over time. Always take opportunities to make your cloud more secure. Solutions like Wiz can help by providing holistic visibility into your cloud environment and helping you identify risks, even as your configurations constantly change and new types of threats emerge.