A Google Cloud Platform Primer with Security Fundamentals

5 years ago Ben Layer
We’ve previously discussed best practices for securing Microsoft Azure and Amazon Web Services but, this time, we are going to turn our attention to Google Cloud Platform. Google Cloud Platform (GCP) is growing at an impressive 83 percent year over year but generally receives less focus than AWS and Azure.

We can use some of our best practice cloud security knowledge to outline some fundamental steps for keeping Google Cloud Platform secure.

1. Identity and Access Management

A general rule of thumb is to use managed corporate credentials for your Google Cloud Platform accounts instead of personal Gmail accounts. This helps ensure complete visibility and control of the account, as well as continuity of service in the event of personnel changes.

Additionally, as always, your GCP credentials should have multi-factor authentication enabled to combat the threat of breached or weak credentials.

Google allows for multiple projects within GCP with separate access control and billing accountability. Using multiple separate projects can help segment your resources, so that the compromise of one machine or account does not put resources in another project in jeopardy.

2. Network Security

A first priority should be the removal of the “default” Virtual Private Cloud (VPC) network. Creating your own network gives you greater awareness of exactly what you are allowing in and out of your VPC network. The default network allows access to some internal GCP networks, as well as global SSH and RDP access.

It is critical to limit your exposure to brute force attacks. Reduce the attack surface by removing global SSH and RDP access. When you define your own VPC network, take care not to allow access to port 22 or 3389 from the open internet (0.0.0.0/0).

It is always wise to use traditional network security best practices in your deployments in order to prevent and detect attacks or breaches. Perform frequent vulnerability audits on your cloud network and assets with a vulnerability management product.

3. Logging

It is important to create a comprehensive logging policy within your cloud platform to help with auditing and compliance.

Access logging should be enabled on storage buckets so that you have an easily accessible log of object access. Administrator audit logs are created by default, but you should enable Data Access logs for Data Writes in all services.

The Stackdriver logging mechanism only stores logs for a limited time. You should create a log export sink with no filter in order to archive all logs for an extended period.
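As an added example (not part of the original post), the script below checks both points of this section against gcloud output: the `auditConfigs` section of `gcloud projects get-iam-policy <project> --format=json`, to confirm that Data Access logging for `DATA_WRITE` is enabled for `allServices`, and `gcloud logging sinks list --format=json`, to confirm that at least one enabled sink has no filter. Both inputs are constructed samples and the bucket names are placeholders.

```python
"""Check Data Access audit logging and an unfiltered log export sink.

Added example, not from the original post. Inputs are the JSON of
`gcloud projects get-iam-policy <project> --format=json` (auditConfigs) and
`gcloud logging sinks list --format=json`. Both samples are constructed.
"""
import json

SAMPLE_POLICY_JSON = json.dumps({
    "auditConfigs": [
        {"service": "allServices",
         "auditLogConfigs": [
             {"logType": "ADMIN_READ"},
             {"logType": "DATA_WRITE", "exemptedMembers": ["user:auditor@example.com"]},
         ]},
        {"service": "storage.googleapis.com",
         "auditLogConfigs": [{"logType": "DATA_READ"}]},
    ],
})

SAMPLE_SINKS_JSON = json.dumps([
    {"name": "errors-only", "destination": "storage.googleapis.com/example-error-logs",
     "filter": "severity>=ERROR"},
    {"name": "archive-all", "destination": "storage.googleapis.com/example-log-archive"},
])


def data_access_gaps(policy_json, required=("DATA_WRITE",)):
    """Report required Data Access log types not enabled for allServices.

    Returns {"missing": [log types], "exempted": [members]}. Exempted
    members are worth surfacing because their operations are not logged.
    """
    enabled, exempted = set(), []
    for cfg in json.loads(policy_json).get("auditConfigs", []):
        if cfg.get("service") != "allServices":
            continue  # a per-service entry does not cover every service
        for entry in cfg.get("auditLogConfigs", []):
            enabled.add(entry.get("logType"))
            exempted.extend(entry.get("exemptedMembers", []))
    return {"missing": sorted(set(required) - enabled), "exempted": exempted}


def unfiltered_sinks(sinks_json):
    """Names of enabled sinks that export every log entry (empty filter)."""
    return [s["name"] for s in json.loads(sinks_json)
            if not s.get("disabled", False) and not s.get("filter", "").strip()]


if __name__ == "__main__":
    print(data_access_gaps(SAMPLE_POLICY_JSON))
    print("archive sinks:", unfiltered_sinks(SAMPLE_SINKS_JSON))
```

The `required` tuple can be widened to `("DATA_READ", "DATA_WRITE")` if your policy also calls for read logging; with the sample policy that reports `DATA_READ` as missing, since it is only enabled for the storage service.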

More information on logging configuration can be found here.

4. Database

Google Cloud Platform provides the ability to create managed MySQL and PostgreSQL database instances in which Google takes care of security patches; however, there are still configuration options which should be set if you are using the database feature.

By default, SSL is not required. All databases should be configured to require SSL connections to foil snooping and man-in-the-middle attacks.

When starting a new MySQL database, it is possible to create it without a root (admin) password. You absolutely must enable a root password for all MySQL databases.

As in the networking section, you should not allow ingress to your databases from the global internet. Do not allow 0.0.0.0 or /0 when creating authorized networks for your databases. Similarly, MySQL should not allow root users to connect from 0.0.0.0.
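The three database checks above (SSL required, no world-open authorized network, no any-host root) as one added audit script that is not part of the original post. It reads the `settings.ipConfiguration` section of `gcloud sql instances describe <instance> --format=json` (`requireSsl`, `authorizedNetworks`) and the `name`/`host` pairs from `gcloud sql users list --instance=<instance> --format=json`; both inputs are constructed samples. `%` is MySQL's any-host wildcard, so a root user with that host is reported alongside `0.0.0.0`.

```python
"""Audit a Cloud SQL instance for SSL enforcement and world-open access.

Added example, not from the original post. Inputs are the JSON of
`gcloud sql instances describe` (settings.ipConfiguration) and
`gcloud sql users list`. Both samples below are constructed.
"""
import ipaddress

SAMPLE_INSTANCE = {
    "name": "orders-db",
    "databaseVersion": "MYSQL_5_7",
    "settings": {"ipConfiguration": {
        "ipv4Enabled": True,
        "requireSsl": False,
        "authorizedNetworks": [
            {"name": "office", "value": "203.0.113.0/24"},
            {"name": "everyone", "value": "0.0.0.0/0"},
        ],
    }},
}

SAMPLE_USERS = [
    {"name": "root", "host": "%"},            # "%" is MySQL's any-host wildcard
    {"name": "app", "host": "203.0.113.10"},
]


def is_world_open(cidr):
    """True for 0.0.0.0, 0.0.0.0/0 or ::/0 (any prefix of length 0)."""
    value = cidr.strip()
    if value == "0.0.0.0":
        return True  # ip_network would parse this as a single /32 host
    try:
        return ipaddress.ip_network(value, strict=False).prefixlen == 0
    except ValueError:
        return False


def sql_instance_findings(instance, users=()):
    """Return a list of human-readable findings for one instance."""
    findings = []
    ipcfg = instance.get("settings", {}).get("ipConfiguration", {})
    if not ipcfg.get("requireSsl", False):
        findings.append("requireSsl is false: clients may connect without TLS")
    for net in ipcfg.get("authorizedNetworks", []):
        if is_world_open(net.get("value", "")):
            findings.append(f"authorized network '{net.get('name', '?')}' is "
                            f"{net['value']} (whole internet)")
    if instance.get("databaseVersion", "").startswith("MYSQL"):
        for user in users:
            if user.get("name") == "root" and user.get("host") in ("%", "0.0.0.0"):
                findings.append(f"MySQL root may connect from any host ({user['host']})")
    return findings


if __name__ == "__main__":
    for line in sql_instance_findings(SAMPLE_INSTANCE, SAMPLE_USERS):
        print(f"{SAMPLE_INSTANCE['name']}: {line}")
```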

5. Storage

We would be remiss not to mention paying attention to storage bucket access after so many news reports of online storage data dumps. The Google Cloud Platform Console does not present obvious warnings when buckets have anonymous or public access, so it is important to monitor these settings. Ensure neither allUsers nor allAuthenticatedUsers has access on buckets or objects where it is not needed. In this case, “allAuthenticatedUsers” means anyone with a Google account, which is equivalent to everyone. Tripwire Configuration Manager can be used to audit public access of storage buckets and even enforce privacy settings automatically.

You may also consider enabling object versioning to protect yourself from unintended overwrites.
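An added example of the bucket checks from this section (not part of the original post or of Tripwire's product): for each bucket it combines the IAM policy from `gcloud storage buckets get-iam-policy gs://<bucket> --format=json` (bindings of role to members) with the bucket resource from `gcloud storage buckets describe gs://<bucket> --format=json`, whose `versioning.enabled` field reflects object versioning. It reports any role granted to `allUsers` or `allAuthenticatedUsers` and any bucket without versioning. The three buckets are a constructed sample.

```python
"""Flag publicly readable buckets and buckets without object versioning.

Added example, not from the original post. Per bucket, "policy" is the IAM
policy JSON and "resource" is the bucket resource JSON (versioning field).
The sample buckets and principals below are constructed.
"""
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

SAMPLE_BUCKETS = {
    "example-public-site": {
        "policy": {"bindings": [
            {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
            {"role": "roles/storage.admin", "members": ["group:web-admins@example.com"]},
        ]},
        "resource": {"versioning": {"enabled": True}},
    },
    "example-customer-exports": {
        "policy": {"bindings": [
            {"role": "roles/storage.objectViewer",
             "members": ["allAuthenticatedUsers",
                         "serviceAccount:etl@example.iam.gserviceaccount.com"]},
        ]},
        "resource": {},  # no versioning block: versioning is off
    },
    "example-private": {
        "policy": {"bindings": [
            {"role": "roles/storage.objectAdmin",
             "members": ["serviceAccount:app@example.iam.gserviceaccount.com"]},
        ]},
        "resource": {"versioning": {"enabled": True}},
    },
}


def public_bindings(policy):
    """(role, sorted public principals) for each binding that grants to the public."""
    out = []
    for binding in policy.get("bindings", []):
        public = PUBLIC_PRINCIPALS & set(binding.get("members", []))
        if public:
            out.append((binding["role"], sorted(public)))
    return out


def audit_buckets(buckets):
    """Map bucket name -> list of findings (empty list when the bucket is clean)."""
    report = {}
    for name, info in buckets.items():
        findings = []
        for role, principals in public_bindings(info.get("policy", {})):
            findings.append(f"{role} granted to {', '.join(principals)}")
        versioning = info.get("resource", {}).get("versioning", {})
        if not versioning.get("enabled", False):
            findings.append("object versioning disabled")
        report[name] = findings
    return report


if __name__ == "__main__":
    for bucket, findings in audit_buckets(SAMPLE_BUCKETS).items():
        print(bucket, "->", findings or "ok")
```

A role granted to `allAuthenticatedUsers` is reported exactly like `allUsers`, which matches the point made above that it is effectively everyone.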

6. Virtual Machines

One unique Google Cloud Platform function is the interactive serial port capability, but unfortunately, the interactive serial console does not support IP-based access restriction and allows connections from any IP address. This function should remain disabled, as it allows for brute force login attacks.
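An added example for this check (not part of the original post): the interactive serial console is controlled by the `serial-port-enable` metadata key, which can be set on an instance (`metadata.items` in `gcloud compute instances describe --format=json`) or inherited from the project (`commonInstanceMetadata.items` in `gcloud compute project-info describe --format=json`), with the instance value taking precedence. The script lists every instance on which the console is effectively enabled, including those that only inherit it from the project. Inputs are constructed samples.

```python
"""List Compute Engine instances with the interactive serial console enabled.

Added example, not from the original post. Evaluates the serial-port-enable
metadata key at instance level, falling back to project-level metadata.
The project and instance records below are constructed samples.
"""

SAMPLE_PROJECT = {
    "commonInstanceMetadata": {"items": [{"key": "serial-port-enable", "value": "TRUE"}]},
}

SAMPLE_INSTANCES = [
    {"name": "bastion", "metadata": {"items": [{"key": "serial-port-enable", "value": "0"}]}},
    {"name": "web-1", "metadata": {"items": []}},  # inherits the project setting
    {"name": "db-1", "metadata": {"items": [{"key": "serial-port-enable", "value": "true"}]}},
]


def _metadata(items):
    """Turn a metadata items list into a key -> value dict."""
    return {item.get("key"): item.get("value", "") for item in items or []}


def _truthy(value):
    """GCP accepts TRUE/true/1 for this key; anything else counts as disabled."""
    return str(value).strip().lower() in ("true", "1")


def serial_console_enabled(instance, project):
    """Effective setting for one instance: instance metadata overrides project metadata."""
    inst = _metadata(instance.get("metadata", {}).get("items"))
    if "serial-port-enable" in inst:
        return _truthy(inst["serial-port-enable"])
    proj = _metadata(project.get("commonInstanceMetadata", {}).get("items"))
    return _truthy(proj.get("serial-port-enable", "false"))


def instances_with_serial_console(instances, project):
    """Names of instances on which the interactive serial console is enabled."""
    return [i["name"] for i in instances if serial_console_enabled(i, project)]


if __name__ == "__main__":
    print(instances_with_serial_console(SAMPLE_INSTANCES, SAMPLE_PROJECT))
```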

Securing virtual machines in the cloud requires many of the same controls as in your local environment. Run network security scans, anti-malware apps, and keep track of changes with file integrity monitoring and change management.

7. Google App Engine

Google Cloud Platform provides the Cloud Security Scanner, which detects common vulnerabilities such as cross-site scripting (XSS), Flash injection, and insecure library usage. These free scans of your App Engine websites can be run both before and after you enter production, so it is an easy win on your road to increasing security in your DevOps process.

Are you working with Google Cloud Platform?

These fundamentals apply to any project implemented within Google Cloud Platform and can be expanded on and tailored to individual installations. More information can be found in the Center for Internet Security Google Cloud Platform Foundation Benchmark. The CIS benchmark provides guidance on best practice configurations for your Google Cloud Platform environment.

Tripwire’s Configuration Manager can help you determine the security state of your Microsoft Azure, Amazon Web Services, and Google Cloud Platform deployments by collecting and analyzing cloud account configuration data. Configuration Manager allows you to monitor your Azure Resource Manager, AWS and Google Cloud consoles for configuration changes, as well as perform automatic remediation of many security risks.

To learn more about Tripwire’s Configuration Manager, click here.

The post “A Google Cloud Platform Primer with Security Fundamentals” appeared first on TripWire.

Source: TripWire – Ben Layer

Tags: Cloud, Critical Severity, Encryption, Google, Microsoft, Privacy, TripWire
