We’ve previously discussed best practices for securing Microsoft Azure and Amazon Web Services, but this time we are going to turn our attention to Google Cloud Platform. Google Cloud Platform (GCP) holds 5 percent of the cloud market and is growing at an impressive 76 percent year over year, yet it is discussed far less than AWS and Azure. We can apply some of our cloud security best practice knowledge to outline fundamental steps for keeping Google Cloud Platform secure.
1. Identity and Access Management
A general rule of thumb is to use managed corporate credentials for your Google Cloud Platform accounts instead of personal Gmail accounts. This helps ensure complete visibility and control of the account as well as continuity of service in the event of personnel changes.
Additionally, as always, your GCP credentials should have multi-factor authentication enabled to combat the threat of breached or weak credentials.
Google allows for multiple projects within GCP with separate access control and billing accountability. Using multiple separate projects can help segment your resources so that the compromise of one machine or account does not put resources in another project in jeopardy.
2. Network Security
A first priority should be the removal of the “default” Virtual Private Cloud (VPC) network. Creating your own network gives you a much clearer picture of exactly what you are allowing in and out of your VPC network. The default network allows access to some internal GCP networks as well as global SSH and RDP access.
It is critical to limit your exposure to brute force attacks. Reduce the attack surface by removing global SSH and RDP access. When you define your own VPC network, take care not to allow access to port 22 or 3389 from the open internet (0.0.0.
This is a Security Bloggers Network syndicated blog post authored by Ben Layer. Read the original post at: The State of Security