We’ve previously discussed best practices for securing Microsoft Azure and Amazon Web Services, but this time we are going to turn our attention to Google Cloud Platform. Google Cloud Platform (GCP) is growing at an impressive 83 percent year over year, but generally receives less focus than AWS and Azure.
We can use some of our best practice cloud security knowledge to outline some fundamental steps for keeping Google Cloud Platform secure.
Identity and Access Management
A general rule of thumb is to use managed corporate credentials for your Google Cloud Platform accounts instead of personal Gmail accounts. This helps ensure complete visibility and control of the account as well as continuity of service in the event of personnel changes.
Additionally, as always, your GCP credentials should have multi-factor authentication enabled to combat the threat of breached or weak credentials.
Google allows for multiple projects within GCP with separate access control and billing accountability. Using multiple separate projects can help segment your resources so that the compromise of one machine or account does not put resources in another project in jeopardy.
A first priority should be the removal of the “default” Virtual Private Cloud (VPC) network. Creating your own network will give greater awareness of just what exactly you are allowing in and out of your VPC network. The default network allows access to some internal GCP networks as well as global SSH and RDP access.
It is critical to limit your exposure to brute force attacks. Limit attack surface area by removing global SSH and RDP access. When you define your own VPC network, take care to not allow access to port 22 or 3389 from the open internet (0.0.0.0).
It is always wise to use traditional network security best practices (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Ben Layer. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/cloud/google-cloud-platform/