The second article in our series on Google Cloud Platform (GCP) security is about GCP security best practices. If you haven't already read it, see Part 1 of this series, Securing Apps on Google Cloud Platform, Part 1: Finding Your Missing Pieces, for greater context into Part 2.
In the previous essay, we identified the missing pieces to securing your apps in GCP and how we might address these gaps. Do we need a big, heavy framework like we had in the data center? Do we need more developers? Do we need lots of security people to look at lots of disparate event streams? In Part 2, we're going to cover some of the approaches available to enterprises to secure their apps running in GCP.
To start off, we're going to use a guiding quote from Part 1: "The lack of a single security policy, management plane, or architecture means that fundamental capabilities like visibility and inspecting for malicious flows are casualties and must be augmented by yet even more discrete tools." Our job here is to fix this by helping you establish best practices in comprehensive visibility and control, features and functions, and compliance for your GCP environment.
Regardless of cloud environment, it's important to know what apps you have, how they are connected, and the level of visibility you are provided given the placement of controls. While these may have similar themes, they are not to be confused with posture management when describing placement of controls.
The focus here is on actual control and actual protection, not just on misconfigurations. Visibility gives you the ability to place controls accurately, whereas awareness only tells you that something needs to be patched; it does not give you control. We have described this as visibility for control's sake.
There are a couple of ways to do this in the cloud: agents that sit in the compute infrastructure, or a network-based implementation. Architecturally, agents have some advantages in that they can control the compute environment the app is running on, but that specificity comes at a cost: you need a specific agent for each kind of app environment, and the agent architecture doesn't work for serverless or cloud-managed platform as a service (PaaS).
We like the network implementation option for three reasons:
A word on encryption: in the cloud, everything is encrypted with Transport Layer Security (TLS), and a security architecture must accommodate that at a system level. Otherwise, each app's or security function's decrypt/encrypt step may have to be managed independently, which does not scale from an operations perspective and is a non-starter for many organizations.
In terms of the features and functions required for a comprehensive approach, we see cloud firewalling as the basis. Within cloud firewalling, segmentation is the foundational requirement and the starting point: it determines which workloads can be reached from the outside (ingress), which can be reached by other workloads (east-west), and which can make connections to outside services (egress).
Segmentation does not have to be about access control alone; it can also be combined with inspection policies based on workload context and security requirements. Beyond that, we see organizations placing a lot of emphasis on intrusion detection system/intrusion prevention system (IDS/IPS) capabilities in the post-Log4Shell era, especially to prevent lateral movement by attackers. Compliance teams are also putting web application firewall (WAF) and data loss prevention (DLP) on the agenda.
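As an added illustration of the segmentation model just described (this is example code written for this page, not code from the original post or from Cisco Multicloud Defense), here is a set of native GCP VPC firewall rules in Terraform that express the three segmentation questions as policy: what can come in, what can talk to what, and what can go out. The VPC name, the network tags, the subnet and external CIDRs, and the ports are all assumed placeholders.

```hcl
# Added example: VPC firewall rules that implement the three segmentation
# questions from the text (ingress, east-west, egress) on a hypothetical
# VPC named "app-vpc". All names, tags, ports and ranges are assumptions.

variable "app_subnet_cidr" {
  description = "Assumed CIDR of the subnet holding the app tier"
  default     = "10.10.2.0/24"
}

variable "external_api_cidr" {
  description = "Placeholder CIDR of the one external service the app tier may call"
  default     = "203.0.113.0/24" # TEST-NET-3 documentation range, not a real target
}

# GCP's implied rules allow all egress and deny all ingress at priority 65535.
# Make both directions default-deny explicitly, with logging, so that every
# permitted flow is a deliberate rule and every blocked flow is visible.
resource "google_compute_firewall" "deny_all_ingress" {
  name          = "app-vpc-deny-all-ingress"
  network       = "app-vpc"
  direction     = "INGRESS"
  priority      = 65534
  source_ranges = ["0.0.0.0/0"]
  deny { protocol = "all" }
  log_config { metadata = "INCLUDE_ALL_METADATA" }
}

resource "google_compute_firewall" "deny_all_egress" {
  name               = "app-vpc-deny-all-egress"
  network            = "app-vpc"
  direction          = "EGRESS"
  priority           = 65534
  destination_ranges = ["0.0.0.0/0"]
  deny { protocol = "all" }
  log_config { metadata = "INCLUDE_ALL_METADATA" }
}

# Ingress: only the "web" tier is reachable from outside, and only on 443.
resource "google_compute_firewall" "ingress_web_https" {
  name          = "app-vpc-ingress-web-https"
  network       = "app-vpc"
  direction     = "INGRESS"
  priority      = 1000
  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["web"]
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}

# East-west: the "app" tier accepts connections only from "web", only on 8080.
resource "google_compute_firewall" "east_west_web_to_app" {
  name        = "app-vpc-web-to-app"
  network     = "app-vpc"
  direction   = "INGRESS"
  priority    = 1000
  source_tags = ["web"]
  target_tags = ["app"]
  allow {
    protocol = "tcp"
    ports    = ["8080"]
  }
}

# Because egress is default-deny above, the "web" tier also needs an explicit
# egress allow toward the app subnet; egress rules match on destination ranges.
resource "google_compute_firewall" "egress_web_to_app" {
  name               = "app-vpc-egress-web-to-app"
  network            = "app-vpc"
  direction          = "EGRESS"
  priority           = 1000
  destination_ranges = [var.app_subnet_cidr]
  target_tags        = ["web"]
  allow {
    protocol = "tcp"
    ports    = ["8080"]
  }
}

# Egress: the "app" tier may open connections only to one external service.
resource "google_compute_firewall" "egress_app_to_external_api" {
  name               = "app-vpc-app-to-external-api"
  network            = "app-vpc"
  direction          = "EGRESS"
  priority           = 1000
  destination_ranges = [var.external_api_cidr]
  target_tags        = ["app"]
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}
```

Rules at priority 1000 win over the deny rules at 65534; any flow that matches no allow rule falls through to a logged deny, which is the "visibility for control's sake" point in practice. Three caveats a practitioner will hit: GCP firewall rules are stateful, so return traffic for allowed connections needs no rule of its own; traffic to the metadata server (169.254.169.254) is always permitted regardless of these rules; and if the web tier sits behind a Google load balancer you must also allow ingress from Google's published health-check ranges. Network tags are convenient but any instance in the project can be given one, so where workload identity matters, use `source_service_accounts` and `target_service_accounts` instead of tags.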
In summary, the requirements for GCP security look like this:
In the data center days, this would point to a big rack of appliances. In GCP, as in other public cloud platforms, appliances are an awkward fit at best. Cloud-native security services, like everything else in GCP, are the gold standard. A single control plane, using a single policy per app—across all of these security functions—is even better.
I mentioned compliance earlier, but it's worth bringing up again as a final point. Most organizations are touched in some way by the need to comply with various regulations. Most compliance standards have specific requirements for network-based controls, which are easier to manage than app-based controls at enterprise scale. And when you have a comprehensive security approach that includes segmentation, IDS/IPS, and cloud WAF, the time invested and the cost of meeting compliance are greatly reduced.
Multicloud Defense customers on GCP can take advantage of a strong architectural foundation, enterprise security capabilities, and cloud-native operations, and can meet compliance with ease. All of these are integrated with both modern DevOps frameworks and GCP infrastructure. Getting started with Cisco Multicloud Defense on GCP is easy. Here are a few ways to begin:
Read Securing Apps on Google Cloud Platform, Part 3: Gaining Comprehensive Protection in GCP with Multicloud Defense