What is Google Cloud Platform Security? 

Google Cloud Platform (GCP) security refers to the practices, technologies and standards implemented to secure applications, resources and data running on Google's cloud infrastructure service.

What is GCP? It is a cloud computing service delivered through physical and virtual resources distributed around the world and hosted in Google's data centers. The various services available to GCP users include data management, hybrid and multi-cloud architecture, and AI and Machine Learning (ML).

Known as the shared responsibility model, there are two ways to look at cloud security when using any cloud platform: the cloud provider works to secure the cloud environment and its perimeter, while the customer works to secure the operations running within that environment.

By definition, a public cloud service like GCP is delivered over the public internet. This means your sensitive and mission-critical applications and data can be accessed by authorized users and/or threat actors if appropriate measures are not taken to stop them.

This is obviously easier said than done, and misconfigured resources or vulnerabilities/weaknesses in an organization's security posture can lead to significant data breaches. To help address this, a wide variety of best practices and standards have been developed, including those provided by Google.

Why is Google Cloud Platform Security Important? 

GCP security is important because the various services it offers (backed by globally distributed software and hardware) are used for complex user operations that can be difficult to secure. These operations include: 

  • Digital transformation: Is your DevOps organization leaning further into cloud operations? 
  • Application security: A major benefit of moving application development to the cloud is speed, but how does security keep pace? 
  • Automation: As DevOps teams introduce more automation for highly repeatable processes, security checks should be integrated alongside it. 
  • Cloud compliance: When it comes to complex, multi-cloud environments, it's critical to maintain regulatory guardrails. 

To that last point, the Center for Internet Security (CIS) recently released an updated version of their GCP Foundations Benchmark. These benchmarks typically take the form of regulatory recommendations, in this instance covering configurations and policies ranging from resource isolation to compute and storage. They are not requirements, but they can go a long way toward mitigating future security issues.

Database or container misconfigurations are another reason GCP security is important. Unfortunately, these flaws are all too common and can leave a storage container vulnerable and exposed. Preventing, detecting, and remediating misconfigured cloud data services is a critical part of securing operations running on GCP. Detection and response solutions can help mitigate potential risk by collecting user access events, administrative activity, and log data generated by GCP to monitor running instances and account activity.

Google Cloud Platform Shared Responsibility Model

What does it mean to leverage a shared responsibility model (SRM) on GCP? As referenced above, the cloud provider is responsible for securing the infrastructure that runs user workloads, but the user is responsible for securing their confidential workloads, resources, and data within that cloud infrastructure.

Google states:

“When deciding how best to protect your data and workloads on Google Cloud, it is important to understand the shared responsibility model. The shared responsibility model describes the tasks you are responsible for with regard to security in the cloud, and how these tasks differ for the cloud provider.”

To know what type of shared responsibility model they're opting into, a user must first define the type of workloads they'll need to run. Based on this information, they will then be able to determine the type of cloud service they need to purchase. On GCP, these can include:

  • Infrastructure as a Service (IaaS): GCP's responsibilities are mostly focused on infrastructure and physical security. 
  • Platform as a Service (PaaS): GCP's responsibilities are focused on network controls; the user shares responsibility for application-level controls and IAM management. 
  • Function as a Service (FaaS): GCP's responsibilities are very similar to those for SaaS security. 
  • Software as a Service (SaaS): GCP's responsibilities cover the bulk of security operations. 

The key to hybrid or multi-cloud environments is educating DevOps talent on each cloud provider's shared responsibility model (read about the AWS version). By knowing who is responsible for what type of security, there will be fewer errors, and therefore fewer vulnerabilities.

Google Cloud Security Tools 

We now know that the cloud provider is responsible for securing its platform's infrastructure. Let's look at some of GCP's overarching security tools that help customers fulfill their side of the SRM.

Google Cloud Security Command Center

The Command Center helps with asset discovery and inventory, threat prevention, and threat detection. It lets you understand which assets are deployed at a given time and helps identify misconfigurations and compliance violations.

Google Cloud IAM

Identity and Access Management (IAM) lets user administrators act as gatekeepers for who can access which resources in a given cloud operation. Auditing capabilities provide visibility into, and pruning of, access at an organizational level.
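The storage-exposure misconfiguration described earlier and the IAM auditing mentioned here can both be checked from a policy document. The following Python script is an added example (not Google's or Rapid7's code): it audits IAM policies in the JSON shape returned by `gcloud projects get-iam-policy` or `gcloud storage buckets get-iam-policy`, flagging public principals and basic roles held by service accounts. The policies, project names and service accounts are constructed samples.

```python
"""Flag risky bindings in GCP IAM policy documents (added example, not Google's code).
Input per resource: {"bindings": [{"role": ..., "members": [...]}]}, the JSON shape
returned by `gcloud projects get-iam-policy` / `gcloud storage buckets get-iam-policy`."""
from typing import Dict, List

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}    # anyone / any Google account
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}  # broad legacy project roles

def _finding(severity, resource, role, member, issue) -> Dict[str, str]:
    return {"severity": severity, "resource": resource, "role": role,
            "member": member, "issue": issue}

def audit_policy(policy: Dict, resource: str) -> List[Dict[str, str]]:
    """Return one finding per risky (role, member) pair in a single policy."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        # An IAM Condition narrows when a binding applies; it does not make public access safe.
        suffix = " (conditional)" if "condition" in binding else ""
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(_finding("HIGH", resource, role, member,
                                         "public access via " + member + suffix))
            elif role in BASIC_ROLES and member.startswith("serviceAccount:"):
                findings.append(_finding("MEDIUM", resource, role, member,
                                         "service account holds a basic role"))
    return findings

def audit_all(policies: Dict[str, Dict]) -> List[Dict[str, str]]:
    findings = []
    for resource, policy in policies.items():  # e.g. every bucket and project in scope
        findings.extend(audit_policy(policy, resource))
    return findings

# Constructed samples: a bucket readable by the whole internet, and a project where a
# service account holds roles/editor instead of a narrowly scoped predefined role.
SAMPLE_POLICIES = {
    "gs://example-bucket": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ]},
    "projects/example-project": {"bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:batch@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["group:devs@example.com"]},
    ]},
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_POLICIES):
        print("[%(severity)s] %(resource)s %(role)s -> %(member)s: %(issue)s" % f)
```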

Google Cloud KMS

A Key Management Service (KMS) puts encryption control in the hands of the user. Google's KMS capabilities support encryption key management in a central cloud service and give users the flexibility to encrypt data with symmetric or asymmetric keys under their own control.

Google Cloud Operations Suite 

Cloud monitoring and logging are essential security tools within GCP. Accessed from a centralized suite, logging is a managed service that ingests application data, log data, and data from other services inside and outside of Google Cloud. Monitoring imparts visibility into the health of applications running on GCP, including metrics, events, and metadata.
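The monitoring use case above (administrative activity and account activity in GCP log data) can be turned into a concrete detection over exported Cloud Audit Logs. The following Python script is an added example (not Google's or Rapid7's code): it scans newline-delimited LogEntry JSON, as a Cloud Logging sink writes it, and flags IAM policy changes that grant public access plus a small watch-list of Admin Activity methods. The log lines, project and account names are constructed; the watch-list is an assumption, not a Google-provided rule set.

```python
"""Detect risky admin activity in exported GCP Cloud Audit Logs (added example, not
Google's or Rapid7's code). Input: newline-delimited LogEntry JSON from a Cloud Logging
sink. Only a few protoPayload fields are read; every log line here is constructed."""
import json
from typing import Dict, Iterable, List

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
WATCHED_METHODS = {  # Admin Activity methods that merit a detection on their own (assumed list)
    "google.iam.admin.v1.CreateServiceAccountKey": "long-lived service account key created",
    "v1.compute.firewalls.insert": "firewall rule created",
}

def analyze_entry(entry: Dict) -> List[Dict[str, str]]:
    """Return findings for one LogEntry (empty list if nothing looks risky)."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
    target = payload.get("resourceName", "")
    findings = []
    if method == "SetIamPolicy":  # inspect what the policy change actually granted
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            if delta.get("action") == "ADD" and delta.get("member") in PUBLIC_PRINCIPALS:
                findings.append({"actor": actor, "target": target, "what":
                                 "granted %s to %s" % (delta.get("role"), delta["member"])})
    elif method in WATCHED_METHODS:
        findings.append({"actor": actor, "target": target, "what": WATCHED_METHODS[method]})
    return findings

def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    findings = []
    for line in lines:
        try:
            findings.extend(analyze_entry(json.loads(line)))
        except json.JSONDecodeError:  # skip a malformed line rather than abort the scan
            continue
    return findings

# Constructed sample export: a public IAM grant, a key creation, benign data access, junk.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"protoPayload": {"methodName": "SetIamPolicy", "resourceName": "projects/example-project",
                      "authenticationInfo": {"principalEmail": "dev@example.com"},
                      "serviceData": {"policyDelta": {"bindingDeltas": [
                          {"action": "ADD", "role": "roles/viewer", "member": "allUsers"}]}}}},
    {"protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey",
                      "resourceName": "projects/-/serviceAccounts/ci@example-project.iam.gserviceaccount.com",
                      "authenticationInfo": {"principalEmail": "dev@example.com"}}},
    {"protoPayload": {"methodName": "storage.objects.get", "resourceName": "projects/_/buckets/b/objects/a.txt",
                      "authenticationInfo": {"principalEmail": "app@example-project.iam.gserviceaccount.com"}}},
]) + "\nnot json\n"
```

Running `scan_log(SAMPLE_LOG.splitlines())` yields two findings (the public grant and the key creation); the data-access read and the malformed line produce none.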

Google Cloud Security Scanner

GCP's Web Security Scanner checks for vulnerabilities in a user's App Engine, Kubernetes, and Compute Engine web applications. It crawls an application to scan as many user inputs and event handlers as possible. It is intended as an add-on service that complements a user's existing vulnerability scanning operations.

Often, however, native tooling doesn’t extend to securing everything and can be hard to manage, thus the need for standalone cloud-security providers.

Google Cloud Platform Best Practices 

It's a good idea to adopt some best-practice approaches, not only to reduce vulnerability risk, but also to keep compliance in continuous good standing and DevSecOps organizations running from a solid knowledge base. Google recommends:

Build a layered security approach 

Implement security at every level of your application and infrastructure by applying a defense-in-depth approach. Use the features in each product to limit access and configure encryption where appropriate. 

Design for secured decoupled systems 

Simplify system design to accommodate flexibility where possible, and document security requirements for each component. Incorporate a robust secured mechanism to account for resiliency and recovery. 

Automate deployment of sensitive tasks 

Take humans out of the workstream by automating deployment and other admin tasks.

Automate security monitoring 

Use automated tools to monitor your application and infrastructure. To scan your infrastructure for vulnerabilities and detect security incidents, use automated scanning in your continuous integration and continuous deployment (CI/CD) pipelines.

Meet the compliance requirements for your regions 

Be aware that you may need to obfuscate or redact personally identifiable information (PII) to meet regulatory requirements. Where possible, automate your compliance efforts.

Comply with data residency and sovereignty requirements 

You might have internal (or external) requirements that require you to control where data is stored and processed. These requirements vary based on systems design objectives, industry regulatory concerns, national law, tax implications, and culture. Data residency describes where your data is stored.

Shift security left

DevOps and deployment automation can let your organization increase the speed at which it delivers products. To help ensure that your products remain secure, incorporate security processes from the start of the development process.

Read More About GCP Cloud Security

2022 Cloud Misconfigurations Report: Latest Cloud Security Breaches and Attack Trends
