Over the last two years, I have had the opportunity to work with hundreds of customers to understand their key compliance and security requirements in public cloud environments. The consistent theme among these customers has been the lack of visibility and governance in the cloud. Customers are also interested in putting security guardrails in place and auto-remediating configuration drift to prevent security breaches. Towards that, CIS (Center for Internet Security) has done a commendable job over the years in creating a framework that is purpose-built for cloud environments and that CISOs can benchmark their cloud environments against. CIS released the benchmark for AWS three years ago, the benchmark for Azure earlier this year, and very recently the CIS benchmark for Google Cloud.
At RedLock, our mission has been to help organizations mitigate cloud security and compliance risks that threaten their ability to drive digital business. Towards that, we have always strived to provide best-in-class security and compliance for public cloud services. Today, we are pleased to announce support for CIS compliance reporting for Google Cloud Platform (GCP). Customers can sign up for the RedLock service, onboard Google projects or the entire organization, and instantly gain security visibility in their GCP environment through the lens of the CIS benchmark. We have been working with the CIS committee for months to provide our perspective on the benchmark and are glad to be first in the industry to have the compliance reporting for GCP against the CIS benchmark.
Similar to the CIS benchmarks for AWS and Azure, the one for GCP casts a wide net across various IaaS and PaaS services in Google Cloud. The CIS benchmark includes the usual sections covering Identity and Access Management, Logging and Monitoring, Networking, Storage, Databases and Virtual Machines. The difference, however, is the introduction of an entirely new section around Google Kubernetes Engine (GKE). Given the popularity of Kubernetes, we are glad that Google's fully managed Kubernetes solution (GKE) was included in the CIS benchmark.
Here's the breakdown of the relevant sections in the CIS benchmark that customers should address in their GCP environment, and how RedLock helps customers meet the guidelines in each section.
Securing cloud and on-prem environments starts with locked-down IAM controls. Based on the principle of least privilege, organizations have to ensure that users and service accounts only have access to the services they are authorized to use. Customers must also have strong authentication controls in place to prevent account compromise. The CIS benchmark includes some important guidelines in this area, such as ensuring that all (non-service-account) cloud users have multi-factor authentication (MFA) enabled, that service account keys used for API access are restricted to the accounts that actually need them, and that those keys are rotated periodically.
RedLock supports a majority of the IAM related security controls but it also goes a step further. RedLock can also detect privileged and unusual activities and alert the security team in the event of a user or service account compromise as well as potential insider threats.
This section covers enabling logging across various Google Cloud services such as VPC, Cloud Storage, SQL instances and more. GCP makes it easy for customers to enable logging and monitoring but I am always surprised by how many customers still fail to do this. Enabling audit logs across services allows customers not only to meet compliance requirements but also makes it easy for security operations and incident response teams to investigate an incident in the event of a breach.
RedLock ingests all audit activity in a Google Cloud environment through Stackdriver Logging. Customers can query any activity in GCP using the easy-to-use and highly extensible RedLock Query Language (RQL). Furthermore, customers can create policies around privileged activities and monitor them on a continuous basis.
Maintaining proper network security hygiene is arguably the most important aspect of securing your cloud environment. The CIS benchmark, among other things, requires that the default network with its permissive default firewall rules is not used, and that firewall rules do not allow ingress from the whole internet (0.0.0.0/0) on privileged ports such as SSH (22) and RDP (3389).
In addition to supporting these firewall configuration policies, RedLock also plans to provide real-time visibility into network traffic for workloads that are using these overly permissive firewall rules. This gives customers visibility into not just “what could go wrong” but also “what is wrong” by providing real-time network forensics. Customers can now gain insights not just into configuration drifts but can also detect advanced network threats such as cryptojacking, host compromises, and data exfiltration attempts.
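As an added example of the firewall guideline above (not RedLock's code and not part of the original post): the script below reads the JSON produced by `gcloud compute firewall-rules list --format=json` and reports ingress rules that open SSH or RDP to 0.0.0.0/0 or ::/0. The field names (`direction`, `disabled`, `sourceRanges`, `allowed[].IPProtocol`, `allowed[].ports`), the port list and the sample rules are assumptions made for the example; a rule with no `ports` list is treated as covering every port of its protocol, which is how gcloud represents it.

```python
"""Flag VPC firewall rules that expose privileged ports to the whole internet.

Input is the JSON shape emitted by `gcloud compute firewall-rules list --format=json`
(assumed fields: name, network, direction, disabled, sourceRanges,
allowed[].IPProtocol, allowed[].ports). The sample rules are constructed.
"""
import json

# Ports the CIS GCP benchmark names explicitly; extend with e.g. 3306 or 5432 as needed.
PRIVILEGED_PORTS = {22: "SSH", 3389: "RDP"}
WORLD_RANGES = {"0.0.0.0/0", "::/0"}


def port_spec_covers(spec: str, port: int) -> bool:
    """True if a gcloud port spec ("22" or "1000-2000") includes `port`."""
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def exposed_ports(rule: dict) -> list:
    """Privileged ports this rule opens to the internet (sorted), or [] if none."""
    if rule.get("disabled"):
        return []  # disabled rules are not enforced
    if rule.get("direction", "INGRESS") != "INGRESS":
        return []  # egress rules use destinationRanges; out of scope here
    if not WORLD_RANGES & set(rule.get("sourceRanges", [])):
        return []  # scoped to specific sources
    hits = set()
    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol", "").lower()
        if proto not in ("tcp", "all"):
            continue
        specs = allowed.get("ports")
        if not specs:  # absent port list means every port of the protocol
            hits.update(PRIVILEGED_PORTS)
            continue
        for spec in specs:
            hits.update(p for p in PRIVILEGED_PORTS if port_spec_covers(spec, p))
    return sorted(hits)


def audit(rules_json: str) -> dict:
    """Map each offending rule name to the privileged ports it exposes."""
    findings = {}
    for rule in json.loads(rules_json):
        ports = exposed_ports(rule)
        if ports:
            findings[rule["name"]] = ports
    return findings


# Constructed sample: a default-network SSH rule, an all-traffic rule, a scoped RDP rule,
# a disabled rule, and an egress rule.
SAMPLE_RULES = json.dumps([
    {"name": "default-allow-ssh", "network": "default", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "wide-open", "network": "prod", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "rdp-from-office", "network": "prod", "direction": "INGRESS",
     "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "disabled-rdp", "network": "prod", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    {"name": "egress-any", "network": "prod", "direction": "EGRESS",
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp"}]},
])

if __name__ == "__main__":
    for name, ports in audit(SAMPLE_RULES).items():
        services = ", ".join(PRIVILEGED_PORTS[p] for p in ports)
        print(f"{name}: exposes {services} to the internet")
```

Note that a finding here says only what *could* go wrong; whether the rule is attached to any running instance (via network tags or service accounts) is a separate question, which is the gap the network-traffic visibility described above is meant to close.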
Virtual machines (VMs) represent the bulk of cloud workloads in most customer environments, so it is important to ensure that appropriate VM security hygiene is in place. The CIS benchmark includes several critical guidelines, such as making sure that the disks of critical VMs are encrypted with customer-supplied encryption keys (Google encrypts every disk at rest by default, so the benchmark item is about who controls the key), and that instances are not configured with the default service account and full access to all Cloud APIs.
RedLock supports several important guidelines in this category. Customers can also craft custom rules against virtual machines using the RedLock Query Language. For example, they can look for disk encryption on instances that carry specific labels (for example, PCI) and are in the "running" state.
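As an added example of that labelled-and-running query, written in plain Python rather than RQL (this is not RedLock's code and not part of the original post): the script reads the JSON from `gcloud compute instances list --format=json`, keeps only RUNNING instances with a chosen label, and reports the two VM guidelines above. The field names (`status`, `labels`, `serviceAccounts[].email/scopes`, `disks[].deviceName/diskEncryptionKey`), the default service account suffix, the `cloud-platform` scope as the "all Cloud APIs" marker, and the sample inventory are assumptions made for the example.

```python
"""Audit running, labelled Compute Engine instances for two CIS VM guidelines:
default service account with the all-APIs scope, and disks without a
customer-supplied encryption key (CSEK).

Input is the JSON shape of `gcloud compute instances list --format=json`
(assumed fields: name, status, labels, serviceAccounts[].email, serviceAccounts[].scopes,
disks[].deviceName, disks[].diskEncryptionKey). The sample inventory is constructed.
"""
import json

# "Allow full access to all Cloud APIs" in the console maps to this OAuth scope.
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
# Project default compute service account: <project-number>-compute@developer.gserviceaccount.com
DEFAULT_SA_SUFFIX = "-compute@developer.gserviceaccount.com"


def vm_findings(inst: dict) -> list:
    """Human-readable findings for one instance; [] means both guidelines pass."""
    out = []
    for sa in inst.get("serviceAccounts", []):
        email = sa.get("email", "")
        if email.endswith(DEFAULT_SA_SUFFIX) and CLOUD_PLATFORM_SCOPE in sa.get("scopes", []):
            out.append(f"default service account {email} has the cloud-platform scope")
    for disk in inst.get("disks", []):
        # Every disk is encrypted at rest by Google; a CSEK shows up as a
        # diskEncryptionKey block on the attached disk, which is what we look for.
        if "diskEncryptionKey" not in disk:
            out.append(f"disk {disk.get('deviceName', '?')} is not CSEK-encrypted")
    return out


def audit(instances_json: str, label: str, value: str) -> dict:
    """Map instance name -> findings, for RUNNING instances where labels[label] == value."""
    report = {}
    for inst in json.loads(instances_json):
        if inst.get("status") != "RUNNING":
            continue
        if inst.get("labels", {}).get(label) != value:
            continue
        findings = vm_findings(inst)
        if findings:
            report[inst["name"]] = findings
    return report


DEFAULT_SA = {"email": "123456789012" + DEFAULT_SA_SUFFIX, "scopes": [CLOUD_PLATFORM_SCOPE]}
SCOPED_SA = {"email": "db@demo-proj.iam.gserviceaccount.com",
             "scopes": ["https://www.googleapis.com/auth/logging.write"]}

# Constructed sample: one non-compliant PCI VM, one compliant PCI VM,
# one stopped PCI VM (skipped), one dev VM (wrong label, skipped).
SAMPLE_INSTANCES = json.dumps([
    {"name": "pci-web-1", "status": "RUNNING", "labels": {"pci": "true"},
     "serviceAccounts": [DEFAULT_SA], "disks": [{"deviceName": "boot"}]},
    {"name": "pci-db-1", "status": "RUNNING", "labels": {"pci": "true"},
     "serviceAccounts": [SCOPED_SA],
     "disks": [{"deviceName": "boot", "diskEncryptionKey": {"sha256": "constructed-placeholder"}}]},
    {"name": "pci-web-2", "status": "TERMINATED", "labels": {"pci": "true"},
     "serviceAccounts": [DEFAULT_SA], "disks": [{"deviceName": "boot"}]},
    {"name": "dev-box", "status": "RUNNING", "labels": {"env": "dev"},
     "serviceAccounts": [DEFAULT_SA], "disks": [{"deviceName": "boot"}]},
])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSTANCES, "pci", "true").items():
        for f in findings:
            print(f"{name}: {f}")
```

Filtering on `RUNNING` keeps the report actionable; stopped instances still deserve a look before they are started again, so a second pass without the status filter is reasonable for the PCI label.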
Over the last 12 months, we have seen more breaches involving storage buckets than I can count. Given the wide adoption of buckets for storing data, hosting websites, and other content, they are prone to accidental public exposure. The CIS benchmark contains the usual checks for publicly accessible buckets, that is, IAM bindings that grant a role to allUsers or allAuthenticatedUsers. We recommend that customers lock down their buckets unless they are hosting public-facing content. More importantly, customers should continuously monitor and auto-remediate bucket permissions across all of their GCP projects.
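As an added example of that bucket check (not RedLock's code and not part of the original post): the script below inspects per-bucket IAM policies in the JSON shape returned by `gsutil iam get gs://<bucket>`, separates buckets that are meant to be public (an allowlist for website buckets) from unexpected exposure, and prints the `gsutil iam ch -d` commands that would remove the public bindings. The policy field names, the allowlist, the `gsutil iam ch -d member:role` syntax and the sample policies are assumptions made for the example.

```python
"""Flag Cloud Storage buckets whose IAM policy grants a role to allUsers or
allAuthenticatedUsers, and emit the commands that would revoke those grants.

Per-bucket input is the JSON shape of `gsutil iam get gs://<bucket>`
(assumed fields: bindings[].role, bindings[].members). Sample policies are constructed.
"""
import json

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_grants(policy: dict) -> list:
    """Sorted (principal, role) pairs that expose the bucket beyond the project."""
    grants = set()
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                grants.add((member, binding["role"]))
    return sorted(grants)


def audit(policies: dict, intended_public: set) -> dict:
    """Map bucket -> {"grants": [...], "status": "expected" | "unexpected"}.

    Buckets on the allowlist are still reported (so the allowlist itself stays
    reviewable) but marked as expected; buckets with no public grant are omitted.
    """
    report = {}
    for bucket, raw_policy in policies.items():
        grants = public_grants(json.loads(raw_policy))
        if not grants:
            continue
        status = "expected" if bucket in intended_public else "unexpected"
        report[bucket] = {"grants": grants, "status": status}
    return report


def remediation(bucket: str, grants: list) -> list:
    """gsutil commands removing each public binding (assumed `iam ch -d member:role` form)."""
    return [f"gsutil iam ch -d {member}:{role} gs://{bucket}" for member, role in grants]


# Constructed sample: a backup bucket leaked to allUsers, a website bucket that is
# intentionally public, and an internal bucket with a normal binding.
SAMPLE_POLICIES = {
    "corp-backups": json.dumps({"bindings": [
        {"role": "roles/storage.admin", "members": ["group:sre@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]}], "etag": "CAE="}),
    "www-assets": json.dumps({"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allAuthenticatedUsers"]}],
        "etag": "CAE="}),
    "internal-logs": json.dumps({"bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:app@demo-proj.iam.gserviceaccount.com"]}], "etag": "CAE="}),
}
INTENDED_PUBLIC = {"www-assets"}  # assumed allowlist of buckets serving public content

if __name__ == "__main__":
    for bucket, entry in audit(SAMPLE_POLICIES, INTENDED_PUBLIC).items():
        print(f"{bucket}: {entry['status']} public access {entry['grants']}")
        if entry["status"] == "unexpected":
            for cmd in remediation(bucket, entry["grants"]):
                print("  fix:", cmd)
```

Generating the revoke commands rather than running them keeps the script safe to run from a read-only identity; an auto-remediation job would execute the same commands, ideally only for the "unexpected" rows.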
Google Cloud provides a fully managed database service through Cloud SQL. Since customers store sensitive data in most databases, it is important that Cloud SQL instances have appropriate security configurations in place. For example, customers should make sure that database instances require SSL for all incoming connections and that they are not open to the world, i.e. that no authorized network is set to 0.0.0.0/0.
In addition to providing basic security hygiene for Cloud SQL database instances, RedLock also leverages advanced analytics to detect databases running in non-managed compute environments. This helps customers easily identify and provide security guardrails across both managed and unmanaged databases in their GCP environment.
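As an added example of the two Cloud SQL checks above (not RedLock's code and not part of the original post): the script reads the JSON shape of `gcloud sql instances describe <name> --format=json` for each instance and reports instances with a public IP that either do not require SSL or list an authorized network covering the whole internet. The field names (`settings.ipConfiguration.ipv4Enabled`, `.requireSsl`, `.authorizedNetworks[].value`) and the sample instances are assumptions made for the example; private-IP-only instances are skipped because neither check applies to them.

```python
"""Check Cloud SQL instances for SSL enforcement and world-open authorized networks.

Input is a JSON list of instance resources in the shape of
`gcloud sql instances describe <name> --format=json` (assumed fields:
name, settings.ipConfiguration.ipv4Enabled, .requireSsl, .authorizedNetworks[].value).
The sample instances are constructed.
"""
import ipaddress
import json


def instance_findings(instance: dict) -> list:
    """Human-readable findings for one instance; [] means it passes both checks."""
    ipcfg = instance.get("settings", {}).get("ipConfiguration", {})
    out = []
    if not ipcfg.get("ipv4Enabled", False):
        return out  # private IP only: there is no public endpoint to harden
    if not ipcfg.get("requireSsl", False):
        out.append("requireSsl is false: clients may connect in cleartext")
    for net in ipcfg.get("authorizedNetworks", []):
        value = net.get("value", "")
        try:
            cidr = ipaddress.ip_network(value, strict=False)
        except ValueError:
            out.append(f"authorized network {value!r} is not a valid CIDR")
            continue
        if cidr.prefixlen == 0:  # 0.0.0.0/0 or ::/0
            out.append(f"authorized network {value} admits the whole internet")
    return out


def audit(instances_json: str) -> dict:
    """Map instance name -> findings, omitting instances with none."""
    report = {}
    for inst in json.loads(instances_json):
        findings = instance_findings(inst)
        if findings:
            report[inst["name"]] = findings
    return report


def _instance(name: str, ipv4: bool, require_ssl: bool, networks: list) -> dict:
    """Build a minimal instance resource for the constructed sample."""
    return {"name": name, "settings": {"ipConfiguration": {
        "ipv4Enabled": ipv4, "requireSsl": require_ssl,
        "authorizedNetworks": [{"name": f"net{i}", "value": v} for i, v in enumerate(networks)]}}}


# Constructed sample: one instance failing both checks, one compliant, one private-only,
# one open to all of IPv6.
SAMPLE_INSTANCES = json.dumps([
    _instance("orders-db", True, False, ["0.0.0.0/0"]),
    _instance("reports-db", True, True, ["203.0.113.10/32"]),
    _instance("private-db", False, False, []),
    _instance("legacy-db", True, True, ["::/0"]),
])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSTANCES).items():
        for f in findings:
            print(f"{name}: {f}")
```

Parsing the authorized network with `ipaddress` rather than comparing strings catches spellings such as `0.0.0.0/0` with stray whitespace or an IPv6 `::/0`, and surfaces malformed entries instead of silently passing them.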
Over the last several years, there has been a major shift in how applications are developed and deployed. Rather than writing one large monolithic application, developers use containers to build modular application services and continuously deploy those services in the cloud. Kubernetes, which started as a Google project, leads the pack as the most popular container orchestration system. Google also provides a fully managed Kubernetes service, Google Kubernetes Engine (GKE), which has gained a lot of popularity amongst DevOps teams. The CIS benchmark includes several important security controls for GKE, including authentication, network security controls, and Pod Security Policies, amongst other things.
The RedLock security research team played a pivotal role in influencing the CIS committee to include GKE in the benchmark. RedLock supports a majority of the GKE-related security benchmark, and is first in the industry to provide a security benchmark against a fully managed Kubernetes service in the cloud.
RedLock enables effective threat defense across Google Cloud Platform (GCP), Amazon Web Services, and Microsoft Azure environments. The RedLock Cloud 360™ platform takes a new AI-driven approach that correlates disparate security datasets including network traffic, user activities, risky configurations, and threat intelligence, to provide a unified view of risks across fragmented cloud environments.
Get a demo to see how RedLock can help you with:
If you’d like to learn more about our support for GCP CIS, please contact us for more information.