How to get the most out of Google Cloud Platform’s Security At The Network Level?

Tune in to this episode of CloudUp, where we talk about policy as code and how it relates to network security.

Meet the Speakers

Han Kim

Principal Architect

Jeremy Pries

Director of Cloud Infrastructure

Transcript

– Hi today we’re going to talk about policy as code and how it relates to network security.

– So I think that one of the big things that we see all the time with clients is how Google’s network policies and network security can be bypassed pretty easily by simple erroneous things, especially when you’re clicking around in the console, like opening up firewall rules and access to VMs without anything in between monitoring, and/or any policies in place.

– Yeah, I think, uh, you know, customers who don’t have great policies get the dreaded email from Google’s security department that says “You’re mining bitcoin and that’s against terms of service. Shut it down or we’ll shut you down.” Right? And no one wants that, and it’s pretty easy in the cloud to turn on an IP address, and maybe have a need for a problem you’re working on and open up a firewall port. And next thing you know your machine’s hung off the internet. So, um, you know, obviously that’s not a great design unless you really intend for that to happen and you’ve got processes in place to secure it. So I think the load balancer is the first thing to bring up from an external access perspective. That’s the first spot to put something in between your VM instances or containers or whatever other products behind the load balancers. So that load balancer is the thing that’s on the internet.

– I see, so instead of going directly to the compute resource like a virtual machine or directly to a cluster, there’s something in between that helps to mitigate further intrusion. And a load balancer is one of those things.

– Yeah, Google’s kinda newish product to the market is called “Cloud Armor”, and that bolts on to the load balancer. And it sort of, then it is a framework that we can use to add different security policies to the inbound traffic. So the easy thing to picture is the SQL injection.

– Right? We don’t want to allow SQL injection queries to ever hit our back end server if we can prevent it.

– I see what you’re saying. So in terms of, like, the ease of setting up something that helps to mitigate network intrusion, I know for a fact that oftentimes, because Google gives you a default network, it’s easy just to climb onto that and use what’s available without going any further and not thinking any further. Is there any way we can kind of mitigate the inbound security issues of just sitting down, using what’s presented to us and thereby causing security breaches?

– Yeah, for sure. I think it’s in everybody’s best practices guide to turn off the default network. And it’s not so hard to secure that. But in the end you wanna get all those default policies cleaned up, right? And so I think the most frightening example of a default network is the fact that east-west traffic is wide open. So say one VM’s compromised because an accidental firewall rule was put into place. Now an intruder on that VM can run around that VPC and try to access the other systems as well without any kind of firewall concerns whatsoever. So the suggested approach is to turn off that east-west rule, or in the end, to make sure you’re secure, just provision brand new VPCs from the beginning and not use the default.

– It seems like, if that’s the case, then once again we’re going back to this idea of maybe using a set of policies that can dictate what a person can or cannot request, or can or cannot use. So that we begin with something that’s intrinsically secure from the very get-go without allowing that human error to become present.

– Yeah, sure. So if we’re the security operations group, we wouldn’t want to allow any of our users to open up east-west rules that say allow any-any, right? We would want to put a policy in place rather than push buttons for them, of course, right? And put the policy in place that denies that change from ever happening. Or potentially find it after the fact, with a policy scanning application.

– I see. So, like, I think that you’re saying that both before we even provision the networking, and then after it’s even provisioned, we should be constantly monitoring and making sure that the things that we don’t want to have happen are not present within our network.

– Yeah, for sure. I mean, a continual scanning strategy is good, is probably required. Even better would be to scan for those changes before they take place.

– I agree. I think that that is the only way to ensure that both ends of the requirements are met. In that, if your network policy has changed, the things that are already out there can be scanned and notify you that these no longer comply with this changed policy. Whereas that changed policy also then blocks new requests coming in that don’t comply with the policy that was set.

– Yeah, for sure. So it’s a, definitely you need the ability to add policies as you go, right? The CIS benchmarks are something that I think everyone in the security industry is familiar with. And when they scan their cloud implementations, typically things turn up red. So a board of red is not a great status until we have time to clean it up. So maybe we put it in a place in the system to grow, right? And to start with the really simple ones, and then add policies as we go.

– Right, so it’s more of an interim approach than a one-and-done kind of mentality.

– Yeah, I don’t, it doesn’t seem realistic to go in and say “we’re going to comply with every benchmark” from the beginning if we have a system that was developed, a system that was built out before the policies were developed. For sure, creating a board of a bunch of warnings that no one has time to deal with right now is not a great recipe for success. It shouldn’t be the norm that everything’s red.

– Well, it seems to me that, like, in all these security concerns that we’ve been talking about, the core of it all is the policy. The policy as code and how we implement it. Probably some sort of automation. And then also a strategic look at the entire operation from the beginning to the end, without going in tactically just to do things because it’s easy or fast. I think that’s what gets us in trouble the most. Thanks for watching. Let us know what security issues are important to you.