Protecting IaaS Workloads - A quick look at GCP’s Security Command Center


Google’s Cloud Security Command Center provides a centralized overview of vulnerabilities and threats within a customer’s GCP cloud estate (Figure 1).

In the Infrastructure-as-a-Service (IaaS) world, Google’s VM Manager is the GCP service for managing Windows and Linux VMs at scale (patching, inventory, configuration). Acting as a Security Health Analytics detector, VM Manager also identifies OS-level vulnerabilities on these VMs, including known Common Vulnerabilities and Exposures (CVEs) in installed packages, and pushes the resulting findings into the Security Command Center.

Besides OS-level vulnerability detection, GCP also provides a Web Security Scanner service. Its managed scans run weekly against the public HTTP and HTTPS endpoints of VMs (ports 80 and 443) and test for most of the OWASP Top 10 risk categories. This gives application and security teams insight into potential web vulnerabilities without having to run and maintain dedicated scanning infrastructure.

However, security architects and CISOs must understand the limitations. First, the Security Command Center does not offer a code scan that identifies insecure coding practices. Second, the weekly managed scans do not authenticate, so any URL or application that sits behind a login is out of scope unless a team configures and maintains a custom scan with credentials. Thus, these GCP features and tools do not replace periodic (white-box) penetration testing, nor do they substitute for static code analysis, two widespread security best practices. Despite these limitations, VM Manager together with the Web Security Scanner does reduce the attack surface, especially against common, easy-to-automate attacks that look for unpatched packages and well-known web flaws.

For near-real-time attack and threat detection, GCP includes Virtual Machine Threat Detection, which scans VM memory and disks for malware, cryptocurrency mining, and other suspicious behavior. Again, security specialists have to understand the limitations:

  • The service covers Linux and Windows VMs, though the coverage of Windows VMs is (at the time of writing) less comprehensive.
  • Confidential VMs encrypt guest memory precisely so that no component outside the VM, including the hypervisor, can read it; consequently, GCP cannot inspect their memory, and threat detection does not cover them.
  • Disks encrypted with customer-managed or customer-supplied keys (CMEK/CSEK) are not covered either.

However, Google’s threat detection has an architectural advantage. It operates at the hypervisor level, so no agent has to be installed inside the VMs. This removes the usual operational burden of installing, monitoring, and maintaining agents on 100% of the fleet, which is where agent-based approaches typically develop coverage gaps.

When looking from a cloud customer perspective, relevant security architecture tasks in this context include:

  • Clarify the roles of GCP and non-GCP tools, an essential topic for an organization’s Secure Software Development Lifecycle (SDLC).
  • Assign responsibilities for configuring the tools and managing the findings, especially where tool capabilities overlap.
  • Set up the GCP Security Command Center (correctly) so that it actually reports the expected vulnerabilities and threats. An estate with no findings at all is more likely a sign of a misconfigured or unenabled detector than of a clean environment.
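The two checks implied by the list above, "is every detector actually reporting?" and "which VMs fall outside the hypervisor-based threat detection described earlier?", can be automated against exported data. The script below is an added example written for this article; it is not Google's code and not part of the original post. It assumes the findings export has the shape of the Security Command Center v1 Finding resource (for instance from `gcloud scc findings list <organization-id> --format=json`) and the VM inventory the shape of the Compute Engine instance resource (`gcloud compute instances list --format=json`). The mapping from detector to SCC category names, the `windows-cloud` license check, and all sample data are assumptions constructed for the example.

```python
"""Sanity checks over Security Command Center findings and a VM inventory.

Added example for this article, not code from Google or the original post.
All sample data is constructed. Field names follow the SCC v1 Finding resource
(category, findingClass, state, resourceName) and the Compute Engine instance
resource (confidentialInstanceConfig, disks[].diskEncryptionKey, disks[].licenses).
"""
import json

# Assumption: these category strings identify findings of each detector.
# They must be kept in sync with the SCC documentation.
VULN_DETECTOR_CATEGORIES = {
    "VM Manager": {"OS_VULNERABILITY"},
    "Web Security Scanner": {"XSS", "SQL_INJECTION", "OUTDATED_LIBRARY", "MIXED_CONTENT"},
}
# VM Threat Detection category names share these prefixes (assumption).
VMTD_PREFIXES = ("Execution: Cryptocurrency Mining", "Malware:")
ALL_DETECTORS = list(VULN_DETECTOR_CATEGORIES) + ["VM Threat Detection"]

# Constructed sample of an SCC findings export, trimmed to the fields used here.
SAMPLE_FINDINGS = json.dumps([
    {"category": "OS_VULNERABILITY", "findingClass": "VULNERABILITY", "state": "ACTIVE",
     "resourceName": "//compute.googleapis.com/projects/demo/zones/europe-west1-b/instances/web-1"},
    {"category": "OS_VULNERABILITY", "findingClass": "VULNERABILITY", "state": "INACTIVE",
     "resourceName": "//compute.googleapis.com/projects/demo/zones/europe-west1-b/instances/web-2"},
    {"category": "Execution: Cryptocurrency Mining YARA Rule", "findingClass": "THREAT",
     "state": "ACTIVE",
     "resourceName": "//compute.googleapis.com/projects/demo/zones/europe-west1-b/instances/web-1"},
])

# Constructed sample of a Compute Engine instance list, trimmed likewise.
SAMPLE_INSTANCES = [
    {"name": "web-1", "disks": [{"deviceName": "web-1"}]},
    {"name": "batch-1", "confidentialInstanceConfig": {"enableConfidentialCompute": True},
     "disks": [{"deviceName": "batch-1"}]},
    {"name": "db-1", "disks": [{"deviceName": "db-1", "diskEncryptionKey": {
        "kmsKeyName": "projects/demo/locations/europe-west1/keyRings/kr/cryptoKeys/disk"}}]},
    {"name": "win-1", "disks": [{"deviceName": "win-1", "licenses": [
        "https://www.googleapis.com/compute/v1/projects/windows-cloud/global/licenses/windows-server-2022-dc"]}]},
]


def detector_name(finding):
    """Map one finding to the detector that produced it, or None if unknown."""
    category = finding.get("category", "")
    for name, categories in VULN_DETECTOR_CATEGORIES.items():
        if category in categories:
            return name
    if category.startswith(VMTD_PREFIXES):
        return "VM Threat Detection"
    return None


def active_counts(findings_json):
    """Number of ACTIVE findings per expected detector (INACTIVE ones are resolved)."""
    counts = {name: 0 for name in ALL_DETECTORS}
    for finding in json.loads(findings_json):
        name = detector_name(finding)
        if name is not None and finding.get("state") == "ACTIVE":
            counts[name] += 1
    return counts


def suspicious_silence(findings_json):
    """Vulnerability detectors with zero active findings.

    A real fleet with no OS or web findings at all almost always means the
    detector is not enabled or not scoped correctly. Zero THREAT findings, by
    contrast, is the normal state of a healthy fleet, so VM Threat Detection is
    deliberately excluded here; confirm its enablement in the SCC settings instead.
    """
    counts = active_counts(findings_json)
    return sorted(name for name in VULN_DETECTOR_CATEGORIES if counts[name] == 0)


def vmtd_blind_spots(instances):
    """Instances the hypervisor-based threat detection cannot (fully) inspect."""
    spots = []
    for instance in instances:
        reasons = []
        if instance.get("confidentialInstanceConfig", {}).get("enableConfidentialCompute"):
            reasons.append("confidential VM: guest memory is not inspectable")
        for disk in instance.get("disks", []):
            key = disk.get("diskEncryptionKey") or {}
            if "kmsKeyName" in key:
                reasons.append("CMEK-encrypted disk %s" % disk.get("deviceName"))
            elif "rawKey" in key or "sha256" in key:
                reasons.append("CSEK-encrypted disk %s" % disk.get("deviceName"))
            # Assumption: Windows images carry a license URL from the windows-cloud project.
            if any("windows-cloud" in lic for lic in disk.get("licenses", [])):
                reasons.append("Windows guest: reduced detection coverage")
        if reasons:
            spots.append((instance["name"], reasons))
    return spots


if __name__ == "__main__":
    print("active findings per detector:", active_counts(SAMPLE_FINDINGS))
    print("detectors that are suspiciously silent:", suspicious_silence(SAMPLE_FINDINGS))
    for name, reasons in vmtd_blind_spots(SAMPLE_INSTANCES):
        print("%s: %s" % (name, "; ".join(reasons)))
```

With the constructed sample, the Web Security Scanner is reported as suspiciously silent, and three of the four instances land on the blind-spot list, which is exactly the list a team needs in order to decide where an agent-based EDR or a different control has to fill the gap.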

Figure 1: Overview of GCP Security Capabilities in the Console. Left: Security Command Center-related options with threats (1) and vulnerabilities (2)

