Google Cloud security is regarded as being among the best in the industry. However, most cloud security issues are not attributable to the cloud service provider but to how cloud services are used, with up to 95% of cloud security failures attributed to customer error and a misunderstanding of the shared responsibility model.
Google prides itself on its cloud security. The company has built a strong security structure with over fifteen years of experience keeping customers safe on apps such as Gmail and G Suite, and it has used the same security model for the Google Cloud Platform. Recently, the company’s efforts to secure its cloud were recognized by Forrester, who rated Google Cloud security as a leader in its Public Cloud Platform Native Security Wave.
So, is Google Cloud security better than that of any other cloud? That is difficult to say for certain. Google and AWS were both rated highly by Forrester, but there were few differences (and even fewer security shortcomings) among the industry's leading cloud service providers. Indeed, had it not been for some tricky administration issues, Microsoft Azure might have been awarded the top spot in Forrester's Wave. And is cloud service provider security the main issue anyway, when the majority of security breaches are attributable to user error?
Who is responsible for cloud security issues?
In March 2018, Gartner’s Kasey Panetta predicted that “through 2022, at least 95% of cloud security failures will be the customer’s fault”. Panetta attributed the high failure rate to businesses not using security controls provided by cloud service providers effectively, and said businesses shouldn’t be asking themselves “is the cloud secure?” but rather “is my team using the cloud securely?”
The problem is that many businesses don't fully understand their responsibilities under the shared responsibility model, which defines how responsibility for security in the cloud is divided between the cloud service provider and the business.
To be fair, shared responsibility models aren't always that easy to understand. The distribution of responsibilities changes according to the services being used and any industry regulations that apply. For example, Google published a six-page guide to Google Cloud security responsibilities for HIPAA-covered entities. For businesses subject to PCI DSS, the Google Cloud security guide runs to eighty-two pages.
Google Cloud security responsibilities vs. businesses’ security responsibilities
The distribution of responsibilities in the cloud also varies according to the level of abstraction (i.e. how far up the stack assets are being deployed). For example, when businesses deploy virtual machines on Google Compute Engine, Google is responsible for the security of its data centers, the physical servers, the virtualization layer, and the physical network. Businesses are responsible for the security of the guest operating system (including patching) and everything above it.
However, when businesses launch assets on Google's container services, the operating system layer is abstracted away and Google takes on responsibility for its security. Businesses remain responsible for the security of their workloads, including the application code, Dockerfiles, container images, data, and RBAC/IAM policies, but Google provides plenty of controls to help secure containers; businesses just have to understand how to use them effectively. The image below provides more information about the distribution of Google Cloud security responsibilities vs. businesses' security responsibilities.
How to increase your business’ security in the Google Cloud
Panetta’s solution for preventing cloud security issues was to develop strong cloud security policies and enforce them with technology. While this may sound complicated, it’s not that difficult when you’re using a cloud management platform such as CloudHealth to help you identify cloud risks, develop policies to address the risks, and then use policy-driven automation to ensure business users do not violate the policies. Here’s an example of how it works:
- Let's say CloudHealth does a sweep of your assets and finds users have access permissions above the level required to do their jobs (the principle of least privilege, or the "minimum necessary rule" in HIPAA terms, is always a good rule to follow).
- CloudHealth will flag these to you so you can make the necessary changes, and will then monitor any new accounts to ensure the appropriate level of access is applied.
- You can also require multi-factor authentication for accounts with higher permission levels, and CloudHealth can be configured to alert you whenever multi-factor authentication is disabled and temporarily revoke access to the account.
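The sweep in the first step can also be done by hand. The following is an added example, not code from CloudHealth or Google: a Python script that reads a project IAM policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and flags bindings that exceed least privilege (basic roles such as roles/owner and roles/editor, public principals, and service accounts holding basic roles), then prints the matching `gcloud projects remove-iam-policy-binding` commands. The project name, principals and bindings in the sample policy are constructed for the example.

```python
import json
from typing import Dict, List

# Constructed sample policy for this example. The shape matches the JSON that
# `gcloud projects get-iam-policy PROJECT_ID --format=json` prints, but the
# project, principals and bindings are invented.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com",
                 "serviceAccount:ci-deploy@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor", "members": ["group:developers@example.com"]},
    {"role": "roles/viewer", "members": ["user:carol@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/logging.viewer", "members": ["user:bob@example.com"]}
  ],
  "etag": "BwXyZ123",
  "version": 1
}
""")

# Basic (formerly "primitive") roles grant broad access across every service in
# the project and are the usual way permissions end up above what a job needs.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Principals that make a resource reachable by anyone on the internet.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def audit_policy(policy: Dict) -> List[Dict]:
    """Return one finding per (member, role) pair that violates least privilege."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append({"severity": "high", "member": member, "role": role,
                                 "reason": "public principal bound at project level"})
            elif role in BASIC_ROLES:
                if member.startswith("serviceAccount:"):
                    reason = ("service account holds a basic role; its keys are not "
                              "protected by interactive MFA")
                else:
                    reason = "basic role grants broad access; use a predefined or custom role"
                severity = "medium" if role == "roles/viewer" else "high"
                findings.append({"severity": severity, "member": member, "role": role,
                                 "reason": reason})
    # Highest severity first so the report leads with what to fix today.
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["role"], f["member"]))


def remediation_commands(findings: List[Dict], project_id: str) -> List[str]:
    """gcloud commands that remove each flagged binding (review before running)."""
    return [
        f"gcloud projects remove-iam-policy-binding {project_id} "
        f"--member='{f['member']}' --role='{f['role']}'"
        for f in findings
    ]


if __name__ == "__main__":
    results = audit_policy(SAMPLE_POLICY)
    for f in results:
        print(f"[{f['severity'].upper()}] {f['member']} -> {f['role']}: {f['reason']}")
    print()
    for cmd in remediation_commands(results, "example-project"):
        print(cmd)
```

To run it against a real project, save the output of `gcloud projects get-iam-policy PROJECT_ID --format=json` to a file and pass the parsed JSON to `audit_policy` in place of SAMPLE_POLICY. The remediation commands remove bindings outright, so check each one against what the principal actually needs (for a service account, that usually means replacing the basic role with a narrowly scoped predefined or custom role rather than just deleting the binding).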
Every business’ cloud environment is different and requires a unique approach to managing security. With CloudHealth’s help, you can effectively identify and prevent security issues before they develop into high-risk vulnerabilities.