Improve Your Google Cloud Security Posture With CloudHealth Secure State

5 Min Read

Earlier this year at VMworld 2020, we announced the addition of Google Cloud in CloudHealth Secure State (CHSS). We added support for Google Cloud, one of the fastest growing and the third largest public cloud provider, to provide customers with cloud security, visibility, and control consistently across their preferred cloud providers and services.

While we introduced all the customer favorite real-time monitoring and interconnected risk assessment features the same way they work for AWS and Azure, with GCP we also brought the latest guidelines from CIS (Center for Internet Security) and simplified organization and account onboarding.

In the following sections, I’ll walk through the unique aspects of our Google Cloud security and compliance management approach that are catching customers' attention!

Read-only access, but real-time visibility into Google Cloud security risk

The CloudHealth Secure State monitoring design uses a read-only role to do micro-inventories of your multicloud footprint and tracks any resource configuration changes in your environment. Users can onboard their Google Cloud Projects with a simple Service Account (SA) key that requires read-only access to their infrastructure. The SA key can be configured to have access to the entire organization or a select group of projects.

A Cloud Logging-based Event Sink is used to stream real-time configuration change events to CHSS. By tracking configuration change events, CHSS always maintains an up-to-date view of the cloud infrastructure and misconfiguration risk, alerting customers of any security violations in seconds. This unique architecture is presented below.

google cloud and cloudhealth architecture map

Unlike a daily inventory approach commonly used by other industry tools, this monitoring model also saves costs by minimizing the API calls needed to maintain an updated view of resources. Google Cloud APIs have enforceable quotas, and large call volumes can add a considerable cost overhead. When the same APIs are often being used by existing DevOps automation, this event stream approach doesn’t add to your cloud costs.

eBook
How to Build Long-Term Success in GCP

Understand multicloud security in a consistent way

For greater context regarding the risk of a misconfiguration, customers rely on our interconnected cloud security model to understand the potential impact of a security finding. Our rules evaluate the connected set of configurations that together, cause a misconfiguration.

By bringing the same power to Google Cloud, we’re able to showcase the potential impact of a finding on your broader infrastructure, clearly identifying this with a risk score. What’s more, is that all the GCP resources, rules, and findings are available through the same APIs that work for other cloud providers.

Leveraging our underlying graph model, customers can also author custom rules and create ad-hoc queries for incident investigations. For instance, in case of a Service Account leak, cloud security teams can quickly find all the compute resources that would be impacted by running a short Explore query displayed below. Gathering this critical information (that would typically take several follow up emails with the Service Account owners) is readily available at the cloud security team’s fingertips in the CloudHealth Secure State platform.

google cloud compute instance example

Latest CIS Compliance framework, controls, and rules

To provide customers the latest cloud security best practices for Google Cloud, we added support for the complete CIS GCP Foundations Benchmark v1.1.0 framework with 48 rules and mapping for over 48 controls. CHSS models numerous Google Cloud services across Identity and Access Management, Logging and Monitoring, Networking, Virtual Machines, Storage, Cloud SQL, MySQL, SQL Server, and BigQuery. The CIS GCP v1.1.0 framework, released in March 2020, is supported for real-time compliance assessments, and in the future, we plan to add GCP support for various other frameworks such as SOC-2, GDPR, NIST, etc. that are already available for AWS and Azure today.

google cloud security cloudhealth cis benchmarks

As a leading multicloud security product, we even brought our learnings from managing cloud security for other cloud providers to go beyond CIS. We introduced rules that are available in AWS and Azure and are applicable to equivalent services in Google Cloud to drive consistency across clouds. In the same way, we added support for custom rules through both a DSL with typeahead support for those who prefer a visual user interface and a programmable approach to express rules as code.

Our rules were also created to understand the hierarchy inherent to your cloud infrastructure, supporting Google Cloud’s Organization, Folder, and Project constructs. For example, rules that detect missing logging for IAM permission changes, VPC network changes, configuration auditing, etc. take into account that logging may be configured at different layers of your account hierarchy. For instance, when Information Security teams are centrally monitoring for logs while the individual Project Owners may not be, our rules can understand such a setup.

Simple bulk onboarding and new cloud account APIs

To make onboarding quick and easy, we added new bulk onboarding flows where customers can simply pick and choose which Projects to protect. By using a common read-only Service Account key, which can be at the Organization, Folder, or Project level, Secure State can automatically discover all available accounts, but still provide customers the flexibility to select the ones to onboard. Any Project accessible through the Service Account can be enabled for monitoring through a simple checkbox in the UI, and the Service Account can either have complete Organization access or limited access to a few Projects, depending on the customer’s use case.

google cloud security api onboarding options

In support of automation for account management, we even added new Cloud Account APIs with account querying, onboarding, and discovery capabilities. This allows integrations with account provisioning and deployment scripts tools to enforce baseline Google Cloud standards by onboarding them to CHSS. The same APIs are available across all cloud providers except for onboarding APIs, which are limited to Google Cloud today. Customer’s security engineering team’s scripts can be used to verify the health of their accounts in CHSS and that any new accounts are automatically onboarded for monitoring.

cloud accounts service api google cloud security

With the addition of Google Cloud support in CloudHealth Secure State, we reinforce our multicloud security and compliance vision. This introduction comes with the support for CIS v1.1.0 benchmark, simplified bulk account onboarding, and new Cloud Account APIs, along with all other enterprise-grade dashboarding, resource exploration, and Project-based RBAC features.

Most recently, when a customer onboarded over 100 GCP Projects in under 30 seconds using our bulk onboarding script, their reaction was “That’s it? This is pretty cool!”

Start protecting your Google Cloud infrastructure today! Our experts are ready to connect—feel free to reach out to us here

And for more information on how to build a successful cloud security and compliance practice, see our in-depth whitepaper: Building a Successful Cloud Infrastructure Security and Compliance Practice

Image
Headshot Bhanu Agarwal
Bhanu Agarwal, Technical Product Manager, Cloud Security

Bhanu Agarwal is the Product Manager for CloudHealth Secure State, a multi-cloud security SaaS solution by CloudHealth. He helps drive the design and development of the platform, and contributes to the strategy. He works closely with customers to help them protect their public cloud resources. He frequently writes about new product capabilities and best practices in the industry. Previously, he worked at Microsoft, where he held software engineering roles building enterprise mobility and security solutions for the Azure cloud.

We Think You Might Like These: