Earlier this year at VMworld 2020, we announced the addition of Google Cloud in CloudHealth Secure State (CHSS). We added support for Google Cloud, one of the fastest growing and the third largest public cloud provider, to provide customers with cloud security, visibility, and control consistently across their preferred cloud providers and services.
While we introduced all the customer-favorite real-time monitoring and interconnected risk assessment features, working the same way they do for AWS and Azure, with GCP we also brought in the latest guidelines from CIS (Center for Internet Security) and simplified organization and account onboarding.
In the following sections, I’ll walk through the unique aspects of our Google Cloud security and compliance management approach that are catching customers' attention!
Read-only access, but real-time visibility into Google Cloud security risk
The CloudHealth Secure State monitoring design uses a read-only role to take micro-inventories of your multicloud footprint and to track any resource configuration changes in your environment. Users can onboard their Google Cloud Projects with a simple Service Account (SA) key that requires only read-only access to their infrastructure. The SA key can be configured to have access to the entire organization or to a select group of projects.
A Cloud Logging-based Event Sink is used to stream real-time configuration change events to CHSS. By tracking configuration change events, CHSS always maintains an up-to-date view of the cloud infrastructure and misconfiguration risk, alerting customers of any security violations in seconds. This unique architecture is presented below.
Unlike the daily inventory approach commonly used by other industry tools, this monitoring model also saves costs by minimizing the API calls needed to maintain an updated view of resources. Google Cloud APIs have enforceable quotas, and large call volumes can add considerable cost overhead. Since those same APIs are often already being consumed by existing DevOps automation, this event-stream approach avoids adding to your cloud costs.
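To make the event-stream model concrete, here is an added example (not CloudHealth Secure State code) that consumes audit-log entries in the shape a Cloud Logging sink exports them and keeps only the Admin Activity records, i.e. the configuration changes that warrant re-inventorying a resource; the sample entries, project, principal and resource names are constructed for this illustration.

```python
import json
from typing import Dict, List, Optional
def _entry(log_kind, res_type, service, method, resource, principal):
    """Build a constructed LogEntry in the JSON shape a Cloud Logging sink exports."""
    return json.dumps({
        "logName": f"projects/demo-proj/logs/cloudaudit.googleapis.com%2F{log_kind}",
        "resource": {"type": res_type, "labels": {"project_id": "demo-proj"}},
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": service, "methodName": method, "resourceName": resource,
            "authenticationInfo": {"principalEmail": principal}},
    })
# Constructed sample messages; project, principal and resource names are invented.
SAMPLE_ENTRIES = [
    _entry("activity", "gce_firewall_rule", "compute.googleapis.com",
           "v1.compute.firewalls.insert", "projects/demo-proj/global/firewalls/allow-ssh",
           "dev@example.com"),
    _entry("data_access", "gcs_bucket", "storage.googleapis.com",  # a read, not a change
           "storage.objects.get", "projects/_/buckets/demo-bucket/objects/readme.txt",
           "app@demo-proj.iam.gserviceaccount.com"),
    _entry("activity", "project", "cloudresourcemanager.googleapis.com",
           "SetIamPolicy", "projects/demo-proj", "admin@example.com"),
    "not json at all",  # a corrupt message must be skipped, not crash the consumer
]
ACTIVITY_LOG = "cloudaudit.googleapis.com%2Factivity"  # Admin Activity audit log name
AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"

def parse_change_event(raw: str) -> Optional[Dict[str, str]]:
    """Return the fields needed to re-inventory the touched resource, or None when
    the entry is not an Admin Activity audit record (or cannot be parsed)."""
    try:
        entry = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(entry, dict) or ACTIVITY_LOG not in entry.get("logName", ""):
        return None  # Data Access / system-event logs record reads, not config changes
    payload = entry.get("protoPayload", {})
    if payload.get("@type") != AUDIT_LOG_TYPE:
        return None
    return {
        "project": entry.get("resource", {}).get("labels", {}).get("project_id", ""),
        "service": payload.get("serviceName", ""),
        "method": payload.get("methodName", ""),
        "resource": payload.get("resourceName", ""),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail", ""),
    }

def change_events(raw_entries: List[str]) -> List[Dict[str, str]]:
    """Reduce a batch of sink messages to the configuration-change events."""
    return [e for e in map(parse_change_event, raw_entries) if e is not None]
```

A sink filter restricted to the Admin Activity log (logName containing `cloudaudit.googleapis.com%2Factivity`) keeps the exported volume, and therefore the follow-up inventory calls, to the changes that matter.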
Understand multicloud security in a consistent way
For greater context regarding the risk of a misconfiguration, customers rely on our interconnected cloud security model to understand the potential impact of a security finding. Our rules evaluate the connected set of configurations that together cause a misconfiguration.
By bringing the same power to Google Cloud, we’re able to showcase the potential impact of a finding on your broader infrastructure, clearly identifying it with a risk score. What’s more, all the GCP resources, rules, and findings are available through the same APIs that work for the other cloud providers.
Leveraging our underlying graph model, customers can also author custom rules and create ad-hoc queries for incident investigations. For instance, in the case of a Service Account key leak, cloud security teams can quickly find all the compute resources that would be impacted by running the short Explore query displayed below. This critical information, which would typically take several follow-up emails with the Service Account owners to gather, is readily available at the cloud security team’s fingertips in the CloudHealth Secure State platform.
Latest CIS Compliance framework, controls, and rules
To provide customers with the latest cloud security best practices for Google Cloud, we added support for the complete CIS GCP Foundations Benchmark v1.1.0 framework, with 48 rules and mappings to over 48 controls. CHSS models numerous Google Cloud services across Identity and Access Management, Logging and Monitoring, Networking, Virtual Machines, Storage, Cloud SQL, MySQL, SQL Server, and BigQuery. The CIS GCP v1.1.0 framework, released in March 2020, is supported for real-time compliance assessments, and in the future we plan to add GCP support for the other frameworks, such as SOC-2, GDPR, and NIST, that are already available for AWS and Azure today.
As a leading multicloud security product, we also applied what we learned from managing cloud security for other providers to go beyond CIS. We introduced rules that exist for AWS and Azure and apply to equivalent services in Google Cloud, driving consistency across clouds. In the same way, we added support for custom rules through both a DSL with typeahead support, for those who prefer a visual user interface, and a programmable approach that expresses rules as code.
Our rules were also designed to understand the hierarchy inherent in your cloud infrastructure, supporting Google Cloud’s Organization, Folder, and Project constructs. For example, rules that detect missing logging for IAM permission changes, VPC network changes, configuration auditing, and so on take into account that logging may be configured at different layers of your account hierarchy. For instance, when an Information Security team is centrally collecting logs at a higher level while the individual Project Owners are not, our rules recognize that setup.
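As an added illustration of hierarchy-aware evaluation (example code, not Secure State’s rule engine), the check below resolves, for each Project, whether a logging sink at the Project, Folder, or Organization level covers a given logging control, counting an ancestor’s sink only when it is an aggregated sink that includes children; the hierarchy, sink filters, and control tokens are constructed and deliberately simplified stand-ins for the CIS filters.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
@dataclass
class Sink:
    filter: str             # Cloud Logging filter expression of the sink
    include_children: bool  # aggregated sink: also exports logs of descendant resources
@dataclass
class Node:
    parent: Optional[str]   # parent resource name, or None for the Organization root
    sinks: List[Sink] = field(default_factory=list)
# Simplified stand-ins for CIS GCP v1.1.0 logging controls: a sink satisfies a control when
# its filter mentions one of these tokens or exports all Admin Activity logs (constructed).
CONTROL_TOKENS = {
    "iam_changes": ("SetIamPolicy",),
    "vpc_network_changes": ("gce_network",),
    "vpc_firewall_changes": ("gce_firewall_rule",),
}
ALL_ACTIVITY = "cloudaudit.googleapis.com%2Factivity"

def sink_satisfies(sink: Sink, control: str) -> bool:
    return ALL_ACTIVITY in sink.filter or any(t in sink.filter for t in CONTROL_TOKENS[control])

def covering_node(tree: Dict[str, Node], project: str, control: str) -> Optional[str]:
    """Walk from the Project up to the Organization and return the first node whose
    sink exports this control's events for the Project; None means a finding."""
    current, seen = project, set()
    while current is not None and current not in seen:
        seen.add(current)  # guards against a malformed parent loop in the input
        node = tree[current]
        for sink in node.sinks:
            # The Project's own sink always applies; an ancestor's sink applies only
            # if it is an aggregated sink that includes children.
            if (current == project or sink.include_children) and sink_satisfies(sink, control):
                return current
        current = node.parent
    return None

def evaluate(tree: Dict[str, Node], control: str) -> Dict[str, Optional[str]]:
    """Per-Project result for one control: the covering node, or None when logging is missing."""
    return {n: covering_node(tree, n, control) for n in tree if n.startswith("projects/")}

# Constructed hierarchy: central IAM logging at the Organization, network logging at one
# Folder, a sandbox Project that exports its own logs, and a legacy Project with none.
TREE = {
    "organizations/123": Node(None, [Sink('protoPayload.methodName="SetIamPolicy"', True)]),
    "folders/platform": Node("organizations/123", [Sink('resource.type="gce_network"', True)]),
    "folders/dev": Node("organizations/123"),
    "projects/web-prod": Node("folders/platform"),
    "projects/sandbox": Node("folders/dev", [Sink(f'logName:"{ALL_ACTIVITY}"', False)]),
    "projects/legacy": Node("folders/dev"),
}
```

With this tree, `evaluate(TREE, "vpc_network_changes")` reports `projects/legacy` as the only finding, while a per-Project check that ignored the Organization and Folder sinks would flag all three Projects.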
Simple bulk onboarding and new cloud account APIs
To make onboarding quick and easy, we added new bulk onboarding flows where customers can simply pick and choose which Projects to protect. By using a common read-only Service Account key, which can be granted at the Organization, Folder, or Project level, Secure State can automatically discover all available accounts while still giving customers the flexibility to select the ones to onboard. Any Project accessible through the Service Account can be enabled for monitoring through a simple checkbox in the UI, and the Service Account can have either complete Organization access or limited access to a few Projects, depending on the customer’s use case.
In support of automation for account management, we also added new Cloud Account APIs with account querying, onboarding, and discovery capabilities. This allows integration with account-provisioning and deployment scripts and tools, so that baseline Google Cloud standards are enforced by onboarding new accounts to CHSS. The same APIs are available across all cloud providers, except for the onboarding APIs, which are limited to Google Cloud today. A customer’s security engineering team can use scripts to verify the health of their accounts in CHSS and to ensure that any new accounts are automatically onboarded for monitoring.
With the addition of Google Cloud support in CloudHealth Secure State, we reinforce our multicloud security and compliance vision. This introduction comes with support for the CIS v1.1.0 benchmark, simplified bulk account onboarding, and new Cloud Account APIs, along with all the other enterprise-grade dashboarding, resource exploration, and Project-based RBAC features.
Most recently, when a customer onboarded over 100 GCP Projects in under 30 seconds using our bulk onboarding script, their reaction was “That’s it? This is pretty cool!”
Start protecting your Google Cloud infrastructure today! Our experts are ready to connect—feel free to reach out to us here.
And for more information on how to build a successful cloud security and compliance practice, see our in-depth whitepaper: Building a Successful Cloud Infrastructure Security and Compliance Practice