Proactive vs. Reactive Google Cloud Visibility

CloudHealth Tech Staff
Dec. 23, 2019
5 minute read

Google has recently released a variety of security tools to enhance Google Cloud visibility. However, inasmuch as these tools are good for detecting and responding to threats, they work retrospectively. In an ideal world, visibility tools would have capabilities that could prevent security issues before they occur.

Last year’s release of Google’s Cloud Security Command Center has been followed up this year by further Google Cloud visibility and security tools to help businesses gain further visibility into their cloud environments and address security issues. Although many of the tools are still in alpha or beta release—and available for some services only—the feedback from users has been very good.

Now, from the Cloud Security Command Center, businesses can more easily identify malware and cryptomining software in their environments, detect vulnerabilities such as cross-site-scripting, the use of clear-text passwords, and outdated libraries in applications, and receive notifications of suspicious activity, configuration issues, and deactivated security logging.

In addition to the enhancements to the Cloud Security Command Center, other Google Cloud visibility and security tools flag up when the business’s data has been accessed by Google (“Access Transparency”), automatically detect and mask sensitive data (“Data Loss Prevention”), and provide added protection to containers using untrusted code (“GKE Sandbox”).

All good tools, but all reactive tools

Each one of these tools can help businesses gain better visibility into their Google Cloud environments in order to detect and react to security issues. However, wouldn’t it be better if there was a way to proactively prevent issues such as publicly-accessible storage volumes, open firewall ports, and stale encryption keys? Of course, it would. For this reason, many businesses take advantage of cloud management platforms with policy-driven automation capabilities.

With policy-driven automation, system administrators configure the cloud management platform with the policy they want to apply and the course of action the platform should take if the policy is violated. For example, if a user attempts to launch a virtual machine instance on Google Cloud with an unauthorized open port, the platform will block the launch until the issue has been remedied or initiate a workflow for the policy to be overridden at the administrator level.

Other examples of how policy-driven automation can enhance Google Cloud visibility and security include:

  • Only allowing users to log into the business’s account from pre-approved IP addresses.
  • Preventing misconfigured storage volumes and restricting access by default.
  • Ensuring encryption keys are rotated or revoked when they’re not being used.
  • Initiating a Google Cloud Function to enable logging on any deactivated service.
  • Blocking user access when multi-factor authentication is disabled.

Other benefits of policy-driven automation

Cloud management platforms with policy-driven automation capabilities not only give better Google Cloud visibility to prevent security issues, they can also be used to apply cost controls and prevent performance inefficiencies. They do this by collating data from every service used in the Google Cloud so businesses can visualize and analyze data through a single pane dashboard. 

With total visibility, businesses get the information they need about how resources are being used and how budgets are being spent to plan, budget, and innovate with confidence. However, rather than configuring the platform to prevent events from occurring, administrators can configure the platform to alert them to when certain events may occur in the future. For example, the platform can alert administrators to:

  • Departmental spend that’s projected to exceed budget based on month-to-date spend.
  • Underutilized committed use discounts and opportunities to purchase more discounts.
  • Underutilized virtual machine instances suitable for downgrading.
  • Over-utilized virtual machine instances suitable for upgrading.
  • Unutilized assets suitable for reallocation or termination.

With regards to cost allocation, policy-driven automation can be applied to tagging policies so that every resource is launched with a tag (or else the launch is blocked until the resource is tagged), or so that misspelled tags are automatically corrected. This is a particularly useful function to have available, not only to provide total Google Cloud visibility into costs but also to standardize a global tagging policy when the business operates in a multicloud or hybrid cloud environment.

Find out more about proactive Google Cloud visibility

If you’d like to know more about how your business can increase Google Cloud visibility and proactively address cost, security, and performance issues, don’t hesitate to get in touch. Our team of cloud experts will be happy to explain more about the CloudHealth cloud management platform and organize a demo of the platform’s policy-driven automation capabilities in action.