Service accounts (SAs) are a special type of Google account that is granted permissions on GCP resources in place of an end user. Service accounts are primarily used to ensure safe, managed connections to APIs and Google Cloud services. Granting access to trusted connections and rejecting malicious ones is a must-have security feature for any Google Cloud project.
To understand the threats to SAs, companies must start with broad org-level IAM audits to gauge where these powerful IAM accounts stand today. Overly permissive SAs at different levels of the GCP hierarchy are weaknesses that can cause havoc in GCP and should be reviewed regularly to maintain a consistently secure IAM posture.
At the application level, a given SA should not have access to both the Production and Non-Production GCP folders. Cross-pollinating SA accounts across domain folders such as Production and Non-Production should never be recommended as a best practice. This practice lowers the SA account security posture as a least-privilege model within a Zero Trust Architecture. The result? In a worst-case scenario, an SA granted full access to non-production could theoretically use those permissions in a production environment to destroy everything and anything in its way. A total nightmare for enterprises! An even bigger nightmare is if a basic role (Owner, Editor) tied to an SA has been set at the GCP org level in the hierarchy. If this were to occur, the potential for homeland destruction increases 10-fold. This SA, if compromised by a bad actor, can now roam freely at will throughout the entire GCP environment.
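The two conditions described above (a basic role bound to an SA at the org or folder level, and one SA bound in both the Production and Non-Production folders) can be checked mechanically from an org-wide IAM export. The following is an added example, not LucidPoint's code: it reads records shaped like the JSON that `gcloud asset search-all-iam-policies --scope=organizations/ORG_ID --format=json` returns (a resource name plus the policy attached to it). The records and the folder-to-environment map are constructed sample data and an assumption about how the hierarchy is labelled; swap in your own export and folder IDs.

```python
"""Audit organization-wide IAM bindings for over-privileged service accounts.

Added example, not LucidPoint's code. Records mimic the output of
`gcloud asset search-all-iam-policies --scope=organizations/ORG_ID --format=json`;
SAMPLE_POLICIES and FOLDER_ENV are constructed/assumed, not real data.
"""

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
CRM_PREFIX = "//cloudresourcemanager.googleapis.com/"

# Constructed sample input (IDs and e-mail addresses are invented).
SAMPLE_POLICIES = [
    {
        "resource": CRM_PREFIX + "organizations/111111111111",
        "policy": {"bindings": [
            {"role": "roles/owner",
             "members": ["group:gcp-org-admins@example.com",
                         "serviceAccount:deployer@example-prod.iam.gserviceaccount.com"]},
        ]},
    },
    {
        "resource": CRM_PREFIX + "folders/222222222222",   # Production folder
        "policy": {"bindings": [
            {"role": "roles/compute.admin",
             "members": ["serviceAccount:ci-runner@example-tools.iam.gserviceaccount.com"]},
        ]},
    },
    {
        "resource": CRM_PREFIX + "folders/333333333333",   # Non-Production folder
        "policy": {"bindings": [
            {"role": "roles/compute.admin",
             "members": ["serviceAccount:ci-runner@example-tools.iam.gserviceaccount.com"]},
            {"role": "roles/editor",
             "members": ["serviceAccount:dev-app@example-dev.iam.gserviceaccount.com"]},
        ]},
    },
]

# Assumed mapping of folder resources to environments (taken from your own hierarchy in practice).
FOLDER_ENV = {
    "folders/222222222222": "production",
    "folders/333333333333": "non-production",
}


def short_resource(resource: str) -> str:
    """'//cloudresourcemanager.googleapis.com/folders/123' -> 'folders/123'."""
    return "/".join(resource.rsplit("/", 2)[-2:])


def iter_sa_bindings(policies):
    """Yield (resource, role, service-account e-mail) for every SA member in every binding."""
    for record in policies:
        resource = short_resource(record["resource"])
        for binding in record.get("policy", {}).get("bindings", []):
            for member in binding.get("members", []):
                if member.startswith("serviceAccount:"):
                    yield resource, binding["role"], member.split(":", 1)[1]


def find_basic_roles_above_project(policies):
    """SAs holding Owner/Editor/Viewer on an organization or folder node.

    Such a binding is inherited by every project underneath, which is the
    'roam freely throughout the entire environment' scenario.
    """
    return [
        (resource, role, sa)
        for resource, role, sa in iter_sa_bindings(policies)
        if role in BASIC_ROLES and resource.startswith(("organizations/", "folders/"))
    ]


def find_cross_environment_sas(policies, folder_env):
    """SAs bound in more than one environment (e.g. production AND non-production)."""
    envs_by_sa = {}
    for resource, _role, sa in iter_sa_bindings(policies):
        env = folder_env.get(resource)
        if env:
            envs_by_sa.setdefault(sa, set()).add(env)
    return {sa: envs for sa, envs in envs_by_sa.items() if len(envs) > 1}


if __name__ == "__main__":
    for resource, role, sa in find_basic_roles_above_project(SAMPLE_POLICIES):
        print(f"BASIC ROLE  {role:<14} {sa} on {resource}")
    for sa, envs in find_cross_environment_sas(SAMPLE_POLICIES, FOLDER_ENV).items():
        print(f"CROSS-ENV   {sa} bound in {', '.join(sorted(envs))}")
```

Run it against a real export by loading the `gcloud` JSON into `SAMPLE_POLICIES`; project-level bindings are deliberately left out of the basic-role check so the report stays focused on the inherited, hierarchy-wide grants the post warns about.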
So what happens when an application fails or any other emergency situation presents itself in a GCP environment? Where is the Bat-phone located? Who can reach the hammer to crack the glass enclosure? If the hammer is used, then what? These are questions to be addressed within a standard Break Glass process. IT companies have struggled to properly identify and implement a rapid reaction method of protecting the homeland. In the GCP world a Break Glass solution can utilize “Service Account Impersonation.” This is a sophisticated approach that allows users to assume an SA's permission set while abandoning their own. Access is granted ahead of time to a small, trusted set of subject matter experts (SMEs) who are approved by management and security. When an agreed-upon Break Glass event occurs, internal processes and workflows are kicked into high gear and the user impersonating the SA does what he/she does best: puts out fires!
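A Break Glass process built on impersonation needs an after-the-fact check: was the SA only impersonated by the approved SMEs? Impersonation is granted by giving those principals `roles/iam.serviceAccountTokenCreator` on the Break Glass SA itself, and each token request is recorded as a Data Access audit log for the IAM Service Account Credentials API (these logs are not enabled by default). The following added example, not LucidPoint's code, reviews such entries against an approved-SME registry. The log entries are constructed and follow the general shape of those audit log entries (`protoPayload.serviceName`, `methodName`, `authenticationInfo.principalEmail`, `resourceName`); confirm the field names against your own logs, and treat the registry as a stand-in for the management/security approval list.

```python
"""Review service-account impersonation events for a Break Glass process.

Added example, not LucidPoint's code. SAMPLE_LOG_ENTRIES are constructed in
the general shape of Cloud Audit Log entries for the IAM Service Account
Credentials API; APPROVED_SMES is an assumed registry.
"""
from collections import Counter

IMPERSONATION_SERVICE = "iamcredentials.googleapis.com"
IMPERSONATION_METHODS = {"GenerateAccessToken", "GenerateIdToken", "SignBlob", "SignJwt"}

# Assumed Break Glass registry: SA e-mail -> principals approved to impersonate it.
APPROVED_SMES = {
    "breakglass-prod@example-prod.iam.gserviceaccount.com": {"alice@example.com", "bob@example.com"},
}

# Constructed sample log entries (field layout assumed, values invented).
SAMPLE_LOG_ENTRIES = [
    {"timestamp": "2024-05-01T02:13:44Z",
     "protoPayload": {"serviceName": IMPERSONATION_SERVICE, "methodName": "GenerateAccessToken",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "resourceName": "projects/-/serviceAccounts/breakglass-prod@example-prod.iam.gserviceaccount.com"}},
    {"timestamp": "2024-05-01T02:40:10Z",
     "protoPayload": {"serviceName": IMPERSONATION_SERVICE, "methodName": "GenerateAccessToken",
                      "authenticationInfo": {"principalEmail": "contractor@example.com"},
                      "resourceName": "projects/-/serviceAccounts/breakglass-prod@example-prod.iam.gserviceaccount.com"}},
    {"timestamp": "2024-05-01T03:00:00Z",   # not an impersonation call; ignored
     "protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "resourceName": "projects/example-prod"}},
    {"timestamp": "2024-05-01T04:12:09Z",   # impersonation of an SA outside the registry
     "protoPayload": {"serviceName": IMPERSONATION_SERVICE, "methodName": "GenerateAccessToken",
                      "authenticationInfo": {"principalEmail": "ci-runner@example-tools.iam.gserviceaccount.com"},
                      "resourceName": "projects/-/serviceAccounts/deployer@example-prod.iam.gserviceaccount.com"}},
]


def parse_impersonation_events(entries):
    """Keep only token-minting calls and flatten them to (time, caller, target SA, method)."""
    events = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != IMPERSONATION_SERVICE:
            continue
        if payload.get("methodName") not in IMPERSONATION_METHODS:
            continue
        events.append({
            "time": entry.get("timestamp"),
            "caller": payload.get("authenticationInfo", {}).get("principalEmail"),
            "target_sa": payload.get("resourceName", "").rsplit("/", 1)[-1],
            "method": payload["methodName"],
        })
    return events


def review_break_glass(entries, registry):
    """Split impersonation events into approved, unapproved and out-of-scope buckets."""
    report = {"approved": [], "unapproved": [], "other": []}
    for ev in parse_impersonation_events(entries):
        if ev["target_sa"] not in registry:
            report["other"].append(ev)          # not a Break Glass SA; normal workload usage
        elif ev["caller"] in registry[ev["target_sa"]]:
            report["approved"].append(ev)       # expected: still needs a matching incident ticket
        else:
            report["unapproved"].append(ev)     # investigate: Token Creator granted too widely?
    return report


if __name__ == "__main__":
    report = review_break_glass(SAMPLE_LOG_ENTRIES, APPROVED_SMES)
    for bucket, events in report.items():
        for ev in events:
            print(f"{bucket:<10} {ev['time']} {ev['caller']} -> {ev['target_sa']}")
    print("callers:", Counter(ev["caller"] for ev in parse_impersonation_events(SAMPLE_LOG_ENTRIES)))
```

Every entry in the `approved` bucket should map to an agreed Break Glass event; anything in `unapproved` means the Token Creator binding reaches beyond the SME set and the policy on that SA should be tightened.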
LucidPoint Cloud Engineer
Today’s Cloud IT Security experts are overwhelmed in their fast-paced departments. They are the protectors against malicious activity from persistent threats and incorrectly configured cloud resources. Most have relied on stand-alone security information and event management (SIEM) systems to aggregate log data from many sources for event correlation, detection, and incident response. However, these legacy SIEM solutions are unable to scale to accommodate increasing data volumes and the growing number of cloud data sources. In turn, the process of identifying, investigating and tracking these incidents has failed to keep up with the complexities of cloud computing. Companies have been experiencing a growing visibility gap and insufficient repeatable automation that prevent IT Security from achieving their goals in threat detection, response, and vulnerability management.
Enter Google’s Security Command Center (SCC), a one-stop security and risk management platform for GCP with out-of-the-box detection and response capabilities for greater visibility. SCC allows you to gain centralized visibility of cloud assets, identify security misconfigurations and detect threats using streamlined log aggregation running in GCP at scale. I must say, it is an amazing tool for stopping bad actors before attacks escalate into breaches.
A comprehensive approach to solving this problem is to automate processes and workflows from SCC (identification) into GitLab (tracking). In between these two endpoints are automated and human workflows that speed up the linking of the processes involved. By applying severity filters (Critical, High, Medium, Low) for active vulnerabilities in SCC, the GCP messaging service Pub/Sub can ingest these filtered events at speed and publish them in near real time when alerts are generated. Serverless compute services such as Cloud Functions will quickly and logically process the input from Pub/Sub topics. The Cloud Function will also communicate rapidly with the GitLab API and perform the following processes:
At this stage, in the human workflow, GitLab Maintainers adhere to standard SLA policies describing timeframes for resolving vulnerabilities. These Maintainers also analyze and decide whether the vulnerability is legitimate or not. More importantly, Vulnerability Exceptions come into play and are an integral part of the workflow, as they require written approval from IT Security. At this stage additional mitigating risk controls can be discussed to compensate for a possible rejection of the Vulnerability Exception. Through back-and-forth communication between the business unit and IT Security, a time frame and compromise will be agreed upon so that vulnerability fixes are implemented efficiently.
A third and final workflow is executed via SCC Mute Rules, which allow IT Security staff to apply either bulk or individual mute rules based on severity, validity and additional criteria being met. This essentially silences the noise within the SCC console on similar SCC findings. Finally, with the speedy click of a mouse button, IT Security can transform hundreds or thousands of reviewed SCC findings into resolved issues, thereby responsibly enhancing the security posture of a company’s Google Cloud Platform.
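The automated half of the SCC-to-GitLab pipeline (Pub/Sub message in, GitLab issue out, with the Maintainers' SLA attached) can be a single Cloud Function. The following is an added example, not LucidPoint's code or pipeline: it assumes the Pub/Sub topic is fed by an SCC notification config whose message data is the JSON notification with a `finding` object, that the GitLab project id and token arrive in the environment variables `GITLAB_PROJECT_ID` and `GITLAB_TOKEN` (names chosen here), and that the SLA days per severity are a placeholder policy. The finding is constructed sample data; the GitLab call uses the REST API v4 `POST /projects/:id/issues` endpoint.

```python
"""Cloud Function body: SCC finding from Pub/Sub -> GitLab issue with an SLA due date.

Added example, not LucidPoint's code. Assumptions: Pub/Sub message data is an
SCC notification JSON; GITLAB_PROJECT_ID / GITLAB_TOKEN env var names;
SEVERITY_SLA_DAYS is a placeholder policy; the finding below is constructed.
"""
import base64
import json
import os
import urllib.request
from datetime import date, timedelta
from typing import Callable, Optional

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
SEVERITY_SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}  # assumed SLA policy
MIN_TRACKED_SEVERITY = "MEDIUM"  # below this, leave the finding to mute rules

# Constructed sample: one SCC notification message, already JSON-decoded.
CONSTRUCTED_NOTIFICATION = {
    "notificationConfigName": "organizations/111111111111/notificationConfigs/to-gitlab",
    "finding": {
        "name": "organizations/111111111111/sources/222/findings/abc123",
        "category": "PUBLIC_BUCKET_ACL",
        "resourceName": "//storage.googleapis.com/example-public-bucket",
        "state": "ACTIVE",
        "severity": "HIGH",
        "eventTime": "2024-01-01T09:30:00Z",
    },
}


def encode_for_pubsub(notification: dict) -> dict:
    """Wrap a notification the way a Pub/Sub-triggered function receives it (base64 in `data`)."""
    return {"data": base64.b64encode(json.dumps(notification).encode()).decode()}


def decode_pubsub_event(event: dict) -> dict:
    return json.loads(base64.b64decode(event["data"]).decode())


def build_issue(notification: dict, today_iso: str) -> Optional[dict]:
    """Translate an ACTIVE finding at or above MIN_TRACKED_SEVERITY into a GitLab issue payload."""
    finding = notification.get("finding", {})
    severity = finding.get("severity", "LOW")
    if finding.get("state") != "ACTIVE":
        return None
    if SEVERITY_RANK.get(severity, 0) < SEVERITY_RANK[MIN_TRACKED_SEVERITY]:
        return None
    due = date.fromisoformat(today_iso) + timedelta(days=SEVERITY_SLA_DAYS[severity])
    resource = finding["resourceName"].rsplit("/", 1)[-1]
    return {
        "title": f"[SCC {severity}] {finding['category']} on {resource}",
        "description": (
            f"SCC finding: `{finding['name']}`\n\n"          # finding name doubles as a dedupe key
            f"Resource: `{finding['resourceName']}`\n"
            f"Severity: {severity} (SLA {SEVERITY_SLA_DAYS[severity]} days)\n"
            f"Detected: {finding.get('eventTime', 'unknown')}\n\n"
            "Maintainers: confirm validity or request a Vulnerability Exception from IT Security."
        ),
        "labels": f"scc,severity::{severity.lower()}",   # GitLab expects a comma-separated string
        "due_date": due.isoformat(),                       # YYYY-MM-DD
    }


def post_to_gitlab(payload: dict) -> int:
    """POST /projects/:id/issues via the GitLab REST API v4; returns the HTTP status."""
    url = f"https://gitlab.com/api/v4/projects/{os.environ['GITLAB_PROJECT_ID']}/issues"
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"PRIVATE-TOKEN": os.environ["GITLAB_TOKEN"], "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


def handle(event: dict, context=None, post: Callable[[dict], int] = post_to_gitlab,
           today_iso: Optional[str] = None) -> Optional[dict]:
    """Pub/Sub-triggered entry point; returns the issue payload sent, or None if filtered out."""
    payload = build_issue(decode_pubsub_event(event), today_iso or date.today().isoformat())
    if payload is None:
        return None
    post(payload)
    return payload
```

The `post` parameter exists so the filtering and SLA logic can be exercised without network access; in the deployed function the default `post_to_gitlab` is used. Before creating an issue in production you would also search the project for an open issue carrying the same finding name so that SCC re-emitting a finding does not open duplicates.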
LucidPoint Cloud Engineer
Stuck waiting on IT resources? Is your business continuing to be held back by the length of time it takes to spin up VM servers or to add network and storage capacity? Is there a new application or capacity upgrade that's needed right away? What is corporate governance and how does one improve upon it?
The barriers to building new IT services for your business have never been lower: the latest hardware and software technology has become commoditized and delivered through many flexible consumption models. In contrast with the value of high-velocity technology innovation are the complexities of maintaining security controls, reliable deployments, network scale, and lean resource allocation. These challenges have kept many common IT practices in the slow lane for too long, waiting for human approvals and waterfall-style resource planning processes.
When your IT infrastructure and user base have a need for speed, public cloud self-service elasticity can help. Whether it's simply faster resource availability or prototyping the latest high-performance CPU and storage with a new application, self-service operations effectively grow an organization's IT capacity without adding headcount.
How can you balance the high velocity needs of your organization with the controls required to keep your data, finances, and users secure? How do you prevent greedy users from going "Maverick"? And how can corporate governance improve these processes?
Governance policy to the rescue!
If you think governance only means virtual handcuffs, slowing progress down, and endless meetings which feel like "Fighting City Hall", you've got the wrong idea. It has been well-proven that when you know how to properly implement corporate governance policy, it helps IT users move faster. This is because more users can self-service and fulfill their own requests through automation while simultaneously staying within a business compliant financial, security, and consumption model.
If we use a transportation metaphor, imagine commuting to work in your new electric car without governance like speed limits, lane keeping, or traffic lights. You wouldn't be able to get to work since the streets would be gridlocked and full of crashed vehicles. The governance of the road helps us all move faster in the same direction. It's also important that the governance rules, like speed limits, are set reasonably: fast enough for efficiency, yet slow enough for safety.
Knowing how to implement governance policy for corporate IT services and taking advantage of the automation inherent to public cloud is critical to enable self-service operations. Users can be free to do as much or as little as an organization decides. While defining the detailed governance rules themselves can be challenging when starting from scratch, eventually the rule book becomes well known and everyone can benefit. Technology partners like LucidPoint can help you get started introducing meaningful methods of how to improve corporate governance policy to your organization and provide data points from similarly sized peers in common industry verticals.
How do we improve corporate governance? It's no secret that public cloud providers want their tenants to use as much paid resource consumption as possible. After all, these are capitalistic providers and they're revenue driven. In fact, most public cloud providers have several "unlimited" and "uncapped" utilization quotas by default. This allows you to consume as much compute, storage, or network as you ask for, but it can also lead to accidental overages. What's interesting about elastic cloud resources at hyperscale is that a low-quality or misconfigured request can drain your whole IT budget in an instant. Unlike traditional on-premises IT services, which are constrained by fixed quantities of compute and storage, public clouds provide resource elasticity to accommodate huge requests. If a user sends an expensive resource request, the cloud services can allocate resources dynamically, churn through the request, return results quickly, and bill you for the utilization. When cloud users don't have governance in place, or don't understand the nuanced details of cloud resource billing, surprisingly high cloud billing charges disrupt IT budgets. These dangers can kill the success of strategic cloud adoption or reinforce the slower processes of funnelling IT requests through manual scrutiny in order to police a requestor's behavior.
How to Improve Corporate Governance for Public Cloud:
1 - Use the cloud platform's security policy constraints to set a tight default security posture for all users and workloads. Administrators can override constraints as business needs justify it while ensuring the adopted defaults are inherently appropriate for your organization.
2 - Disable unlimited default quotas where possible. Set reasonable consumption limits within expected orders of magnitude for resource utilization. This prevents accidental billing overages.
a - Google BigQuery Custom Quotas
b - AWS Service Quotas
3 - Use billing analytics and budget tools to alert on current conditions and predict future spending. Controlling costs requires effort: both measurement and continuous improvement.
4 - Treat Cloud Service consumption differently than traditional on-premises IT infrastructure. The challenges and opportunities of cloud are inherently different when using elastic resources and may not align well to your existing processes for control and monitoring.
5 - Educate your user community on the power and responsibility of self-service operations. Move faster by moving together safely and intelligently.
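Item 3 above (budget tools that alert on current conditions and predict future spending) is the one that is most often automated. The following added example, not LucidPoint's code, shows the decision logic a small function can apply to a Cloud Billing budget notification: it mirrors the JSON that budgets publish to a Pub/Sub topic (`budgetDisplayName`, `costAmount`, `budgetAmount`, `costIntervalStart`, `alertThresholdExceeded`, `currencyCode`), projects month-end spend from the run rate so far, and maps the spent fraction to a response tier. The notification values are constructed and the tiers are an assumed policy, not a recommendation of specific thresholds.

```python
"""Assess a Cloud Billing budget notification and pick a governance response.

Added example, not LucidPoint's code. CONSTRUCTED_NOTIFICATION mirrors the
budget Pub/Sub message format with invented values; ACTION_TIERS is an
assumed policy for illustration.
"""
import calendar
from datetime import datetime

# (fraction of budget spent, response) checked from highest to lowest - assumed policy
ACTION_TIERS = [
    (1.0, "stop-spend"),  # where an organization might detach billing from sandbox projects
    (0.9, "escalate"),    # page the owning team and finance
    (0.5, "notify"),      # informational chat/e-mail message
]

# Constructed sample budget notification (invented values).
CONSTRUCTED_NOTIFICATION = {
    "budgetDisplayName": "sandbox-projects-monthly",
    "alertThresholdExceeded": 0.9,
    "costAmount": 140.0,
    "costIntervalStart": "2024-03-01T00:00:00Z",
    "budgetAmount": 152.0,
    "budgetAmountType": "SPECIFIED_AMOUNT",
    "currencyCode": "USD",
}


def _parse_rfc3339(value: str) -> datetime:
    """Budget timestamps end in 'Z'; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_budget(notification: dict, now_iso: str) -> dict:
    """Return spend fraction, a linear month-end projection and the response tier."""
    start = _parse_rfc3339(notification["costIntervalStart"])
    now = _parse_rfc3339(now_iso)
    budget = float(notification["budgetAmount"])
    cost = float(notification["costAmount"])
    spent_fraction = cost / budget if budget else float("inf")

    # Linear run-rate projection to the end of the budget month; guard against a
    # notification arriving in the first minutes of the month (elapsed ~ 0).
    days_in_month = calendar.monthrange(start.year, start.month)[1]
    elapsed_days = max((now - start).total_seconds() / 86400, 1 / 24)
    projected = cost * days_in_month / elapsed_days

    action = "ok"
    for threshold, tier in ACTION_TIERS:
        if spent_fraction >= threshold:
            action = tier
            break
    return {
        "budget": notification["budgetDisplayName"],
        "currency": notification.get("currencyCode", ""),
        "spent_fraction": round(spent_fraction, 3),
        "projected_month_end": round(projected, 2),
        "projected_exceeds_budget": projected > budget,
        "action": action,
    }


if __name__ == "__main__":
    print(assess_budget(CONSTRUCTED_NOTIFICATION, "2024-03-15T00:00:00Z"))
```

The projection is deliberately crude (linear run rate); its purpose is to turn the budget alert from a statement about the past into a warning about where the month is heading, which is the "predict future spending" half of item 3. The function only returns a decision; wiring the `stop-spend` tier to an actual billing change is a separate, deliberately gated step.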
With a solid foundation of governance to control data security, spending, and more, opening up the self-service pathways for broader user communities becomes possible. With self-service capabilities governed to business requirements, users anywhere in the organization can experiment, deploy, and grow the technology capabilities of your business. Free IT staffing through distributed self-service? Yes, please!
Key takeaway: In the cloud era, knowing how to improve corporate governance enables speed of innovation and reinforces safety. Governance prevents a Maverick, but satisfies the ongoing NEED FOR SPEED.
LucidPoint Sr. Solutions Architect