CIS Cloud Security Framework: Gaining AWS, Azure and Google Momentum?
In the last three years, the Center for Internet Security (CIS), a non-profit, community-driven organization, has created benchmarks that chief information security officers (CISOs) can use to measure the security configuration of their cloud services.
Fast forward to present day. RedLock, a Menlo Park, California-based provider offering a cloud threat defense platform, now supports CIS compliance reporting for the Google Cloud Platform (GCP), claiming to be the first in the industry to do so. Ironically, the company’s announcement was timed to Microsoft’s Ignite conference this week in Orlando, Florida.
“We have been working with the CIS committee for months to provide our perspective on the benchmark and are glad to be first in the industry to have the compliance reporting for GCP against the CIS benchmark,” wrote Ankur Shah, VP of products for cloud security, in a RedLock blog post.
Google Cloud Platform: The Security Benchmark
The CIS benchmark for GCP spans infrastructure-as-a-service and platform-as-a-service in the Google Cloud. Focus areas include identity and access management, logging and monitoring, networking, storage, databases and virtual machines. It also features a new section around Google Kubernetes Engine (GKE). Kubernetes is a Google-designed platform — initially released in 2014 and most recently updated less than two weeks ago — to orchestrate containerized applications across clusters of hosts. It is now maintained by the Cloud Native Computing Foundation.
“Given the popularity of Kubernetes, we are glad that Google’s fully managed Kubernetes solution was included in the CIS benchmark,” said Shah. He offered a breakdown of relevant sections in the CIS benchmark that customers should address in their GCP environment, and, additionally, how RedLock helps customers achieve various guidelines across these sections.
- Identity and access management. RedLock supports a majority of the IAM-related security controls. RedLock can also detect privileged and unusual activities and alert the security team in the event of a user or service account compromise, as well as potential insider threats.
- Logging and monitoring. RedLock ingests all the audit activity in a Google Cloud environment through Stackdriver Logging. Customers can query any activity in GCP using the RedLock Query Language (RQL).
- Networking. In addition to supporting [CIS] firewall configuration policies, RedLock also plans to provide real-time visibility into network traffic for workloads that are using overly permissive firewall rules.
- Virtual machines. The CIS benchmark includes guidelines such as ensuring that disk encryption is configured and that instances are not running under service accounts with broad cloud API access. RedLock supports several important sections in this category.
- Storage. RedLock recommends that customers lock down the storage buckets unless they are hosting public-facing content. More importantly, customers should continuously monitor and auto-remediate storage buckets across their GCP projects.
- Cloud SQL database services. In addition to providing basic security hygiene for Cloud SQL database instances, RedLock also leverages advanced analytics to detect databases running in non-managed compute environments.
- Kubernetes engine. Google provides a fully managed Kubernetes service through GKE. RedLock’s security research team played a pivotal role in influencing the CIS committee to include GKE in the benchmark, and RedLock supports a majority of the GKE-related security controls.
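The networking, virtual machine and storage bullets above each describe a configuration check. The following is an added example of what such checks look like in code; it is not RedLock's product or the CIS benchmark's own tooling. It evaluates a small inventory constructed inline against three of the controls named above: storage buckets granted to the public principals allUsers or allAuthenticatedUsers, ingress firewall rules that expose SSH or RDP to any source address, and instances that run under the default Compute Engine service account with the broad cloud-platform scope or whose disks carry no customer-supplied or customer-managed key (persistent disks in GCP are always encrypted with Google-managed keys, so "encryption turned on" in practice means a customer key is configured). The dictionary field names follow the GCP Compute and Storage REST resources, but the data here is made up and the thresholds (which ports count as sensitive, which buckets are allowed to be public) are this example's assumptions.

```python
# Added example: a small CIS-style configuration checker for GCP resources.
# Not RedLock code. Inventory below is constructed; field names follow the GCP
# REST resources (Firewall, Instance/AttachedDisk, bucket IAM Policy).
from ipaddress import ip_network

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
SENSITIVE_TCP_PORTS = {22, 3389}  # assumption: SSH and RDP are the ports we care about


def check_bucket(name, iam_policy, public_content=False):
    """Storage: flag public bindings unless the bucket is meant to serve public content."""
    findings = []
    for binding in iam_policy.get("bindings", []):
        public = PUBLIC_PRINCIPALS & set(binding.get("members", []))
        if public and not public_content:
            findings.append(f"bucket {name}: {binding['role']} granted to {sorted(public)}")
    return findings


def _port_in_spec(spec, port):
    """A GCP port spec is '22', '20-25', or absent (meaning every port)."""
    if spec is None:
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def check_firewall(rule):
    """Networking: flag enabled ingress rules open to any source on a sensitive TCP port."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled", False):
        return []
    # 0.0.0.0/0 or ::/0 both have prefix length 0, i.e. "the whole Internet".
    world_open = any(ip_network(r).prefixlen == 0 for r in rule.get("sourceRanges", []))
    if not world_open:
        return []
    exposed = set()
    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol", "all").lower()
        specs = allowed.get("ports") or [None]  # no ports list means all ports
        if proto in ("all", "tcp"):
            exposed |= {p for p in SENSITIVE_TCP_PORTS if any(_port_in_spec(s, p) for s in specs)}
    return [f"firewall {rule['name']}: any source may reach tcp/{p}" for p in sorted(exposed)]


def check_instance(instance):
    """VMs: flag the default service account with cloud-platform scope and disks without a customer key."""
    findings = []
    for sa in instance.get("serviceAccounts", []):
        is_default = sa["email"].endswith("-compute@developer.gserviceaccount.com")
        if is_default and CLOUD_PLATFORM_SCOPE in sa.get("scopes", []):
            findings.append(f"instance {instance['name']}: default service account has cloud-platform scope")
    for disk in instance.get("disks", []):
        if "diskEncryptionKey" not in disk:  # CSEK/CMEK absent: Google-managed key only
            findings.append(f"instance {instance['name']}: disk {disk['deviceName']} has no customer key")
    return findings


def run_checks(inventory):
    """Evaluate a whole inventory dict and return every finding as a string."""
    findings = []
    for b in inventory.get("buckets", []):
        findings += check_bucket(b["name"], b["iamPolicy"], b.get("publicContent", False))
    for rule in inventory.get("firewalls", []):
        findings += check_firewall(rule)
    for inst in inventory.get("instances", []):
        findings += check_instance(inst)
    return findings


# Constructed sample inventory (two buckets, two firewall rules, one instance).
SAMPLE_INVENTORY = {
    "buckets": [
        {"name": "www-static-site", "publicContent": True,
         "iamPolicy": {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}},
        {"name": "customer-exports",
         "iamPolicy": {"bindings": [{"role": "roles/storage.objectViewer",
                                     "members": ["allUsers", "user:alice@example.com"]}]}},
    ],
    "firewalls": [
        {"name": "allow-ssh-anywhere", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
         "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
        {"name": "allow-internal", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
         "allowed": [{"IPProtocol": "all"}]},
    ],
    "instances": [
        {"name": "web-1",
         "serviceAccounts": [{"email": "123456789-compute@developer.gserviceaccount.com",
                              "scopes": [CLOUD_PLATFORM_SCOPE]}],
         "disks": [{"deviceName": "boot"},
                   {"deviceName": "data", "diskEncryptionKey": {"kmsKeyName": "projects/p/locations/l/keyRings/r/cryptoKeys/k"}}]},
    ],
}

if __name__ == "__main__":
    for line in run_checks(SAMPLE_INVENTORY):
        print(line)
```

Run stand-alone it prints four findings: the public `customer-exports` bucket, the world-reachable SSH rule, and two for `web-1` (the default service account's scope and the boot disk without a customer key); the public website bucket and the internal-only rule are not flagged. The "continuously monitor and auto-remediate" step in the storage bullet would wrap `run_checks` in a scheduled job fed by the real APIs, with a remediation action (for example, removing the public binding) per finding type.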
Public cloud security standards and related efforts come at a critical time. Many AWS customers, for instance, have misconfigured their cloud containers — leaving workloads wide open for probing eyes.