Penetration Testing and Security on Google Cloud
Like Amazon, Google is one of the leading cloud service providers. It offers more than 100 services across about 12 major categories such as Computing, Storage & Database, Networking, Big Data, Data Transfer, API Platform, IoT, Cloud AI, Management Tools, Developer Tools, Identity & Security, and Professional Services. Depending on your needs, you can use one or several of these services in the Google Cloud environment. Unlike AWS (which has historically required advance authorization for some tests, so check each provider's current policy), Google does not require an organization to notify it before a penetration test of the organization's own Google Cloud resources. However, you are still bound by the Google Cloud Platform Terms of Service and Acceptable Use Policy. We will look at the clauses of both documents that are relevant to penetration testing.
Security on Google Cloud Platform – Things You Should Know
Security and privacy have emerged as two of the major concerns when an organization uses a service provider. This, in turn, has led to security and privacy principles being built into the services provided. Google likewise gives an organization a number of features for maintaining a good security posture in the cloud. They are as follows –
- The security model of Google Cloud Platform is the same one used for other Google services such as Gmail and Google Search.
- An organization's data remains encrypted both in transit and at rest. Data at rest is encrypted with 256-bit AES; data in transit is protected with Transport Layer Security (TLS).
- A secure global API gateway infrastructure fronts all services offered on the platform. It is reachable only over encrypted TLS channels, and API calls are authenticated with time-limited tokens. Two-factor authentication (2FA), including hardware security keys, is available as an extra layer for user accounts.
- Requests made to the platform API are logged and reviewed regularly.
- Because Google peers directly with most ISPs, traffic to and from the platform traverses a limited number of hops.
- Using a managed VPN (IPsec-encrypted) or Cloud Interconnect (a private link that is not encrypted by itself, so run a VPN over it or encrypt at the application layer), an organization can also create a communication channel between its on-premises private IP environment and Google's
- Detection controls are deployed at data entry points, with automated responses to detected threats.
- Google complies with ISO 27001, PCI DSS, GDPR, HIPAA and many other global standards and country-specific laws. These attest to Google's side of the platform; the workloads you deploy on it must be assessed separately.
Securing your Presence – Must-do Activities
It is now an accepted fact that security is a shared responsibility. This includes an organization, its employees and clients, as well as the vendor(s) from whom services are obtained. To fulfil its share of that responsibility, an organization should –
- If you use a Google service that runs on virtual machines (such as Compute Engine), it is your responsibility to keep the operating system and applications up to date and to apply patches promptly.
- Through Cloud IAM, Google lets an organization set access permissions for each user at the project level. As a project manager or CISO, grant each team member the least privilege needed for their responsibilities, and prefer predefined or custom roles over the broad basic roles (Owner, Editor).
- A VPC network's implied rules block all incoming traffic to VM instances (the auto-created default network is the exception: it ships with rules allowing SSH, RDP and ICMP from any source, which should be tightened). An organization has to create explicit firewall rules to allow the ingress it needs, and those rules should be scoped to specific source ranges and ports rather than 0.0.0.0/0.
- Google recommends that an organization conduct penetration testing to evaluate the security of its cloud infrastructure.
- It is the organization's responsibility to implement and enforce security controls and access levels for sensitive data stored in the cloud.
- Logging and monitoring are provided by Cloud Logging and Cloud Monitoring (including Cloud Audit Logs, which record which principal did what to which resource). Review them regularly to keep track of activity in your cloud infrastructure.
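The firewall and least-privilege items above can be checked mechanically. The script below is an added example (not code from the original article or from Google) that audits two things: ingress firewall rules that open administrative or database ports to the whole internet, and IAM bindings that grant the broad basic roles or give access to the public principals `allUsers` / `allAuthenticatedUsers`. It runs offline on constructed sample data; the sample shapes are assumed to match the JSON produced by `gcloud compute firewall-rules list --format=json` and `gcloud projects get-iam-policy PROJECT --format=json`, so in practice you would pipe that real output into the two audit functions. The project and account names are invented.

```python
"""Audit Google Cloud firewall rules and IAM bindings for common weaknesses.

Added example, not from the original page. The sample data below is constructed;
its shape follows the JSON emitted by `gcloud ... --format=json` (assumption).
"""
import ipaddress
import json

# Ports an attacker cares about most when they are reachable from anywhere.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   1433: "mssql", 6379: "redis", 27017: "mongodb"}
# Basic (formerly "primitive") roles are far broader than least privilege allows.
BASIC_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: what `gcloud compute firewall-rules list --format=json` returns.
SAMPLE_RULES = json.loads("""[
 {"name": "default-allow-ssh", "network": "global/networks/default", "direction": "INGRESS",
  "priority": 65534, "disabled": false, "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "allow-web", "network": "global/networks/prod", "direction": "INGRESS",
  "priority": 1000, "disabled": false, "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
 {"name": "allow-rdp-office", "network": "global/networks/prod", "direction": "INGRESS",
  "priority": 1000, "disabled": false, "sourceRanges": ["203.0.113.0/24"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
 {"name": "allow-all-internal", "network": "global/networks/prod", "direction": "INGRESS",
  "priority": 1000, "disabled": false, "sourceRanges": ["10.0.0.0/8"],
  "allowed": [{"IPProtocol": "all"}]},
 {"name": "db-open-to-world", "network": "global/networks/prod", "direction": "INGRESS",
  "priority": 1000, "disabled": false, "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["3300-3310"]}]},
 {"name": "old-db-open", "network": "global/networks/prod", "direction": "INGRESS",
  "priority": 1000, "disabled": true, "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]}
]""")

# Constructed sample: what `gcloud projects get-iam-policy xyz-prod --format=json` returns.
SAMPLE_POLICY = json.loads("""{
 "version": 1, "etag": "BwXyz123",
 "bindings": [
  {"role": "roles/owner", "members": ["user:alice@xyz.example",
                                      "serviceAccount:ci@xyz-prod.iam.gserviceaccount.com"]},
  {"role": "roles/editor", "members": ["group:devs@xyz.example"]},
  {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
  {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
  {"role": "roles/compute.instanceAdmin.v1", "members": ["user:bob@xyz.example"]}
 ]}""")


def is_public_range(cidr):
    """True for 0.0.0.0/0 and ::/0, the ranges that mean 'the whole internet'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_in_spec(port, spec):
    """Firewall port specs are a single port ("22") or a range ("3300-3310")."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def exposed_sensitive_ports(rule):
    """Sensitive ports this rule opens to the internet; [] if it opens none."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return []
    if not any(is_public_range(r) for r in rule.get("sourceRanges", [])):
        return []
    hits = set()
    for allowed in rule.get("allowed", []):
        proto = allowed["IPProtocol"].lower()
        if proto not in ("tcp", "all"):
            continue
        specs = allowed.get("ports")  # no "ports" key means every port of that protocol
        for port in SENSITIVE_PORTS:
            if specs is None or any(port_in_spec(port, s) for s in specs):
                hits.add(port)
    return sorted(hits)


def audit_firewall(rules):
    """One finding per enabled ingress rule exposing a sensitive port to 0.0.0.0/0 or ::/0."""
    findings = []
    for rule in rules:
        ports = exposed_sensitive_ports(rule)
        if ports:
            findings.append({"rule": rule["name"], "ports": ports,
                             "services": [SENSITIVE_PORTS[p] for p in ports]})
    return findings


def audit_iam(policy):
    """Flag public principals on any role, and basic roles on any other principal."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:        # public access is the more severe finding
                findings.append({"kind": "public-principal", "role": role, "member": member})
            elif role in BASIC_ROLES:
                findings.append({"kind": "basic-role", "role": role, "member": member})
    return findings


if __name__ == "__main__":
    for f in audit_firewall(SAMPLE_RULES):
        print(f"FIREWALL {f['rule']}: ports {f['ports']} ({', '.join(f['services'])}) open to the internet")
    for f in audit_iam(SAMPLE_POLICY):
        print(f"IAM {f['kind']}: {f['member']} has {f['role']}")
```

On the sample data the firewall audit flags only `default-allow-ssh` and `db-open-to-world`: the web rule opens no sensitive port, the RDP rule is limited to an office range, the internal rule is not public, and the disabled rule is ignored. The IAM audit reports the two public bindings and the three basic-role bindings, while Bob's predefined `compute.instanceAdmin.v1` role passes. Note that `allow-rdp-office` and `allow-all-internal` are not flagged, but a tester would still check whether those source ranges are as trustworthy as their names imply.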
Penetration Testing on Google Cloud – Dos and Don’ts
After carefully going through the Google Cloud Platform Acceptable Use Policy and Terms of Service, we have compiled a list of dos and don’ts for conducting a penetration test on an organization’s cloud presence. A scenario illustrates them.
Let’s consider two companies, XYZ and ABC. ABC is a competitor of XYZ and provides a similar set of services. Both companies are based in the country MNO. To comply with the laws of MNO, the Board of XYZ has decided to conduct a penetration test to check the effectiveness of its technical infrastructure and to fix existing vulnerabilities. It has formed a penetration testing team of 2 external security testing experts and 3 members of the internal security team. Since XYZ’s services rely heavily on Google Cloud, the CISO has shared the following instructions with the penetration testing team.
- Promoting, encouraging or engaging in illegal activity is strictly prohibited. Suppose sending phishing emails is a crime in MNO. Then XYZ must not send targeted phishing emails to ABC’s employees containing a link to a fake website built to harvest their login details.
- XYZ must not violate, or encourage the violation of, the legal rights of others. For example, it must not attempt a penetration test against ABC’s cloud presence, for which it has no authorization.
- XYZ must not engage in any activity that is unlawful, infringing, defamatory, invasive, or for a fraudulent
- XYZ must not intentionally distribute viruses, trojan horses, ransomware or other malware.
- XYZ must not send email that would be considered spam.
- XYZ must not attempt to violate the Terms of Service in any manner whatsoever.
- Interfering with the use of the services, or with the equipment supporting them, is strictly prohibited.
- XYZ must not disable, interfere with, or circumvent the services available on Google Cloud Platform; testing that degrades Google’s shared infrastructure rather than XYZ’s own resources falls under this clause.