Why GCP for Security?
January 9th, 2020 | Tech
By Rob Blanzy
With teams moving at rocketship velocity, taking time to thoroughly consider and apply security measures becomes an increasing challenge. I’ve seen this many times since I started working in the cloud space in the “early days” of cloud over a decade ago. I’ve worked with customers on security and architecture issues involving cloud-native workloads, and those which were migrated from a data center.
While AWS and Azure do provide services that enable security tools, I have found that Google Cloud Platform’s (GCP’s) approach is easier.
A Few Reasons Why GCP is Easy
1. Google has always been a data company.
Google has amassed tremendous volumes of data and provided ways for customers to interact with that data. The result is a deep understanding of security requirements.
2. As a result, some security measures are a given.
With all this history of working with vast amounts of data, security and GRC requirements, some security measures are included automatically. For example, when you are on Google’s network, they encrypt data in transit. They take care of that by default.
3. Google adopted zero trust networks.
Keeping it simple, a zero trust network means trusting no devices or users while still allowing access where required. Google adopted this in its BeyondCorp implementation.
GCP and Securing Workloads
GCP also provides several solutions for securing workloads that are simple to deploy and at the same time effective in managing sophisticated attacks. The GCP list of security services is extensive. Here are a few that impressed me:
An expedient and highly scalable data loss prevention tool is Cloud DLP. It quickly looks into raw data and is able to classify it and determine its sensitivity. It is especially strong at finding data subject to PII, HIPAA and other compliance requirements.
Cloud Security Command Center
In enterprises, security teams often have a lot to deal with simultaneously: far too many tools to use, an overwhelming number of threats, the unknown, and not enough engineers to assist. Cloud Security Command Center is a solid security management platform that also protects data.
It also looks at CIS Benchmarks to assess violations, a great way to work with a baseline security policy. Another benefit is that it integrates with a long list of products.
Containers are a popular way for enterprises to evolve their applications, modernize their software supply chain, and create greater portability when developing microservices. No company has ever deployed as many containers as Google, and they offer ways to scan your containers.
Start with a Secure Architecture
The services above are only a few that are available within GCP. The biggest challenge today is that the majority of enterprise products do not consider security, or do not consider it at the level that is required. Sometimes, security is simply not invited to the party when planning architecture. In many cases, security teams might not have the resources to assist with projects. Engaging security teams early in project and architecture design is key for a secure architecture.
The security teams need input on how their enterprise will consume resources within GCP. Start at the top and work down into the details.
Security Design Review
Security teams need to view all resources, organizations, folders, projects, services, etc. The design should reflect how zero trust networks are deployed to help mitigate risk (see BeyondCorp). Deploy the fundamental services, such as those noted above.
Note: The entire security architecture must reflect the company’s security policy requirements. If a security policy is not in place, or it is outdated, spend the extra time to design or update your security policy requirements. The updated security requirements should be measured against the proposed architecture solutions.
Use an Agile approach in Architecture Design
The next place architecture fails is when the company does not continuously review and improve it. If we look at architecture as software, we need to take an agile approach and always look to iterate on the initial designs. This is where SecOps (Security Operations) teams are beneficial. The idea of building it once is legacy and fails in today’s frenetic pace of technological evolution.
We cannot build a moat around our IT infrastructure and hope for the best. We need to constantly review our logs and leverage the power of GCP’s data platform to simplify things. Tools like Stackdriver are essential. When we do this, and tie into other tools like BigQuery and Data Studio, very powerful solutions can be created to review large amounts of data.
Benefits of GCP and a Managed Service Provider (MSP)
Operational Cost Savings with Secure Architecture
A big challenge and expense for enterprises is the operational cost of IT workloads, including security. Finding and keeping the right type of people to manage security can be tricky. For example, oftentimes, there are not enough security engineers to cover the backlogs. As a managed service provider, Qwinix helps by keeping infrastructure secure. Some of the ways we do this are by reducing data loss and by managing operational initiatives through offering not just DevOps but also SecOps services. We do this so enterprises can focus on their business needs and projects, and spend their resources on being more competitive. Qwinix takes care of their IT operations for them.
You manage your business, we’ll manage your cloud.