gCloud Genie Simplifies Security
Recommended: Please read the Introduction here: Tech blogs with a twist!
A sleek black Chevrolet Suburban SUV stopped in front of the gate of the Cygnos Imperial Bank, one gloomy overcast morning. The national flag, flying proudly on a small pole attached to the front, signified that the car carried a government functionary.
Angela Ramirez, VP and Head of the Audit Committee for the National Reserve Bank stepped out. All of 5’7”, but imposing military demeanor. She was clad in a formal black business suit, her hair now showing slight streaks of Grey, tightly combed and tied back in a ponytail. A file-folder in hand, she walked quick and sharp towards the elevators, with a curt nod to the waiting security personnel from the bank, as they held the door open for her.
Angela Ramirez had earned the moniker of ‘hell’s angel’ in banking circles. As head of the team that audited banks for cybersecurity and compliance, she could make most CISOs squirm with a single glance! She had the power to shut down any part of the infrastructure or operations if she deemed it was not secure enough! Hers was the last word, the buck stopped with her!
Angela was aware of the reputation she carried. The military manner was no coincidence. In her heart, Angela was a true patriot. From her background in military intelligence many years ago, where she protected the nation’s citizens from terror attacks, she retired early and took up this civilian role. In her mind, she was still performing the national duty of protecting citizens’ wealth from cyber attacks and theft.
Somewhere, in some corner of her mind, she wished that she’d be more respected and less feared in the industry. She hoped that CISOs saw her as a friend with a joint responsibility of securing the nation’s wealth, rather than a villain. In most cases, that never happened, because most never lived up to her expectations of security.
Today, she was here to meet Sam Rancher, the CISO of the Cygnos Imperial Bank, along with Zach Kennedy, his Enterprise Architect. CNB was steadily transforming their IT landscape with aggressive cloud adoption. While Angela was not opposed to the idea of cloud in banking, she still had to be sure no boundaries were being crossed. She was ushered into the top floor boardroom with a 360 degree view of the city.
With a nod, a smile and a shake of hands, they all settled down. She noticed that there was an air of calm, not one of stress in the room. “Interesting…” she thought.
Unknown to her, on Zach’s Laptop, in a minimized Window, ‘gCloud Genie’ was ready and poised to wow the lady!
“So…” she began. “I hear you’re doing some great work adopting Public Cloud to transform your business! That’s great, but I hope you’re keeping our citizen’s data safe!”
“Of course” said Sam, the CISO
“Okay, great! I want to hear about security from four perspectives, which I’ll explain first.
- Visibility — How do you gain insight into what’s happening in your cloud?
- Vulnerability Monitoring — How do you ensure someone doesn’t leave the door open, accidentally or otherwise?
- Threat Detection: How do you protect yourself from threats?
- Compliance: How do you demonstrate compliance with applicable standards?”
“Sure Angela, let me begin by assuring you that we have systems in place to address all your concerns. I’ll let Zach, my Enterprise Architect walk you through,” said Sam
“Hi Angela, this is Zach, I’m the EA for CIB. As you know, we’ve partnered with Google Cloud to help us transform ourselves. One of the reasons we chose GCP as our strategic transformation partner is because security is very intrinsic and core at Google.
“We use a tool called ‘Security Command Center’, which acts as our centralized Security and Compliance monitoring and reporting mechanism. It perfectly aligns with the four perspectives that you just outlined!
“Allow me to explain and demonstrate one by one”, Zach said.
Unknown to Angela, gCloud Genie was all set. He popped up a dashboard on Zach’s screen.
“If you can see here, this is the inventory screen. As you see, SCC captures a detailed inventory of every GCP asset that is spun up under our organization. We can discover our asset inventory across the organization. We can review historical discovery scans to identify new, modified, or deleted assets. To receive real-time notifications about resource and policy changes, we can create and subscribe to a feed.”
Angela raised up her hand.
She had seen many such tools. In many cases they were externally bolted on solutions, which were prone to breakage and loopholes. All in all she was not a big fan of the model, and yearned for someone to come up with a more robust solution.
Angela asked: “Let me guess — externally bolted security? Credentials created within GCP and given rights to all relevant APIs? The APIs then feed data to a 3rd party service? How do you handle situations where 3rd party integration breaks?
To her surprise, Zach smiled broadly! “Angela, the answer to each of the questions you just asked is a big no!
Google integrates SCC with GCP from the backend, not through the customer’s landscape. Not only does it have broad access to platform data sources to identify fine tuned detections, but its integration with the GCP control plane means attacks are unable to easily evade detection. Because it’s built by GCP for GCP, it can provide really deep insights.”
Angela sat upright! She was now truly interested!
“Tell me more!” she said.
“Oh there’s so much more to talk about”, said Zach. “Here, let me talk about Vulnerability Detections” he said, with a wink at gCloud Genie, who promptly popped up the Vulnerabilities Dashboard.
We have a ‘Security Health Analytics’ service that discovers and reports misconfigurations which lead to vulnerabilities. Also a ‘Web security Scanner’ for discovering common Web Application Vulnerabilities. We can act and remediate those vulnerabilities with handy guides that Google has provided. Also, SCC integrates deeply with other security solutions within Google’s portfolio such as “Chronicle, Anomaly Detection, Binary Authorization, Cloud DLP, Google Cloud Armor, Forseti and VM Manager”
“Tell me something, what is the detection time like? I’m assuming that the telemetry data will have to be transported somewhere, churned and then based on the analysis, the vulnerability or threat would be notified to you? What’s that timeline like?
“Well, it’s near real time! It’s a matter of seconds! Remember, this is deeply GCP integrated. It’s super quick! Also, we don’t have to push the telemetry data out to another SaaS service, saving us egress costs and mitigating the risk of telemetry data flowing out externally!”
Now it was Angela’s turn to smile broadly! She couldn’t help herself!
“Continue…”
“Sure!” Zach said.
“Here, I’ll brief you about the threat detection capabilities. We have event threat detection and container threat detection. Event threat detection detects threats through scans of log files across the entire GCP landscape. Container threat detection helps detect threats to your Container environment”.
“Okay,” said Angela.
“I have one question. I’m assuming there will be somewhere in your cloud console where you go and turn this thing on. So what happens if your Cloud Console Credentials are compromised? If somebody gets access to the console itself, then it’s all over isn’t it?”
“Again, no!” replied Zach!
“The control plane for SCC is separate from the control plane for the cloud. If I have to Subscribe/ Unsubscribe to the SCC service, I have to contact Google for it, and that’s by design. This is also the reason why SCC can be turned on only for an entire Organization. Organizations often compromise on security for UAT/ Dev environments, and we both know that’s where threats get in, and then infiltrate into Production environments. With SCC, there’s none of that! It applies to the whole Organization. Compulsorily. Period!”
“Wow!” Angela was now beaming at both Zach and Sam! It had been a long time since she was so impressed!
“Coming to Compliance Reporting”, Zach continued…
Up came the Compliance Dashboard, thanks to gCloud Genie.
“Automated dashboarding of Cygnos Imperial Bank’s Compliance Posture with respect to major Industry Benchmarks such as CIS, PCI DSS, NIST 800–53 and ISO/IEC 27001. Drill down to check violations, which are categorized by severity. You can act by following the recommendations to fix the violations.”
“So, what do you think, Angela? Is CIB secure enough in your opinion?” asked Sam Rancher, in his capacity as the CISO
“Oh absolutely!” Angela gushed.
“I admit it’s been a while since I have been so impressed. I was apprehensive when I walked in, because you folks are the frontrunners in Cloud adoption in the country, and I was anxious for you to get security right. But you seem to be going great!
I’ll send in my team tomorrow to sit with you, dive deeper and actually validate everything with proof points, but I don’t see any issues here!
I wish you all the best for your future endeavors.”
She shook hands with both of them, and left the conference room, happier than she was in a long time. Unlike most of her meetings, she hadn’t left the room leaving behind a terrified, cowering, broken CISO. Sam Rancher and Zach were relaxed, confident and at ease, as they shook hands with her.
She had seen respect in their eyes, not fear.
She stepped outside. The morning gloom had cleared and the noonday sun was shining brightly.
Back in the conference room, gCloud Genie grinned as Zach thanked him and closed his laptop.
(The writeup chronicles the GA features of SCC premium as of 21st Oct 2022, and does not make any representation towards future functionality/ architecture)
