Google Cloud Platform Container and VM Threat Detection And Protection

Scaling securely

One of the advantages of moving to Google Cloud Platform is that security is woven into the fabric of the cloud. Still, most large enterprises have developed robust threat detection and protection ecosystems around their on-premise workloads, and would like to bring some of that explicit insight and control to the cloud.

One of Google Cloud’s goals is to meet you where you are, and one of the core building blocks of Google’s Security by Design is that…

Google Cloud Platform’s infrastructure security is designed in progressive layers — hardware, services, user identity, storage, internet communication, and operations. We call this defense in depth.

The above article describes those layers, including Google’s custom-designed chips Titan hardware security chips that allow Google to identify and authenticate legitimate Google devices at the hardware level.

The following explores some of the controls available to detect and protect against threats across Google Compute Engine instances, Kubernetes Containers and Google App Engine .

KVM Hypervisor

Google Cloud uses the open-source KVM hypervisor that has been validated by scores of researchers as the foundation of Google Compute Engine and Google Container Engine, and invests in additional security hardening and protection based on its research and testing experience. Then it contributes back changes to the KVM project, benefiting the overall open-source community.

Following are the main ways Google security hardens KVM to help improve the safety and security of your applications:

• Proactive vulnerability search
• Reduced attack surface area
• Non-QEMU implementation
• Boot and Jobs communication
• Code Provenance
• Rapid and graceful vulnerability response
• Carefully controlled releases

Find out more about the extensive security efforts behind each of these bullets here.

Compute Engine

GCE Shielded VMs (beta)

Shielded VMs are virtual machines on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits.

Using Shielded VMs helps protect enterprise workloads from threats like remote attacks, privilege escalation, and malicious insiders. Shielded VMs leverage advanced platform security capabilities such as secure and measured boot, a virtual trusted platform module (vTPM), UEFI firmware, and integrity monitoring.

GCE Trusted Images

GCE Trusted Images IAM policy allows you to restrict your project members so that they can create boot disks only from images that contain approved software that meets your policy or security requirements. You can define an organization policy that allows your project members to create persistent disks only from images in specific projects.

Docker, Kubernetes and Google Kubernetes Engine

Container security overview

The container security overview describes how to secure your container environment on GCP in three critical areas:

• Infrastructure security
• Software supply chain
• Runtime security

Infrastructure security

Exploring container security: Running a tight ship with Kubernetes Engine 1.10

This article provides best practices for hardening your Kubernetes Engine cluster, with updates for new features in Kubernetes Engine versions 1.9 and 1.10.

Container Optimized OS

Container-Optimized OS from Google is an operating system image for your Compute Engine VMs that is optimized for securely running Docker containers. It is the default node OS Image in Kubernetes Engine and other Kubernetes deployments on Google Cloud Platform. You can also use Container-Optimized OS to quickly bring up a Docker container on a Compute Engine instance with minimal setup.

It provides the following security benefits:

• Smaller attack surface: Container-Optimized OS has a smaller footprint, reducing your instance’s potential attack surface.
• Locked-down by default: Container-Optimized OS instances include a locked-down firewall and other security settings by default. It prevents installing third-party kernel modules or drivers.
• Automatic Updates: Container-Optimized OS instances are configured to automatically download weekly updates in the background; only a reboot is necessary to use the latest updates.

Software supply chain

Help secure software supply chains on Google Kubernetes Engine

This article shows you how to ensure that your software supply chain follows a known and secure path before your code is deployed in a Google Kubernetes Engine (GKE) cluster. The article reviews how binary authorization works, then explains how to best implement and use it with Google Cloud Platform (GCP) to ensure that your deployment pipeline can provide the most information possible to help you enforce approvals at each of your required stages.

Google Container Registry Image Analysis (beta)

Container Analysis provides package vulnerability scanning for Ubuntu, Debian, and Alpine images in Container Registry and assigns Common Vulnerability Scoring System (CVSS) scores based on external CVE data sources.

Container Analysis supports initial, incremental, and continuous scans.

Runtime security

gVisor Container Sandboxing (open source)

gVisor provides a fast and cost-effective solution for sandboxing untrusted Docker and Kubernetes workloads, making it simple and easy to run sandboxed containers in production environments. Sandboxing will prevent a potential compromise from spreading between containers; sandboxing untrusted applications and programs is one of the best practices to keep your system secure and robust. Google recommends having separate clusters and nodes to provide isolation between trusted and untrusted workloads on Kubernetes Engine.

Because it sandboxes untrusted workloads at a deeper level, you can deploy your trusted workloads and sandboxed untrusted workloads on the same node. This will simplify managing your workloads and allow you to optimize utilizing the resources in your cluster: you can have multiple sandboxes within a node, within a cluster, and within a project, without the long spin-up time creating clusters and VMs, and underutilized resources across your Kubernetes clusters inherent in separate clusters and nodes.

Binary Authorization (beta)

Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Kubernetes Engine. With Binary Authorization, you can require images to be signed by trusted authorities during the development process and then enforce signature validation when deploying. By enforcing validation, you can gain tighter control over your container environment by ensuring all container images deployed to a particular production environment have met the deploy policy. For example, you can require all images deployed to the prod-payment cluster to be signed by your centralized builder, QA team and staging test.

Cloud Security Scanner

Cloud Security Scanner is a web security scanner for common vulnerabilities in Google App Engine Standard, as well as (in alpha) Google Compute Engine and Kubernetes Engine. It can automatically scan and detect common vulnerabilities, including cross-site-scripting (XSS), Flash injection, mixed content (HTTP in HTTPS), clear text passwords, and outdated/insecure Javascript libraries.

Cloud Security Scanner enables you to detect key vulnerabilities in development prior to production; after you set up a scan, it automatically crawls your application, following all links within the scope of your starting URLs, and attempts to exercise as many user inputs and event handlers as possible. You can select whether to use Chrome, Safari, Blackberry or Nokia browser agents.

Cloud Security Command Center (beta)

Cloud Security Command Center helps security teams gather data, identify threats, and act on them before they result in business damage or loss. It offers deep insight into application and data risk so that you can quickly mitigate threats to your cloud resources and evaluate overall health.

It helps identify threats like botnets, cryptocurrency mining, anomalous reboots, and suspicious network traffic with built-in anomaly detection technology developed by Google.

It also incorporates security insights from services such as the Cloud Security Scanner and third-party cloud security solutions from vendors such as Twistlock and Redlock.

Cloud Security Command Center provides a companion app for Pub/Sub integration which can be used to trigger Cloud Functions for remediation.

What’s next

Read the following to learn about implementation:

• Exploring container security: Running a tight ship with Kubernetes Engine 1.10
• Help secure software supply chains on Google Kubernetes Engine

Read the following to learn more about the concepts and solution components described in this article:

• Defense in depth
• The Google Cloud approach to security e-book
• Titan in depth: Security in plaintext
• 7 ways we harden our KVM hypervisor at Google Cloud: security in plaintext
• Shielded VMs
• GCE Trusted Images
• Container-Optimized OS
• Google Container Registry Image Analysis
• Binary Authorization
• gVisor Container Sandboxing
• Cloud Security Scanner
• Cloud Security Command Center

Read the following to learn about:

• Securing and auditing the Google Cloud Platform perimeter
• Security Operations Center Data Lake

Acknowledgements

Many thanks to Andy Chang and Nelly Porter for making this article better.