Application security in the Cloud: A definitive guide
How can Google Cloud help with security of your apps?
At this point in the evolution of cloud computing it is fair to say that you have at least some apps in the cloud, or are planning to have a few in the near future. So, you may be wondering about the kind of security measures available to you. In this issue of GCP Comics we are covering exactly that!
We will go over cloud security fundamentals including the three very simple security concepts.
Here you go! Read on and please share your thoughts in the comments below.
Three security fundamentals
Google Cloud provides protection from threats through a secure foundation. It offers the core infrastructure that is designed, built and operated to help prevent threats. How is it done? Here are a few of the ways!
Defense in depth
Google’s infrastructure doesn’t rely on any single technology to make it secure. Rather, builds security through progressive layers that deliver true defense in depth.
Other cloud providers may describe a similar stack of capabilities, but the way Google Cloud approaches many of these is unique. Here is how:
- The hardware is Google controlled, built and hardened.
- Any application binary that runs on Google infrastructure is deployed securely.
- There is no assumption of any trust between services, and multiple mechanisms are used to establish and maintain trust — the infrastructure was designed to be multi-tenant from the beginning.
- All identities, users and services, are strongly authenticated.
- Data stored on Google’s infrastructure is automatically encrypted at rest and distributed for availability and reliability.
- Communications over the Internet to Google Cloud services are encrypted.
- The scale of the infrastructure allows to absorb many Denial of Service (DoS) attacks, and there are multiple layers of protection that further reduce the risk of any DDoS impact.
- The operations teams detect threats and respond to incidents 24 x 7 x 365.
If this is intriguing, here is a white paper on Google infrastructure design that goes into all of these areas in significant details.
End-to-end provenance & attestation
Google’s hardware infrastructure is custom-designed by Google “from chip to chiller” to precisely meet their requirements, including security.
Google’s servers and Operating Systems(OS) are designed for the sole purpose of providing Google services.
- The servers are custom built and don’t include unnecessary components like video cards or peripheral interconnects that can introduce vulnerabilities.
- The same goes for software, including low-level software and OS, which is a stripped-down, hardened version of Linux.
- Further, Google designed and included hardware specifically for security — like Titan, custom security chip that is used to establish a hardware root of trust in the servers and peripherals.
- Network hardware and software are also purpose built to improve performance as well as security.
- This all rolls up to the custom data center designs, which include multiple layers of physical and logical protection.
Understanding provenance from the bottom of the hardware stack to the top allows Google Cloud to control the underpinnings of the security posture. Unlike other cloud providers, Google has greatly reduced the “vendor in the middle problem” — if a vulnerability is found, steps can be taken immediately to develop and roll out a fix. This level of control results in greatly reduced exposure.
Google operates one of the largest backbone networks in the world. There are more than 130 points of presence across 35 countries — and there is a continuous addition of more zones and regions to meet customers’ preferences and policy requirements.
Google’s network delivers low latency but also improves security. Once customers’ traffic is on Google’s network it is no longer transiting the public internet, making it less likely to be attacked, intercepted, or manipulated.
Encryption at rest by default
We will cover this one in more details in the upcoming comics but in short, all data at rest or in motion is encrypted by default on the Google network. And some services offer the option to supply or manager your own keys.
Update at scale without disruptions
Google has the ability to update the cloud infrastructure without disrupting customers using a technology called Live Migration.
Updates add functionality, but from a security standpoint, they also are required to patch software vulnerabilities. No one writes perfect software, so this is a constant requirement.
Keeping ahead of threats
Security landscape rapidly evolves and many organizations struggle to keep pace. Because Google runs on the same infrastructure that is available to the customers, customers can directly benefit from those investments.
The global footprint across enterprises and consumers gives Google an unprecedented visibility into threats and attacks. As a result, solutions can be developed before many other organizations even see the threats, reducing exposure.
In the cloud there can be a lot of control options to make sure the app, the data and the services you deploy are secure. The most important thing to understand is that “cloud security requires collaboration”
Your cloud provider (Google Cloud) is responsible for securing the infrastructure.
You are responsible for securing your data.
And.. Google Cloud provides the best practices, templates, products and solutions to help you secure your data and services.
Keeping this section short because I am planning on doing another comic issue on this topic, there is a lot more to learn here, so stay tuned! 😊
In order to protect the sensitive data that you store in Google Cloud, it maintains and goes though compliance including complex regulatory, frameworks and guidelines. For example HIPPA, FedRAMP, SOC etc.
Read about the detailed compliance standards and certifications here.
To learn more about security fundamentals on Google Cloud, check out this link to the detailed security whitepaper.