Improve Security Posture(AI included) on GCP using Security Command Center (Enforce & Detect)

Ulises Jimenez
Google Cloud - Community
Feb 12, 2024

The problem

The Security Posture feature in Security Command Center (SCC) lets us define, assess and improve our security posture in a single place. One of the challenges for organizations is the diversity of tools involved; with the Security Posture feature released in SCC the process is greatly simplified (organization-level activation of SCC is required). If you also need a quick and secure way to start onboarding AI workloads, built-in posture templates are already available.

The basics

Let me walk you through a simple process to get us started. First, the basics: a security posture is a combination of enforcement and detective controls managed in a single place, both at runtime and as a definition that can be part of a broader IaC pipeline. Enforcement controls are canned (built-in) organization policy constraints and custom organization policy constraints. Detective controls are built from predefined and custom Security Health Analytics (SHA) modules; custom SHA modules are written as CEL (Common Expression Language) expressions.

The approach

So we will be executing the following steps:

  • Define the posture (a Terraform file or a YAML file with the set of policies and detectors; a YAML posture file should be versioned appropriately). See the reference section for how the posture file is structured.
  • Upload the posture definition to a live posture object in SCC (Terraform does this step as part of apply).
  • Deploy the posture to specific places in our GCP hierarchy (organization, folders or projects). The deployment is what actually sets the organization policies (both canned and custom) at the chosen level. Remember that Security Posture still relies on org policies and SHA modules under the hood.
  • Assess and monitor with SCC findings (see the best practices below on how to handle this operational side of Security Posture in SCC).

1. Define the Security Posture

The following sample security posture, written with the google_securityposture_posture Terraform resource, implements the following:

  • Enforcement control (canned org policy) to deny TLS 1.0 and TLS 1.1
  • Enforcement control (custom org policy) to allow only private GKE clusters (private nodes and private endpoint)
  • Detective control (predefined SHA module) to detect Cloud Storage buckets without object versioning enabled
  • Detective control (custom SHA module) to detect BigQuery tables that do not follow the naming convention
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "5.15.0"
    }
  }
}

provider "google" {
  # Configuration options
}

resource "google_securityposture_posture" "posture01" {
  posture_id  = "posture_1"
  parent      = "organizations/00000000"
  location    = "global"
  state       = "ACTIVE"
  description = "Security Posture 01"

  # Enforcement controls: organization policy constraints.
  policy_sets {
    policy_set_id = "org_policy_set"
    description   = "set of org policies"

    # Canned constraint: deny TLS 1.0 and TLS 1.1 on Google APIs.
    policies {
      policy_id = "canned_org_policy"
      constraint {
        org_policy_constraint {
          canned_constraint_id = "gcp.restrictTLSVersion"
          policy_rules {
            values {
              denied_values = ["TLS_VERSION_1", "TLS_VERSION_1_1"]
            }
          }
        }
      }
    }

    # Custom constraint: only allow GKE clusters with private nodes and a private endpoint.
    policies {
      policy_id = "custom_org_policy"
      constraint {
        org_policy_constraint_custom {
          custom_constraint {
            name           = "organizations/00000000/customConstraints/custom.GKEPrivateCluster"
            display_name   = "Enable GKE private cluster"
            description    = "All k8s clusters should expose only private nodes"
            action_type    = "ALLOW"
            condition      = "resource.privateClusterConfig.enablePrivateEndpoint == true && resource.privateClusterConfig.enablePrivateNodes == true"
            method_types   = ["CREATE", "UPDATE"]
            resource_types = ["container.googleapis.com/Cluster"]
          }
          policy_rules {
            enforce = true
          }
        }
      }
    }
  }

  # Detective controls: Security Health Analytics modules.
  policy_sets {
    policy_set_id = "sha_policy_set"
    description   = "set of sha policies"

    # Built-in detector for Cloud Storage buckets without object versioning.
    policies {
      policy_id = "sha_builtin_module"
      constraint {
        security_health_analytics_module {
          module_name             = "OBJECT_VERSIONING_DISABLED"
          module_enablement_state = "ENABLED"
        }
      }
      description = "enable OBJECT_VERSIONING_DISABLED"
    }

    # Custom detector: a finding is generated whenever the predicate evaluates
    # to true, so the expression must be true for tables that BREAK the naming
    # convention, hence the leading "!". HCL "\\d" reaches CEL as "\d".
    policies {
      policy_id = "sha_custom_module"
      constraint {
        security_health_analytics_custom_module {
          display_name = "custom_SHA_policy"
          config {
            predicate {
              expression = "!resource.name.matches('^table-(abc|def)-v\\d+$')"
            }
            resource_selector {
              resource_types = ["bigquery.googleapis.com/Table"]
            }
            severity       = "LOW"
            description    = "Custom Module"
            recommendation = "BIGQUERY TABLE Naming"
          }
          module_enablement_state = "ENABLED"
        }
      }
    }
  }
}

Treat the code above as an illustrative sample only and refactor it appropriately (don't forget terraform plan and terraform apply). Real-life production security postures will have many more policies, but the principle still applies.
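A local dry-run of the custom SHA predicate, added here as an example (it is not part of the original post and not SCC code). It approximates CEL's string.matches() with Python's re.search, because CEL matches is an unanchored RE2 match, and it uses constructed table records whose name is the bare table id so that the regex applies exactly as the post writes it. It shows two things a practitioner should check before deploying a custom module: a finding fires whenever the predicate is true, so a "must follow the convention" rule has to be negated, and dropping the ^ and $ anchors lets a non-conforming name slip through.

```python
"""Dry-run a Security Health Analytics custom-module predicate locally.

Added example, not from the original post. CEL's string.matches(regex)
is an RE2 partial match, so it is approximated here with re.search;
without ^ and $ anchors a substring hit is enough to match. SHA raises a
finding whenever the predicate evaluates to true for a resource.
"""
import re
from dataclasses import dataclass

# Same regex as the posture's custom module (HCL "\\d" reaches CEL as "\d").
NAMING_REGEX = r"^table-(abc|def)-v\d+$"
# The same rule with the anchors dropped, to show why they matter.
UNANCHORED_REGEX = r"table-(abc|def)-v\d+"

# Constructed sample resources (not real Cloud Asset Inventory output).
# The post's predicate reads resource.name, so the bare table id is the name.
SAMPLE_TABLES = [
    {"name": "table-abc-v1"},
    {"name": "table-def-v12"},
    {"name": "table-xyz-v1"},          # wrong team code
    {"name": "old-table-abc-v1-bak"},  # convention present only as a substring
    {"name": "TABLE-ABC-V1"},          # wrong case (CEL matches is case-sensitive)
]


def cel_matches(value: str, regex: str) -> bool:
    """Approximates CEL string.matches(): true if the RE2 pattern matches anywhere."""
    return re.search(regex, value) is not None


@dataclass(frozen=True)
class Finding:
    resource: str
    severity: str
    recommendation: str


def evaluate_module(resources, predicate, severity="LOW",
                    recommendation="BIGQUERY TABLE Naming"):
    """Emits one Finding per resource for which the predicate is true,
    mirroring how an SHA custom module turns a true predicate into a finding."""
    return [Finding(r["name"], severity, recommendation)
            for r in resources if predicate(r)]


def compliant_predicate(resource) -> bool:
    """The post's original expression: true for names that FOLLOW the convention,
    so it would flag the compliant tables."""
    return cel_matches(resource["name"], NAMING_REGEX)


def violation_predicate(resource) -> bool:
    """Corrected expression: true for names that BREAK the convention."""
    return not cel_matches(resource["name"], NAMING_REGEX)


def unanchored_violation_predicate(resource) -> bool:
    """Negated, but without anchors: a name that merely contains a valid id
    is no longer reported."""
    return not cel_matches(resource["name"], UNANCHORED_REGEX)


def flagged_names(predicate, resources=SAMPLE_TABLES):
    """Names of the resources that would get a finding under the given predicate."""
    return [f.resource for f in evaluate_module(resources, predicate)]


if __name__ == "__main__":
    print("original predicate flags :", flagged_names(compliant_predicate))
    print("negated predicate flags  :", flagged_names(violation_predicate))
    print("unanchored negation flags:", flagged_names(unanchored_violation_predicate))
```

Run it before terraform apply whenever the regex changes: the negated, anchored predicate is the only one of the three that reports exactly the three non-conforming tables.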

2. Implement the Security Posture

Once the posture definition is created we can deploy it, that is, apply the security controls contained in the posture at a specific location in the GCP hierarchy; SCC then starts tracking it. After deployment the enforcement controls are live: any change to those settings is flagged as a finding (posture drift) in SCC, and the SHA modules report any resource that violates their rules and conditions.

3. Assess and Monitor

Try making an unintended change to one of the policies, or create a configuration that breaks the rules, and you will see a new finding in SCC under the Security Posture category, either as drift or as an SHA finding.

Once you remediate it, the finding state becomes "Inactive".

Some Best Practices:

  • Apply a general posture at the org level and more restrictive postures at lower levels (only one posture can be deployed per location).
  • Restrict the IAM roles that manage the security posture itself (Security Posture Admin, roles/securityposture.admin, or Security Center Admin, roles/securitycenter.admin) to the team that owns the posture.
  • At the time of writing some functionality to manage Security Posture is only available from gcloud, but most of it is already present in the Terraform provider.
  • Automation works best at scale, so prefer automatic remediation over manual actions.
  • When defining the enforcement controls of the posture, use Policy Analyzer for organization policies (for both canned and custom constraints); its graphical view really helps to visualize the hierarchy and the impact of the posture.

Summary and next steps

We reviewed an approach to get us started, but many more features are available to strengthen our security posture in GCP using SCC.

References

Manage Security Posture

SHA Custom Modules — Supported Resources

Posture YAML File

Secure AI Template

Ulises Jimenez

IT specialist with 15+ years industry experience. I am also a Google Cloud Security Architect assisting users to get the most out of Google Cloud Platform.