Google Cloud has over 4 million users, many of whom use the platform to run instances for applications, storage, and cloud computing. Google Cloud's security is almost second to none. Google completely controls the hardware, pentests its own infrastructure, and is one of the only cloud platforms to offer complete backups for users. At the same time, Google uses a shared responsibility model for security: its users are responsible for securing their integrations, configurations, and passwords. That's standard for any cloud platform, because the platform has no control over what users do. Google Cloud pentesting can help you ensure your assets and instances are secured. Using Google Cloud lightens your security responsibilities, but you're still vulnerable, and it's important to regularly assess those vulnerabilities.
Why Pentest Google Cloud?
Why pentest an environment running on a custom hardened system with 2048-bit RSA encryption? Because most Google Cloud vulnerabilities relate to users, integrations, configurations, and the security of the workstations you use to access Google Cloud. Google only ever pentests its own infrastructure; your applications will never be tested by Google. That's your responsibility.
That means you’re vulnerable through your own code, your own workstations, and your own users.
Application Vulnerabilities – Your application, instance, and integrations are your responsibility. You have to review the code, pentest the application, and ensure everything is secure. Google strongly recommends using API monitoring tooling like StackDriver to assess unusual activity, but you still need pentesting to ensure you aren’t vulnerable.
Configuration Vulnerabilities – Most Google Cloud vulnerabilities relate to poor configuration: open ports, weak password policies, internal security, missing patches, etc. Google's security model attempts to push you toward good security policies, but it cannot make those decisions for you. For example, if you haven't properly secured ports, anyone could access them, and a firewall rule whose source range is the default 0.0.0.0/0 allows anyone on the internet to reach it. Configuration vulnerabilities also include passwords, password management, and software updates.
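The firewall point above is easy to check mechanically. The following is an added example (not code from the original article): it audits a list of Compute Engine firewall rules for enabled ingress rules whose source range is 0.0.0.0/0 or ::/0 and which allow a sensitive port, or every port, of a protocol. The input is a constructed sample in the shape of `gcloud compute firewall-rules list --format=json` output (Compute Engine API field names: direction, sourceRanges, allowed, disabled); the sensitive-port list and the 203.0.113.0/24 "trusted" range are assumptions you would replace with your own.

```python
"""Find Compute Engine firewall rules that expose sensitive ports to the whole internet.

Added example, not code from the original article. The input below is a constructed
sample in the shape of `gcloud compute firewall-rules list --format=json` output.
"""
import ipaddress
import json

# Constructed sample: two rules shaped like the default network's pre-created
# default-allow-ssh / default-allow-internal rules, plus three made-up ones.
SAMPLE_RULES_JSON = """
[
  {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "default-allow-internal", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["10.128.0.0/9"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
               {"IPProtocol": "udp", "ports": ["0-65535"]},
               {"IPProtocol": "icmp"}]},
  {"name": "allow-web", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
  {"name": "open-everything", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "all"}]},
  {"name": "old-db-rule", "direction": "INGRESS", "disabled": true,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["3306"]}]}
]
"""

# Assumed list of ports that should never be reachable from arbitrary internet addresses.
SENSITIVE_PORTS = frozenset({22, 3389, 3306, 5432, 6379, 27017})


def load_sample_rules():
    return json.loads(SAMPLE_RULES_JSON)


def is_open_to_internet(source_ranges):
    """True if any source range is 0.0.0.0/0 or ::/0 (prefix length 0 matches every address)."""
    return any(ipaddress.ip_network(cidr, strict=False).prefixlen == 0 for cidr in source_ranges)


def port_spec_matches(spec, ports):
    """True if a port spec such as "22" or "8000-9000" covers any port in `ports`."""
    low, _, high = spec.partition("-")
    low = int(low)
    high = int(high) if high else low
    return any(low <= p <= high for p in ports)


def find_exposed_rules(rules, sensitive_ports=SENSITIVE_PORTS):
    """Return (rule name, protocol, port spec) for every enabled ingress rule that
    lets the whole internet reach a sensitive port, or every port, of a protocol."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue  # disabled rules and egress rules are out of scope here
        if not is_open_to_internet(rule.get("sourceRanges", [])):
            continue
        for entry in rule.get("allowed", []):
            proto = entry.get("IPProtocol", "all").lower()
            if proto not in ("tcp", "udp", "sctp", "all"):
                continue  # icmp, esp, ah ... carry no port concept
            ports = entry.get("ports")
            if not ports:  # an allow entry without "ports" permits every port
                findings.append((rule["name"], proto, "all"))
                continue
            for spec in ports:
                if port_spec_matches(spec, sensitive_ports):
                    findings.append((rule["name"], proto, spec))
    return findings


def restrict_command(rule_name, trusted_cidr):
    """gcloud command that narrows a rule to a trusted source range.
    The CIDR is a placeholder; substitute your own admin network."""
    return f"gcloud compute firewall-rules update {rule_name} --source-ranges={trusted_cidr}"


if __name__ == "__main__":
    for name, proto, spec in find_exposed_rules(load_sample_rules()):
        print(f"{name}: {proto}/{spec} open to the internet -> {restrict_command(name, '203.0.113.0/24')}")
```

Run against the sample, the script flags default-allow-ssh (tcp/22) and open-everything (every port), skips allow-web because 80 and 443 are not in the sensitive list, and skips old-db-rule because it is disabled. Feed it the real `gcloud ... --format=json` output instead of the sample to audit a live project.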
Google is responsible for securing its hardware and its infrastructure. You will never have to pentest Google Cloud infrastructure or servers. In fact, you shouldn’t. However, you do have to manage security for:
- Data governance and rights management
- Endpoint security
- Accounts and access management
- Directory infrastructure security
- Your operating system security
- Application security
- Network controls
Google’s built-in IAM tooling makes Google Cloud more secure than some of its competitors. However, you still want to regularly pentest your instances and apps to ensure ongoing security.
How Do You Test Google Cloud?
Google doesn't require you to notify them before a pentest, so there are no steps to take before starting an assessment. The rules of engagement are also simple: any assessment must only affect your own projects (not other customers), and you and your pentester have to follow the Terms of Service and Acceptable Use Policy. If you do find a Google infrastructure issue, you're asked to report it under the Vulnerability Reward Program.
Essentially, you’re testing your applications, your configurations, and your properties on the cloud, not the cloud itself. This means:
- Testing systems hosted in Google Cloud instances, such as virtual applications, compute workloads, etc. This testing is normally about finding program errors, code failures, integration vulnerabilities, third-party vulnerabilities, etc.
- Testing Google configurations, such as user accounts, IAM, port settings, firewall settings, etc. Much of this can be solved by optimizing settings in the Google Cloud Security Dashboard.
Best Practices for Google Cloud Security
Google Cloud offers dozens of tools to ensure cybersecurity. Whether it’s IAM accounts, built-in access management, or built-in scanners, Google works to keep its, and therefore your, assets safe.
- Check Git repository configuration
- Set up secondary verification before publishing commits
- Set up secure password policies to prevent employees from re-using passwords across multiple accounts
- Force multi-factor authentication to reduce breaches in case of a password leak, password reuse, or credentials stolen through LFI/RCE
- Check privileges for all IAM members and restrict privileges as much as possible
- Configure Kubernetes Engine for security (where applicable)
- Turn on StackDriver to log and monitor API changes and use
- Turn on encryption
- Turn on Google Cloud Security Scanner
- Check firewall settings
- Configure Cloud Functions securely
- Assign someone to check the data from security tools and act on it
- Regularly review what’s public and what’s inside your perimeter
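The item "Check privileges for all IAM members and restrict privileges as much as possible" can be started from the project's IAM policy alone. The following is an added example (not code from the original article or from Google): it reads a policy in the shape of `gcloud projects get-iam-policy PROJECT --format=json` output, flags public principals (allUsers, allAuthenticatedUsers) on any role and basic roles (roles/owner, roles/editor) granted to domains, service accounts or individual users, and inverts the policy so each principal's full role set can be reviewed at once. The sample policy, the project name and the severity labels are constructed for the example.

```python
"""Audit a project IAM policy for public principals and over-broad basic roles.

Added example, not code from the original article. The sample policy is a
constructed document in the shape of `gcloud projects get-iam-policy --format=json`.
"""
import json
from collections import defaultdict

SAMPLE_POLICY_JSON = """
{
  "version": 1,
  "etag": "BwXconstructed=",
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com",
                 "serviceAccount:deploy@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor", "members": ["domain:example.com"]},
    {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/logging.viewer", "members": ["group:sec-team@example.com"]}
  ]
}
"""

# Principals that mean "everyone on the internet" / "anyone with a Google account".
PUBLIC_PRINCIPALS = frozenset({"allUsers", "allAuthenticatedUsers"})
# Basic roles grant broad permissions across every service in the project.
BROAD_BASIC_ROLES = frozenset({"roles/owner", "roles/editor"})


def load_sample_policy():
    return json.loads(SAMPLE_POLICY_JSON)


def audit_policy(policy):
    """Return (severity, role, member, reason) tuples for bindings that deserve review."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(("HIGH", role, member,
                                 "public principal: anyone (with a Google account) receives this role"))
            elif role in BROAD_BASIC_ROLES:
                kind = member.split(":", 1)[0]  # user, serviceAccount, group, domain ...
                if kind == "domain":
                    findings.append(("HIGH", role, member,
                                     "basic role granted to every account in a domain"))
                elif kind == "serviceAccount":
                    findings.append(("MEDIUM", role, member,
                                     "basic role on a service account; prefer a narrow predefined role"))
                else:
                    findings.append(("MEDIUM", role, member,
                                     "basic role; confirm project-wide owner/editor is really needed"))
    return findings


def roles_by_member(policy):
    """Invert the policy so each principal's full set of roles can be reviewed at once."""
    grants = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            grants[member].add(binding["role"])
    return {member: sorted(roles) for member, roles in grants.items()}


if __name__ == "__main__":
    policy = load_sample_policy()
    for severity, role, member, reason in sorted(audit_policy(policy)):
        print(f"[{severity}] {role} -> {member}: {reason}")
    for member, roles in roles_by_member(policy).items():
        print(member, roles)
```

On the sample policy this produces three HIGH findings (the editor grant to a whole domain and the two public principals) and two MEDIUM findings for the owner bindings; the group with only roles/logging.viewer is not flagged. The same script runs on a real export, and the inverted view is the one to hand to the person assigned to review privileges.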
In some cases, you may still be vulnerable, even with good security policies. Application vulnerabilities, third-party integrations, and third-party partners can all create weaknesses in your cybersecurity.
Getting Started with Google Cloud Pentesting
If you're ready to secure your Google Cloud instance or application, we can help. PentestHero has 10+ years of experience pentesting cloud applications including GCP, Azure, AWS, and more. We can thoroughly test every aspect of security, within Google's guidelines, and according to standards like OWASP, OSSTMM, NIST, and more. Plus, with cloud pentest report delivery, we offer an Agile-friendly pentesting solution, so your teams can immediately roll vulnerabilities into sprints and stay secure.