Doing Google Cloud Security Right! An AWS View, A Pentester's View and All about Landing Zones

Learn how to protect your GCP environment from experts who approach it from different angles

Thank You - This Newsletter is for You

Thank you all for all the love for our newsletter and for sharing it with others 🙏🏻.

It's amazing how quickly a month goes, or even a year 🤓. We are more than halfway through 2023 and it's been a rather interesting year for many. Companies are recovering from 2 or 3 years (depending on who you speak to) of pandemic and digital transformation 💻 and are now tackling some tumultuous economic times (against the background of the AI 🤖 explosion). And it's nearly time for Hacker Summer Camp! 🎮

Speaking of which, if you are attending, please do come and say hello to us. As usual we will be floating around to make sure we say hello to all our favourite cloud security folks and capture some fun interviews and insights for you all. And if you can't make it this year, don't fear: you will have a first-hand account of all the best bits in true Cloud Security Podcast way. Make sure you follow us on our socials to know where to find us 🙂, though we are usually hard to miss 🦚

In case this was forwarded to you, you can sign up here for more Cloud Security.

Cloud Security Podcast This Month: It's all about Google Cloud Security!

Last month we took you on a journey through how to do security better in an AWS environment, and also took you with us virtually to AWS re:Inforce! If you missed any of the episodes, you can find them all on our YouTube page or on your podcast platform.

We kicked off Google Cloud Month with a fun episode with none other than Day Johnson of Cyberwox about Threat Detection in Google Cloud.

Next up we had a very interesting conversation with Caleb Tennis, Information Security Principal at Sequoia Capital, about an AWS-centric view of Google Cloud Identity!

What we learnt from Caleb Tennis

Google Cloud Usage: A Surprising Reality

Caleb shared his insights on the extensive usage of Google Cloud that organizations might not even be aware of.

  • Unnoticed Google Cloud Services: If you use Google Workspace, including email, Google Docs and Google Drive, you're actually using Google Cloud. The Identity and Access Management (IAM) service for Google Cloud runs parallel to your Workspace. Essentially, users with an email address can utilize Google Cloud services without needing any special activation or administration.

  • Google APIs: If your software communicates with Google APIs like Google Maps API, you're already using Google Cloud. Whether it's a simple website displaying locations or an Android app, Google Cloud services are involved.

  • Custom Chrome Extensions: If your organization builds and manages custom Chrome extensions, you are relying on Google Cloud for the back end.

  • Google Apps: The interactive macro features of Google Apps like Spreadsheets and Docs operate within the Google Cloud infrastructure.

  • Firebase and BigQuery: If you're using Firebase for mobile and web applications, or BigQuery for data warehousing, you're definitely part of the Google Cloud ecosystem.

In essence, if you're utilizing any of these services, you're running a Google Cloud tenant.

Starting Journey with Google Cloud Platform (GCP)

Caleb provided some valuable advice for organizations starting their journey with GCP. Here are the crucial steps to begin with:

  • Inventory and Analysis: The first step is to understand the GCP console and learn how to navigate it. Interestingly, if you're an administrator for Google Workspace, you automatically become an admin for Google Cloud, making this transition even smoother.

  • Understand the Hierarchy: Understanding GCP's organizational structure is essential, given its slight differences from AWS. For example, GCP operates within 'projects', which are the equivalent of AWS accounts. These projects are quite flexible and easy to manage, allowing you to better control the scope of work and maintain security.

  • Project Mapping and Inventory: It's vital to take stock of all existing projects, the users assigned to them, and the services each project uses. This process allows you to create a hierarchy, nest projects, and assign management roles based on geography or specific teams.

  • Use Cloud Inventory Tools: Numerous cloud inventory or cloud health solutions exist to help you gain a better understanding of your Google Cloud assets. They offer a broader visibility than just using the console.

To sum it up, organizations are often using Google Cloud services without even realizing it, and getting started with GCP requires a deep dive into inventory and project mapping. This exploration is crucial for the effective management and optimal usage of the cloud services at your disposal. Caleb shared that you may find the Google Cloud Security Centre Documentation useful as you start on this journey.

Now that you may have started to realise that you actually are using Google Cloud, or have started to think about Google Cloud security, we had the pleasure of speaking to Jimmy Barber, who is the VP of Cloud Security for a fintech.

On-Prem to Cloud Transition

Shifting from on-premises to the cloud comes with a significant change in the balance of control and power.

  • You're moving from a defined perimeter (your walls, firewalls, and security appliances) to a concept of 'perimeters everywhere' in the cloud.

  • Your team will face more expectations and avenues to explore, as well as different services to try.

  • Security interaction with the cloud happens through a console, an API, or pipelines that interact with the API, opening new doors for interaction.

  • Understanding these interactions and the services involved, as well as the security boundaries and controls, is crucial.

Building Blocks of working with GCP

Building a robust Google Cloud Platform (GCP) security framework involves a few key steps:

  1. Defining Your Guardrails

    • Establish guardrails as early as possible, regardless of your project's scope or size.

    • These guardrails create a safe, repeatable environment for your development teams.

  2. Understanding IAM

    • Learn the fundamentals of GCP's Identity and Access Management (IAM): roles, bindings to identities, and interactions with Google Workspace.

    • Be cautious of overprivileged roles like the Editor role, which Google itself does not recommend using.

  3. Implementing Threat Detection

    • Employ threat detection tools like Security Command Center, or build your own using Google tools.

    • Consider aggregating your logs with Stackdriver and BigQuery or offloading to a SIEM (Security Information and Event Management).

  4. Managing Security Posture

    • Understand the security posture of the resources you're deploying and address any issues accordingly.

    • If you're using the infrastructure-as-code deployment method, pair it with a robust policy-as-code approach.

  5. Setting Organization Constraints

    • Define policies that limit or restrict the use of certain services and controls.

    • You can even prohibit assigning public IPs to VMs, a common cloud misstep.

    • A process for handling exceptions is also crucial, as it allows your developers to move at speed while maintaining security.
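As an added example (not code from the newsletter or from any of the guests), here are two small policy-as-code guardrail checks covering steps 2 and 5 above, run over resource descriptions in the shape the GCP APIs return; the policy and instance samples are constructed. The first flags IAM bindings that grant a basic role (Owner, Editor, Viewer) or grant to allUsers / allAuthenticatedUsers; the second flags VMs holding an external IP, the misstep that the org policy constraint constraints/compute.vmExternalIpAccess is used to block.

```javascript
// Basic roles and public principals that a guardrail should flag.
const BASIC_ROLES = new Set(["roles/owner", "roles/editor", "roles/viewer"]);
const PUBLIC_MEMBERS = new Set(["allUsers", "allAuthenticatedUsers"]);

// Walk a getIamPolicy result and return one finding per risky (role, member) pair.
function findRiskyBindings(policy) {
  const findings = [];
  for (const { role, members = [] } of policy.bindings || []) {
    for (const member of members) {
      const reasons = [];
      if (BASIC_ROLES.has(role)) reasons.push("basic role; use a predefined or custom role");
      if (PUBLIC_MEMBERS.has(member)) reasons.push("granted to every Google account or to everyone");
      if (reasons.length) findings.push({ role, member, reasons });
    }
  }
  return findings;
}

// Return names of instances holding an external IP. In the Compute API a NIC
// gets one through an accessConfigs entry of type ONE_TO_ONE_NAT (with natIP).
function findPublicInstances(instances) {
  return instances
    .filter((vm) => (vm.networkInterfaces || []).some((nic) =>
      (nic.accessConfigs || []).some((ac) => ac.type === "ONE_TO_ONE_NAT")))
    .map((vm) => vm.name);
}

// Constructed samples mirroring projects.getIamPolicy and instances.list output.
const samplePolicy = {
  bindings: [
    { role: "roles/editor", members: ["user:dev@example.com"] },
    { role: "roles/storage.objectViewer", members: ["allAuthenticatedUsers"] },
    { role: "roles/logging.viewer", members: ["group:sec@example.com"] },
  ],
};
const sampleInstances = [
  { name: "web-1", networkInterfaces: [{ accessConfigs: [{ type: "ONE_TO_ONE_NAT", natIP: "203.0.113.7" }] }] },
  { name: "db-1", networkInterfaces: [{ network: "projects/demo-proj/global/networks/private" }] },
];

console.log(findRiskyBindings(samplePolicy));
console.log(findPublicInstances(sampleInstances)); // prints [ 'web-1' ]
```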

So… What is a Landing Zone?

A landing zone is not a GCP-specific term. It's a framework or a collection of repeatable patterns and services:

  • It's helpful for organizations of considerable size looking to offer cloud services to different business units or departments.

  • It provides an additional layer of abstraction where services and structures are grouped together, allowing repeatable deployment patterns.

  • The shared responsibility model plays a significant role in using landing zones.

The age-old question of which to use: Cloud-Native Services vs. Vendor Tools

Choosing between cloud-native services and other tools boils down to your specific needs and scenarios:

  • Cloud providers' best practices and security guidance can often lean towards their product suite, which might not scale well for large or multi-cloud organizations.

  • The cost model of each service, the billing methods, and how they align with your organization's growth and scale are other factors to consider.

  • The decision ultimately depends on whether a more centralized multi-cloud model or a cloud provider-specific model suits your organization best.

Remember, cloud security is a dynamic field that demands constant awareness and understanding of the evolving landscape. This episode highlights the importance of robust security strategies, the right tools, and best practices to make the most of your GCP deployment.

To complement what we learnt from our chat with Jimmy, we spoke to Anjali Shukla, a senior security consultant, about a pentester's view of Google Cloud!

Getting a Grip on Google's Identity Aware Proxy (GCP IAP)

Anjali offered an in-depth look at the inner workings of Google Cloud's Identity Aware Proxy (GCP IAP).

What is GCP IAP?

The Identity Aware Proxy is a Google-managed service that's all about authentication and authorization. It's perfect if, for example, you have a web application that's still in testing and needs to be accessed by your QA team and no one else. No need for a VPN, a firewall or a whitelist: IAP handles it all while letting you focus on your app.

GCP IAP and Zero Trust

Gone are the days when the focus was solely on perimeter security. Now the tide has turned towards the zero trust architecture.

This approach regards every bit of traffic, whether internal or external, as untrusted.

IAP fits right into this model as it follows a two-step process: authentication using OAuth 2.0, followed by authorization to confirm whether the user has permission to access the app.

GCP IAP vs AWS Cognito: You're probably asking, are they similar?

Here's a nifty comparison between the two based on Anjali's insights:

  • AWS Cognito

    Primarily used for sign-in or sign-up functionality, AWS Cognito offers you the flexibility to let users register on your application or to manage the registration process yourself. It also enables users to access AWS services after logging in.

  • GCP IAP

    The functionality of IAP is slightly different. It focuses on access management and controls the traffic to your private or internal applications. IAP doesn't allow for user registration or control over registration methods like Cognito does. If you're looking for a more Cognito-like service in GCP, then Identity Platform would be your best bet.

Anjali's Approach to Cloud Security Assessment

Anjali provided some valuable insights into her cloud security assessment strategy:

  • She begins with a basic scan using an open-source tool such as Prowler, CloudQuery, or Steampipe. The output of this scan then undergoes a thorough validation process.

  • Following the scan, she recommends hunting for the 'low-hanging fruit'. This refers to vulnerabilities that are relatively easy to spot and exploit, such as whether an App Engine service or storage bucket can be accessed with or without a Gmail ID.

  • If the application is deployed on Compute Engine, checks for XSS and SSRF vulnerabilities should be performed as part of the security assessment.

Google Cloud Security Month has been jam-packed with goodness. Already 4 episodes in, you may think we are done for this month, but we have 2 more episodes dropping in the coming days, so keep your eyes and ears peeled on our socials or podcast platforms 🔊

Want to learn more about Cloud Security, or know someone who wants to? We've got you!

If you have been following our journey for a while, you would know that one of the big reasons we started Cloud Security Podcast was to make cloud security knowledge accessible for anyone wanting to learn it.

Have you joined our FREE Monthly Cloud Security Bootcamp yet? We have a session running this coming Monday so make sure you are signed up to get the invite!

In the spirit of continuing the learning together, we have kicked off another free Cloud Security Bootcamp, running LIVE once every month. If you want to join in or know someone who will benefit from it, you (or they) can subscribe to it here.

Cloud Security Podcast in August

Cloud Security Podcast will be at Hacker Summer Camp in August and, right on theme, running a month of Offensive Cloud Security with some stellar guests. We are also doing something rather special with these episodes, so definitely follow and subscribe (as we say 😊) to stay updated on when they drop!

Are you liking this new format newsletter? What can we do better? What else would you like to see here?

Our newsletter is on a path of self-improvement and reinvention. Ashish and I have challenged ourselves to bring you even more value as we continue to evolve it each week, and we would love to hear from you 📢 about how we can make this newsletter even more awesome for you. (On that note: thank you for subscribing 💙)

Hope you are enjoying the new-look Cloud Security Newsletter; there's plenty more to come.

Peace!

Was this forwarded to you? Sign up here

Want to partner with Cloud Security Podcast? Let's make it happen

Have a topic or idea to share? Submit it here

Need Cloud Security or AI Security Training or Consulting? Let’s Connect