Eliminate Critical Risks in the Cloud

Uncover and remediate the critical severity issues in your cloud environments without drowning your team in alerts.

Top Google Cloud Security Tools [By Use Case]

10 native tools for IAM, data protection, network security, threat detection, and compliance management.

Wiz Experts Team
8 minutes read

Google Cloud Platform (GCP) offers a robust suite of security tools to empower users to attain comprehensive protection for their cloud resources.

So what does that look like in practice? In short, comprehensive security in Google Cloud environments necessitates a layered approach. IAM meticulously controls access to your resources, acting as a digital gatekeeper. To safeguard sensitive information, Google Cloud offers data protection tools that secure data at rest and in transit. Then there are network and application security tools in GCP that can help to filter out malicious traffic and protect your workloads. GCP also offers a number of threat and compliance management solutions to identify security threats and simplify meeting regulatory compliance requirements.

This blog post explores the key Google Cloud security tools that achieve these critical aims. Let’s get started.

Identity access management (IAM)

Cloud Identity

Cloud Identity is the identity as a service (IDaaS) solution in GCP, and it provides a centralized identity management system to simplify user management, reduce administrative overhead, and ensure consistent access policies across your entire IT infrastructure. Cloud Identity can be used to manage identities across your entire organization, including those used for Google Workspace, other cloud applications, and even on-premises systems with additional configuration.

With Cloud Identity, you can leverage existing groups and roles for GCP resources, and these roles can either be predefined or custom created to cater to your security requirements. Cloud Identity helps implement single sign-on and multi-factor authentication, two important capabilities to add an additional layer of security:

Single sign-on: Single sign-on can be enabled if you are using a Cloud Identity or a Google Workspace account to access Google Cloud services.You can enable single sign-on for cloud apps in Google so that authentication is handled by your existing third-party identity provider, like Okta, Microsoft Entra ID, or Ping Identity.

Figure 1: Google Cloud SSO architecture (Source: Google Cloud)
  • Multi-factor authentication: Google Cloud Identity can be configured to support multi- factor authentication (MFA), also known as 2-step authentication, for additional security when users attempt to access cloud resources. The second step of the authentication can be through a text message, a phone call, a Google prompt, via the Google Authenticator app, or with security keys. Of these options, using security keys is the recommended approach because it offers the most protection.

Data protection

Next, let’s take a look at Google Cloud’s offerings that help protect data at rest and in transit.

Google Cloud Key Management Service (KMS)

Google Cloud KMS acts as a central vault for your encryption keys. You can use KMS to generate, manage, and control access to these keys, which are essential for encrypting your data at rest and in transit. The benefits of Google Cloud KMS include: 

  • Flexible operation: With KMS, you can generate keys in Google Cloud, bring your own keys (BYOK), or integrate with third-party external key management (EKM) systems.

  • Access control: KMS allows you to set permissions outlining who can access stored keys. You can also track keys’ usage through integration with IAM and Google Cloud Audit Logs.

  • Automated backup: Keys are backed up automatically to protect from data corruption and data loss.

  • Key rotation: KMS configures key rotation automatically when keys are created, however, users have the flexibility to adjust the default configuration to align with organizational requirements.

Figure 2: Google Cloud KMS and EKM integration (Source: Google Cloud)

Chronicle SIEM

Chronicle is the security information and event management (SIEM) solution from Google. By ingesting data from various sources, including security logs and network traffic, Chronicle SIEM pinpoints security threats and potential data breaches. Other benefits are:

  • Threat detection: Chronicle SIEM can help identify activities in your GCP resources that could indicate a data breach attempt. The Chronicle Detection Engine helps automate the process of searching data to identify security issues.

  • A curated view: Chronicle SIEM can curate threat domains and present an at-a-glance view of priority alerts that need to be addressed.

  • Simplified usage: Available as a simple browser-based application, it can also be accessed through an API interface.

Cloud Data Loss Protection

Cloud Data Loss Protection (DLP) is part of Sensitive Data Protection from GCP, designed to discover and protect sensitive data managed by organizations. DLP boasts:

  • Predefined detectors: DLP has more than 150 predefined detectors that can be used to profile and detect sensitive data in BigQuery. You can also create your own custom detectors.

  • Integration with Chronicle and SCC: By integrating DLP with SCC and Chronicle, you can leverage the combined intelligence of these tools to prioritize and investigate threats.

  • Data masking: When training machine learning models, use DLP to mask data to prevent the misuse of sensitive information and ensure privacy.

Network and application security

Google Cloud offers a multi-layered approach to securing your network and applications through tools such as Google Cloud Armor, VPC Service Controls, and Identity-Aware Proxy.

Google Cloud Armor

Google Cloud Armor is a GCP security service that shields web applications and services from threats such as DDoS attacks and vulnerabilities such as SQL injection, cross-site scripting, local file inclusion, and remote file inclusion. As it operates at the edge of Google's points of presence (PoPs) across the world, Cloud Armor can protect applications from malicious traffic before it reaches its systems.

  • DDoS protection: Google Cloud Armor provides strong DDoS protection to mitigate volumetric, protocol, and application-layer attacks. It uses Google's global network to absorb and tackle large-scale attacks.

  • Centralized security policies: With Google Cloud Armor, you can set up central security policies that apply to all of your web apps and services. Use these rules to allow or block access to your resources based on factors like IP addresses, geographic location, and other criteria.

  • Scalability: Google Cloud Armor can scale seamlessly to handle traffic spikes and neutralize DDoS attacks without impacting application performance.

  • Logging and monitoring: To provide visibility into security events and cyber threats, Google Cloud Armor integrates seamlessly with the native logging and cloud monitoring capabilities of GCP.

Figure 3: Google Cloud Armor policy overview (Source: Google Cloud)

VPC Service Controls

Google Cloud VPC Service Controls enhances security by creating a protective boundary around Google Cloud Platform resources in a virtual private cloud (VPC). By regulating the egress of information from VPC networks, VPC Service Controls minimizes the risk of data exfiltration. The service also offers:

  • Context-aware access: VPC Service Controls helps implement context-aware access, where resource access is regulated based on client attributes such as device data, network IP, VPC network, and identity type.

  • Data exfiltration protection: VPC Service Controls works alongside network egress protections to stop clients that are beyond the defined boundaries from reaching Google-managed services.

Dry-run mode: Use dry-run mode to analyze access attempts to resources in VPC networks. This allows you to observe traffic patterns and understand service usage in order to implement the right service controls without impacting authorized access.

Identity-Aware Proxy

Identity-Aware Proxy (IAP) helps establish application-layer authorization through IAM without depending on network firewalls. With IAP, users can securely access applications hosted on Google Cloud or on-premises without the need for a VPN. Other benefits of IAP are:

  • Granular access: IAP intercepts incoming requests to your applications, verifies the user's identity through Google Cloud Identity, and authorizes application access based on roles defined for the user.

  • Zero-trust security: IAP is aligned with the Google Cloud zero-trust security model. 

  • TCP forwarding: Using the TCP-forwarding feature of IAP, you can access VMs in Google Cloud through SSH & RDP through the public internet. The communication is secured through HTTPS.

  • Hybrid cloud support: IAP can be used to secure access to applications hosted in Google Cloud, on-premises, and other cloud platforms.

Figure 5: IAP authentication flow (Source: Google Cloud)

Compliance management

Compliance management in GCP is enabled by services such as Organization Policy Service and Google Cloud Security Command Center.

Organization Policy Service

Google Cloud's Organization Policy Service empowers organizations to establish and enforce policies throughout their cloud environment. These policies help ensure compliance with internal guidelines, industry standards, and legal requirements. Count on Organization Policy Service for:

  • Centralized policy management: As its name implies, Organization Policy Service helps with the centralized management of policies, which define restrictions for how organization resources are used, such as the location of services, resource sharing, usage of IAM services, and more.

  • Policy hierarchy: The Organization Policy Service facilitates the implementation of a hierarchical policy structure at organization, folder, and project levels. This hierarchical setup gives organizations the flexibility to control policy application based on their organizational structure and specific needs.

  • Predefined and custom policies: Google Cloud provides pre-built policies for common areas like resource handling, security, and access control. Additionally, organizations can craft custom policies.

For instance, this sample code shows how to create an organization policy that disables serial port access: 

{
  "name": "RESOURCE_TYPE/RESOURCE_ID/policies/gcp.disableSerialPortAccess",
  "spec": {
    "rules": [
      {
        "condition": {
          "expression": "resource.matchTag(\"ORGANIZATION_ID/disableSerialAccess\", \"yes\")"
        },
        "enforce": true
      },
      {
        "enforce": false
      }
    ]
  }
}

Google Cloud Security Command Center

Google Cloud Security Command Center (SCC) is a native cloud-risk and posture-management service that helps businesses manage security, identify threats, and reduce data-breach risks. It provides a clear view of the security posture of all resources in Google Cloud. Here are SCC’s key features:

  • Compliance dashboard: SCC offers a compliance dashboard as part of Security Health Analytics that provides visibility into compliance status and adherence to industry standards and regulatory requirements. With assessments of configuration settings and security controls, the dashboard allows you to track compliance with standards such as PCI DSS, HIPAA, GDPR, and SOC 2.

  • Unified security view: SCC provides a centralized view of security findings, threats, and vulnerabilities across Google Cloud products and services. It can aggregate data from multiple sources, including on-premises as well as other cloud environments, along with Google Cloud.

  • Continuous risk engine: The risk engine in SCC simulates attack vectors and provides rich insights and attack-exposure scoring.

  • Cloud identity and entitlement management (CIEM): SCC’s CIEM feature manages excessive or dormant access permissions in GCP that could pose security risks. CIEM uses a machine learning algorithm to analyze how permissions are used (including inherited permissions) to identify permissions that need to be revoked.

Figure 6: Google Cloud Security Command Center services and operations (Source: Google Cloud)

Threat detection

Google Cloud Web Security Scanner is a tool that scans web applications, containers, and virtual machines for potential security flaws. It assists companies in identifying and addressing vulnerabilities in their web apps hosted on Google App Engine, Google Kubernetes Engine (GKE), and Google Compute Engine. Google Cloud Web Security Scanner provides:

  • Automated scanning: Automatically scan web applications deployed on Google Cloud for common security vulnerabilities, including cross-site scripting (XSS), SQL injection, and insecure direct object references.

  • OWASP Top 10 category support: The Google Cloud Web Security Scanner is aligned with OWASP’s Top 10 critical web application security risks and displays associated findings from your applications.

  • False positives management: Inbuilt security guardrails prevent false positives, reducing alert fatigue. (However, it’s always a good idea to incorporate other security scanners in case vulnerabilities are underreported due to these guardrails.)

Enhancing Google Cloud security with third-party tools

As we’ve seen, GCP offers a robust set of native security tools. Still, to protect against sophisticated threats, businesses need advanced, specialized solutions. Enter Wiz. Our all-in-one solution excels at securing your GCP deployments.

With our cloud native application protection platform (CNAPP), you’ll get comprehensive security for GCP, along with other leading cloud providers. Our industry-leading solution includes:

  • Cloud security posture management (CSPM): Wiz offers an agentless design, simplifying deployment and reducing operational overhead. We proudly deliver 100% visibility across different cloud environments. Wiz can be used to scan VMs, serverless resources, databases, data repositories, and other PaaS solutions—regardless of whether you have just GCP or follow a multi-cloud strategy.

  • Centralized visibility: Wiz’s graph-based system helps you spot and understand threats right away, and it helps your organization make data-driven security decisions.

  • Cloud detection and response (CDR): The contextual information provided by Wiz helps you correlate threats and enables real-time remediation. You can monitor workloads across multiple cloud platforms to identify malicious behaviors and leverage out-of-the-box playbook integration to respond to incidents.

  • Data security posture management (DSPM): By constantly scanning for possible data exposure paths, Wiz protects your personally identifiable information (PII), protected health information (PHI), and payment card industry (PCI) data.

Simply put, Wiz provides you with the ability to take proactive measures to secure your data and reduce the likelihood of breaches by identifying possible exposure paths.

Get a demo today to learn more!

Secure everything you build and run in Google Cloud

Learn why CISOs at the fastest growing companies choose Wiz to secure their cloud environments.

Get a demo 

Continue reading

What Is Shadow IT? Causes, Risks, and Examples

Wiz Experts Team

Shadow IT is an employee’s unauthorized use of IT services, applications, and resources that aren’t controlled by—or visible to—an organization’s IT department.

What is API Security?

API security encompasses the strategies, procedures, and solutions employed to defend APIs against threats, vulnerabilities, and unauthorized intrusion.

What is Data Classification?

Wiz Experts Team

In this post, we’ll explore some of the challenges that can complicate cloud data classification, along with the benefits that come with this crucial step—and how a DSPM tool can help make the entire process much simpler.