Source URL: https://cloud.google.com/blog/products/identity-security/5-ways-google-cloud-can-help-you-minimize-credential-theft-risk/
Source: Cloud Blog
Title: 5 ways Google Cloud can help you minimize credential theft risk
Feedly Summary: Threat actors who target cloud environments are increasingly focusing on exploiting compromised cloud identities. A compromise of human or non-human identities can lead to increased risks, including cloud resource abuse and sensitive data exfiltration. These risks are exacerbated by the sheer number of identities in most organizations; as they grow, the attack surface they represent also grows.
As described in the latest Google Cloud Threat Horizons Report, organizations should prioritize measures that can strengthen identity protection.
“We recommend that organizations incorporate automation and awareness strategies such as strong password policies, mandatory multi-factor authentication, regular reviews of user access and cloud storage bucket security, leaked credential monitoring on the dark web, and account lockout mechanisms,” said Iain Mulholland, senior director, Security Engineering, in last week’s Cloud CISO Perspectives newsletter.
Today, we are detailing key risk mitigations from Google Cloud security experts that you can quickly act on. Every organization should evaluate these mitigations as part of their efforts to protect their cloud deployments.
aside_block
Google Cloud’s built-in protections
Google Cloud provides always-on account protection measures that help mitigate credential theft. Many of these protections are based on heuristics that detect likely credential theft and terminate an attacker’s session. Others limit the use of suspected stolen cookies to minutes, instead of hours.
Google Cloud requires users to reauthenticate to confirm the validity of their credentials before allowing many sensitive actions in the Cloud Console. This reauthentication can happen deterministically or based on a risk score.
Google Cloud sets default Organization Policies on newly created organizations to guard against common risks of service credential theft and sharing of resources.
However, as attacker tactics evolve, it’s important to have additional layers of defense in place spanning multi-factor authentication (MFA), protecting sessions, protecting service credentials, identity and access controls, and security monitoring.
Google Cloud customers are encouraged to adopt the following measures to help increase protection against credential theft:
Multi-factor authentication (MFA): As part of our shared fate approach to help customers, we recently described our plans to make MFA mandatory for all Google Cloud users this year. If you have not enabled MFA yet, you can take these steps in advance of mandatory enforcement:
Enable MFA on your primary Identity Provider (IdP). For Google Cloud customers who use Google Cloud Identity as their primary IdP, follow these instructions.
Add an MFA instrument to Google Cloud Identity accounts for re-authentication. If Google Cloud Identity is not your primary IdP, this provides an independent layer of verification prior to allowing sensitive actions. Follow these instructions.
Configure your IdP to always challenge (ideally with MFA) when accessing Google. When Google Cloud customers use Cloud Identity with their own IdP through SAML or OIDC, Cloud Identity queries the IdP for an attestation when the session expires or when Google Cloud requires re-authentication. In the default configuration, IdPs silently approve all these attestations to minimize user friction. However, most IdPs can be configured to always require re-entering credentials, and even to always require MFA whenever Google Cloud requests an attestation. This configuration can be set up to only apply to the app representing Google Cloud, and not for all apps that the IdP federates for a smoother user and administrative experience.
Protecting sessions: We recommend four controls that can help increase session protection:
Limiting session length can reduce the usefulness of stolen cookies. The default session length is 16 hours, and is user-configurable. Here are instructions for setting session length, and you can read more on session length management.
Limiting IPs allowed to access Cloud Console and APIs with Context-Aware Access (CAA) can make stolen credentials useless (unless the attacker has access to allowlisted IPs, such as the corporate network or VPN IPs.)
Certificate-based access can be used to require mTLS certificates to access Cloud Console and Google Cloud APIs. mTLS provides strong protection against cookie theft, requiring users to present an mTLS certificate in addition to existing credentials such as cookies. mTLS certificates are typically stored in the Trusted Platform Module (TPM) of the user’s device, making them extremely difficult for an attacker to steal. Many enterprises already deploy mTLS certificates to their users, and Google Cloud allows customers to either reuse their existing mTLS certificates, or use new ones just for Google Cloud.
Contextual-access restrictions can be configured with Access Context Manager, which allows Google Cloud organization administrators to define fine-grained, attribute based access control for projects and resources. Access levels can be configured to require additional device and user attributes to be met in order for a resource request to be successful. For example, you can require that a corporate-managed be used to access and configure resources.
Protecting service credentials: Organizations should also build layered protection for non-human identities. Google Cloud offers detailed best practices for managing, using, and securing service account keys and API keys. Three important controls to consider:
Disable creation of service account keys: This Organization Policy setting prevents users from creating persistent keys for service accounts. Instead of allowing unqualified use of service account keys, choose the right authentication method for your use case, and allow exceptions for service account keys only for scenarios that cannot use more secure alternatives.
Disable leaked service account keys automatically: Google Cloud regularly scans public repositories (including Github and Gitlab) for leaked service account keys. If Google Cloud detects an exposed key, it will automatically disable the key. It also creates a Cloud Audit Logs event and sends a notification about the exposed key to project owners and security contacts. We strongly recommend not modifying the DISABLE_KEY option (which is on by default).
Binding service account keys to trusted networks: Context Aware Access for service accounts enables customers to bind service accounts to an IP-range or specific VPC networks, and enforce that service accounts can access Google Cloud services and APIs only from these trusted networks. Customers can request early access to this control using this form.
Identity and access controls: Adhering to the principle of least privilege can help limit the impact of credential compromise; use these controls to limit access and privileges to only what users need to perform their job functions.
Google Cloud Identity and Access Management (IAM) lets you grant granular access to specific Google Cloud resources and can help prevent access to other resources. Permissions are grouped into roles, and roles are granted to authenticated principals. You should regularly review and right-size permissions using tools such as IAM Recommender. The Google Cloud Architecture Framework provides additional best practices for managing identity and access.
VPC Service Controls enable a powerful, context-aware approach to control access for your cloud resources. You can create granular access control policies based on attributes such as user identity and IP address. These policies ensure specific security controls are in place before granting access to cloud resources from untrusted networks. By allowing access only from authorized networks, VPC Service Controls helps protect against the risk of data exfiltration presented by clients using stolen OAuth or service account credentials.
Principal access boundaries can precisely define the resources that a principal is eligible to access. If a policy makes a principal ineligible to access a resource, then their access to that resource is limited regardless of the roles they’ve been granted.
Restrict identities by domain using domain-restricted sharing to limit role grants to users belonging to a specific domain or organization. When domain restricted sharing is active, only principals that belong to allowed domains or organizations can be granted IAM roles in your Google Cloud organization.
Security monitoring: In addition to implementing preventative controls, you should proactively monitor your cloud environment for signs of compromise. Early detection can help limit the business impact of a compromise.
Security Command Center (SCC) is Google Cloud’s built-in security and risk management platform. It provides comprehensive security posture management, threat detection, and compliance monitoring. With SCC’s Cloud Infrastructure Entitlement Management (CIEM) capabilities, you can manage which identities have access to which resources in your deployments, mitigate potential vulnerabilities that result from misconfigurations, and enforce the principle of least privilege. The Sensitive Actions Service within SCC automatically detects and alerts on potentially damaging actions occurring across your cloud organization, folders, and projects. SCC’s Virtual Red Teaming capability continuously detects if high value resources are exposed and surfaces the identities and access paths that could lead to compromise.
Next steps
Maintaining a strong security posture requires ongoing evaluation of the risks your organization faces, and the controls you have in place to address them. These recommendations can help you strengthen your cloud estate against the growing risks associated with credential compromise.
You can learn more about protecting your Google Cloud deployments in our security Best Practices Center.
AI Summary and Description: Yes
**Short Summary with Insight:**
The text highlights the escalating threat of compromised cloud identities in cloud environments, driven by increased activity from malicious actors. It outlines actionable recommendations from Google Cloud experts for enhancing identity protection and mitigating risks related to credential theft. This information is especially relevant for security professionals in the cloud computing domain, as it emphasizes the necessity of robust multi-factor authentication, identity and access controls, and proactive security monitoring.
**Detailed Description:**
The text discusses the growing concern of threat actors exploiting compromised identities in cloud environments, emphasizing the increased risk of cloud resource abuse and sensitive data exfiltration. The sheer volume of identities, both human and non-human, in organizations expands the attack surface, necessitating effective measures for identity protection.
Key Points:
– **Threat Landscape**:
– Organizations face heightened risks from compromised identities.
– The Google Cloud Threat Horizons Report underscores the urgency of addressing these vulnerabilities.
– **Recommendations for Enhanced Identity Protection**:
– **Automation and Awareness**:
– Strong password policies.
– Mandatory multi-factor authentication (MFA).
– Regularly review user access and cloud storage bucket security.
– Monitor leaked credentials on the dark web.
– Implement account lockout mechanisms.
– **Google Cloud Built-in Protections**:
– Always-on account protections, including heuristics to detect credential theft.
– Reauthentication requirements for sensitive actions.
– Default Organization Policies to guard against credential theft.
– **Mitigation Strategies**:
– **Multi-Factor Authentication (MFA)**:
– Upcoming mandatory MFA for all Google Cloud users.
– Specific steps for enabling MFA on Identity Providers (IdPs).
– **Session Protection**:
– Limiting session lengths and IP address access to the Cloud Console.
– Using mutual TLS (mTLS) certificates for added security.
– Contextual access restrictions via Access Context Manager.
– **Service Credential Protection**:
– Disable creation of service account keys unless necessary.
– Automatic disabling of leaked service account keys.
– Binding service accounts to trusted networks.
– **Identity and Access Controls**:
– Employ the principle of least privilege using Google Cloud IAM.
– Regularly review and adjust permissions.
– Utilize VPC Service Controls for context-aware access.
– **Security Monitoring**:
– Proactively monitor for signs of compromise using tools like Security Command Center (SCC).
– Employ threat detection and compliance monitoring to manage security posture effectively.
– **Next Steps**:
– Ongoing risk evaluation and adaptation of security controls are essential for maintaining a strong security posture.
– Guidance is provided for accessing additional resources in the Google Cloud security Best Practices Center.
This comprehensive approach not only helps organizations mitigate the risk of identity-related security breaches but also aligns with best practices in cloud security, making it a critical read for professionals responsible for cloud security and compliance.