Google Cloud Platform compliance and integration with ignyte assurance platform
Previously we published an article discussing some of the best practices surrounding cloud security, in this article, we will discuss cloud a little more specifically by focusing on one in particular provider Google. Google offers several different solutions for customers known as GCP or the Google Cloud Platform. GCP is set infrastructure tools and services which customers can utilize to build environments they need in order to facilitate a solution for their business.
 
Number of Services and Types
GCP offers 115 different types of services as of October 2019, which fall under the GCP terms of service. They provide many more and are constantly adding new ones, but those do not necessarily fall under the same agreement. The services are separated into various types and run on the same infrastructure that Google uses internally for its end-user products. Below are some key types of services, and the coordinating service offered:

AI & Machine Learning

  • Vision AI
  • Video AI
  • Translation
  • Natural Language
  • Dialogflow
  • AutoML Tables
  • Cloud Text-to-Speech API
  • Recommendations AI
  • Cloud Speech-to-Text API
  • Cloud Inference API
  •  
    API management

  • Apigee API Platform
  • API Analytics
  • API Monetization
  • Apigee Hybrid
  • Apigee Sense
  • Developer Portal
  • Cloud Text-to-Speech API
  • Apigee healthcare APIx
  • Cloud Healthcare API
  •  
    Compute

  • Compute Engine
  • Shielded VMs
  • Google Kubernetes Engine (GKE)
  • Anthos on-premises
  • Container security
  • Migrate for Compute Engine
  • App Engine
  • Cloud Run (beta)
  • Cloud Functions
  • Cloud Functions for Firebase
  •  
    Data analytics

  • BigQuery
  • Cloud Dataflow
  • Cloud Dataproc
  • Cloud Datalab
  • Cloud Dataprep
  • Cloud Pub/Sub
  • Cloud Composer
  • Cloud Data Fusion
  • Cloud Data Fusion
  • Genomics
  •  

    Databases

  • Cloud Spanner
  • Cloud Memorystore
  • Cloud Firestore
  • Cloud SDK
  • Cloud SQL
  • Cloud Bigtable
  • Networking

  • Cloud CDN
  • Cloud NAT
  • Hybrid Connectivity
  • Cloud DNS
  • Network Telemetry
  • Traffic Director

  •  

    GCP Security Services

    Google recognises the need for greater security in the realm of cyberspace today, taking great steps to not mitigate known bugs, but also find potentially devastating new ones. They also offer several additional security services and products inside GCP which integrate with the Ignyte Assurance Platform. These include:

    Network security

  • Virtual Private Cloud
  • Cloud Load Balancing
  • Hybrid Connectivity
  • Encryption in transit
  • Application Layer Transport Security
  • Cloud Armor
  • Infrastructure security

  • Cloud Infrastructure Security Overview
  • Container Security Overview
  • Shielded VMs
  • Binary Authorization
  • Cloud SQL
  •  

    Endpoint security

  • Chromebooks
  • Chrome Browser
  • G Suite Device Management
  • Safe Browsing
  • User Protection Services

  • Phishing Protection
  • ReCAPTCHA Enterprise
  • Web Risk API
  •  
    Identity & access management

  • Cloud Identity
  • Identity Platform
  • Cloud IAM
  • Policy Intelligence
  • Cloud Resource Manager
  • Cloud Identity-Aware Proxy
  • Managed Service for Microsoft Active Directory
  • Security key enforcement
  • Titan Security Key
  •  
    Data security

  • Encryption at Rest
  • Cloud KMS
  • Cloud Data Loss Prevention
  • G Suite Data Loss Prevention – Gmail
  • G Suite Data Loss Prevention – Drive
  • G Suite Information Rights Controls
  • Cloud HSM
  • VPC Service Controls
  • G Suite phishing and malware protection
  • G Suite third-party application access controls
  • G Suite security sandbox
  •  

    Security monitoring & operations

  • Cloud Security Command Center
  • Security center – G Suite
  • Alert center – G Suite
  • Data regions – G Suite
  • Access Transparency
  • Access Transparency – G Suite
  • Event Threat Detection
  • Cloud Audit Logs
  • Governance, risk, and compliance

  • Third-party audits and certifications
  • Cloud Data Loss Prevention
  • Access Transparency
  • Vault – G Suite
  •  
    Application security

  • Apigee
  • Cloud Security Scanner
  •  

    Managing Risk & Compliance of GCP with Ignyte

    GCP meets several compliance and regulatory standards, however, it is important to keep in mind that this only means Google’s product meets those standards, it does not mean that by using the products you do not have to put in place compliant practices. Being compliant regardless of the standard is behavioural and requires administrative checks. Action has taken place which is deemed compliant, and repeated actions are necessary in order to maintain compliance across the business.

    A great example of this from Google specific to the Health Insurance Portability and Accountability Act or HIPPA states “It is important to note that there is no certification recognized by the US HHS for HIPAA compliance and that complying with HIPAA is a shared responsibility between the customer and Google. Specifically, HIPAA demands compliance with the Security Rule, the Privacy Rule, and the Breach Notification Rule. Google Cloud Platform supports HIPAA compliance (within the scope of a Business Associate Agreement) but ultimately customers are responsible for evaluating their own HIPAA compliance.”[1] Google maintains several different compliance standards as well as adheres to different laws and regulations across multiple countries. Currently, they meet regulatory requirements to provide HIPAA compliant systems, as well as NIST 800-171. These will complement the NIST Cyber Security Framework as it’s designed to be used alongside other standards which greatly enhances your approach to securing your environment.

    Today there are over 30 GCP IT risk and compliance frameworks in the industry frameworks in the industry that you may need to comply with. Compliance today requires both automated and manual controls. Because manual controls are required, there are absolutely no way technologies like GCP can solve all of your compliance needs, regardless of standard.

    Ignyte helps extend internal on-premise security and compliance policies & procedures into the cloud while keeping your enterprise on track to ensure compliance and regulatory standards are met. As stated earlier manual checks are required in order to meet compliance needs. Some examples of this for HIPAA specifically would be assigning a HIPAA security officer. This officer’s duty is to enforce compliance throughout the entire company, not just IT. HIPAA requires background checks for individuals who will be accessing sensitive information and systems too which reduces the likelihood of criminals accessing and selling internal information. One more example of control which HIPAA puts in place to enhance security is a separation of duties, making sure no one person has too much access to information based on their role, through policies, and procedures.
     

    Managing 3rd Party Risk in GCP

    Many organizations use GCP for developing critical applications. These applications work with sensitive information which poses a risk to the business because of the sensitive nature of the information. Also, mission-critical applications require around the clock uptime in order to fulfil the needs of the organization. While GCP can help with technical protection measures and back up strategies, only the organization themselves can protect from a 3rd party contractor. These contractors are sometimes needed due to the tight labor market, and skills gap today. How do you manage 3rd party risk within your cloud operations? Ignyte helps facilitate this process through the Ignyte’s Vendor RIsk module which helps you onboard vendors that are safe and secure. Vendor management for cloud is critical and often overlooked component. Many data breaches occur due to poor access permissions and controls over the cloud environment In general, all vendors should have their own security program to manage client data but often this is simply not the case. The liability should flow down to the vendor through a contractual agreement given proper procedures are followed.

    How Ignyte Can Help

    What the Ignyte Assurance Platform allows for is greater understanding regarding policy, compliance, governance, and risk mitigation through a visual representation of the steps taken to comply with the policy. With each piece of technology used we have constructed a demonstrable module which ingests the item, and maintains a record of each action taken to meet or exceed any policy which may be put in place. This allows your organization to show the steps taken, the current progress, and what needs to be done in order to meet your regulatory needs. This helps by providing you with the information you need to present to management at any given time. We are ready for whatever technology which you so choose to use, and ensure that technology is being used in a fashion which meets, or exceeds any security standard which can be put in place regardless to enterprise business strategy.

    How can this be possible?

    We have published datasheets, and whitepapers spanning healthcare, and financial industry outlining exactly this! Another example specific to FedRAMP showing how Ignyte simplifies the compliance process. The Ignyte Assurance Platform is truly technology agnostic, providing a method for solving any issue through proven practice in the compliance space. Ignyte aids organizations regardless of technologies, business objectives, or compliance needs. Remember technology does not satisfy compliance standards. It is up to your business to perform due diligence in order to meet compliance and regulatory standards. Ignyte can help manage this process allowing you to extend your policies into the cloud as well as manage physical controls on-premise.

    Ignyte Assurance Platform Business & Professional Services