Cloud Security

The Cloud Security Reference Guide provides an overview of cloud security principles, emphasizing the shared responsibility model between cloud service providers and users. It outlines key areas of focus such as data protection, identity and access management, compliance, and threat detection, along with security assessment checklists for major cloud platforms like AWS, Azure, and GCP. The guide also includes a comparison of security features across these platforms to aid organizations in implementing robust cloud security measures.


CLOUD SECURITY REFERENCE GUIDE

Cloud Security
Reference Guide

Version 1.0

Year 2024

BY

Faiz Kazi


Table of Contents
Cloud Security Preface (p. 3)
Introduction to Cloud Security (p. 4)
How Cloud Security Works (p. 5)
Cloud Security Assessment (p. 6)
Cloud Native Security Features (p. 8)
Multi-cloud Security Features Comparison (p. 10)
Various CSP Security Checklists (p. 13)
AWS Checklists (p. 13)
Microsoft Azure Checklists (p. 16)
Google Cloud (GCP) Checklists (p. 19)


Cloud Security Preface


As organizations increasingly move to cloud environments, security concerns become a top priority.
Cloud security involves the strategies, technologies, and best practices designed to protect cloud-
based systems, data, and infrastructure from cyber threats. It addresses a wide range of security
challenges, including data breaches, insider threats, insecure interfaces, and denial-of-service attacks.

Cloud security is complex due to the shared responsibility model between the cloud service provider
(CSP) and the user. While CSPs ensure the security of the cloud infrastructure, customers are
responsible for securing their data, applications, and access. Key areas of focus include encryption,
identity and access management (IAM), threat detection, compliance, and disaster recovery.

With cloud environments constantly evolving, cloud security demands proactive measures,
continuous monitoring, and adherence to regulatory frameworks to ensure robust protection.

Key references on cloud security, together with a comparison of the top CSPs (AWS, Azure and GCP), are
highlighted in this guide.


Introduction to Cloud Security


Cloud security refers to the set of policies, controls, procedures, and technologies designed to protect
data, applications, and services hosted in the cloud. As organizations increasingly move their
infrastructure, applications, and data to cloud environments, securing these assets has become a
critical priority.

By implementing cloud security measures, organizations can safeguard their sensitive data, ensure
compliance, and maintain trust in the digital services they offer.

Why is cloud security important?


Cloud security is paramount for organizations leveraging cloud computing in any capacity. While the
cloud offers undeniable benefits like scalability and agility, it introduces a unique security landscape
compared to traditional on-premises IT infrastructure. Here's why prioritizing cloud security is crucial:

* Protection from Evolving Threats: Cloud environments store sensitive data, making them prime
targets for cyberattacks. Robust cloud security safeguards this information from unauthorized access
by hackers who employ ever-more sophisticated techniques. Measures like encryption, access controls,
and intrusion detection systems form the first line of defense.

* Business Continuity and Disaster Recovery: Cloud security often involves data backups and disaster
recovery plans. This ensures business continuity in the event of outages caused by unforeseen
circumstances, ranging from natural disasters to power failures, minimizing downtime and potential
financial losses.

* Compliance with Regulations: Many industries have strict regulations regarding data privacy and
security. Cloud security helps organizations meet these compliance requirements by ensuring data is
stored and accessed securely. This is especially important for businesses dealing with sensitive data
like financial information or healthcare records.

* Reduced Costs: Cloud security can potentially reduce costs in the long run. Cloud providers typically
handle the underlying infrastructure security, potentially eliminating the need for significant
investments in in-house security hardware and expertise. Additionally, features like automated threat
detection and remediation can streamline security processes and reduce manpower requirements.

* Shared Responsibility but Enhanced Security: Cloud security is a shared responsibility between the
cloud provider and the customer. The provider secures the underlying infrastructure, while the
customer is responsible for securing their data, applications, and access controls within the cloud
environment. By implementing a comprehensive cloud security strategy, organizations can leverage the
shared security model to achieve a more robust security posture than they might manage on their own.


How Cloud Security Works


Cloud security works by implementing a variety of security controls and configurations across the
following categories or Key Areas:

1. Data Protection: Ensures that data stored in the cloud is protected against unauthorized
access, breaches, and leaks. This includes encryption (both in transit and at rest), access
control mechanisms, and secure data backups.

2. Identity and Access Management (IAM): Controls who can access cloud resources and under
what conditions. IAM involves managing users, roles, and policies to ensure the principle of
least privilege—only granting the minimum permissions necessary for users to perform their
tasks.

3. Compliance: Many industries have regulatory requirements regarding data protection and
privacy. Cloud security involves ensuring that cloud services comply with relevant laws and
standards (e.g., GDPR, HIPAA, SOC 2).

4. Threat Detection and Response: Cloud environments need continuous monitoring for
potential security threats. Cloud providers often offer tools for detecting anomalous behavior,
identifying vulnerabilities, and responding to security incidents in real-time.

5. Network Security: Includes strategies like firewalls, virtual private networks (VPNs), and micro-
segmentation to protect the cloud environment from external attacks.

6. Shared Responsibility Model: Cloud security operates under a shared responsibility model,
where the cloud provider (e.g., AWS, Azure, Google Cloud) is responsible for securing the
infrastructure, while the customer is responsible for securing their data, applications, and
configurations.

[Figure: Cloud Security Controls]

[Figure: Basic view of a cloud security architecture for various CSPs]

Cloud Security Assessment


A Cloud Security Assessment is a structured evaluation of the security posture of a cloud environment,
ensuring that controls, processes, and configurations align with best practices and industry standards.

The table below summarizes the key components of a typical cloud security assessment:

Cloud Security Assessment Summary


1. Access Management: Access and identity management is the first crucial step in cloud security
risk management.
2. Directory Service: It is crucial to maintain credentials for identity and access in a secured
directory.
3. Data Loss Prevention and Backup Policies: Data loss can put your business at severe risk, so you
need to make sure key information is easily recoverable.
4. Security Team: Make sure your cloud infrastructure is in the hands of competent specialists.
5. Encryption: Good encryption will leave leaked information useless for hackers.
6. Security Updates: The security systems must always be up-to-date to maintain a secure cloud
environment.
7. Monitoring: Do you want to know about every loophole in your cloud system? Then it is important
to implement a proper logging system from the get-go.


The following are the basic questions the security team works through while conducting a cloud
security assessment.

Cloud Security Assessment Questionnaires


1. Access Management
* Who has access to your cloud system?
* What devices can access the system?
* Do you allow guests to access the cloud account?
* What permissions do guest accounts have?
* Is multi-factor authentication enabled (at least two-step authentication followed)?

2. Directory Service
* Do you have an LDAP-compliant directory to keep the identities?
* How often do you update security protocols for this directory in a way that leverages the latest
technologies and practices?
* Are the security specialists who manage this directory adequately vetted?

3. Data Loss Prevention and Backup Policies
* Do you have a comprehensive recovery plan?
* Does your provider have a default data backup functionality?
* Does your cloud environment support third-party data backup software?
* What are the existing plans and procedures for data recovery (physical storage locations, local
area networks, cloud backup and other solutions)?
* Do you perform regular check-ups of these physical storages and supplementary cloud
infrastructures?

4. Security Team
* Is the security team properly trained?
* Does a senior cloud security specialist at your company have relevant experience?
* Did the security team incorporate a proper cloud data security strategy?
* Did your organization adapt security governance into the cloud?
* Is everyone in the team aware of their responsibilities concerning cloud security?
* Do you have in-company guidance on how to remain secure within the cloud infrastructure?

5. Encryption
* Have you determined which files, databases and networks require encryption?
* Is all key data on your servers encrypted?
* How many encryption services do you have? Do you use different services for databases, files,
certificates, and public keys?
* How are you managing your crypto keys (KMS or BYOK)?

6. Security Updates
* How often do you install security updates and patches?
* Does the IT team test security updates before deploying them?
* Can you roll back a change to the security systems in case of an emergency?
* Does the security team scan the system for vulnerabilities regularly?

7. Monitoring
* Can your cloud system log alterations to policy assignments, security policies and admin groups?
* Can you monitor applications that work with sensitive data?
* Does the security team manually check the system for potential security breaches?
* How long has the monitoring system been in place?

Cloud Native Security Features


Each of the three leading cloud service providers, Amazon Web Services (AWS), Microsoft Azure, and
Google Cloud Platform (GCP), offers a rich set of security features tailored to protect cloud
resources, data, and applications.

[Figures: cloud security features for each top CSP (AWS/Azure/GCP)]


Multi-cloud Security Features Comparison


The following table compares the key security features of these platforms in detail:

Comparison Table Outlining the Key Security Features of AWS, Microsoft Azure and GCP
1. Identity & Access Management (IAM)
   AWS: AWS IAM: centralized identity, MFA and granular role-based access control, integration with
   AWS SSO and AWS Organizations
   Azure: Azure Active Directory (AAD): centralized identity, MFA, conditional access, role-based
   access control
   GCP: Google Cloud IAM: centralized identity, MFA, fine-grained access control, and integration
   with Google Workspace

2. Data Encryption
   AWS: AWS Key Management Service (KMS): customer managed keys (CMKs) and server-side encryption
   for data at rest and in transit. TLS and AES-256 supported
   Azure: Azure Key Vault: customer managed keys and encryption for data at rest and in transit.
   TLS and AES-256 supported
   GCP: Google Cloud KMS: customer managed keys and encryption for data at rest and in transit,
   with AES-256 supported

3. Network Security
   AWS: AWS Security Groups & NACLs: stateful and stateless firewall, VPC peering, AWS WAF for web
   applications and AWS Shield for DDoS protection
   Azure: Azure Network Security Groups (NSGs), Azure DDoS Protection, Azure Firewall, VNet
   Peering, Azure Web Application Firewall (WAF)
   GCP: VPC firewall rules, Cloud Armor for DDoS protection, Google Cloud Shield, Private Google
   Access

4. Monitoring & Logging
   AWS: AWS CloudTrail (for API calls), AWS CloudWatch (for logs and metrics), AWS Config
   (resource compliance)
   Azure: Azure Monitor or Azure Security Center, Azure Sentinel and Azure Activity Log for
   monitoring and auditing
   GCP: Google Cloud Logging, Google Cloud Monitoring, Google Cloud Security Command Center (SCC),
   Cloud Audit Logs

5. Compliance
   AWS: Broadest compliance certifications (e.g. SOC, ISO, HIPAA, PCI DSS), AWS Artifact for
   on-demand access to compliance reports
   Azure: Comprehensive compliance certifications (e.g. SOC, ISO, HIPAA, PCI DSS), Azure
   Compliance Manager offers regulatory compliance tracking
   GCP: Extensive compliance certifications (e.g. SOC, ISO, HIPAA, PCI DSS), GCP compliance
   reports and Assured Workloads for regulatory needs

6. DDoS Protection
   AWS: AWS Shield (Standard and Advanced), AWS WAF for Layer 7 attacks
   Azure: Azure DDoS Protection (Basic and Standard), integrated with Azure WAF for Layer 7
   protection
   GCP: Cloud Armor for DDoS protection and Google Cloud CDN for content delivery security

7. Security Management Tools
   AWS: AWS Security Hub, AWS Config, GuardDuty, Inspector for vulnerability management and
   Trusted Advisor
   Azure: Azure Security Center, Azure Defender for threat protection, Microsoft Defender for
   Cloud, Azure Policy for compliance
   GCP: Google Cloud Security Command Center (SCC), Event Threat Detection, Forseti for policy
   enforcement and IAP (Identity-Aware Proxy)

8. Vulnerability Scanning
   AWS: Amazon Inspector for scanning EC2 instances, GuardDuty for threat detection and AWS
   Trusted Advisor
   Azure: Azure Defender for Cloud for VM scanning, integration with Microsoft Defender ATP for
   endpoint protection
   GCP: Google Cloud SCC and Forseti for vulnerability management, Event Threat Detection for
   ongoing security scans

9. Data Loss Prevention
   AWS: Amazon Macie: sensitive data detection and protection for S3, integrated with GuardDuty
   Azure: Azure Information Protection: detects and protects sensitive information across
   services, integrated with Azure Purview
   GCP: Google Cloud DLP: scans and protects sensitive data, customizable via policies for various
   sources

10. Threat Detection
   AWS: AWS GuardDuty for threat detection, Amazon Detective for investigation, integration with
   Macie
   Azure: Azure Sentinel (SIEM) for threat detection and response, integration with Defender and
   Monitor
   GCP: Google Event Threat Detection, Cloud SCC, Chronicle SIEM integration and Cloud Armor

11. Endpoint Security
   AWS: AWS Systems Manager for patch management, integration with AWS Inspector for security
   scans
   Azure: Azure Defender for Cloud, Microsoft Defender ATP for comprehensive endpoint security and
   patching
   GCP: Google Cloud SCC, integration with endpoint management tools, IAP for secure access

12. API Security
   AWS: AWS API Gateway with integrated WAF, IAM roles and AWS Lambda for secure APIs
   Azure: Azure API Management, Azure WAF and integration with Azure AD for secure access and API
   management
   GCP: Google Cloud Endpoints with integrated API management, authentication with Cloud IAM

13. Incident Response
   AWS: AWS Security Hub, Amazon Detective, AWS Systems Manager for investigation and response
   automation
   Azure: Azure Sentinel (SIEM), Azure Security Center and Azure Logic Apps for automating
   responses to threats
   GCP: Google Chronicle for SIEM, Cloud SCC for threat detection and response automation tools

14. Shared Responsibility Model
   AWS: AWS clearly defines the shared responsibility model for security between AWS and the
   customer
   Azure: Azure provides a detailed shared responsibility model, splitting duties between
   Microsoft and customers
   GCP: GCP offers detailed documentation on shared responsibility, clarifying roles in security
   management


Various CSP Security Checklists


Here are comprehensive AWS / Azure / GCP Cloud Security Implementation Checklists & Best
practice cloud security guidelines to help you implement and maintain robust security in your
specific cloud environment.

AWS Checklists

AWS Cloud Security Best Practice Guidelines / Checklists

1. Identity & Access Management (IAM)
* Enable Multi-Factor Authentication (MFA) for all IAM users
* Use IAM roles for EC2 instances instead of hardcoding credentials
* Enforce the Principle of Least Privilege when assigning policies
* Use IAM Groups to assign permissions rather than directly to individual users
* Rotate access keys regularly, if they must be used
* Delete unused IAM users and access keys
* Create and use separate AWS accounts for production and development environments
* Set up strong password policies for IAM users
* Use AWS Organizations for managing multiple accounts with Service Control Policies (SCPs)

2. Logging & Monitoring
* Enable AWS CloudTrail to log all API activity in the AWS account
* Ensure CloudTrail logs are encrypted and stored in S3
* Enable log file validation in CloudTrail to detect tampering
* Enable Amazon CloudWatch for real-time monitoring of performance metrics and logs
* Set up CloudWatch Alarms for key security metrics (e.g., failed login attempts, CPU usage spikes)
* Enable AWS Config to track resource configurations and detect drift
* Enable AWS GuardDuty for continuous monitoring for malicious activity
* Regularly review CloudTrail and CloudWatch logs for suspicious activity
* Enable VPC Flow Logs to capture information about the IP traffic going to and from network
interfaces in your VPC

3. Data Security
* Enable server-side encryption for S3 buckets (SSE-S3, SSE-KMS, or SSE-C)
* Use AWS Key Management Service (KMS) to manage encryption keys for data at rest
* Ensure that all sensitive data in transit is encrypted using TLS/SSL
* Restrict access to S3 buckets by setting up correct bucket policies
* Enable S3 bucket versioning and logging to track changes and access
* Enable RDS encryption for data at rest
* Use EBS encryption for EC2 volumes where sensitive data is stored

4. Network Security
* Use AWS VPC (Virtual Private Cloud) to isolate resources
* Restrict inbound and outbound traffic using Security Groups
* Ensure that Security Groups follow the least privilege model
* Use Network Access Control Lists (NACLs) for an additional layer of network security
* Use VPC Endpoints to privately access AWS services without exposing traffic to the public internet
* Enable AWS WAF (Web Application Firewall) to protect web applications from common attacks
* Use VPC Peering or AWS Transit Gateway for secure communication between VPCs
* Deploy VPN or Direct Connect to secure on-premises connections to the AWS cloud

5. Application Security
* Ensure applications use HTTPS to encrypt data in transit
* Implement input validation to prevent injection attacks (e.g., SQL injection)
* Use AWS Secrets Manager to securely store sensitive data such as API keys, passwords, etc.
* Use AWS Lambda or EC2 with restricted IAM permissions for backend processing to limit the attack
surface
* Set up AWS Shield for DDoS protection for web applications

6. Compliance & Governance
* Enable AWS Security Hub to get a comprehensive view of your security posture
* Use AWS Trusted Advisor for security and cost optimization recommendations
* Enable AWS Config Rules to ensure compliance with security policies and standards
* Conduct regular security audits and risk assessments
* Use AWS Artifact for managing compliance-related documents
* Implement automated security frameworks (e.g., NIST, PCI-DSS, ISO 27001) where applicable

7. Incident Response
* Implement an incident response plan and train staff regularly
* Enable AWS CloudFormation StackSets for disaster recovery setups
* Create snapshots and backups regularly, especially for mission-critical data
* Configure AWS CloudWatch Events and AWS Lambda for automated response actions

8. Security Automation
* Use AWS CloudFormation or Terraform to automate infrastructure as code with security in mind
* Automate incident response workflows using AWS Lambda (e.g., shutting down instances on security
events)
* Create automatic backups of your resources (e.g., using AWS Backup)
* Use AWS Systems Manager Patch Manager to automate OS and application patching

9. Regular Maintenance
* Regularly review and update IAM roles and policies
* Audit unused resources and delete them to reduce the attack surface
* Apply security patches promptly on all services and infrastructure
* Review and update Security Groups and NACLs to ensure no open access exists
* Regularly review AWS Trusted Advisor security checks
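The following added example (not code from the guide) turns several of the AWS checklist items above into offline checks: wildcard IAM Allow statements, access keys past a rotation window, CloudTrail log file validation and KMS encryption, and S3 default encryption. The inputs are constructed dictionaries shaped like the corresponding boto3 responses; the 90-day rotation window, the fixed "today" and all names and key ids are assumptions.

```python
"""Offline audit of a few AWS checklist items (added example, not from the guide)."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" so results are stable
KEY_MAX_AGE_DAYS = 90                             # assumed rotation policy

# Constructed inputs shaped like boto3 responses (get_policy_version, list_access_keys,
# describe_trails, get_bucket_encryption). Key ids and ARNs are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-data/*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-data"},  # scoped, ok
        {"Effect": "Allow", "Action": "*", "Resource": "*"},           # violates least privilege
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},  # a Deny is fine
    ],
}
SAMPLE_ACCESS_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE00000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=30)},
    {"UserName": "ci-bot", "AccessKeyId": "AKIAEXAMPLE00000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=400)},   # overdue for rotation
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE00000003", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=500)},   # inactive keys are not reported
]
SAMPLE_TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"Name": "dev-trail", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False,
     "KmsKeyId": None},
]
SAMPLE_BUCKETS = {
    "app-data": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "legacy-logs": None,  # get_bucket_encryption raises for buckets with no default rule
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overly_permissive_statements(policy):
    """Allow statements granting every action ("*" or "service:*") on every resource."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wild_action and "*" in resources:
            findings.append(stmt)
    return findings


def stale_access_keys(keys, now=NOW, max_age_days=KEY_MAX_AGE_DAYS):
    """Active access keys created before the rotation cutoff."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in keys
            if k["Status"] == "Active" and k["CreateDate"] < cutoff]


def trail_findings(trails):
    """CloudTrail settings the checklist calls for: validation, KMS encryption, all regions."""
    findings = []
    for t in trails:
        if not t.get("LogFileValidationEnabled"):
            findings.append(f"{t['Name']}: log file validation disabled")
        if not t.get("KmsKeyId"):
            findings.append(f"{t['Name']}: logs not encrypted with a customer KMS key")
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        findings.append("no multi-region trail")
    return findings


def unencrypted_buckets(buckets):
    """Buckets with no default server-side encryption rule."""
    out = []
    for name, cfg in buckets.items():
        rules = (cfg or {}).get("Rules", [])
        if not any("ApplyServerSideEncryptionByDefault" in r for r in rules):
            out.append(name)
    return out


def run_audit():
    """Collect every finding in one dict so it can be reported or asserted on."""
    return {
        "wildcard_statements": len(overly_permissive_statements(SAMPLE_POLICY)),
        "stale_keys": stale_access_keys(SAMPLE_ACCESS_KEYS),
        "trails": trail_findings(SAMPLE_TRAILS),
        "unencrypted_buckets": unencrypted_buckets(SAMPLE_BUCKETS),
    }


if __name__ == "__main__":
    for check, result in run_audit().items():
        print(f"{check}: {result}")
```

Against a live account the same functions apply unchanged to the output of the named boto3 calls; only the sample inputs are stand-ins.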

Microsoft Azure Checklists

Microsoft Azure Cloud Security Best Practice Guidelines / Checklists


1. Identity & Access Management (IAM)
* Enable Multi-Factor Authentication (MFA) for all users, especially for Azure AD administrators
* Use Azure Active Directory (Azure AD) for centralized identity and access management
* Implement Role-Based Access Control (RBAC) to assign the least privilege access to resources
* Regularly audit and remove unused accounts and access rights
* Use Conditional Access Policies to enforce access controls based on the user's location, device,
and risk level
* Use Azure AD Privileged Identity Management (PIM) to manage, control, and monitor access to
critical Azure resources
* Implement strong password policies and enforce password expiration policies

2. Logging & Monitoring
* Enable Azure Activity Logs to track changes to resources and management operations
* Use Azure Monitor and Log Analytics to centralize logs and metrics
* Enable Azure Security Center to provide security assessments and recommendations
* Implement Azure Sentinel for security information and event management (SIEM) and automated
threat detection
* Configure Azure Policy to enforce compliance with organizational standards and track compliance
issues
* Enable Diagnostics Logging for all services (e.g., Azure SQL Database, Virtual Machines) and store
logs in a centralized location like Azure Log Analytics or Azure Storage Accounts
* Set up Alerts and Notifications using Azure Monitor to detect suspicious activities (e.g., failed
logins, unusual network traffic)

3. Data Security
* Encrypt Data at Rest using Azure Storage Service Encryption (SSE) and Azure Disk Encryption for
VMs
* Encrypt Data in Transit by enforcing TLS/SSL for communication between services
* Use Azure Key Vault to securely manage encryption keys, certificates, and secrets (API keys,
connection strings)
* Implement Azure Disk Encryption for virtual machines and managed disks
* Ensure Azure SQL Database Encryption is enabled (Transparent Data Encryption - TDE)
* Enable Azure Storage Account Firewall to restrict access to specific IP addresses or subnets
* Enable Azure Backup and Azure Site Recovery for disaster recovery and data protection

4. Network Security
* Use Azure Virtual Networks (VNet) to isolate resources and control traffic flow
* Implement Network Security Groups (NSGs) to control inbound and outbound traffic at the subnet and
NIC level
* Use Azure Firewall to provide network security and protect against malicious traffic
* Configure Web Application Firewall (WAF) with Azure Application Gateway to protect web
applications from common attacks (e.g., SQL injection, XSS)
* Restrict inbound traffic using Just-in-Time VM Access to reduce exposure to attacks
* Use Azure VPN Gateway or ExpressRoute for secure, encrypted communication between on-premises
networks and Azure
* Enable DDoS Protection with Azure DDoS Protection Standard for critical applications

5. Application Security
* Enable Azure Security Center for DevOps to monitor and enforce secure coding practices
* Use Azure App Service Environment (ASE) for hosting applications in a fully isolated and highly
secure environment
* Enable Azure WAF for web applications to protect against OWASP Top 10 security risks
* Secure APIs using Azure API Management with OAuth2 and other authentication mechanisms
* Use Azure DevOps and GitHub Actions to automate security scans (e.g., static code analysis,
dependency vulnerability scanning)
* Ensure Azure Functions and Logic Apps have restricted access and follow least privilege principles

6. Compliance & Governance
* Enable Azure Security Center and ensure all high-severity recommendations are remediated
* Use Azure Policy to enforce security and compliance rules across resources
* Regularly review security baselines using Azure Blueprints to maintain compliance with industry
standards (e.g., ISO 27001, PCI-DSS)
* Use Azure Cost Management to track usage and costs, helping identify unusual spikes in resource
usage
* Implement Azure AD Identity Protection to detect and respond to identity-based risks (e.g.,
compromised credentials)
* Use Azure Compliance Manager to assess and manage compliance with regulatory requirements

7. Incident Response
* Set up an incident response plan using Azure Sentinel for detection and investigation of security
incidents
* Enable Azure Monitor Alerts for real-time notifications of potential security incidents
* Configure Azure Automation Runbooks to automatically respond to security threats (e.g., disabling
compromised accounts)
* Enable backup and disaster recovery with Azure Site Recovery and Azure Backup to ensure business
continuity

8. Security Automation
* Automate infrastructure deployment and security settings using Azure Resource Manager (ARM)
Templates or Terraform
* Use Azure Automation and Azure Logic Apps to automate security responses (e.g., automatically
shutting down suspicious VMs)
* Enable Auto-healing policies in Azure Security Center to automatically remediate security threats
* Automate patch management using Azure Update Management and ensure that all systems are
up-to-date with the latest security patches

9. Regular Maintenance
* Regularly review and update RBAC roles and permissions
* Review Azure Security Center and Azure Advisor recommendations regularly
* Implement regular backups and test recovery processes to ensure resilience
* Regularly review Network Security Groups (NSGs) to ensure no open inbound/outbound access exists
unnecessarily
* Ensure VMs and applications are regularly patched using Azure Update Management
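Azure evaluates NSG rules in priority order (lowest number first, first match wins) and falls through to its built-in default rules, so an open rule can sit unnoticed behind a narrower one. The following added example (not code from the guide) applies that order to constructed rules to find which management ports an Internet source can reach, the exposure Just-in-Time VM Access and the NSG review above are meant to close. The rule and flow dictionaries, the sample prefixes and the simplified handling of service tags as string labels are assumptions.

```python
"""Effective inbound evaluation for an Azure NSG (added example, not from the guide)."""
from ipaddress import ip_address, ip_network

# Azure's built-in inbound default rules (priorities 65000-65500, cannot be deleted).
DEFAULT_INBOUND_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow", "protocol": "*",
     "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Constructed custom rules, shaped like the securityRules properties of an NSG.
SAMPLE_RULES = [
    {"name": "AllowRDPFromOffice", "priority": 100, "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "198.51.100.0/24", "destinationPortRange": "3389"},
    {"name": "DenySSHFromInternet", "priority": 150, "access": "Deny", "protocol": "Tcp",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
    {"name": "AllowRDPAny", "priority": 200, "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "*", "destinationPortRange": "3389"},   # the risky rule
    {"name": "AllowSSHAny", "priority": 300, "access": "Allow", "protocol": "*",
     "sourceAddressPrefix": "*", "destinationPortRange": "22"},     # shadowed by 150 for Internet
]

# Service tags modelled as labels carried by the flow (a simplification of Azure's tag ranges).
SERVICE_TAGS = {"Internet", "VirtualNetwork", "AzureLoadBalancer"}


def _source_matches(prefix, flow):
    """'*' matches everything; a tag matches the flow's tag; a CIDR matches the source IP."""
    if prefix == "*":
        return True
    if prefix in SERVICE_TAGS:
        return flow["source_tag"] == prefix
    return ip_address(flow["source_ip"]) in ip_network(prefix, strict=False)


def _port_matches(port_range, port):
    """destinationPortRange is '*', a single port, or 'low-high'."""
    if port_range == "*":
        return True
    if "-" in port_range:
        low, high = (int(p) for p in port_range.split("-"))
        return low <= port <= high
    return int(port_range) == port


def _protocol_matches(rule_proto, proto):
    return rule_proto == "*" or rule_proto.lower() == proto.lower()


def evaluate_inbound(rules, flow):
    """Return (access, rule_name) of the first matching rule, custom and default, by priority."""
    for rule in sorted(rules + DEFAULT_INBOUND_RULES, key=lambda r: r["priority"]):
        if (_protocol_matches(rule["protocol"], flow["protocol"])
                and _source_matches(rule["sourceAddressPrefix"], flow)
                and _port_matches(rule["destinationPortRange"], flow["port"])):
            return rule["access"], rule["name"]
    raise RuntimeError("DenyAllInBound always matches; this line is unreachable")


def exposed_management_ports(rules, ports=(22, 3389)):
    """Management ports reachable from an arbitrary Internet address, with the allowing rule."""
    exposed = []
    for port in ports:
        flow = {"source_tag": "Internet", "source_ip": "203.0.113.5",
                "port": port, "protocol": "Tcp"}
        access, name = evaluate_inbound(rules, flow)
        if access == "Allow":
            exposed.append((port, name))
    return exposed


if __name__ == "__main__":
    for port, rule in exposed_management_ports(SAMPLE_RULES):
        print(f"port {port} open to the Internet via rule {rule}")
```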

Google Cloud (GCP) Checklists

GCP Cloud Security Best Practice Guidelines / Checklists


1. Identity & Access Management (IAM)
* Enable Multi-Factor Authentication (MFA) for all users, especially those with elevated permissions
* Use Google Cloud Identity or Google Workspace for centralized identity management
* Apply the Principle of Least Privilege (PoLP) to assign the minimum permissions necessary for each
user or service
* Use Predefined and Custom Roles in GCP IAM instead of assigning the "Owner" role
* Regularly audit and remove unused or inactive user accounts and roles
* Enable service accounts and avoid using user credentials for application authentication
* Use Identity-Aware Proxy (IAP) to control access to cloud applications based on identity and
context
* Implement VPC Service Controls to restrict data exfiltration from sensitive resources

2. Logging & Monitoring
* Enable Cloud Audit Logs for all resources to track access and changes to GCP services
* Set up Cloud Monitoring for real-time monitoring of resources and performance metrics
* Enable Cloud Logging to store and analyze logs for network traffic, security events, and system
changes
* Use Cloud Security Command Center (SCC) for a centralized view of your GCP security posture
* Configure Cloud Monitoring Alerts for abnormal activity, such as spikes in traffic or resource
usage
* Enable VPC Flow Logs to monitor network traffic for suspicious activity
* Ensure logs are centralized in a secure location, like Google Cloud Storage or BigQuery, for
further analysis

3. Data Security
* Use Cloud KMS (Key Management Service) to manage encryption keys for sensitive data
* Ensure all data at rest is encrypted using Google-managed encryption or Customer-managed
encryption keys (CMEK)
* Enable TLS/SSL encryption for data in transit between services
* Set up Cloud Storage Object Versioning to protect against accidental data deletion
* Use Bucket Policies and IAM to restrict access to Cloud Storage
* Enable Cloud DLP (Data Loss Prevention) to scan for sensitive data (PII, PHI, etc.) in structured
and unstructured data
* Enable Google Cloud Armor to protect against DDoS attacks and secure applications at the edge

4. Network Security
* Use VPC networks to isolate resources and apply security policies (e.g., segmentation)
* Configure Firewall Rules to limit inbound and outbound traffic to only what is necessary
* Use Private Google Access to keep traffic internal to Google's network and avoid exposure to the
public internet
* Use Cloud Armor to protect applications from common web-based attacks (e.g., SQL injection, XSS)
* Implement Virtual Private Network (VPN) or Cloud Interconnect for secure connections between GCP
and on-premises environments
* Enable DNS Security (DNSSEC) for Cloud DNS to ensure the integrity of DNS records
* Enable VPC Service Controls to create perimeters that prevent data exfiltration to unauthorized
users or services

5. Application Security
* Enable Cloud Identity-Aware Proxy (IAP) to secure access to web applications
* Use Google Cloud Armor to protect web applications against common threats (e.g., OWASP Top 10)
* Enable reCAPTCHA Enterprise to prevent bot attacks on your applications
* Scan code repositories for vulnerabilities using Container Scanning and Security Health Analytics
* Use Binary Authorization to enforce security policies on containerized applications before
deployment
* Ensure API Security by using Google Cloud Endpoints with proper authentication and rate limiting
* Utilize Cloud Build to integrate security checks into the DevOps pipeline (CI/CD)

6. Compliance & Governance
* Enable Cloud Security Command Center (SCC) for centralized security monitoring and alerts
* Use Google Cloud's Policy Intelligence tools to recommend least privilege policies and improve
IAM configurations
* Enable Google Cloud Policy Analyzer to assess and analyze policy violations
* Use Cloud Compliance Reports and Google Cloud Artifact to manage compliance with regulations
(e.g., GDPR, HIPAA, PCI-DSS)
* Set up Organization Policies to enforce governance controls, such as restricting specific
locations for resource deployment
* Implement Audit Policies and regularly review logs for anomalies or suspicious behavior

7. Incident Response
* Implement a comprehensive incident response plan using Cloud SCC and Cloud Logging to detect,
investigate, and respond to security incidents
* Set up Cloud Monitoring Alerts for critical security and performance events
* Use Cloud Functions and Cloud Pub/Sub to automate responses to incidents
* Regularly test incident response procedures through simulation and drills

8. Security Automation
* Automate security checks and resource provisioning using Terraform or Deployment Manager
* Use Cloud Functions to automate responses to security events, such as disabling compromised
accounts or shutting down vulnerable resources
* Automate patch management using OS Patch Management for VMs and use OS configuration management
to maintain consistent environments
* Implement Security Command Center Automation to automatically trigger alerts and remediation
workflows

9. Regular Maintenance
* Regularly review and update IAM roles and permissions to ensure they align with current business
needs
* Patch and update your virtual machines (VMs) and applications regularly using OS patch management
* Regularly review firewall rules, VPC configurations, and network settings
* Use Forseti Security to regularly scan your GCP environment for security misconfigurations
* Use Cloud Profiler and Cloud Debugger to monitor and improve the performance of applications and
services
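To show what reviewing Cloud Audit Logs can catch, here is an added example (not code from the guide) that scans constructed Admin Activity entries in the exported JSON shape (protoPayload.serviceData.policyDelta.bindingDeltas for SetIamPolicy calls) and flags two things the checklist warns against: grants of the basic Owner/Editor roles and grants to public members. The project, bucket and principal names are assumptions, and the entries are constructed, not real log data.

```python
"""Detection of risky IAM grants in Cloud Audit Log entries (added example, not from the guide)."""
import json

BASIC_ROLES = {"roles/owner", "roles/editor"}          # broad basic roles the checklist discourages
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}  # members that make a resource public


def _entry(principal, resource, deltas, service="cloudresourcemanager.googleapis.com",
           method="SetIamPolicy"):
    """Build one constructed entry in the Cloud Audit Log JSON export shape."""
    return {
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "severity": "NOTICE",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": service,
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": resource,
            "serviceData": {
                "@type": "type.googleapis.com/google.iam.v1.logging.AuditData",
                "policyDelta": {"bindingDeltas": deltas},
            },
        },
    }


# Constructed sample export, one JSON object per line (not real log data).
SAMPLE_LOG_LINES = [json.dumps(e) for e in [
    # Owner granted to a user on the project: the grant the checklist says to avoid.
    _entry("alice@example.com", "projects/example-project",
           [{"action": "ADD", "role": "roles/owner", "member": "user:bob@example.com"}]),
    # A bucket made world-readable by a service account.
    _entry("deploy-sa@example-project.iam.gserviceaccount.com",
           "projects/_/buckets/public-assets",
           [{"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"}],
           service="storage.googleapis.com", method="storage.setIamPermissions"),
    # A narrow grant plus an Owner removal: neither is a finding.
    _entry("alice@example.com", "projects/example-project",
           [{"action": "ADD", "role": "roles/viewer", "member": "group:auditors@example.com"},
            {"action": "REMOVE", "role": "roles/owner", "member": "user:carol@example.com"}]),
    # A non-IAM admin activity entry with no policyDelta at all.
    {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
     "severity": "NOTICE",
     "protoPayload": {"serviceName": "compute.googleapis.com",
                      "methodName": "v1.compute.instances.insert",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "resourceName": "projects/example-project/zones/us-central1-a/instances/web-1"}},
]]


def risky_iam_grants(lines):
    """Parse JSON log lines and return a finding for each risky ADD binding delta."""
    findings = []
    for line in lines:
        payload = json.loads(line).get("protoPayload", {})
        deltas = (payload.get("serviceData", {})
                         .get("policyDelta", {})
                         .get("bindingDeltas", []))
        for delta in deltas:
            if delta.get("action") != "ADD":
                continue  # REMOVE deltas reduce access and are not reported here
            role, member = delta.get("role", ""), delta.get("member", "")
            if member in PUBLIC_MEMBERS:
                reason = "public member"
            elif role in BASIC_ROLES:
                reason = "basic role"
            else:
                continue
            findings.append({
                "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
                "resource": payload.get("resourceName"),
                "role": role,
                "member": member,
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in risky_iam_grants(SAMPLE_LOG_LINES):
        print(f"{f['principal']} granted {f['role']} to {f['member']} on {f['resource']} "
              f"({f['reason']})")
```

The same function works on a Cloud Logging sink export or on lines filtered by methodName="SetIamPolicy"; the "principal" field identifies who made the change, which is the first question in an investigation.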

***************************************************************************
