Defense-in-Depth and Breadth using Google Cloud Armor

With just a tap on our phones, we can run the world, thanks to applications. Regardless of the industry, digital footprints and data linked with businesses are constantly updated.
In the fast-paced digital world we live in today, it becomes tedious to maintain web threat checks for these evolving applications. This is why security has moved to the forefront of most firms’ priorities in recent years.

Security breaches stemming from potential vulnerabilities are becoming increasingly regular, and conventional security systems such as network firewalls are not enough. Google Cloud focuses on solving these security problems and helps create a safer cloud deployment. Its security model, world-scale infrastructure, and unique capability help organizations innovate and stay secure and compliant.

In this blog, we will explore how Google Cloud provides Cloud Armor and IAP controls to tackle cyber attacks and safeguard your application without having to manage the underlying infrastructure and application code of security solutions.

Cloud Armor: DDoS Protection & WAF

DDoS Protection

Let us understand the above architecture by breaking down the Cloud Armor capabilities and its pre-configured rules that prevent common attacks and vulnerability exploits.

Transport Layer Security - HTTPS

With a lot of valuable information flowing through the systems, there is a need to protect all communication channels and secure customer information even during increased site traffic.
Transport Layer Security (TLS), the official name for HTTPS, is a cryptographic protocol that provides secure communication over a computer network. It ensures privacy and data integrity between applications. HTTPS guarantees trust and security, and it also helps legitimize any site that uses it, so that the business behind it is seen as verified.

Google Cloud Load Balancer

Google Cloud Load Balancer distributes user traffic across multiple instances of an application. By spreading the load, load balancing reduces the risk of applications experiencing performance issues. When external HTTPS load balancers are enabled, Google Cloud provides rules for the respective load balancers. These rules route traffic by IP address and allow HTTPS traffic by enabling firewall rules for backend health checks.

Google Cloud Armor

Google Cloud Armor is a web application firewall that defends applications and websites against denial of service (DoS) and web attacks.
A denial-of-service (DoS) attack disables a network resource and makes it unavailable to users, causing the host’s services to be temporarily or permanently disrupted. In a more advanced attack, called a distributed denial-of-service (DDoS) attack, the incoming traffic flooding the victim is unpredictable and comes from a variety of sources.
Cloud Armor protects key Google properties and provides built-in defenses against Layer 3 and Layer 4 DDoS attacks. For hybrid and multi-cloud deployments, Cloud Armor defends applications from DDoS or web attacks by enforcing Layer 7 security policies.

Filtering Traffic using IP allow/deny and Geo

Cloud Armor’s cloud security solution provides built-in defenses against web attackers and is backed by a Global HTTP(S) Load Balancer. IP blacklists and whitelists in Cloud Armor help to restrict or enable access to the HTTP(S) load balancer at Google Cloud’s end. This prevents malicious users or traffic from taking over resources or accessing virtual private cloud (VPC) networks. Security policies in Cloud Armor generate logs that can be examined to see when traffic is blocked and when it is authorized, along with the source of the traffic.

Best practice: Global LB + Cloud Armor + IAP

Secure Access to Web Apps with Identity-Aware Proxy

The Cloud Identity-Aware Proxy (IAP) is the first step toward implementing a zero-trust security solution for controlling access to applications and virtual machines. IAP uses the user's identity and the context of the request to authenticate the user, enabling employees to work and connect from any network or location without the use of a VPN.

Here are some key features of Identity-Aware Proxy (IAP):

  1. It manages access to HTTP-based apps both on Google Cloud and outside of Google Cloud
  2. It provides a single point of control for managing user access to web applications and cloud resources
  3. It takes less time to secure access to apps and VMs than it takes to set up a VPN
  4. It has a wide range of external identity providers that can be enabled, such as:
    1. Email/password
    2. OAuth (Google, Facebook, Twitter, GitHub, Microsoft, etc.)
    3. SAML
    4. OIDC
    5. Phone number
    6. Custom
    7. Anonymous

Web Application Firewall (WAF)

The global nature of Google Cloud’s network absorbs and dissipates attacks across devices and applications. Cloud Armor provides a set of pre-configured rules to help defend against attacks such as cross-site scripting (XSS) and SQL injection (SQLi) attacks. There is also a list of pre-defined WAF rules that help in tackling and mitigating OWASP Top 10 risks.

WAF rules also come with dozens of signatures that are compiled from open-source industry standards. These signatures help in evaluating the incoming requests by accepting (considering it ‘true’) or blocking (considering it ‘noisy’) against these pre-configured rules.

Custom Match Parameters (Layer 3 to Layer 7)

Google Cloud Armor security policies are sets of rules that enforce application-layer firewall rules to protect externally facing applications or services. Each rule is evaluated against incoming traffic and helps ensure the safe operation and availability of protected applications.

Google Cloud Armor security policies are made up of rules that filter traffic based on layers 3, 4, and 7 attributes. For example, you can specify conditions that match an incoming request’s IP address, IP range, region code, or request headers.

Addressing Apache Log4j vulnerability with Cloud Armor

Early this year, it came to notice that the widely used Java logging library Log4j contains an unauthenticated remote code execution (RCE) and denial-of-service vulnerability that is triggered when a user-controlled string is logged.

With an understanding of Cloud Armor, we know that it provides DoS and WAF protection for applications and services hosted on Google Cloud, on your premises, or hosted elsewhere. Google Cloud introduces a new preconfigured WAF rule called “cve-canary” which detects and blocks exploit attempts of Apache Log4j2 2.0-beta9 through 2.15.0.
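The rule types described in the sections above (IP allow/deny, geo and header matching, preconfigured WAF rules, and the "cve-canary" rule) can be combined in one security policy. The Terraform sketch below is an added example, not configuration from the original post; the policy name, priorities, CIDR range, region code and header value are constructed placeholders.

```hcl
# Added example, not from the original post. Policy name, priorities, CIDR
# range, region code "ZZ" and the header value are constructed placeholders.
resource "google_compute_security_policy" "edge" {
  name = "example-edge-policy"

  # Layer 3 deny list: source IP range (RFC 5737 documentation range).
  rule {
    action   = "deny(403)"
    priority = 1000
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["203.0.113.0/24"] }
    }
  }
  # Custom Layer 7 match combining region code and a request header.
  rule {
    action   = "deny(403)"
    priority = 2000
    match {
      expr { expression = "origin.region_code == 'ZZ' && request.headers['user-agent'].contains('example-scanner')" }
    }
  }
  # Preconfigured rule for Log4j exploit attempts, enforced.
  rule {
    action   = "deny(403)"
    priority = 3000
    match {
      expr { expression = "evaluatePreconfiguredExpr('cve-canary')" }
    }
  }
  # Preconfigured SQLi and XSS rules in preview: matches are logged, not blocked.
  rule {
    action   = "deny(403)"
    priority = 4000
    preview  = true
    match {
      expr { expression = "evaluatePreconfiguredExpr('sqli-stable') || evaluatePreconfiguredExpr('xss-stable')" }
    }
  }
  # Default rule (evaluated last): allow everything not matched above.
  rule {
    action   = "allow"
    priority = 2147483647
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["*"] }
    }
  }
}
```

Rules are evaluated from the lowest priority number upward and the first match applies; the policy takes effect once it is referenced from a backend service through its `security_policy` argument. Running WAF rules in preview first lets you review would-be blocks in the load balancer logs before enforcing them.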

Conclusion:

Enterprises should be able to prepare for future successes without having to think twice about their security and safety. SpringML, a trusted Google Cloud Partner, is an obvious choice. We offer basic management services to customers who would like to ensure their data and applications are secure in the cloud by enabling users to be authorized with a single click. These dependable techniques allow you to swiftly access your cloud applications and information while also allowing you to respond to any potential security threats. The experts at SpringML have rich expertise in providing data-driven, innovative solutions to companies around the world. The clientele is widespread and includes several enterprises from the Fortune 500 quadrant.
