
Compliance Engineering – Continuous Compliance GCP Case Studies

  • aster.cloud
  • December 27, 2021
  • 5 minute read

Our previous article provided tools and techniques to transform your productionalization process and make it ready for Cloud workloads. In this post, we will cover technical examples of GCP controls and how they can help your organization maintain its security and compliance posture in GCP.

In comparison to on-prem infrastructure, GCP is a highly integrated environment and provides out of the box capabilities to evidence a large variety of controls. The following cornerstones build the foundation of an effective control attestation:


  • Inventory Management – On-prem workloads frequently have discovery tools installed to understand what infrastructure components are actually deployed in the corporate IT environment. In GCP, every component has to be explicitly declared for it to exist. This accurate and real-time inventory is the basis for the below case studies to reach continuous compliance.
  • Infrastructure as Code – All deployments and configuration in GCP should be implemented in machine readable instructions (such as Terraform) and as part of a CI/CD pipeline staging to higher level environments. The programmatic definition of infrastructure resources allows for efficient checking of the security posture before the deployment takes place (such as a misconfigured Google Cloud Storage bucket that would be exposed to the public Internet).
  • Compliance as Code – The same is true for the implementation of policies. Programmatic definition, “Compliance as Code”, should be used to automate the evidence-gathering and compliance-checking during the lifetime of the workload. Google Cloud’s Risk and Compliance as Code solution can help implement such a process based on best practices.

Now let’s take a few controls out from the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) and show how GCP helps you to fulfill them.

Case Study – Log Key Lifecycle Management events

Let’s have a look at a specific control from CSA CCM regarding log key lifecycle management:

LOG-11 – Logging & Monitoring Transaction/Activity Logging – Log and monitor key lifecycle management events to enable auditing and reporting on usage of cryptographic keys.

Cloud Key Management Service (KMS) in combination with Cloud Audit Logs records customer activities on the Key object, such as creating or destroying a key. Customers can define the retention period of the logs as well as access permissions. A log message would look like the following:

gcloud logging read "logName : projects/my-project/logs/cloudaudit.googleapis.com" --project=my-project

[...]
    permission: cloudkms.cryptoKeys.create
    resource: projects/my-project/locations/us-central1/keyRings/sample-keyring
    resourceAttributes:
      name: projects/my-project/locations/us-central1/keyRings/sample-keyring/cryptoKeys/key-us
      service: google.cloud.kms
      type: google.cloud.kms.CryptoKey
  methodName: CreateCryptoKey
[...]

Figure 1 – Logging of key creation


In order to actively monitor these activities, a counter log-based metric in Operations Suite has to be created for the filter protoPayload.methodName="CreateCryptoKey". This log-based metric can then be used to create an alert for each event, or to trigger a notification when a certain threshold is reached. Cloud Monitoring will display an incident notification and have visualizations ready to be inspected.
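The following is an added example, not code from the original article or from Google Cloud. It reproduces offline what the counter log-based metric with the filter protoPayload.methodName="CreateCryptoKey" and its threshold alert do, so the detection logic can be reviewed and unit-tested before it is configured in Cloud Monitoring, and it goes slightly beyond the article by covering the other key lifecycle methods (destroy, restore, update) and by producing the per-principal audit trail that LOG-11 asks for. The log entries are constructed; their shape follows Figure 1 and the method names are real Cloud KMS method names.

```python
"""Key-lifecycle event detection over Cloud Audit Log entries (added example)."""
import json
from collections import Counter

# Cloud KMS methods that change a key's lifecycle (recorded in Admin Activity audit logs).
KEY_LIFECYCLE_METHODS = {
    "CreateCryptoKey",
    "CreateCryptoKeyVersion",
    "UpdateCryptoKey",
    "UpdateCryptoKeyVersion",
    "DestroyCryptoKeyVersion",
    "RestoreCryptoKeyVersion",
}

KEY_US = ("projects/my-project/locations/us-central1/keyRings/sample-keyring"
          "/cryptoKeys/key-us")


def _entry(method, principal, resource, ts):
    """Build one constructed audit log entry as a JSON line (shape as in Figure 1)."""
    return json.dumps({
        "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": ts,
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": resource,
        },
    })


# Constructed sample export, one JSON entry per line, plus one malformed line.
SAMPLE_LOG_LINES = [
    _entry("CreateCryptoKey", "alice@example.com", KEY_US, "2021-11-30T13:00:01Z"),
    _entry("CreateCryptoKey", "bob@example.com", KEY_US + "-2", "2021-11-30T13:05:00Z"),
    # methodName may also appear fully qualified in exported entries
    _entry("google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion",
           "bob@example.com", KEY_US + "/cryptoKeyVersions/1", "2021-11-30T13:07:30Z"),
    # Data Access entry: key usage, not a lifecycle event, so it must not be counted
    _entry("Encrypt", "svc@my-project.iam.gserviceaccount.com", KEY_US, "2021-11-30T13:08:00Z"),
    "not json at all",
]


def parse_entries(lines):
    """Parse a JSON-per-line export; malformed lines are skipped rather than fatal."""
    entries = []
    for line in lines:
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def method_of(entry):
    """Bare method name, whether or not the entry carries it fully qualified."""
    return entry.get("protoPayload", {}).get("methodName", "").rsplit(".", 1)[-1]


def matches_filter(entry, method="CreateCryptoKey"):
    """Offline equivalent of the metric filter protoPayload.methodName="<method>"."""
    return method_of(entry) == method


def lifecycle_counts(entries):
    """Per-method counters, like one counter log-based metric per lifecycle method."""
    return Counter(m for m in map(method_of, entries) if m in KEY_LIFECYCLE_METHODS)


def fired_alerts(entries, thresholds):
    """(method, count) pairs whose count reached the configured alert threshold."""
    counts = lifecycle_counts(entries)
    return sorted((m, c) for m, c in counts.items() if c >= thresholds.get(m, float("inf")))


def key_audit_trail(entries):
    """Who did what to which key, in timestamp order: the evidence LOG-11 asks for."""
    rows = []
    for e in entries:
        m = method_of(e)
        if m in KEY_LIFECYCLE_METHODS:
            p = e["protoPayload"]
            rows.append((e.get("timestamp", ""), p["authenticationInfo"]["principalEmail"],
                         m, p["resourceName"]))
    return sorted(rows)


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG_LINES)
    print(lifecycle_counts(entries))
    # a single destroy is worth an alert; key creation only above a rate
    print(fired_alerts(entries, {"CreateCryptoKey": 5, "DestroyCryptoKeyVersion": 1}))
    for row in key_audit_trail(entries):
        print(*row)
```

The thresholds dictionary plays the role of the alerting policy: a threshold of 1 for DestroyCryptoKeyVersion fires on every destroy, while CreateCryptoKey only fires once creations exceed the expected rate.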

Case Study – Change restoration

In the traditional IT world, production roll-outs are often staged through the environments, guarded by a strict change management process and subject to change approval boards. In the cloud world, equivalent checks should take place but can be accomplished end-to-end much more quickly. As mentioned above, there should be limited human interaction in the production environment. All application and infrastructure deployments should follow the infrastructure as code pattern and leverage automation technologies. Repeatable automated patterns will simplify operations and enable compliance verification at scale. Let’s look at the following example out of the CSA CCM control set:

CCC-09 Change Control & Configuration Management – Change Restoration – Define and implement a process to proactively roll back changes to a previous known good state in case of errors or security concerns.

By describing the state of the infrastructure configuration in Terraform, each change can easily be rolled out and rolled back without skipping a step or introducing a non-reversible change. The control owners have assurance that the changes are automated and fully reversible to a known working state.

As a best practice, we recommend storing the Infrastructure as Code patterns along the application project source code in the version control system, and staging it through the environments by leveraging a CI/CD pipeline.

Case Study – Safeguard Logs Integrity

Extensive logging capabilities of GCP such as Cloud Audit Logs and Access Transparency take a record of activities happening in the environment. Especially in regulated industries, these logs have to be kept for an extended period while ensuring their immutability and integrity. This requirement is reflected in the following CSA CCM:

IAM-12 Identity & Access Management – Safeguard Logs Integrity – Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures the segregation of duties and break glass procedures.

Leveraging GCP Log Sinks, log entries can be exported into different supported destinations, including Google Cloud Storage. Log entries will be stored as JSON files in a GCS bucket. GCS buckets support data retention policies, which govern how long objects in the bucket must be retained. The “Bucket Lock” feature lets you set a permanent, non-reversible configuration of the data retention policy on the corresponding GCS bucket.

Example Terraform for locking a bucket and keeping the files for 2 days:

resource "google_storage_bucket" "my-log-bucket" {
  name          = "my-log-bucket-8225"
  location      = "EU"
  force_destroy = false

  retention_policy {
    retention_period = 172800
    is_locked        = true
  }
}

Figure 2 – Bucket Locking mechanism


The Bucket Lock is a non-reversible activity. As outlined in the above example, files stored within that GCS bucket will be retained for the defined period; not even roles with privileged access can delete them early or shorten the retention.

$ gsutil retention get gs://my-log-bucket-8225
  Retention Policy (LOCKED):
    Duration: 2 Day(s)
    Effective Time: Tue, 30 Nov 2021 13:17:14 GMT

$ gsutil retention set 1d gs://my-log-bucket-8225
Setting Retention Policy on gs://my-log-bucket-8225/...
AccessDeniedException: 403 Cannot reduce retention duration of a locked Retention Policy for bucket 'my-log-bucket-8225'.

$ gsutil rm gs://my-log-bucket-8225/README.txt
Removing gs://my-log-bucket-8225/README.txt...
AccessDeniedException: 403 Object 'my-log-bucket-8225/README.txt' is subject to bucket's retention policy and cannot be deleted, overwritten or archived until 2021-12-02T05:24:02.18624-08:00

Figure 3 – Bucket Locking effects
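Two of the passages above call for the same check: the Infrastructure as Code / Compliance as Code section says the security posture should be verified before deployment (for example, a bucket exposed to the public Internet), and the log-integrity case study shows what a compliant log bucket looks like in Terraform. The following added example (not code from the original article or a Google Cloud tool) implements such a pre-deployment check over the JSON that `terraform show -json` produces for a plan: buckets whose name carries a configurable log-bucket prefix must have a locked retention policy of at least the required duration and must not be force-destroyable, and any bucket IAM resource granting a role to allUsers or allAuthenticatedUsers is flagged. The plan document is constructed to the plan-JSON shape; the resource types and attribute names are the Google provider's.

```python
"""Pre-deployment compliance check over a Terraform plan (added example)."""
import json

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
MIN_LOG_RETENTION_SECONDS = 172800  # 2 days, as in Figure 2

# Constructed plan JSON: a compliant production log bucket, a dev log bucket
# with a weak policy, a scratch bucket bound to allUsers, and a deleted bucket.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.0",
    "resource_changes": [
        {"address": "google_storage_bucket.log_prod", "type": "google_storage_bucket",
         "change": {"actions": ["create"], "after": {
             "name": "my-log-bucket-8225", "location": "EU", "force_destroy": False,
             "retention_policy": [{"retention_period": 172800, "is_locked": True}]}}},
        {"address": "google_storage_bucket.log_dev", "type": "google_storage_bucket",
         "change": {"actions": ["create"], "after": {
             "name": "my-log-bucket-dev-0002", "location": "EU", "force_destroy": True,
             "retention_policy": [{"retention_period": 3600, "is_locked": False}]}}},
        {"address": "google_storage_bucket.scratch", "type": "google_storage_bucket",
         "change": {"actions": ["create"], "after": {
             "name": "scratch-bucket-0001", "location": "EU", "force_destroy": True,
             "retention_policy": []}}},
        {"address": "google_storage_bucket_iam_member.scratch_public",
         "type": "google_storage_bucket_iam_member",
         "change": {"actions": ["create"], "after": {
             "bucket": "scratch-bucket-0001", "role": "roles/storage.objectViewer",
             "member": "allUsers"}}},
        {"address": "google_storage_bucket.old", "type": "google_storage_bucket",
         "change": {"actions": ["delete"], "after": None}},
    ],
})


def planned_resources(plan):
    """Yield (address, type, after) for every resource that will exist after apply."""
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if after is not None:  # deletions have no "after" state
            yield rc["address"], rc["type"], after


def check_log_bucket(address, after, min_retention=MIN_LOG_RETENTION_SECONDS):
    """Findings for a bucket meant to hold logs: IAM-12 wants it immutable and retained."""
    findings = []
    policy = (after.get("retention_policy") or [None])[0]  # nested block -> list in plan JSON
    if policy is None:
        findings.append(f"{address}: no retention_policy")
    else:
        if not policy.get("is_locked"):
            findings.append(f"{address}: retention policy is not locked")
        if (policy.get("retention_period") or 0) < min_retention:
            findings.append(f"{address}: retention_period below {min_retention}s")
    if after.get("force_destroy"):
        findings.append(f"{address}: force_destroy=true allows deleting the bucket with its objects")
    return findings


def check_public_iam(address, after):
    """Findings for bucket IAM that exposes the bucket to the public Internet."""
    members = set(after.get("members") or [])  # google_storage_bucket_iam_binding
    if after.get("member"):                     # google_storage_bucket_iam_member
        members.add(after["member"])
    return [f"{address}: grants {after.get('role')} to {m}"
            for m in sorted(members & PUBLIC_MEMBERS)]


def check_plan(plan_json, log_bucket_prefix="my-log-bucket"):
    """Run all checks over a plan; returns the findings, empty when the plan is compliant."""
    findings = []
    for address, rtype, after in planned_resources(json.loads(plan_json)):
        if rtype == "google_storage_bucket":
            if after.get("name", "").startswith(log_bucket_prefix):
                findings.extend(check_log_bucket(address, after))
        elif rtype in ("google_storage_bucket_iam_member", "google_storage_bucket_iam_binding"):
            findings.extend(check_public_iam(address, after))
    return findings


def is_compliant(plan_json):
    """Gate for a CI/CD pipeline stage: True only when no finding was raised."""
    return not check_plan(plan_json)


if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN_JSON):
        print(finding)
    print("compliant:", is_compliant(SAMPLE_PLAN_JSON))
```

In a pipeline the gate would run between `terraform plan` and `terraform apply`, so a misconfigured bucket never reaches the environment; a real deployment would identify log buckets by a label or module rather than by a name prefix, which is an assumption made here to keep the example self-contained.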


FSI transformation

Automation has been a key driver for accelerating transformation at Deutsche Bank:

With the last few controls being transformed to ‘cloud ready’ and the initial set of applications passing through the controls, control automation is now at the center of our focus. As we progressively learn, utilize, and gain confidence in the real power of the embedded control framework of Google Cloud, we closely work with the control owners to leverage Google Cloud native capabilities. The success we see in automation is now driving the momentum in the on-prem world as well, therefore the hybrid model for automating controls is the next challenge for us in the upcoming months.

Greta Binder, Operational Readiness Product Owner – Vice President at Deutsche Bank


The integrated environment of GCP provides foundational capabilities (such as real-time inventory) that can significantly reduce the burden for control owners as they work to establish and maintain their security and compliance posture. The case studies give examples as to how GCP customers can move into continuous compliance, encompassing real-time attestation and notification (something which could occur in case of a misconfiguration, for example). The more familiar control owners become with the GCP capabilities the more confident they feel to automate their controls.

Building on the control automation examples we covered, potential next steps could be embedding the controls into policies within GKE Policy Controller, and GKE Config Connector seamlessly logging into Cloud Operations Suite, as well as Security Command Center. Read more about this topic as part of our recently released solution Modernizing Compliance: Introducing Risk and Compliance as Code.

By: Florian Graf (Technical Account Manager) and Jo Hellwig (Technical Account Manager)
Source: Google Cloud Blog