As a member of the Security Practice in Google Cloud’s Professional Services Organization, we regularly help customers to solve this question and many more cloud security challenges. Our global team works across industries to bring our Google Cloud security expertise directly to customers. We specialize in cloud security domains such as cloud native compliance, zero trust architecture, application security, data protection, and security operations.

In this post, we will provide a couple examples of how we advise our customers to configure preventive security controls using Google Cloud’s native capabilities and industry best practices. Preventive security controls, also known as security “guardrails”, are controls that allow developers the flexibility to innovate within the boundaries of defined security policies. Preventing a misconfiguration or vulnerability before it becomes exploitable.

Infrastructure as Code: Deploying securely

It can be difficult to solve organizational security challenges solely with technology. Mature cloud security programs are a blend of repeatable, operational processes and automated controls. To help ensure developers are innovating on a secure baseline, we recommend customers design a centralized process for developers to request new GCP projects and register workloads. This allows the security team the ability to properly configure GCP projects with defined security parameters.  To help enable repeatability and consistency of the process, we automate using  Google Cloud Project Factory  to centrally deploy opinionated projects to developers.

The goal of guardrails is to prevent security violations before they can impact the production platform. Stopping a security issue before it occurs can be an effective risk mitigation tactic. Traditionally organizations used cumbersome change management processes to manually control deployment and evaluate security posture. On Google Cloud, we work with customers to design Infrastructure as Code (IaC) pipelines to define security policy checks and automatically validate posture before the deployment. A typical design pattern uses “policy-as-code” tools, such as Terraform Validator, to enforce security guardrails for developers as part of the CI/CD pipeline. This design allows customers to configure security constraints, based on their specific requirements or risk tolerance.

Building preventive controls using GCP native capabilities

Google Cloud works to deliver  the industry’s most trusted cloud offering native platform and product capabilities that enable organization-wide preventive security control. We collaborate with security teams to design foundational architecture and recommend security services to meet their requirements. To highlight, the following Google Cloud services are commonly used to implement security guardrails for developers:

• Organization Policy – Provides centralized and programmatic control over how the organization’s resources are deployed. Security teams can select from a list of available constraints to restrict how a resource is configured, preventing a potential  misconfiguration from occurring. For example the organization policy constraint, constraints/storage.publicAccessPrevention, will prevent a developer from publicly exposing a cloud storage bucket.

• VPC Service Controls – Prevents unauthorized data movement by isolating GCP resources and restricting data flows with fine grained rules. VPC Service Controls enable context-based perimeter security to secure API-based services. Developers working on a protected service within a VPC Service Control perimeter will be restricted to the rules defined by the administrator, helping to mitigate the risk of data exfiltration.  For example, customers will configure VPC Service Controls to limit BigQuery access to a developer’s specified location or device.

• Cloud IAM – Enables granular access to ensure Developers only have access to specific Google Cloud resources. Security teams are able to apply the principle of least privilege, preventing overly permissive roles to reduce the overall attack surface of the platform.

These native GCP services are supported by Infrastructure as Code pipelines. To help ensure consistent protection for developers, preventive security services should be configured and deployed with the previously discussed managed IaC pipeline. Building a repeatable automated pattern for IaC deployment will simplify the process for developers and protect the environment with the defined security guardrails.

For more information on building a secure Google Cloud deployment, check out the Security Foundations Blueprint.