Welcome to the GCP Security Monitoring knowledge base!
The CUIT Cybersecurity team has built this security monitoring process to detect security vulnerabilities or misconfigurations in the GCP Cloud. Each alert has a criticality assigned to demonstrate how to prioritize the issue detected. A description and remediation are also provided in each alert to guide you as the project owner on how to solve the issue at hand. Additionally each alert has references to the GCP Support Site, CIS Benchmark or MITRE ATT&CK framework which were the teams source to build the monitoring alerts.
Below is a search bar which will let you type in the alert name and find additional information about the event. On the left you can see a drop down under GCP Security Monitoring, this will provide you access to a comprehensive list of detections which we use in our monitoring.
GCP Security Best Practices
We have compiled the following list as best practices to provide a security foundation to GCP Project owners. These controls are designed to limit exposure and reduce the attack surface of your cloud resources.
Run Antivirus or Anti-Malware on virtual machines
If you are looking for antivirus or anti-malware CUIT provides Malwarebytes to the university
IT Staff around the university can request a site to manage their endpoints
Limit public resources
Buckets and databases should be restricted from being directly accessible from the outside world
This will prevent from information being exposed which it was not intended to
Google recommends against this configuration
“The Cloud Storage access control system includes the ability to specify that buckets are publicly writable. While configuring a bucket this way can be convenient for various purposes, we recommend against using this permission - it can be abused for distributing illegal content, viruses, and other malware, and the bucket owner is legally and financially responsible for the content stored in their buckets”
Limit which region resources are provisioned
Since Columbia University is operating out of the United States from a legal perspective it is in the Universities best interest to host data within the same region.
Deploying workloads to regions outside of the US will require an exception, you can find that process to the left of this page
Leverage University login systems and Multi Factor authentication
The Identity and access management system provide a platform to enable UNI based authentication on applications
No Public IPs on Virtual Machines
Security best practice is to limit which network ports are accessible via the world on virtual machines
To facilitate applications which need to be publicly accessible a load balancer should be used to provide that connectivity. This will also provide you additional features such as distribution of workload and high availability