{"id":1304,"date":"2022-04-11T10:38:25","date_gmt":"2022-04-11T09:38:25","guid":{"rendered":"http:\/\/www.klaushaller.net\/?p=1304"},"modified":"2022-04-11T10:38:25","modified_gmt":"2022-04-11T09:38:25","slug":"paas-perimeter-security-in-azure-and-gcp","status":"publish","type":"post","link":"https:\/\/www.klaushaller.net\/?p=1304","title":{"rendered":"PaaS Perimeter Security in Azure and GCP"},"content":{"rendered":"\n<p>With all the efficient and innovative Platform-as-a-Service (PaaS) services in the cloud world, a catastrophe is only one click away. An engineer wrongly configures a database or object storage service, and cybercriminals have access to all data from anywhere on the internet. Booz Allen Hamilton, WWE, Verizon Wireless, Accenture, the Pentagon: these are just some prominent companies and organizations that misconfigured their AWS S3 object storage and lost millions of data records. So, how can cloud security architects avert such catastrophes?<\/p>\n\n\n\n<p>The article exemplifies typical but risky configuration options in Microsoft\u2019s Azure and the Google Cloud Platform (GCP). Then, its focus shifts to Azure\u2019s concepts of Private Endpoints and Private Links and to GCP VPC Service Controls. Looking at the different features of the two sample public cloud providers allows for a better understanding of the various security risks and mitigation approaches when protecting PaaS services.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Basic PaaS Configurations<\/h1>\n\n\n\n<p>When creating PaaS service instances via the GUI, the cloud vendors usually suggest (also) security configuration options with a relaxed security level. Their motto: simple and easy to set up, every engineer trying out the cloud and a specific service should succeed. 
But such configurations come with risks that this section elaborates on in more detail.<\/p>\n\n\n\n<p>In classic data centers, a solution can invoke internal web or microservices only if meeting two conditions:<\/p>\n\n\n\n<ol class=\"wp-block-list\" type=\"1\"><li>Authentication (and authorization), i.e., only specific applications, solutions, and users can invoke the service after verifying their identity and when they have the needed access rights and roles.<\/li><li>Reachability of the service in the network: Networks are typically divided into different zones, separated by firewalls. Invoking services in different zones requires opening up connections.<\/li><\/ol>\n\n\n\n<p>PaaS service default configurations usually require authentication but come with limited network-level protection. By default, PaaS services belong to one zone: the worldwide internet, where everybody can reach everything.<\/p>\n\n\n\n<p>Figure 1 illustrates the network security configurations when creating instances for two typical GCP PaaS services: Cloud Storage, Google\u2019s object storage service, and managed SQL database instances. When engineers create a database service in GCP, they have to choose between a public and a private IP address (Figure 1, 1). A public IP means that everyone on the internet can connect to this service. If the authentication mechanisms are in place and configured correctly and if attackers cannot get access keys etc., this is a perfectly safe approach. However, it is a challenge to ensure that none of hundreds or thousands of engineers in a larger IT organization ever make a critical mistake. 
And indeed, Google provides the option to restrict access to certain network zones to reduce the risk (Figure 1, 2).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/04\/gcp_paas_services_cloud_storage_sql_server_instance_network_security.jpg\"><img loading=\"lazy\" decoding=\"async\" width=\"496\" height=\"231\" src=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/04\/gcp_paas_services_cloud_storage_sql_server_instance_network_security.jpg\" alt=\"\" class=\"wp-image-1305\" srcset=\"https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/04\/gcp_paas_services_cloud_storage_sql_server_instance_network_security.jpg 496w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/04\/gcp_paas_services_cloud_storage_sql_server_instance_network_security-300x140.jpg 300w\" sizes=\"auto, (max-width: 496px) 100vw, 496px\" \/><\/a><figcaption>Figure 1: GCP PaaS Services for storing data. Network security settings when creating SQL Server (left) and Cloud Storage instances (right)<\/figcaption><\/figure>\n\n\n\n<p>When creating a Cloud Storage bucket, engineers must decide whether to enforce the prevention of public access to the data stored in this bucket. The challenge with any object storage \u2013 be it in GCP, Azure, AWS, or any other cloud \u2013 is the contradicting network security needs of the two primary use cases.<\/p>\n\n\n\n<p>The first use case for object storage is storing classic (internal) application data. An archiving system might store PDF files; a security solution might store video recordings that document who performed which command on a particular system. Such data must not be made available to the internet. 
The perfect security setting for such an object storage service instance is \u201cforbid all internet access.\u201d<\/p>\n\n\n\n<p>The second use case for object storage is storing and delivering websites, e.g., a web page with an interview text plus incorporated pictures. Everyone on the internet should be able to access the web pages and read the interview. There is no need for network firewalls or authentication mechanisms.<\/p>\n\n\n\n<p>So, there are two highly relevant use cases, and one technology solves both needs and challenges. That is usually perfect, just not in this case. In this peculiar case, it is a security risk. When you configure the object storage for a bank\u2019s know-your-customer documents by mistake as publicly accessible website storage, you might only notice when your documents appear for sale on the darknet.<\/p>\n\n\n\n<p>Public IPs and the risk of misconfiguration are not a GCP specialty. Figure 2 presents the GUI mask for creating a Cosmos DB database service via the Azure portal. Two settings create public endpoints: \u201call networks\u201d and \u201cpublic endpoint (selected networks).\u201d Especially in the case of \u201call networks,\u201d anyone on the internet can reach the Cosmos service instance. In other words, access control misconfigurations can have catastrophic results.<\/p>\n\n\n\n<p>To point out the situation clearly \u2013 and this is the same for GCP Cosmos DB or Azure SQL databases and many more database services in the cloud \u2013 there is no sensible reason why databases should have a public IP. Databases are backend systems. There is no point reaching them from outside the organization.<\/p>\n\n\n\n<p>The screenshot in Figure 2 has a third option for Cosmos DB: Private Endpoints. 
The following section looks at the details.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/04\/cosmos_db_network_security.png\"><img loading=\"lazy\" decoding=\"async\" width=\"605\" height=\"332\" src=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/04\/cosmos_db_network_security.png\" alt=\"\" class=\"wp-image-1306\" srcset=\"https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/04\/cosmos_db_network_security.png 605w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/04\/cosmos_db_network_security-300x165.png 300w\" sizes=\"auto, (max-width: 605px) 100vw, 605px\" \/><\/a><figcaption>Figure 2: Network security options when creating a Cosmos DB<\/figcaption><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">Azure Private Endpoint and Link<\/h1>\n\n\n\n<p>Some time ago, Azure introduced Private Endpoints and Private Links. They provide an extra layer of security. Thanks to them, engineers can incorporate PaaS service instances (e.g., Cosmos databases) into a VNet and access PaaS services without going via public IPs. When creating a Cosmos Database Service instance with this option, engineers create a Private Endpoint in their VNet with a VNet-internal, private, non-public IP. The Private Endpoint points to the actual resource, e.g., a Cosmos Database, via a Private Link.<\/p>\n\n\n\n<p>\u201cPrivate Endpoint\u201d is the third connectivity option in the example of creating a Cosmos service instance (Figure 3). When chosen, engineers can create and add a private endpoint. 
The Private Endpoint has a name, and the engineer specifies into which VNet Azure shall deploy it.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/04\/azure_private_endpoint.png\"><img loading=\"lazy\" decoding=\"async\" width=\"548\" height=\"298\" src=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/04\/azure_private_endpoint.png\" alt=\"\" class=\"wp-image-1307\" srcset=\"https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/04\/azure_private_endpoint.png 548w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/04\/azure_private_endpoint-300x163.png 300w\" sizes=\"auto, (max-width: 548px) 100vw, 548px\" \/><\/a><figcaption>Figure 3: Private Endpoint configuration option for Azure Cosmos DB<\/figcaption><\/figure>\n\n\n\n<p>Figure 4 illustrates what happens in the background in the case of private endpoint \/ private link connectivity (B) versus the traditional approach (A).<\/p>\n\n\n\n<p>In addition to configuring Azure Private Endpoints and Private Links, engineers must be aware of and mitigate two more risks. First, Private Links and Private Endpoints are in themselves safe, but the cloud architecture must ensure no firewalls are open on the resource itself (risk C). The benefit is that there is no need to open a firewall to make solutions work and components interact. Thus, forbidding the opening of ports becomes feasible. Second, criminal employees might try to exfiltrate data. They could send company data to a personal Cosmos Database service instance controlled and owned by themselves as private persons (D). Thanks to Private Endpoints and Private Links, cloud security architects can demand that all traffic to storage or database services goes via Azure Private Endpoints. 
Auditing and analyzing networks for exfiltration paths becomes much more straightforward.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/04\/azure_paas_understanding_private_endpoints_and_private_link.png\"><img loading=\"lazy\" decoding=\"async\" width=\"448\" height=\"233\" src=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/04\/azure_paas_understanding_private_endpoints_and_private_link.png\" alt=\"\" class=\"wp-image-1308\" srcset=\"https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/04\/azure_paas_understanding_private_endpoints_and_private_link.png 448w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/04\/azure_paas_understanding_private_endpoints_and_private_link-300x156.png 300w\" sizes=\"auto, (max-width: 448px) 100vw, 448px\" \/><\/a><figcaption>Figure 4: Classic PaaS Connectivity (A) versus Private Endpoint \/ Private Link (B). C and D illustrate remaining network security risks for Private Endpoints and Private Links.<\/figcaption><\/figure>\n\n\n\n<p>Before discussing Google\u2019s really cool feature for PaaS perimeter protection, a final remark about Azure Private Links. Azure Private Link Service enables engineers to make their own services and resources available via Azure Private Endpoints. Thereby, they benefit from the same security features for their code that Microsoft relies on for protecting its Azure PaaS services.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">GCP Perimeter Protection with VPC Service Controls<\/h1>\n\n\n\n<p>Google\u2019s VPC Service Controls concept enables cloud security architects to build a perimeter-protected network zone composed of IaaS and (!) PaaS resources. A VPC Service Control definition comprises five main elements: projects, services in scope, accessible services, access level, and traffic exceptions.<\/p>\n\n\n\n<p>The <strong>GCP projects<\/strong> of a VPC Service Control define the trust perimeter. 
These projects trust each other and can freely interact as defined by the network configurations. In contrast, applications in other VPC Service Control perimeters must not access the resources if not permitted explicitly.<\/p>\n\n\n\n<p>The <strong>GCP<\/strong> <strong>Services<\/strong> part of a VPC Service Control definition specifies for which services the perimeter protection of the VPC Service Control applies. That is a crucial setting. If, for example, Cloud Storage is not part of the perimeter definition, engineers can easily transfer data in and out of the VPC Service Control perimeter. A note: Google adds the feature to more and more services, but it might not yet be available for all services a company needs. Thus, disabling unprotectable GCP services can be a necessity.<\/p>\n\n\n\n<p><strong>GCP Accessible Services<\/strong> add another nuance to perimeter definitions. The feature enables engineers to limit the GCP services that resources can invoke from within the Service Control perimeter.<\/p>\n\n\n\n<p>As a result of a VPC Service Control definition, services, or rather their callability, fall into three categories:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Service instances of GCP services under VPC Service Control perimeter protection. They are only accessible from within the perimeter. Plus, they cannot invoke external service instances.<\/li><li>Service instances of GCP services without restriction. VMs within a VPC Service Control can connect to VPC-internal and external service instances. Plus, VPC-external resources can (try to) connect to VPC-internal instances of this type.<\/li><li>Services blocked for use within a VPC Service Control via the \u201cGCP Accessible Services\u201d setting.<\/li><\/ul>\n\n\n\n<p>The <strong>GCP Access Level<\/strong> is an option for context-aware authentication and authorization. 
It is a new and upcoming approach requiring a detailed analysis worth a dedicated article.<\/p>\n\n\n\n<p>A last core element is an option for defining exceptions, i.e., adding <strong>ingress and egress traffic<\/strong> <strong>rules<\/strong> allowing otherwise forbidden traffic into and out of the VPC Service Control. Thus, VMs from within one service perimeter might get read access to Cloud Storage in a different service perimeter.<\/p>\n\n\n\n<p>VPC Service Controls in the GCP world and the Azure Private Link\/Private Endpoint help cloud security architects shield PaaS (and IaaS) service instances from the internet or other internal network zones. Their absoluteness \u2013 especially the exceptionally rigid VPC Service Controls \u2013 is what makes them so valuable. No one has to define, analyze, and manage thousands of rules and exceptions to understand and ensure the overall security posture of a network consisting of IaaS and PaaS resources. Instead, PaaS security becomes (nearly) child\u2019s play.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>With all the efficient and innovative Platform-as-a-Service (PaaS) services in the cloud world, a catastrophe is only one click away. An engineer wrongly configures a database or object storage service, and cybercriminals have access to all data from anywhere on the internet. 
Booz Allen Hamilton, WWE, Verizon Wireless, Accenture, the Pentagon: these are just some [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1309,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24,22,25,23],"tags":[37,42,41],"class_list":["post-1304","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","category-cloudsecurity","category-gcp","category-securityarchitecture","tag-network-security","tag-paas","tag-paas-security"],"_links":{"self":[{"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/posts\/1304","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1304"}],"version-history":[{"count":1,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/posts\/1304\/revisions"}],"predecessor-version":[{"id":1310,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/posts\/1304\/revisions\/1310"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/media\/1309"}],"wp:attachment":[{"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1304"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1304"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}