What Google Cloud security layer does strong authentication for data access relate to
These mappings of the Google Cloud Platform (GCP) security controls to MITRE ATT&CK® are designed to empower organizations with independent data on which native GCP security controls are most useful in defending against the adversary TTPs that they care about. These mappings are part of a collection of mappings of native product security controls to ATT&CK based on a common methodology, scoring rubric, data model, and tool set. The full set of resources is available on the Center's project page.
Controls

1. Access Transparency
Access Transparency logs record the actions that Google personnel take when accessing customer content. Access Transparency log entries include details such as the affected resource and action, the time of the action, the reason for the action, and information about the accessor.

2. Actifio GO
Actifio GO is a Google Cloud backup and disaster recovery offering that enables powerful data protection for Google Cloud and hybrid workloads. Actifio GO supports Google workloads such as Compute Engine and VMware Engine, as well as hybrid workloads like VMware, SAP HANA, Oracle, SQL Server, and others.
Mapping Comments: This mapping was scored as significant due to the control's notable remediation capabilities.

3. Advanced Protection Program
The Advanced Protection Program safeguards users with high visibility and sensitive information from targeted online attacks. Current capabilities include MFA, blocking harmful downloads while using Chrome, and prevention of data requests from non-vetted apps. New protections are automatically added to defend against today's wide range of threats.

4. Anthos Config Management
Anthos Config Management enables platform operators to automatically deploy shared environment configurations and enforce approved security policies across Kubernetes clusters on-premises, on GKE, and in other public cloud platforms. It also lets platform admins configure Google Cloud services using the same resource model.
Mapping Comments: Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques and sub-techniques in this security solution were rated as partial.

5. Artifact Registry
Artifact Registry provides a single location for storing and managing your system packages and container images.
Mapping Comments: This control may provide information about software vulnerabilities in the environment.
6. Assured Workloads
Assured Workloads provides Google Cloud customers with the ability to apply security controls to an environment, in support of compliance requirements, without compromising the quality of their cloud experience. Customers should only use Assured Workloads if their Google Cloud use case is actively subject to regulatory compliance.
Mapping Comments: Assured Workloads doesn't appear to provide any specific mitigation for TTPs. Rather, it focuses on enabling customers to apply other security controls in ways that support regulatory compliance. As a result, we have not mapped any TTPs to this control.

7. BeyondCorp Enterprise
A zero trust solution that enables secure access with integrated threat and data protection. It provides secure access to critical applications and services, and increases visibility into unsafe user activity.
Mapping Comments: This solution was rated as significant due to the control's high threat protection coverage and temporal factors (e.g., real-time, periodical).

8. Binary Authorization
Binary Authorization is a service that provides software supply-chain security for container-based applications.
Mapping Comments: Binary Authorization provides the capability to configure a policy that is enforced when an attempt is made to deploy a container image.

9. Certificate Authority Service
Google Cloud Certificate Authority Service (CAS) is a highly available and scalable service that enables you to simplify, automate, and customize the deployment, management, and security of private certificate authorities (CAs).

10. Chronicle
Chronicle is Google Cloud's data aggregation platform and threat detection system designed to collect massive amounts of security telemetry, detect malicious events, and report based on known indicators of compromise. Most of the attacks were correlated using Chronicle's documentation and the threat detection rules available in its GitHub repo.
Mapping Comments: This mapping is given a score of minimal due to low threat detection fidelity for specific (sub-)techniques found in MITRE's ATT&CK framework. Chronicle is able to ingest and aggregate raw logs in multiple data formats, including JSON, CSV, XML, and syslog.

11. Cloud Armor
Cloud Armor protects applications by providing Layer 7 filtering and by scrubbing incoming requests for common web attacks or other Layer 7 attributes to potentially block traffic before it reaches load-balanced backend services or backend buckets.
12. Cloud Asset Inventory
Cloud Asset Inventory provides inventory services based on a time series database. Cloud Asset Inventory allows you to search asset metadata, export all asset metadata at a certain timestamp or export event change history during a specific timeframe, monitor asset changes by subscribing to real-time notifications, and analyze IAM policy to find out who has access to what.

13. Cloud CDN
Cloud CDN (Content Delivery Network) uses Google's global edge network to serve content closer to users, which accelerates access to websites and applications.

14. Cloud Data Loss Prevention
Cloud DLP provides tools to classify, mask, tokenize, and transform sensitive elements to help you better manage the data that you collect, store, or use for business or analytics.

15. Cloud Hardware Security Module (HSM)
Google Cloud's Hardware Security Module (HSM) is a security feature available under Google Cloud Key Management Service that allows customers to host encryption keys and perform cryptographic operations in a FIPS 140-2 Level 3 certified environment.
Mapping Comments: This control provides a secure alternative to storing encryption keys in the file system.

16. Cloud IDS
Cloud IDS is an intrusion detection service that inspects network traffic and triggers alerts on intrusions, malware, spyware, or other cyber-attacks. Cloud IDS' default ruleset is powered by Palo Alto Networks' advanced threat detection technologies and the vendor's latest set of threat signatures (e.g., antivirus, anti-spyware, or vulnerability signatures). Cloud IDS depends on the Cloud Logging feature to collect network telemetry. Further threat detection rules can be crafted to generate alerts based on network traffic (e.g., PCAP, NetFlow).
Mapping Comments: This mapping was scored as significant due to the control's notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time).

17. Cloud Identity
Cloud Identity is an Identity as a Service (IDaaS) and enterprise mobility management (EMM) product. It offers the identity services and endpoint administration that are available in Google Workspace as a stand-alone product. For end-users, Cloud Identity protects user access with multi-factor authentication. As an administrator, one can use Cloud Identity to manage users, apps, and devices from a central location: the Google Admin console.
18. Cloud Key Management
A cloud-hosted key management service that allows a user to manage symmetric and asymmetric cryptographic keys for cloud services the same way one does on-premises. It also manages encryption keys on Google Cloud.
Mapping Comments: Similar to AWS Key Management Service, AWS CloudHSM, and Azure Key Vault.

19. Cloud Logging
Cloud Logging is a fully managed service that allows users to store, search, analyze, monitor, and alert on logging data and events from Google Cloud and Amazon Web Services. Users can collect logging data from over 150 common application components, on-premises systems, and hybrid cloud systems.
Mapping Comments: This control is not mappable because it does not provide significant detection of malicious techniques. Some of the other security controls that this control corresponds to are Azure DNS Analytics, AWS CloudTrail, AWS S3, and AWS Audit Manager. The S3 server access logging feature was not mapped because it was deemed to be a data source that can be used with other detective controls rather than a security control in and of itself.

20. Cloud NAT
Cloud NAT (Network Address Translation) lets certain resources without external IP addresses create outbound connections to the internet.
Mapping Comments: This control doesn't appear to provide coverage for any ATT&CK techniques.

21. Cloud Storage
Google's Cloud Storage is an object storage service that provides customers with replication, availability, access control, and data management. A feature to highlight is that Cloud Storage by default always encrypts data before it's written to disk on the server side.
Mapping Comments: There are other methods available for users to secure data with the use of client-side encryption and customer-supplied encryption keys.

22. Cloud VPN
Cloud VPN securely connects your peer network to your Virtual Private Cloud (VPC) network through an IPsec VPN connection. Traffic traveling between the two networks is encrypted by one VPN gateway and then decrypted by the other VPN gateway. This protects your data as it travels over the internet. You can also connect two instances of Cloud VPN to each other.

23. Confidential VM and Compute Engine
Confidential VM includes inline memory encryption to secure processing of sensitive data in memory. This type of virtual machine uses AMD Secure Encrypted Virtualization to encrypt data during processing (i.e., data-in-use encryption).

24. Config Connector
Config Connector is a Kubernetes add-on that allows you to manage Google Cloud resources through Kubernetes.
Mapping Comments: This control was not mapped as it is not considered a security control but rather an alternative way of deploying and managing Google Cloud resources.
25. Container Registry
Container Registry is Google Cloud's service that provides a single location for storing and managing container images that support the Docker Image Manifest V2 and OCI image formats. Container Analysis is the vulnerability scanning feature in Container Registry that detects software weaknesses using the following sources: Debian, Ubuntu, Alpine, RHEL, CentOS, and the National Vulnerability Database.
Mapping Comments: Google Cloud's Artifact Registry is the recommended service for managing containers. Container Registry provides a subset of the features found in Artifact Registry and will only receive critical security fixes.

26. Data Catalog
Google Cloud's Data Catalog enables customers to quickly query cloud assets, identify sensitive data, and automatically tag it for integration with Google Cloud's Data Loss Prevention (DLP) tool.
Mapping Comments: This control was not mapped because the Data Catalog service isn't considered a security control capable of defending against MITRE ATT&CK techniques, and it would require the use of a secondary product, such as DLP, for cyber defense.

27. Deployment Manager
Google Cloud's Deployment Manager is an infrastructure management service that enables users to build predictable cloud resources using static or dynamic configuration file templates.
Mapping Comments: This control was not mapped because Deployment Manager does not provide a security capability as a stand-alone tool and would require a third-party tool (e.g., Terraform) to mitigate denial of service type cyber-attacks.

28. Endpoint Management
With Google endpoint management, you can make your organization's data more secure across your users' mobile devices, desktops, laptops, and other endpoints.

29. Firewalls
Google Cloud VPC Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. VPC firewalls are stateful and exist not only between your instances and other networks, but also between individual instances within the same network. Connections are allowed or denied on a per-instance basis. Firewall activity can be captured via Firewall Rules Logging and analyzed with Firewall Insights.
Mapping Comments: Documentation is segmented into four sections: VPC firewall rules, hierarchical firewall policies, Firewall Insights, and Firewall Rules Logging. These sections are listed under Firewall Insights and Virtual Private Cloud (VPC) rather than a generic Firewall documentation page. It's unclear whether the data in these sections should correspond to the "Firewalls" control or to the parent control under which it is documented.

30. Google Kubernetes Engine
Google Kubernetes Engine (GKE) provides the ability to secure containers across many layers of the stack, including container images, the container runtime, the cluster network, and access to the cluster API.
Mapping Comments: This control provides information about security best practices and policies to apply when deploying Google Kubernetes Engine.

31. Hybrid Connectivity
Google Cloud Hybrid Connectivity provides several options for connecting to Google Cloud with high performance, guaranteed uptime, and flexible VPNs.
Mapping Comments: This is not a security control; the controls that fall under the Hybrid Connectivity umbrella have their own mapping files.
32. Identity-Aware Proxy
Identity-Aware Proxy (IAP) includes a number of features that can be used to protect access to Google Cloud hosted resources and applications hosted on Google. IAP lets you establish a central authorization layer for applications accessed by HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls.
Mapping Comments: This mapping was scored as partial due to the control's low to medium threat protection fidelity for specific (sub-)techniques found in MITRE's ATT&CK framework.

33. Identity and Access Management
Identity and Access Management (IAM) gives administrators fine-grained access control and visibility for centrally managing enterprise cloud resources. It gives more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets users adopt the security principle of least privilege, so you grant only the necessary access to your resources.
Mapping Comments: Similar to Azure AD Managed Identities, Azure Role-Based Access Control, and AWS Identity and Access Management.

34. Identity Platform
Identity Platform is a customer identity and access management (CIAM) platform that helps organizations add identity and access management functionality to their applications, protect user accounts, and scale with confidence on Google Cloud.

35. Packet Mirroring
This control is a feature found under the Virtual Private Cloud tool that provides users with the ability to duplicate traffic to enable cyber forensic investigations.
Mapping Comments: This tool provides the functional ability to clone traffic, but is not considered a stand-alone security control as it requires a secondary security tool (e.g., IDS/IPS) to enable cyber defense and digital forensics.

36. Policy Intelligence
Policy Intelligence helps enterprises understand and manage their policies to reduce their risk. By utilizing machine learning and analytics, Policy Intelligence provides more visibility and automation, and customers can increase their workloads.
Mapping Comments: Similar to Azure Role-Based Access Control and Azure Policy.

37. reCAPTCHA Enterprise
With reCAPTCHA Enterprise, you can protect your site from spam and abuse, and detect other types of fraudulent activity on your sites, such as credential stuffing, account takeover (ATO), and automated account creation. reCAPTCHA Enterprise offers enhanced detection with more granular scores, reason codes for risky events, mobile app SDKs, password breach/leak detection, multi-factor authentication (MFA), and the ability to tune your site-specific model to protect enterprise businesses.

38. Resource Manager
Google Cloud Platform provides resource containers such as organizations, folders, and projects that allow users to group and hierarchically organize other GCP resources. This hierarchical organization lets users easily manage common aspects of their resources such as access control and configuration settings. Resource Manager enables users to programmatically manage these resource containers.
39. Secret Manager
Secret Manager allows you to store, manage, and access secrets as binary blobs or text strings. Secret Manager works well for storing configuration information such as database passwords, API keys, or TLS certificates needed by an application at runtime.

40. Security Command Center
Security Command Center (SCC) provides analysts with a centralized dashboard for cyber situational awareness by aggregating threat and vulnerability reports. SCC works by scanning for weaknesses or monitoring an organization's logging stream for anomalies (e.g., Google Workspace logs, containers, vulnerabilities in web applications, and hypervisor-level instrumentation). To further mitigate risks in the infrastructure, SCC easily integrates with other Google Cloud security solutions (Cloud DLP, Chronicle, Binary Authorization, Cloud Armor) and third-party solutions (e.g., SIEM, SOAR). The cyber-attacks in this solution are correlated to SCC's Premium tier, which includes additional security features: Event Threat Detection, Container Threat Detection, Virtual Machine Threat Detection, Web Security Scanner, and Security Health Analytics.
Mapping Comments: This mapping was rated as significant due to the control's notable detection accuracy, mappable threat coverage, and time-related factors (e.g., real-time). SCC also provides users with compliance mappings that scan environments for violations according to PCI-DSS v3.2.1, OWASP Top Ten, NIST 800-53, and ISO 27001. To improve cyber situational awareness and detection against various threats, SCC ingests logging data from multiple sources. Cloud Audit Admin Activity logs are always enabled by default and cannot be disabled. SCC Premium consumes logs automatically when activated. SSH logs and syslog inform the brute force detector, as does the set of network logs (VPC Flow, Cloud Firewall, Cloud NAT, Cloud DNS). Automated response functionality can further be extended in SCC to take actions against threats. A full list of automated actions can be found on GCP's GitHub. Reference: https://github.com/GoogleCloudPlatform/security-response-automation

41. Shielded VM
Shielded VMs are virtual machines (VMs) on Google Cloud hardened by a set of security controls that help defend against rootkits and bootkits. Shielded VMs leverage advanced platform security capabilities such as secure and measured boot, a virtual trusted platform module (vTPM), UEFI firmware, and integrity monitoring.

42. Siemplify
Siemplify is a security orchestration, automation and response (SOAR) provider that is unified with Google's Chronicle security control to provide an intuitive workbench that enables security teams to manage risk better and reduce the cost of addressing threats.
Mapping Comments: Siemplify primarily acts as a layer where alerts generated by other controls are collected and where mitigation and remediation actions are triggered to be taken by other controls provided by the Google Cloud Platform. On its own, Siemplify does not provide additional coverage of ATT&CK techniques and is not mappable.

43. Terraform on Google Cloud
Terraform is an open source tool that lets you provision Google Cloud resources with declarative configuration files: resources such as virtual machines, containers, storage, and networking. Terraform's infrastructure-as-code (IaC) approach supports DevOps best practices for change management, letting you manage Terraform configuration files in source control to maintain an ideal provisioning state for testing and production environments.
Mapping Comments: In its current state, this control was scored as not mappable as it does not look reasonable to correlate it to specific (sub-)techniques of MITRE ATT&CK. While Terraform provides some security capabilities specific to Terraform processes (encryption between Terraform clients, encrypting workspace variables,

44. Titan Security Key
The Titan Security Key provides a tamper-resistant hardware security key that is used for 2-factor authentication.
45. VM Manager
VM Manager is a suite of tools that can be used to manage operating systems for large virtual machine (VM) fleets running Windows and Linux on Compute Engine. VM Manager helps drive efficiency through automation and reduces the operational burden of maintaining these VM fleets.
Mapping Comments: This mapping was scored as partial due to the medium threat protection coverage of specific (sub-)techniques of MITRE's ATT&CK framework.

46. VPC Service Controls
VPC Service Controls improves your ability to mitigate the risk of data exfiltration from Google Cloud services such as Cloud Storage and BigQuery. You can use VPC Service Controls to create perimeters that protect the resources and data of services that you explicitly specify.

47. Virtual Private Cloud
Google Cloud's Virtual Private Cloud (VPC) allows users to logically isolate resources and define security perimeters that filter ingress and egress traffic in a virtual network based on user identity or on policies for cloud assets (e.g., instance or subnet).

48. VirusTotal
VirusTotal analyzes suspicious files, domains, IPs, and URLs to detect malware and other breaches, and automatically shares them with the security community. It's a web-based scanner that utilizes over 70 antivirus scanners and URL/blacklisting services, among other tools, to extract signals from uploaded content.
Mapping Comments: This mapping was scored as significant due to the control's high threat protection coverage of specific ATT&CK (sub-)techniques and temporal factors (e.g., real-time).

49. Web Risk
Web Risk is a Google Cloud service that lets client applications check URLs against Google's constantly updated lists of unsafe web resources. Unsafe web resources include social engineering sites, such as phishing and deceptive sites, and sites that host malware or unwanted software. With Web Risk, you can quickly identify known bad sites, warn users before they click infected links, and prevent users from posting links to known infected pages from your site.
Control Tags

1. Access Control Policies
2. Access Management
3. Adaptive Network Hardening
4. Analytics
5. Antimalware
6. Antivirus
7. Auditing
8. Binary Authorization
9. Certificate Service
10. Chronicle
11. Cloud IDS
12. Config Management
13. Configuration Management
14. Containers
15. Credentials
16. Data Catalog
17. Data Loss Prevention
18. Data Security
19. Database
20. Denial of Service
21. Domain Name System (DNS)
22. Encryption
23. Firewall
24. Identity
25. Internet of Things (IoT)
26. Intrusion Detection Service (IDS)
27. Kubernetes
28. Logging
29. Malware
30. Multi-Factor Authentication
31. Network
32. Not Mappable
33. OS Security
34. Palo Alto Networks' Threat Signatures
35. Passwords
36. Patch Management
37. Phishing
38. Policy
39. Reports
40. Role Based Access Control
41. SIEM
42. Security Command Center
43. Storage
44. Threat Detection
45. Threat Hunting
46. VPN
47. Virtual Private Cloud
48. Vulnerability Analysis
49. Vulnerability Management
What are the three components of Google Cloud defense in depth data security design?
Let's take a closer look at three network security controls to minimize risk and secure your resources:
1. Secure your Internet-facing services. ...
2. Secure your VPC for private deployments. ...
3. Micro-segment access to your applications and services.

What is Google Cloud's principle for granting access to users?
IAM lets you grant granular access to specific Google Cloud resources and helps prevent access to other resources. IAM lets you adopt the security principle of least privilege, which states that nobody should have more permissions than they actually need.

Which security layer of the Google Cloud Platform contains the authentication and login abuse protection?
Google Cloud Platform security has distinct functions at each level of this infrastructure. For example, the user identity layer primarily involves the functions of login abuse safeguards and authentication.

What security does Google Cloud use?
For data at rest, a GCP page states it "is encrypted by default in all Google Cloud Platform products." GCP's application-level security uses Google's Application Layer Transport Security (ALTS) system. ALTS uses mutual authentication and transport encryption and runs at the network's application layer.