Introduction

The consumption of cloud services has grown rapidly over the last few years and one of the major providers to benefit from this growth is Google Cloud Platform (GCP). The security challenges faced by small/medium companies and enterprises when deploying new services into the cloud can often be daunting, so to get a better understanding of these challenges on GCP and help pointing out the necessary and available security controls, we used a threat modelling approach.

As a first step we chose to threat model GCP’s Google Cloud Storage service. To gain a better understanding of the service, we identified its key features and then drew a high-level diagram of the service. During the construction of the diagram, it was possible to identify the main data assets involved and any base security controls that were enabled by default. From there, it was possible to create a threat model for the Google Cloud Storage service with all the available features, security control recommendations were provided that would mitigate the identified threats.

The STRIDE model was used to create the threat model, as it provided a well proven methodology and an industry recognised approach.

The first several sections of this post look at threat modeling generic public cloud services through a STRIDE threat modeling framework (as applied, by way of example, to Google Cloud Platform and its’ specific terminology, architecture, and services), but could equally be applied to other cloud vendors as well to think through potential threats in their services. In the Threat Mitigation section toward the end of the post, we offer some more GCP-specific configuration choices that can help mitigate some of these various types of security threats.

STRIDE Overview

The STRIDE model can be used to visualize network and infrastructure threats, derived from the architecture overview and the data flows. The STRIDE model derives its name from an acronym for the threat groupings that it uses to categorise the threats (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege).

The method builds on the diagram, and the security controls implemented, to enumerate distinct methods that may be used by an attacker, either independently or in conjunction with each other, to compromise the system.

• Spoofing – Spoofing is a violation of authenticity.
• Tampering – Tampering is a violation of integrity.
• Repudiation – Claiming to have not performed an action.
• Information Disclosure – Information disclosure is a violation of confidentiality.
• Denial of Service – Denial of service (DoS) is a violation of availability.
• Elevation of Privilege – Elevation of privilege is a violation of authorisation.

Source: https://en.wikipedia.org/wiki/STRIDE_(security)

Google Cloud Storage Key Features

Using publicly available documentation provided by Google, it was possible to identify the key features of the Google Cloud Storage service.

Diagram

The diagram of the Google Cloud Storage service was produced using the publicly available documentations and through access to a GCP console in a test environment. The aim of the diagram is to provide a high-level view of the main interfaces and components involved in the Google Cloud Storage service.

Assets

Assets represent data, functionality, or an attribute of a system that a threat actor is interested in acquiring. The assets identified that would need protection when using Google Cloud Storage, would likely to be the data stored in the buckets, the authentication credentials that would be used to access the service, and any audit log related data.

Threat Actors

Threat actors are individuals that attack the system to either gain access to sensitive information or disrupt the system’s normal behaviour. We could consider the following potential threat actors to model attack scenarios against Google Cloud Storage.

Attack Goals

An attacker’s motives and goals are often hard to accurately predict, but for Google Cloud Storage are likely to fall in the following categories.

Default Base Security Controls

Transport layer encryption and data-at-rest encryption are enabled by default on Google Cloud Storage and cannot be disabled by GCP users. These represent the default base security controls identified for the threat model. By default, data-at-rest encryption is enabled on buckets using a Google Managed Key, however Customer Managed Keys can also be used.

Other security controls are available and configurable on Google Cloud Storage, as can be seen in the key features. When enabled and configured correctly these can significantly improve the security of the service.

Potential System Weaknesses

By examining the diagram, it is possible to find areas of relative security weakness (i.e.: opportunities for stronger security configurations) in Google Cloud Storage, when only the default base security controls are in use. The following potential weaknesses and opportunities for user-driven increased security were identified.

• Weak administrator credentials, without Multi-Factor Authentication (MFA) could be stolen or guessed, which could lead to disclosure, modification, or loss of data. This could also lead to the weakening of the Cloud Storage security settings.
• Like for all cloud services, user credentials with Cloud Storage permissions could be stolen or guessed (e.g. through phishing and password guessing attacks), which could lead to disclosure, modification, or loss of data.
• Like for all cloud services, service account credentials used by external services and other GCP projects could be stolen or guessed (e.g. through phishing and password guessing attacks).
• Like for all cloud services, service account credentials used by other GCP services to access the storage bucket could be intercepted, stolen, or guessed (e.g. through phishing and password guessing attacks).
• External service is compromised, which could lead to the disclosure, modification, or loss of data.
• GCP service or application code is compromised, which could lead to the disclosure, modification, or loss of data. For example:
  • Vulnerability in code running on a VM.
  • Vulnerability in code running on App Engine or Cloud Functions.
  • Vulnerability in GCP service itself.
• Cloud storage bucket is publicly exposed, which could lead to the disclosure of data.
• Overly permissive access controls could lead to loss of confidentiality, integrity and availability by other GCP projects or Google Identities.
• Cloud Storage service outage causing loss of access to data, or loss of data.
• Service issues not being identified and resolved quickly, due to:
  • Lack of monitoring
  • Lack of logging resulting in and inability to identify issues
    • Organisation/project owner
    • Google
• Lack of detailed logging, impacting security investigations and repudiation.
• Google personnel accessing data stored in Cloud Storage buckets.

List of Potential Threats

Based on the potential security configuration options and their associated strength/weakness identified in Google Cloud Storage, the following are a list of potential threats.

Threat Mitigation

Google Cloud Platform provides a range of security controls that can be used to mitigate the threats identified. The following section gives more security control recommendations and security best practices that can be used to mitigate each threat.

T01 Theft of Google Cloud Platform login credentials or access tokens

• Enable Multi-Factor Authentication on all Google identities.
• A strong password policy should be used to set passwords on all Google identities, using uppercase, lowercase, numbers, and special characters. Passwords should be a least 10 characters in length.
• Where possible do not use service account keys, use an alternative service account authentication method:
  • Service account impersonation
  • Attached service accounts
  • Workload Identity
• Ensure that Google Cloud Storage roles are granted to principals using IAM rather than primitive roles, following a principle of least privileges.
• VPC Service Controls can be used to restrict which IP addresses and principals can access the Google Cloud Storage API.

T02 Guessing of Google Cloud Platform credentials

• Enable Multi-Factor Authentication on all Google identities.
• A strong password policy should be used to set passwords on all Google identities, using uppercase, lowercase, numbers, and special characters. Passwords should be a least 10 characters in length.
• Ensure that Google Cloud Storage roles are granted to principals using IAM rather than primitive roles, following a principle of least privileges.
• VPC Service Controls can be used to restrict which IP addresses and principals can access the Google Cloud Storage API.
• Security Command Center with event threat detection can be utilised to identify attacks.
• Configuring log metrics and alerts in the Google Operation Monitoring service, will help detect persistent requests being made to the login API.

T03 Unauthenticated access to Google Cloud Storage bucket

• Google recommends using “uniform” access controls on Google Cloud Storage buckets, rather than “fine grained” access controls. Uniform access controls can be enforced on buckets across the Google Cloud Platform organisation, by enforcing the “Enforce uniform bucket-level access” organisation policy.
• Ensure that Google Cloud Storage roles are granted to principals using IAM rather than primitive roles, following a principle of least privileges.
• Avoid granting access to the “AllUsers” principal, as this will all public access.
• To disable public access on a bucket, select “Enforce public access prevention on this bucket” during its creation, or the “PREVENT PUBLIC ACCESS” option once the bucket has been created.
• Public access on buckets across the Google Cloud Platform organisation, can also be prevented by enforcing the “Enforce Public Access Prevention” organisation policy.
• VPC Service Controls can be used to restrict which IP addresses and principals can access the Google Cloud Storage API.

T04 Authenticated access to Google Cloud Storage bucket

• Google recommends using “uniform” access controls on Google Cloud Storage buckets, rather than “fine grained” access controls. Uniform access controls can be enforced on buckets across the Google Cloud Platform organisation, by enforcing the “Enforce uniform bucket-level access” organisation policy.
• Ensure that Google Cloud Storage roles are granted to principals using IAM rather than primitive roles, following a principle of least privileges.
• Avoid granting access to the “AllAuthenticatedUsers” principal, as this will allow any Google Identity to access the bucket.
• VPC Service Controls can be used to restrict which IP addresses and principals can access the Google Cloud Storage API.

T05 Deletion or Modification of data stored in Google Cloud Storage bucket

• Using IAM, restrict which principals can delete or update objects in the bucket. Follow the principle of least privileges.
• Enable object versioning on the bucket, so that previous versions of the object can be recovered.
• Configure a retention policy on the bucket, to prevent objects from being modified or deleted for a minimum period. A retention policy can be enforced on buckets across the Google Cloud Platform organisation, by enforcing the “Retention policy duration in seconds” organisation policy.

T06 Writing malicious content to the Google Cloud Storage bucket

• Using IAM, restrict which principals can create objects in the bucket. Follow the principle of least privileges.
• VPC Service Controls can be used to restrict which IP addresses and principals can access the Google Cloud Storage API.
• Configure a cross-origin resource sharing (CORS) policy on buckets to specify which origins are permitted to access the bucket.
• An event-driven pipeline can also be implemented that automatically performs malware scanning on objects uploaded to Google Cloud Storage.

T07 Exfiltration of data stored in Google Cloud Storage bucket

• Using IAM, restrict which principals can list and view objects in the bucket. Follow the principle of least privileges.
• VPC Service Controls can be used to restrict which IP addresses and principals can access the Google Cloud Storage API.
• The Google Cloud Data Loss Prevention (DLP) service can be used to automatically obfuscate sensitive data.

T08 Exploitable vulnerability in external service

• Using IAM, ensure that the service account used by the external service to access the Google Cloud Storage bucket has the minimum permissions required and does not have permissions on other services unless absolutely required. Follow the principle of least privileges.
• Enable “Data Read” and “Data Write” audit logs on the Google Cloud Storage service.

T09 Exploitable vulnerability in the application code running on Google Cloud Platform services

• Using IAM, ensure that the service account used by the application to access the Google Cloud Storage bucket has the minimum permissions required and does not have permissions on other services unless absolutely required. Follow a principle of least privileges.
• Enable “Data Read” and “Data Write” audit logs on the Google Cloud Storage.
• The Google Cloud Web Security Scanner can be run against the application to identify potential security problems.
• Security Command Center can identify potential weaknesses in Google Cloud resources.
• Cloud Armour can provide DDoS and Web Application Firewall (WAF) protection for the application.
• Notably, like any computer system, we cannot fully defend against yet-to-be-discovered exploitable vulnerabilities before they are found, so these mitigations are inherently incomplete, as they would be for any cloud service of software/hardware in general.

T10 Exploitable vulnerability in Google Cloud Platform services

• Google Cloud Platform services undergo rigorous security assessments.
• The Google Bug Hunters program allows groups or individuals to find and report vulnerabilities within Googles products, including Google Cloud Platform.
• Notably, like any computer system, we cannot fully defend against yet-to-be-discovered exploitable vulnerabilities before they are found, so these mitigations are inherently incomplete, as they would be for any cloud service of software/hardware in general.

T11 Logs do not contain sufficient data

• Enable “Data Read” and “Data Write” audit logs on the Google Cloud Storage service.

T12 Deletion of Logs

• Using IAM, ensure that only the logging service administrators in the project are granted permissions to delete the logging buckets. Follow a principle of least privileges.
• VPC Service Controls can be used to restrict which IP addresses and principals can access the logging API.
• Configure a retention policy on the log bucket, to prevent logs from being modified or deleted for a minimum period. A retention policy can be enforced on buckets across the Google Cloud Platform organisation, by enforcing the “Retention policy duration in seconds” organisation policy.

T13 Access to log data in Google Cloud Platform

• Using IAM, ensure that only the appropriate operations team members for the project are granted permissions to view the logs. Follow a principle of least privileges.
• VPC Service Controls can be used to restrict which IP addresses and principals can access the logging API.

T14 Google Cloud Storage bucket become unavailable

• Google Cloud Platform is globally distributed for resilience and high availability.
• To improve performance and availability, buckets can be created in two or multiple regions, making them more resilient to attack or regional outage.
• VPC Service Controls can be used to restrict which IP addresses and users can access the Google Cloud Storage API.
• Enable “Data Read” and “Data Write” audit logs on the Google Cloud Storage service to improve logging and monitoring.
• Configuring log metrics and alerts in the Google Operation Monitoring service, will help detect high volumes of requests and traffic.

T15 Google personnel accessing Cloud Storage bucket

• Enrol the organisation in the Google Access Approval service. Once the organisation has been enrolled, Google Personnel will require your explicit approval before they can access data. Access Approval ensures that a cryptographically signed approval is obtained before Google personnel can access an organisation’s content stored on Google Cloud.
• Enable “Access Transparency” within the organisation or project. Access transparency logs provide insights into Google personnel activity, such as fixing faults.

Conclusion

The threat modelling exercise has demonstrated that user/tenant configuration choices matter when evaluating the overall security posture of an instance of Google Cloud Storage, and that a number of relative weaknesses can be improved through deliberate choices on behalf of the user. We would also recommend, as we would in any cloud platform, that the storage bucket (in this case, the Google Cloud Storage bucket) be fully secured prior to the ingress of non-public or otherwise sensitive data.

GCP and the Google Cloud Storage service provide robust security controls that can mitigate all the threats identified during the exercise. When configured correctly, these security controls significantly improve the security of the bucket, making it more suitable for storing more sensitive classes of data.