Google Compute Engine: Comprehensive Security Analysis Report
Added on 2023/03/20
AI Summary
This report provides a comprehensive analysis of Google Compute Engine (GCE), a key component of Google Cloud Platform. It begins with an introduction to GCE, detailing its core components: persistent disks, networks, and virtual machines, highlighting their roles in data storage, connectivity, and scalability. The report then identifies critical assets at risk, including information, software, and services. It proceeds to outline major threats like data breaches, denial-of-service attacks, and insecure APIs, followed by an assessment of vulnerabilities such as full API access, IP forwarding, and open firewalls. The security objectives, including Security Health Analytics, Cloud Security Scanner, and phishing protection, are discussed, along with implemented controls and security measures. A risk evaluation using a heat map assesses the likelihood and impact of threats, concluding with an overview of GCE's strengths and areas needing security improvements.

Running head: GOOGLE COMPUTE ENGINE ANALYSIS
GOOGLE COMPUTE ENGINE ANALYSIS
Name of the Student:
Name of the University:
Author Note:
Table of Contents
Introduction
Assets
Threats
Vulnerabilities
Security objectives
Controls or security measures
Risk Evaluation
Conclusion
Introduction
Google Compute Engine is a product developed by Google as an infrastructure service and is
included as part of the Google Cloud Platform bundle. The engine of this product is made of
three primary components: persistent disks, networks and virtual machines. The software is
widely available, runs in multiple Google datacentres around the world, and is a service
that is available only on demand. The core component of the compute engine is the virtual
machines, comprising hundreds of high-performance virtual machines running on thousands of
virtual CPU cores. The workload handled by the compute engine is scalable because of the
different configurations of virtual machines involved in the system. The second core
component is the persistent disk (PD), a network-based storage device used by the VMs to
store data. This is a very important component from a security point of view because of its
critical storage role, as it also protects data in case of hardware failures. These
persistent disks can be offered in the form of solid state disks to increase performance.
Each virtual machine can have access to up to 16 PDs with a total storage of 10 terabytes of
data. The third and last component is the network and firewall, which forms an integral part
of the security system of Google Compute Engine. The networks are channels through which the
VMs connect to the external world. The network also creates channels to communicate with the
PDs. The core bandwidth of the Google Compute Engine network is 2 Gbits/sec. A cloud project
can have multiple VM instances, but only one network exists per VM. Each network has
integrated firewall capability and is protected by rules which allow only authorised access
to the network-connected devices. The protocols to allow are decided by the project managers
as per their requirements. The
“deny all by default” approach is the main protocol followed to improve the security of the
system. The network firewalls are all customisable and can be configured separately. For
example, a VM instance can be configured to allow incoming SSH requests only from a specific
IP address. This does not allow the incoming data to spread to other VM instances, which
increases the overall security of the system. Overall, Google Compute Engine can be said to
be quite efficient, secure and scalable according to the load of the project.
Assets
The most important assets placed under threat when using a cloud service provider are the
company's data and the applications it uses. Cloud services like Google Compute Engine
provide solutions to storage and computing hardware problems at low prices. The assets of
the company are then handled by such third-party companies. The three main assets that can
be at potential risk in GCE are:
1. Information assets: This includes assets like documents and files containing crucial
information about clients, company secrets and financial data. If this information is
hacked and made public, it can lead to huge losses in revenue.
2. Software assets: This includes any type of software developed or used by the company
and hosted on the cloud which can be used for illegal purposes by a hacker. This can be
financial software or administrative software, and it can lead to huge losses and
lawsuits if used illegally.
3. Services: This includes any services the company provides to its customers which can
be disrupted by a potential server failure of the cloud computing platform due to
cyber-attacks. This can lead to loss of revenue and shrink the company's customer base.
Threats
The three major threats to this technology are:
1. Data breaches: This is one of the most common types of threat and affects thousands of
companies every year. In this threat, the information stored by the company and all its
data can be stolen or made public by cyber criminals and hacking groups, which could lead
to a potential loss of millions of dollars. The attackers exploit loopholes in the cloud
system architecture or infrastructure to steal data in this type of threat.
2. Denial of service: This is another common form of threat for cloud-based companies. In
this type of threat, a service is repeatedly disrupted in order to interrupt business
proceedings and create revenue losses for the company. These services are mainly online
services like booking a train ticket or using a government online service. The main type
of attack used here is the distributed denial of service (DDoS) attack.
3. Insecure interfaces and APIs: This is another type of threat where an insecure API may
lead to unauthorised access into the system by hackers. In GCE, the main types of APIs
used are generally third-party APIs and Firebase SDKs. The weaker a web UI is, the higher
the chance of it getting hacked. The common type of attack used in these cases is SQL
injection.
Vulnerabilities
The three main vulnerabilities of Google Compute Engine are:
1. Full API access: In this vulnerability, a VM instance is configured in such a way that
the default settings of the computing platform allow the user full access to all Google
Cloud Platform APIs.
2. IP forwarding enabled: This vulnerability indicates that IP forwarding is activated on
all instances and the host system can get bombarded with incoming data from IP addresses
on all ports. This vulnerability can also be exploited by hackers to forward or redirect
important incoming data from the cloud system to other personal IP addresses.
3. Open firewall: This is a major vulnerability in which a firewall on a VM instance allows
incoming data packets from all IP addresses and practically exposes all ports and devices
connected to the network. This can be used by hackers to easily gain access to the system
or steal crucial system information. Scanning techniques like port scans, operating system
scans and stealth scans can be used by hackers here.
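The three misconfigurations listed above can be checked mechanically from exported instance
and firewall configuration. The following Python code is an added example, not part of the
original report or of any Google tool; it assumes input shaped like the JSON that the Compute
Engine API returns for instances and firewall rules, and every resource name, address and
account number in the sample data is constructed.

```python
import ipaddress

# Scope that grants a VM's service account access to every Google Cloud API.
FULL_ACCESS_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
# Suffix of the default Compute Engine service account e-mail address.
DEFAULT_SA_SUFFIX = "-compute@developer.gserviceaccount.com"

# Constructed sample data, shaped like Compute Engine API instance resources.
SAMPLE_INSTANCES = [
    {"name": "web-1", "canIpForward": False, "serviceAccounts": [
        {"email": "123456789012-compute@developer.gserviceaccount.com",
         "scopes": [FULL_ACCESS_SCOPE]}]},
    {"name": "nat-gw", "canIpForward": True, "serviceAccounts": [
        {"email": "nat-sa@example-project.iam.gserviceaccount.com",
         "scopes": ["https://www.googleapis.com/auth/logging.write"]}]},
    {"name": "db-1", "canIpForward": False, "serviceAccounts": []},
]
# Constructed sample firewall rules (203.0.113.0/24 is a documentation range).
SAMPLE_FIREWALLS = [
    {"name": "allow-ssh-admin", "direction": "INGRESS",
     "sourceRanges": ["203.0.113.10/32"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-all-in", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22", "3389"]}]},
    {"name": "egress-any", "direction": "EGRESS",
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
]

def audit_instance(inst):
    """Return the instance-level findings from the report's vulnerability list."""
    findings = []
    if inst.get("canIpForward", False):
        findings.append("IP forwarding enabled")
    # Assumption: "full API access" = default service account + cloud-platform scope.
    if any(sa.get("email", "").endswith(DEFAULT_SA_SUFFIX)
           and FULL_ACCESS_SCOPE in sa.get("scopes", [])
           for sa in inst.get("serviceAccounts", [])):
        findings.append("Full API access")
    return findings

def matches_any_address(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a range covering every address."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # malformed range: ignore it rather than guess

def audit_firewall(rule):
    """Flag enabled ingress allow-rules whose source range is every address."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return []
    if not any(matches_any_address(r) for r in rule.get("sourceRanges", [])):
        return []
    exposed = []
    for entry in rule.get("allowed", []):  # deny-only rules have no "allowed"
        proto = entry.get("IPProtocol", "all")
        exposed += [f"{proto}/{p}" for p in entry.get("ports") or ["all ports"]]
    return [f"Open firewall ({', '.join(exposed)})"] if exposed else []

def audit(instances, firewalls):
    """Map 'kind:name' to its findings, omitting resources with none."""
    report = {"instance:" + i["name"]: audit_instance(i) for i in instances}
    report.update({"firewall:" + r["name"]: audit_firewall(r) for r in firewalls})
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for resource, findings in audit(SAMPLE_INSTANCES, SAMPLE_FIREWALLS).items():
        print(resource, "->", "; ".join(findings))
```

The rule that admits SSH from a single address, as in the introduction's example, produces no
finding, while the rule open to 0.0.0.0/0 is reported together with the ports it exposes.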
Security objectives
The three security objectives or requirements implemented in Google Compute Engine (GCE)
are:
1. Security Health Analytics: This is a tool which contains multiple other tools that can
be used to manage security vulnerabilities for the Google Cloud Platform, including the
compute engine. The software suite manages and looks after security aspects of Cloud
Storage, Compute Engine, Cloud Key Management (cryptography), network security and Cloud
SQL.
2. Cloud Security Scanner: This is another software suite bundled in the Google Compute
Engine platform which is used to manage web-based vulnerability scanning for web
applications served by Compute Engine, public App Engine and GKE. This software meets the
security requirements by scanning for vulnerabilities like cross-site scripting and
outdated libraries.
3. Phishing protection: This security measure incorporated in the cloud computing platform
prevents authorised compute engine users from accessing phishing sites by segregating and
classifying such sites. The unsafe URLs are reported to Google Safe Browsing (GSB) and are
blocked accordingly.
Controls or security measures
The main controls implemented by Google Compute Engine are built-in software services and
third-party security applications that help it meet its security criteria and make the
platform secure for use.
The first tool used by the computing platform is the Security Health Analytics suite, which
is used to detect compute engine risks like IP forwarding and full API access and mitigate
them by blocking these loopholes.
The second tool used by the system is Cloud Security Scanner, whose job is to scan the
network component of Google Compute Engine and to find and seal network vulnerabilities and
threats like default network, open firewall and legacy insecure network.
The last mitigating tool is a third-party application called Forseti Security, which is a
suite of risk mitigation tools that gives platform users the means to secure their resources
and detect threats early to reduce security risks.
Risk Evaluation
The risk evaluation of the threats is done as per their impact on the mentioned assets
and vulnerabilities. A risk evaluation matrix or a heat map is used to demonstrate the
likelihood and impact of these threats against a qualitative scale. The heat map is given
below:
Table 1 Risk Matrix (Heat Map)
Risk level    Critical                   Medium                                Low
Critical      Very High (Data Breach)    High                                  Moderate
Medium        High                       Moderate (DDoS)                       Low
Low           Moderate                   Low (Insecure Interfaces and API)     Very low
The likelihood of these threats as per the heat map is:
1. Data breaches: Critical level
2. DDoS: Moderate level
3. Insecure interfaces and APIs: Low to moderate level
Conclusion
To conclude, the above report summarizes the entire Google Compute Engine and illustrates
its core components and functions. The report also highlights the main threats faced by the
compute engine, its vulnerabilities and the mitigating techniques deployed. The report also
demonstrates the likelihood of impact and the risk analysis of the reported threats and
vulnerabilities using a risk matrix or heat map. Overall, it can be clearly seen that Google
Compute Engine is a powerful cloud platform capable of handling a lot of complex operations,
but it still needs some improvements in security to become more popular among the major
customer base.