GCP Cloud Security Assessment

Updated over 5 months ago

Service Overview

The GCP Security Assessment is designed to evaluate the security posture of a Google Cloud Platform environment. Its main goals are to:

  • Estimate the security level of the GCP organization

  • Identify high-risk vulnerabilities

  • Map possible attack routes in the environment

  • Recommend initial remediation steps necessary for the assessed entities


Methodology

CYE’s GCP assessment is a hands-on, manual penetration test based on a proprietary and structured methodology that combines review of representative platforms and systems with supporting interviews. The infrastructure assessment is based on the NIST Cybersecurity Framework, and risk rating is aligned with the CVSS 3.1 standard.

The assessment provides a comprehensive evaluation of cloud management, resources, and components, using a white-box method to ensure broad and deep visibility.

The activity includes, but is not limited to:

  • Identity and roles management
    Deep analysis of permission allocation, identification of privilege escalation vectors and excessive permissions, and testing of security features

  • Cross-context access testing
    Attempting privilege elevation across contexts (e.g., from “QA” to “Production”)

  • Potential access points
    Including network-level assets like web interfaces, databases, or VMs with excessive access

  • Identity-level access points
    Such as developers with access, unauthenticated API gateways, and overly permissive trust relationships

  • Secrets and key management
    Evaluation of secrets handling and scanning for cleartext secrets in configurations, environment variables, etc.

  • Hardening and best practices
    Testing for gaps in alignment with GCP and CIS best practices

  • Third-party access assessment
    Third-party access to the environment poses a security risk: there is usually no way to know how that access is managed or which security policies the vendor follows while working in the organization’s GCP environment. Part of the assessment is therefore dedicated to evaluating the level and risk of vendor and external-party access, including context escalation, unnecessary permissions, and access to sensitive data

  • Segmentation and segregation
    Testing isolation levels between different cloud environments

CYE’s methodology applies a structured, manual approach to assess GCP environments and identify areas of weakness across identity, network, and access configurations.

CYE will not perform the following activities:

  • Application penetration tests for applications hosted on the GCP environment

  • Configuration changes on the assessed environment as part of exploitation

At the conclusion of the review, all findings are rated based on their risk to the organization.


Deliverables

  • All findings are presented in Hyver, CYE’s Continuous Threat Exposure Management (CTEM) platform

  • Attack routes executed from threat sources to business-critical assets are visualized on the mitigation graph, along with calculated risk ratings

  • Discovered findings are analyzed in accordance with the NIST Cybersecurity Framework and, combined with organizational insights, are used to determine the organization's security maturity level

Risk and maturity evaluations can be used by the customer to independently design and manage mitigation plans, including setting timelines, ownership, and cost-effort estimations


Prerequisites

CYE’s user account must be assigned the following predefined roles at the organization level (via Cloud Resource Manager):

  • Viewer

  • Browser

  • Security Reviewer

Additionally, a custom role must include the following permissions:

  • datastore.databases.getIamPolicy

  • datastore.namespaces.getIamPolicy

  • storage.buckets.get

Google Admin Console Requirements:

  • Group Reader admin role in Google Admin to list Google Group members

Example of role assignments on the organizational level at console.cloud.google.com

Group Reader admin role at admin.google.com
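A pre-engagement check for the prerequisites above, added here as an example and not part of CYE's tooling: it reads an organization IAM policy (in the JSON shape returned by `gcloud organizations get-iam-policy ORG_ID --format=json`) plus the permission lists of any custom roles, and reports which required roles or permissions the assessor's account lacks and which extra roles it holds beyond the read-only set. The policy, the custom role name and the organization ID below are constructed sample values; roles inherited through group membership are not resolved.

```python
import json

# Predefined roles the page requires at the organization level.
REQUIRED_ROLES = {"roles/viewer", "roles/browser", "roles/iam.securityReviewer"}
# Permissions the page requires from a custom role.
REQUIRED_PERMISSIONS = {
    "datastore.databases.getIamPolicy",
    "datastore.namespaces.getIamPolicy",
    "storage.buckets.get",
}

def check_assessor_access(policy, custom_roles, member):
    """Return (missing_roles, missing_permissions, extra_roles) for `member`.

    `policy` is the parsed output of `gcloud organizations get-iam-policy`;
    `custom_roles` maps a custom role name to its `includedPermissions` list
    (as shown by `gcloud iam roles describe`). Only direct bindings are
    inspected; roles granted via Google Groups are not expanded here.
    """
    bound = {b["role"] for b in policy.get("bindings", [])
             if member in b.get("members", [])}
    granted_perms = set()
    for role in bound:
        granted_perms.update(custom_roles.get(role, []))
    missing_roles = REQUIRED_ROLES - bound
    missing_perms = REQUIRED_PERMISSIONS - granted_perms
    # Anything beyond the three predefined roles and the custom role is more
    # than the assessment needs and should be questioned before it starts.
    extra_roles = bound - REQUIRED_ROLES - set(custom_roles)
    return sorted(missing_roles), sorted(missing_perms), sorted(extra_roles)

# Constructed sample policy; "000000000000" is a placeholder organization ID.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/viewer", "members": ["user:assessor@example.com"]},
    {"role": "roles/browser", "members": ["user:assessor@example.com"]},
    {"role": "organizations/000000000000/roles/assessorExtra",
     "members": ["user:assessor@example.com"]},
    {"role": "roles/owner", "members": ["user:assessor@example.com"]}
  ]
}""")
# Constructed custom role that is missing one of the required permissions.
SAMPLE_CUSTOM_ROLES = {
    "organizations/000000000000/roles/assessorExtra": [
        "datastore.databases.getIamPolicy", "storage.buckets.get"],
}

if __name__ == "__main__":
    print(check_assessor_access(SAMPLE_POLICY, SAMPLE_CUSTOM_ROLES,
                                "user:assessor@example.com"))
```

On the sample data the check reports Security Reviewer and `datastore.namespaces.getIamPolicy` as missing and flags `roles/owner` as an unneeded grant.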


Customer Engagement

  • A 1-2 hour scoping meeting with a representative from the client’s team is required to define the full scope of the assessment and identify critical assets

  • During the assessment, a point of contact, usually from the security team, should be available to address questions regarding the environment, hosted assets, and user groups


Relevant Standards

CYE’s methodology is based on the following sources:

  • MITRE ATT&CK knowledge base of adversary tactics and techniques

  • NIST Cybersecurity Framework

  • Center for Internet Security (CIS) Critical Security Controls


Security Domains Covered

  • Cross-organization policies, procedures, and governance

  • Security operations, monitoring, and incident response

  • Network level security

  • Servers, network equipment, and endpoints security

  • Application-level security

  • Sensitive data and information management

  • Identity management and remote access
