Identity & Security
How Veolia protects its cloud environment across 31 countries with Security Command Center
The world’s resources are increasingly scarce and yet too often they are wasted. At Veolia, we use waste to produce new resources, helping to build a circular economy that redefines growth with a focus on sustainability.
Our sustainability mission transcends borders, and nearly 179,000 employees work in dozens of profit centers worldwide to bring it to life. It’s a massive operation that requires an IT architecture to match, which is why we’ve streamlined critical IT work across our global operations with Google Cloud. As Technical Lead and Product Manager for Veolia’s Google Cloud, it’s my team’s responsibility to standardize processes around security, governance, and compliance, and make sure our employees have all the right tools to do their best work, securely. Google Cloud’s Security Command Center (SCC) Premium is the core product that we use to protect our technology environment. We use it across 39 business units, spanning 31 countries worldwide.
Fueling autonomy and keeping secure with Security Command Center
In line with our sustainability motto “create once, then copy and adapt to reuse many times,” we encourage local teams to work autonomously. That includes their use of Google Cloud solutions. We use many Google Cloud products including BigQuery, Compute Engine, GKE, Cloud Functions, and Cloud Storage. Across the board, we’re working with Google Cloud in an agile and collaborative way to deliver smart water, waste, and energy solutions to communities globally.
But there’s no agility without security, and it’s my team’s responsibility to make sure our environment is secure at all times. Because our Google Cloud environment is extensive, and we give individual business units autonomy over their use of cloud solutions, we also set the parameters and policies for them to operate with all compliance and security controls in place in an organized way. SCC Premium is the common tool that all our business units use to keep their individual projects and assets secure. It helps us to gain visibility over our entire Google Cloud environment and identify threats, vulnerabilities, and misconfigurations with real-time insights.
Gaining visibility to drive results
Here’s that visibility in numbers: we use SCC Premium to monitor 2,800 projects with hundreds of thousands of assets. We continually observe our Google Cloud environment using SCC to quickly discover misconfigurations and respond to threats based on our latest findings. If an anomaly is revealed, we remediate incidents ourselves or alert respective business units. We’ve also started to consolidate our SCC findings in a global dashboard to give business units an overview of their security position, enabling them to take swift action.
Streamlining remediation to curb threats and wasted resources
As our risk management platform for Google Cloud, SCC enables us to streamline the process of security management. It provides findings in near real-time and with all its insights, we can decide on the next steps and alert relevant parties to remediate misconfigurations. I really like the context and recommended actions that SCC provides for each of the findings. These recommendations help us to remediate incidents ourselves or alert project owners. This new visibility has already helped us remediate misconfigurations that could adversely affect our cloud services. SCC, for example, enabled us to identify firewall misconfigurations and it saved us around 500 hours when compared to pre-SCC times.
Another benefit of the visibility we’ve gained with SCC is our ability to prioritize our security tasks and use our time more efficiently. As one of France’s biggest users of public cloud services, we have a lot of Google Cloud projects running, and a lot of ground to cover — from misconfigurations to imminent threats. Without SCC, it was difficult to identify patterns and adapt our priorities accordingly. Deleting unused service account keys, for example, used to be difficult, because we had to check service accounts for each project separately. With SCC, we identified unused keys and marked them for deletion. This has cut the time it takes us to delete unused service account keys by 1,000 hours. In addition, we use SCC to identify any misconfigurations like overly permissive roles associated with the service account and threats like service account self-investigation. Using SCC’s container threat detection, we can proactively identify threats like remote shell execution in our containers. For example, we were alerted to 1800 findings when a container with a remote shell inside had been duplicated. Thanks to SCC, we managed to identify the root cause and remediate these containers quickly.
Stronger compliance, more easily achieved
SCC also helps us to strengthen our compliance standards. Our Google Cloud environment needs to align with the CIS Google Cloud Computing Foundations Benchmark v1.1, which helps our organization to improve our overall security posture. Often, a lack of compliance simply means a lack of training. With our SCC findings, we don’t only evaluate where we stand, we are also able to educate our workforce to address issues proactively that help make us more compliant.
Securing a sustainable future with Security Command Center
We’ve already achieved a lot with SCC, and we are excited about the new capabilities we’re yet to explore. Currently, we’re working to implement auto-remediation to help us act on alerts immediately, whenever they occur. By connecting SCC with Pub/Sub, we’ll be able to trigger workflows that fix potential breaches automatically within minutes, by disabling accounts, for example. We also plan to use synergies with Google Workspace to send SCC findings directly to the project owners in real-time via Google Chat, ensuring that relevant employees are made aware of potential vulnerabilities right away.
Like all our cloud solutions, we want to use SCC to empower our individual business units with the autonomy they need to pursue their own goals as part of our larger organization. It’s a great tool at their fingertips, helping us to reduce risk and cut down waste across our cloud environment as we work to resource the world more sustainably.