
Manage data exfiltration risks in Cloud Run with VPC Service Controls

August 20, 2021
Rachel Tsao

Senior Product Manager

Karolina Netolicka

Product Manager


Enterprises looking to take advantage of the scalability and ease of use of cloud technology have often turned to serverless computing architectures. In these systems, the cloud provider allocates resources on demand as a workload requires them and abstracts away much of the management of an application or system. But to the most security-minded enterprises, a serverless architecture can be confusing: the security of a fully managed cloud deployment looks like a black box.

An understanding of the underlying security systems within a serverless offering can alleviate those concerns. Many cloud services include identity and access management (IAM) to secure data at the application level. Google Cloud strives to be the most trusted cloud, which is why we continuously update our protection capabilities. In addition to IAM, we now support VPC Service Controls for Cloud Run, which adds enterprise-grade guard rails that protect your data at the network level while preserving the ease of use and speed to market you expect from a fully managed, container-optimized product.

As organizations plan cloud migrations, they often find that familiar security strategies, such as using firewalls to segment applications, aren't applicable once those apps are re-architected to take advantage of managed cloud services like Cloud Run. With VPC Service Controls (VPC SC), administrators can define a security perimeter around Google-managed services to control communication to and between those services. Using VPC SC, you can isolate your production GCP resources from unauthorized VPC networks or the internet, and isolate both production GCP resources and production VPC networks from unauthorized GCP resources.

VPC SC gives you fine-grained control over how data moves into and out of a service perimeter. It provides an additional layer of defense for Google Cloud that is independent of Identity and Access Management (IAM). IAM provides granular, identity-based access control; VPC SC adds a security perimeter that lets you isolate your cloud resources and set up private connectivity to Google Cloud's APIs and services.

This helps protect against risks including:

  • Data exfiltration from malicious insiders or compromised code

  • Accidental public exposure of private data, caused by misconfigured IAM policies

  • Access from unauthorized networks using stolen credentials

Using VPC Service Controls for Perimeter Security 

So how does this work? Let's imagine you are using a Cloud Run service for data processing. When a push message arrives from Pub/Sub, the service reads data from Cloud Storage, processes it and writes the results back to Cloud Storage; it also exposes a dashboard. In this example, access to both the dashboard and the data processing endpoint is protected by IAM.

Here is what this system looks like:

https://storage.googleapis.com/gweb-cloudblog-publish/images/without_VPC_SC.max-700x700.jpg

When this system goes to production, it will have access to sensitive data. IAM protection is useful, but it doesn't close every avenue for data exfiltration. For example, a malicious insider could modify the service to write the output data to an unauthorized location on the internet via an HTTP call. Nor do we want to be in a position where one misconfigured permission puts our data at risk.

To introduce a second layer of security, we put our Cloud Run service inside a VPC SC perimeter by following the VPC SC integration guide for Cloud Run. We also enforce VPC SC on all other APIs our developers have access to. Here is the modified system:

https://storage.googleapis.com/gweb-cloudblog-publish/images/with_VPC_Sc.max-900x900.jpg

The Cloud Run service as well as the Cloud Run Admin API (used for deploying and managing the service) are now protected by the VPC SC service perimeter. This means that any requests to the Cloud Run Admin API or the endpoint of the Cloud Run service itself are now checked against the VPC SC policy.

This new setup blocks additional attacks. For example, a malicious insider with permissions on the Cloud Run service can no longer:

  • Redirect output from the service to a Cloud Storage bucket in a project under their control, outside the perimeter

  • Change the service to reach or send data to arbitrary internet resources, because the organization policy rejects egress settings that would route traffic around the perimeter.

To let services with legitimate requirements communicate with the outside world, you can grant external resources access to resources inside the perimeter through auditable policies. Some examples:

  • You can use VPC SC ingress policies to allow admins access to the Cloud Run Admin API, so they can continue to manage and update the service from outside the perimeter (e.g., from their company-issued laptops).

  • You can set up VPC Firewall rules to allow access from the Cloud Run service to specific resources outside the perimeter. This is useful if, for example, our service needs to access a resource outside GCP as an input for its data processing. 

  • If you need to give someone outside the perimeter access to the service while keeping it protected, you can put the service behind Cloud Load Balancing and then use Cloud Armor and Identity-Aware Proxy (IAP) to selectively allow access. This is useful, for example, to give developers access to a dashboard exported by your service.
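The perimeter, ingress rule and organization policies described above, assembled as an added example in gcloud/shell that is not part of the original post. Every identifier in it is a placeholder: the access policy number, project ID and number, perimeter name, admin identity, the `corp_laptops` access level (assumed to already exist) and the Serverless VPC Access connector. The script only writes the ingress-policy file and prints the commands unless `APPLY=1` is set, so the plan can be reviewed before anything changes.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): assemble the VPC SC perimeter,
# ingress rule and organization policies for the Cloud Run pipeline above.
# Every ID and name below is a placeholder; override via environment variables.
set -euo pipefail

ACCESS_POLICY_ID="${ACCESS_POLICY_ID:-123456789012}"   # from: gcloud access-context-manager policies list
PROJECT_ID="${PROJECT_ID:-data-pipeline-prod}"
PROJECT_NUMBER="${PROJECT_NUMBER:-111111111111}"
PERIMETER="${PERIMETER:-data_pipeline_prod}"
ADMIN_IDENTITY="${ADMIN_IDENTITY:-user:admin@example.com}"
CORP_ACCESS_LEVEL="${CORP_ACCESS_LEVEL:-corp_laptops}" # assumed existing access level (e.g. corp IP ranges)
VPC_CONNECTOR="${VPC_CONNECTOR:-prod-connector}"         # assumed Serverless VPC Access connector
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Restrict Cloud Run (Admin API and service endpoint) plus every service the
# pipeline uses, so a rogue revision cannot write to a bucket or topic in a
# project outside the perimeter.
restricted_services() {
  printf '%s' 'run.googleapis.com,storage.googleapis.com,pubsub.googleapis.com'
}

perimeter_create_cmd() {
  printf "gcloud access-context-manager perimeters create %s --policy=%s --title='Cloud Run data pipeline' --resources=projects/%s --restricted-services=%s\n" \
    "$PERIMETER" "$ACCESS_POLICY_ID" "$PROJECT_NUMBER" "$(restricted_services)"
}

# Ingress rule: admins coming from the corp access level may still call the
# Cloud Run Admin API from outside the perimeter. Nothing else is opened, and
# the allowed calls remain visible in Cloud Audit Logs.
write_ingress_policy() {
  local out="$WORKDIR/ingress.yaml"
  cat >"$out" <<EOF
- ingressFrom:
    identities:
    - ${ADMIN_IDENTITY}
    sources:
    - accessLevel: accessPolicies/${ACCESS_POLICY_ID}/accessLevels/${CORP_ACCESS_LEVEL}
  ingressTo:
    operations:
    - serviceName: run.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - projects/${PROJECT_NUMBER}
EOF
  printf '%s\n' "$out"
}

ingress_policy_update_cmd() {
  printf 'gcloud access-context-manager perimeters update %s --policy=%s --set-ingress-policies=%s/ingress.yaml\n' \
    "$PERIMETER" "$ACCESS_POLICY_ID" "$WORKDIR"
}

# Organization policies: an insider with Cloud Run permissions cannot redeploy
# the service with public ingress, or with egress that skips the VPC connector
# (and therefore the VPC firewall rules that govern what leaves the perimeter).
org_policy_cmds() {
  cat <<EOF
gcloud resource-manager org-policies allow run.allowedIngress internal --project=${PROJECT_ID}
gcloud resource-manager org-policies allow run.allowedVPCEgress all-traffic --project=${PROJECT_ID}
EOF
}

# The deployment must match those policies or the Admin API rejects it.
# "internal" ingress still admits Pub/Sub push deliveries to the service.
deploy_cmd() {
  printf 'gcloud run deploy processor --image=gcr.io/%s/processor --region=us-central1 --ingress=internal --vpc-connector=%s --vpc-egress=all-traffic\n' \
    "$PROJECT_ID" "$VPC_CONNECTOR"
}

plan() {
  write_ingress_policy >/dev/null
  perimeter_create_cmd
  ingress_policy_update_cmd
  org_policy_cmds
  deploy_cmd
}

if [ "${APPLY:-0}" = "1" ]; then
  plan >"$WORKDIR/apply.sh"
  bash -ex "$WORKDIR/apply.sh"
else
  plan   # review first; rerun with APPLY=1 to execute
fi
```

Order matters: enable the organization policies and add the ingress rule for admins before enforcing the perimeter, otherwise the first enforcement can lock your own operators out of the Admin API. Egress to specific external resources (the firewall-rule case above) is then configured on the VPC the connector attaches to, not in the perimeter itself.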

Enhanced enterprise security

VPC SC rounds out the enterprise serverless picture. With Cloud Run, Google Cloud manages the server infrastructure for you, so you benefit from Google's approach to multi-project API security perimeters for Google APIs. This extends existing serverless security benefits such as host-level patches and network infrastructure security, freeing up your team's time for strategic work.

Earlier this year we announced four new features to secure your Cloud Run services, including Secret Manager integration, Binary Authorization, customer managed encryption keys, and recommendations for permissions based on the principle of least privilege in Recommendation Hub.

Cloud Run also has a complete set of network ingress and egress controls.

With the addition of VPC SC, Cloud Run now has a fully featured set of security controls, enabling easier network governance and greater peace of mind. 

Learn how to set up and use VPC SC for Cloud Run today.
