Sela. | Cloud Better.

Cloud Armor - a cloud security overview

Google Cloud Armor is meant to protect against DDoS attacks in the era of cloud-based services. However, since it is a built-in security framework with general settings, it requires rules adjusted to the client's specific needs to provide sufficient protection. The existing solutions are a manual change of WAF rules, the use of external add-ons, or the use of Google's native protection, which includes forming Adaptive rules for threat recognition and Managed protection if attack blocking fails. Together, this turns Google Cloud Armor into a more efficient form of protection without unnecessary traffic loss.

Dmitriy Medvedev, Software Programmer

Introduction

Dependency on in-situ (on-premises) data storage has been diminishing for over two decades. Instead of local servers and data processing, users at most levels of security choose to rely on a public cloud utility and manage their content through a command API (1). Currently, there are over 100 products offered by Google Cloud alone, including computing, storage, AI, Big Data, networking, and other services (2). However, the current cloud architecture has several vulnerabilities which put the execution of user commands at risk (1).

As the extent and value of cloud-stored services grow, especially now that COVID-19 has increased the dependency on remote work, so does the frequency of attacks on those who use those services. The initial attitude towards defending against such attacks was to prefer paying a ransom once over maintaining proper and up-to-date security practices. Currently, however, there is a growing paradigm shift towards cloud-based protection for cloud services (3). Google, being one of the major players in the cloud technology field, offers several security solutions, one of which is Google Cloud Armor.

This paper provides a short overview of Cloud Armor security, including its settings and its extended protection services.

Description of the existing system

Cloud Armor is a security framework built into the Google Cloud Platform, which blocks hostile traffic before it reaches the designated cloud target. The basic form of Cloud Armor offers the following protection:

  • IP-based access control
  • Testing mode before implementation of the security control (preview)
  • Logging support through Stackdriver Service Monitoring
  • Geo-based access control
  • Rich rules language (still in beta) (4)

Based on those options, Cloud Armor is meant to provide Layer 7 defense against volumetric DDoS attacks and to enforce IP/geo whitelisting rules. It is meant to detect and mitigate attacks against Cloud Load Balancing, protect against fraud through bot management and reCAPTCHA, and deal with the OWASP Top 10 security risks (4). However, two things must be taken into consideration. One is that Cloud Armor is a framework, not a solution; thus, it does not provide a robust web security solution on its own (5). The other is that providing better security requires some changes, either customized manually or automated.

WAF settings - a manual solution

A Web Application Firewall (WAF) is a set of rules applied to HTTP conversations with an application. Unlike a proxy, which generally protects clients, a WAF protects a single web application or a group of web applications on servers, which makes it a reverse proxy (6).

A WAF comes in the form of an appliance or a plugin and enables pre-set rules, including rules for SQL injection, cross-site scripting, Security Command Center integration, geo-based access control, and a list of custom Layer 7 (application-level) filtering rules (7). However, since one-size-fits-all settings are known to be less than perfect, and may even match too much traffic, some of those settings can be removed and other rules can be added, such as rules on repetitive non-word characters, on exceeding a number of characters, or on SQL injection sensitivity levels (8).

However, applying too many rules, or the wrong rules, might create a situation where too much traffic is blocked, including traffic that should be permitted.
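As an added illustration of the over-blocking risk (example code, not from the page or from Google Cloud Armor itself), the following simulates priority-ordered rule evaluation with a rule in preview mode: the candidate rule is matched and logged but not enforced, so its hits on legitimate versus attack traffic can be counted before it is switched on. The policy, the traffic and the rule patterns are constructed assumptions.

```python
import ipaddress
import re
from collections import namedtuple
from typing import Dict, List, Tuple

Request = namedtuple("Request", "ip query")        # source address and raw query string
# priority: lower number is evaluated first; action: "allow"/"deny";
# preview=True: the match is logged but not enforced, as in Cloud Armor's preview mode.
Rule = namedtuple("Rule", "priority action match description preview", defaults=[False])

def evaluate(policy: List[Rule], req: Request) -> Tuple[str, List[str]]:
    """Return the enforced action and the descriptions of preview rules that matched."""
    previewed = []
    for rule in sorted(policy, key=lambda r: r.priority):
        if not rule.match(req):
            continue
        if rule.preview:
            previewed.append(rule.description)   # logged only; evaluation continues
            continue
        return rule.action, previewed            # first enforced match wins
    return "allow", previewed                    # default rule at the lowest priority

def preview_impact(policy: List[Rule], traffic) -> Dict[str, Dict[str, int]]:
    """Count, per preview rule, the legitimate and attack requests it would have blocked."""
    impact: Dict[str, Dict[str, int]] = {}
    for req, legitimate in traffic:
        for desc in evaluate(policy, req)[1]:
            bucket = impact.setdefault(desc, {"legit": 0, "attack": 0})
            bucket["legit" if legitimate else "attack"] += 1
    return impact

OFFICE = ipaddress.ip_network("198.51.100.0/24")   # constructed allow-listed range

# Constructed policy: IP allow-list, a narrow SQLi signature, and a broad candidate rule in preview.
POLICY = [
    Rule(100, "allow", lambda r: ipaddress.ip_address(r.ip) in OFFICE, "allow office range"),
    Rule(1000, "deny", lambda r: re.search(r"union\s+select", r.query, re.I) is not None, "sqli: union select"),
    Rule(2000, "deny", lambda r: re.search(r"\W{3,}", r.query) is not None, "broad: 3+ non-word chars", True),
]

# Constructed traffic as (request, is_legitimate); addresses come from documentation ranges.
TRAFFIC = [
    (Request("198.51.100.7", "q=cloud+armor"), True),
    (Request("192.0.2.15", "text=great post!!!"), True),
    (Request("192.0.2.16", "expr=(1+2)*3"), True),
    (Request("203.0.113.9", "id=1 UNION SELECT 1,2,3"), False),
    (Request("203.0.113.10", "id=1';--"), False),
]
```

Running `preview_impact(POLICY, TRAFFIC)` shows the broad rule catching one attack request the narrow signature missed, but also one legitimate review, which is the trade-off the preview mode exists to measure.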

Automatized solution

Some companies, such as Reblaze, offer added security options that provide clearer detection of attacks, allowing Cloud Armor to block them. While this solution also requires manual adjustment at the beginning, it applies machine learning at later stages for more automatic and clearer threat recognition (5).

Adaptive and managed protection

In addition to the basic settings of Cloud Armor, Google offers tiers of added protection for paying subscribers: Adaptive Protection and Managed Protection.

Adaptive Protection is an extended form of Layer 7 defense. It uses machine-learning models to detect anomalous activity, alert on it, generate a signature describing the attack, and form a customized rule to protect against it. The difference from the basic setting is that the basic level provides only alerting and requires manual adjustment to the possible new threat, whereas Adaptive Protection works against each attack specifically (9).

The baseline on which Adaptive Protection is built is formed during the first hour or more after its activation, during which the system develops a baseline and begins monitoring traffic. The Adaptive Protection baseline is specific to each backend service, with alerts issued on high-frequency or high-volume anomalies (9).

As opposed to baseline Cloud Armor, which sends alerts whether an attack happened or not, an Adaptive Protection alert includes the probability that the detected event was indeed malicious, the proportion of an attribute in the attack (meaning what percentage of the attack traffic included a specific attribute), and the proportion of the same attribute in baseline traffic.

After the report is generated, it produces a CEL (Common Expression Language) expression, which can be copied into the Cloud Armor settings as a rule. After this rule is applied, the alert allows tracking the impact on traffic created by implementing the rule (9).
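To make the attribute-proportion comparison concrete, here is an added example (not Google's implementation and not code from the page) that computes, for constructed baseline and attack samples, each attribute value's share of attack traffic versus baseline traffic, and turns the values that dominate the attack but are rare in the baseline into a Cloud Armor CEL match expression. The sample requests, the attribute set and the selection thresholds are assumptions for the illustration.

```python
from collections import Counter
from typing import Dict, List, Tuple

Row = Tuple[str, str, float, float]   # (attribute, value, share of attack traffic, share of baseline)

# Cloud Armor CEL attributes for the request properties compared here.
CEL_FIELDS = {
    "region": "origin.region_code",
    "user_agent": "request.headers['user-agent']",
    "path": "request.path",
}

def shares(requests: List[dict], attribute: str) -> Dict[str, float]:
    """Fraction of requests carrying each value of the given attribute."""
    counts = Counter(r[attribute] for r in requests)
    return {value: n / len(requests) for value, n in counts.items()}

def rank_attributes(attack: List[dict], baseline: List[dict]) -> List[Row]:
    """Pair each attribute value seen during the attack with its baseline share, largest gap first."""
    rows: List[Row] = []
    for attribute in CEL_FIELDS:
        base = shares(baseline, attribute)
        for value, attack_share in shares(attack, attribute).items():
            rows.append((attribute, value, attack_share, base.get(value, 0.0)))
    return sorted(rows, key=lambda r: r[2] - r[3], reverse=True)

def cel_expression(rows: List[Row], min_attack_share=0.8, max_baseline_share=0.1) -> str:
    """Build a match expression from values that dominate the attack but are rare in the baseline.
    The thresholds are assumptions for this illustration, not Adaptive Protection's own."""
    terms = [f"{CEL_FIELDS[attr]} == '{value}'"
             for attr, value, a, b in rows if a >= min_attack_share and b <= max_baseline_share]
    return " && ".join(terms)

# Constructed samples: a normal hour (BASELINE) and the anomalous window (ATTACK).
BROWSER = {"region": "US", "user_agent": "Mozilla/5.0", "path": "/"}
BASELINE = [BROWSER] * 8 + [
    {"region": "DE", "user_agent": "Mozilla/5.0", "path": "/login"},
    {"region": "DE", "user_agent": "curl/7.68.0", "path": "/api/status"},
]
ATTACK = [{"region": "DE", "user_agent": "python-requests/2.25.1", "path": "/login"}] * 9 + [BROWSER]

if __name__ == "__main__":
    ranked = rank_attributes(ATTACK, BASELINE)
    for attribute, value, attack_share, baseline_share in ranked[:3]:
        print(f"{attribute}={value!r}: {attack_share:.0%} of attack vs {baseline_share:.0%} of baseline")
    print("rule:", cel_expression(ranked))
```

Note that the region is not included in the generated rule even though 90% of the attack came from it, because it also carries 20% of normal traffic; a looser baseline threshold would add it and start blocking legitimate users.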

Managed Protection is a form of protecting the user during a DDoS attack: 24/7 access to help and possible ways to reduce the DDoS attack by using custom settings. Also, considering the increased data use during DDoS attacks, Managed Protection allows receiving some billing credits for Cloud Load Balancing (10).

Together, the two forms of extended protection allow better identification of threats, adjustment through specific rules as opposed to general ones, and compensation if a DDoS attack still happened.

Summary

Cloud Armor is a security framework that protects backend applications from DDoS attacks. Its basic form requires automatic or manual adjustment of firewall rules to make the defense more specific and to prevent blocking too much traffic. However, using Adaptive technology to make more precise rules, with the possibility of Managed Protection if harm is done, can make it a friendly solution in the era of cloud-stored everything.

References:

  1. Sun, Y., Petracca, G., Jaeger, T., Vijayakumar, H., & Schiffman, J. (2015, June). Cloud Armor: Protecting cloud commands from compromised cloud services. In 2015 IEEE 8th International Conference on Cloud Computing (pp. 253-260). IEEE.
  2. Google Cloud (2021). Google Cloud Products. Accessed November 24, 2021, at https://cloud.google.com/products/
  3. Goodison, D. (July 20, 2021). 8 top announcements from the Google Cloud Security Summit. CRN.com. Retrieved from https://www.crn.com/slide-shows/security/8-top-announcements-from-the-google-cloud-security-summit
  4. Reblaze (2021). Turn-key security for Web apps on Google Cloud Platform. Retrieved from https://www.reblaze.com/cloud-platform-integration/google-cloud-platform/
  5. Yatziv, I. (January 28, 2019). Google Cloud Armor: How to convert it into a full-web security solution. Retrieved from https://www.reblaze.com/blog/google-cloud-armor-convert-full-web-security-solution/
  6. OWASP (2021). Web Application Firewall. Accessed November 24, 2021, at https://owasp.org/www-community/Web_Application_Firewall
  7. Kilner, E. (May 13, 2020). New WAF capabilities in Cloud Armor for on-prem and cloud workloads. Retrieved from https://cloud.google.com/blog/products/identity-security/new-waf-capabilities-in-cloud-armor
  8. Google Cloud (2021). Tuning Google Cloud Armor WAF rules. Accessed November 24, 2021, at https://cloud.google.com/armor/docs/rule-tuning
  9. Google Cloud (2021). Google Cloud Armor Adaptive Protection overview. Accessed November 24, 2021, at https://cloud.google.com/armor/docs/adaptive-protection-overview
  10. Google Cloud (2021). Google Cloud Armor Managed Protection overview. Accessed November 24, 2021, at https://cloud.google.com/armor/docs/managed-protection-overview

Sela cloud security experts can ease the burden on your team by managing certain SecOps functions on your behalf.
