Continuous Security Assessment for Google Cloud Platform

Configure Google Cloud Platform for Continuous Security Assessment

To configure Google Cloud Platform for continuous security assessment, you need to give Netskope, acting as a client application, access to your Google Cloud Platform projects through a service account. A summary of the steps that are required:

  1. Configure the following items in the Google Cloud Platform console:

    1. Create a service account and assign roles.

    2. Add the service account under the project ID.

    3. Enable APIs.

  2. Configure a Google Cloud Platform instance in the Netskope UI.

Note

Netskope normalizes the term "Account" across cloud service providers (CSPs) so that summaries can be compared. For Google Cloud Platform, the normalized "Account" field maps to a GCP project.

Create a Service Account and Assign Roles

For Netskope to ingest data from the Google Cloud Platform, you need to create a service account in the Google Cloud Platform. A service account always belongs to a project, so choose one project to host it; the same account can then be granted access to other projects, folders, or the organization.

To create a service account, follow the steps below:

  1. Log in to console.cloud.google.com.

    Note

    The logged-in user must have either the Service Account Admin or the Organization Administrator role.

  2. On the top left of the Google Cloud Platform home page, click the drop down list and select the appropriate project under which the service account will be created.

  3. Click the top-left hamburger navigation menu and navigate to IAM & admin > Service accounts.

    The Service accounts page opens.

  4. Click + CREATE SERVICE ACCOUNT.

    The Create service account right pane opens.

  5. In the Service account details section, enter the following details:

    1. In the Service account name field, enter the name of the service account.

    2. The service account ID mirrors the service account name. Optionally, you can edit the service account ID.

    3. In the Service account description field, enter a short description.

  6. Click CREATE.

  7. In the Service account permissions section, select the following roles:

    • Project > Browser - This role allows Netskope to list the Google Console projects when you set up the Google Cloud Platform instance in the Netskope UI.

    • IAM > Security Reviewer - This role allows Netskope to list resources in Google Cloud Platform and read their IAM policies.

    • BigQuery > BigQuery Metadata Viewer - This role allows Netskope to list the BigQuery dataset assets.

    • Organization Policy > Organization Policy Viewer - This role allows Netskope to list the organization policies.

    Alternatively, you can select the two inbuilt roles, Project > Browser and Organization Policy > Organization Policy Viewer, and create a custom role with the permissions compute.projects.get and compute.regions.list. For more information on permissions required for GCP CSA, see Custom role permissions for GCP CSA.

  8. Click CONTINUE.

  9. Leave the Grant users access to this service account section unchanged. In the Create key section, click + CREATE KEY.

    1. Select the JSON key type.

    2. Click CREATE.

      The UI prompts you to download the private key JSON file on your local computer. Once downloaded, the UI displays the Private key saved to your computer message. Click CLOSE.

      Note

      The private key JSON file is required when you set up the Google Cloud Platform instance in the Netskope UI. It is a long-lived credential that gives anyone who holds it the service account's access, so store it securely, keep it out of version control, and delete local copies after the upload.

  10. In the Create service account section, click DONE.

Add Service Account under Project ID

Grant the service account IAM roles on each project ID that requires Continuous Security Assessment. You can add the service account to multiple project IDs. If you want the Netskope UI to list all the projects under a folder or organization, grant the roles at the folder or organization level instead.

The procedure below explains how to add the service account to a project ID:

  1. Log in to console.cloud.google.com.

    Note

    The logged-in user must have either the Service Account Admin or the Organization Administrator role.

  2. On the top left of the Google Cloud Platform home page, click the drop-down list and select the project where you have created the service account.

  3. Click the top-left hamburger navigation menu and navigate to IAM & admin > Service accounts.

    The Service accounts page opens.

  4. On the Service accounts page, locate the service account you created in the previous procedure and note down its email address.

  5. Click the top-left hamburger navigation menu and navigate to IAM & admin > IAM.

    The IAM page opens.

  6. On the top left of the Google Cloud Platform home page, click the drop-down list and select the project ID that requires Continuous Security Assessment.

    Note

    If you have a requirement to list (in the Netskope UI) all the projects under your folder or organization, you should select the folder ID or organization ID instead of a project ID.

  7. On the IAM page, click + ADD to add the service account as a member.

    The Add members right pane opens.

  8. In the New members field, enter the email address that you noted in step 4.

  9. Under Select a role, select the following roles:

    • Project > Browser - This role allows Netskope to list the Google Console projects when you set up the Google Cloud Platform instance in the Netskope UI.

    • IAM > Security Reviewer - This role allows Netskope to list resources in Google Cloud Platform and read their IAM policies.

    • BigQuery > BigQuery Metadata Viewer - This role allows Netskope to list BigQuery dataset assets.

    Alternatively, you can select the inbuilt role Project > Browser and create a custom role with the permissions compute.projects.get and compute.regions.list. For more information on permissions required for GCP CSA, see Custom role permissions for GCP CSA.

  10. Click SAVE.

Repeat the above procedure to add the service account to other project IDs.

Enable APIs

You should enable a set of Google Cloud Platform APIs in the project where you have created the service account. To do so, follow the steps below:

  1. Log in to console.cloud.google.com.

    Note

    The logged in user should have the Organization Administrator role.

  2. On the top left of the Google Cloud Platform home page, click the drop-down list and select the project where you have created the service account.

  3. Click the top-left hamburger navigation menu and navigate to APIs & Services > Dashboard.

    The Dashboard page opens.

  4. Click + ENABLE APIS AND SERVICES.

    The API library page opens.

  5. In the Search for APIs & Services field, search for the following APIs and enable them:

    • Cloud Resource Manager API

    • Compute Engine API

    • Identity and Access Management (IAM) API
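The three console procedures above (create the service account, grant it roles at each scope, enable the APIs) as one gcloud script. This is an added example, not Netskope's or Google's own tooling; the variable names, the default project and target names, and the "scope:id" target format are assumptions. With DRY_RUN=1, the default, it prints each gcloud command instead of running it, so you can review the bindings before applying them with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not Netskope's or Google's tooling): the console procedures as gcloud
# commands. Variable names, default project/target names and the "scope:id" target
# format are assumptions. DRY_RUN=1 (default) prints the commands instead of running them.
set -eu

SA_PROJECT="${SA_PROJECT:-csa-host-project}"     # project that hosts the service account (assumed)
SA_NAME="${SA_NAME:-netskope-csa}"               # service account ID (assumed)
KEY_FILE="${KEY_FILE:-./netskope-csa-key.json}"  # where the JSON key is written (assumed)
# Where to grant scan access: "project:<id>", "folder:<number>" or "organization:<number>",
# space separated. Folder or organization scope lets Netskope list every project beneath it.
SCAN_TARGETS="${SCAN_TARGETS:-project:app-prod folder:123456789012}"
DRY_RUN="${DRY_RUN:-1}"

# The roles the page lists for CSA, by IAM role ID.
CSA_ROLES="roles/browser roles/iam.securityReviewer roles/bigquery.metadataViewer roles/orgpolicy.policyViewer"
# The APIs the page says to enable in the host project.
CSA_APIS="cloudresourcemanager.googleapis.com compute.googleapis.com iam.googleapis.com"

# sa_email NAME PROJECT: the email the console shows on the Service accounts page.
sa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"; }

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# bind_cmd SCOPE ID: the gcloud subcommand that adds an IAM binding at that scope.
bind_cmd() {
  case "$1" in
    project)      echo "gcloud projects add-iam-policy-binding $2" ;;
    folder)       echo "gcloud resource-manager folders add-iam-policy-binding $2" ;;
    organization) echo "gcloud organizations add-iam-policy-binding $2" ;;
    *) echo "unknown scope: $1 (use project, folder or organization)" >&2; return 1 ;;
  esac
}

# grant_roles SCOPE ID: bind every CSA role to the service account at that scope.
grant_roles() {
  member="serviceAccount:$(sa_email "$SA_NAME" "$SA_PROJECT")"
  cmd=$(bind_cmd "$1" "$2") || return 1
  for role in $CSA_ROLES; do
    # --condition=None skips the interactive prompt when the policy already has conditional bindings.
    run $cmd --member="$member" --role="$role" --condition=None
  done
}

main() {
  run gcloud iam service-accounts create "$SA_NAME" --project="$SA_PROJECT" \
      --display-name="Netskope CSA" --description="Read-only scanner account for Netskope CSA"
  for api in $CSA_APIS; do run gcloud services enable "$api" --project="$SA_PROJECT"; done
  grant_roles project "$SA_PROJECT"   # the host project itself
  for target in $SCAN_TARGETS; do grant_roles "${target%%:*}" "${target#*:}"; done
  # The JSON key is a long-lived credential for everything granted above: restrict it,
  # keep it out of version control, and delete the local copy once it is uploaded to Netskope.
  run gcloud iam service-accounts keys create "$KEY_FILE" \
      --iam-account="$(sa_email "$SA_NAME" "$SA_PROJECT")" --project="$SA_PROJECT"
  [ "$DRY_RUN" = 1 ] || chmod 600 "$KEY_FILE"
}

main
```

Run it once in dry-run mode and read the printed bindings: every role is granted at every target, so a folder or organization target in SCAN_TARGETS gives the scanner read access to all projects beneath it, which is what the page requires for listing them but is also the widest scope you will grant.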

Configure Google Cloud Platform Instance in Netskope UI

After you have set up the service account, you need to authorize Netskope to ingest data from the Google Cloud Platform. To do so, follow the steps below:

  1. Log in to the Netskope tenant UI and navigate to Settings > API Data Protection > IaaS.

  2. Click the Google Cloud Platform icon and then click SETUP.

    The New Setup window opens.

  3. Under the GCP Service Account section, enter the following details:

    1. Instance Name: Enter a name for the Google Cloud Platform instance.

    2. Admin Email: Enter the email address of the Google Cloud Platform account owner.

      Note

      You can enter any email address here. Netskope sends notifications to this email address.

    3. Connection Type: Select Security Posture to periodically assess the configuration of Google Cloud Platform services and monitor risks in your infrastructure. You can choose the assessment interval: 30 minutes, 60 minutes, 2 hours, 6 hours, or 24 hours. You can view the Google Cloud Platform dashboard by navigating to the IaaS page.

      Note

      Netskope recommends setting the interval to 60 minutes or more.

      Note

      Some of the instance type options may be disabled. Contact your Netskope sales representative for additional information.

  4. In the Cloud Provider Information section, enter the following details:

    1. Under the Upload section, click SELECT FILE and upload the private key JSON file (that you downloaded in Create a Service Account and Assign Roles).

  5. Click SAVE.

  6. On the API Data Protection > IaaS page, click the Google Cloud Platform icon.

  7. Click Grant Access beside the newly created instance.

    Refresh your browser; a green check icon appears next to the Google Cloud Platform instance name once access has been granted.

This completes the Google Cloud Platform instance setup for Continuous Security Assessment.

Custom role permissions for GCP CSA

When setting up GCP for CSA, Netskope requires certain permissions. To grant these permissions, Netskope gives you the following two options.

  • Select the following inbuilt roles,

    • Project > Browser

    • IAM > Security Reviewer

    • BigQuery > BigQuery Metadata Viewer

    • Organization Policy > Organization Policy Viewer

    Or,

  • Select the two inbuilt roles, Project > Browser and Organization Policy > Organization Policy Viewer. Then create a custom role with the permissions compute.projects.get and compute.regions.list. Depending on the GCP services you want assessed, add the corresponding permissions from the table below to the custom role.

    The following table maps each GCP service to the custom role permission(s) it requires and the purpose of each permission. "NA" means the table lists no permission for that service.

    Compute Image
      compute.images.list - Retrieves the list of custom images available to the specified project.

    DNS Managed zone
      dns.managedZoneOperations.list - Enumerates Operations for a given ManagedZone.
      dns.managedZones.list - View the list of all your managed zones.
      dns.resourceRecordSets.list - Enumerates ResourceRecordSets that you have created but not yet deleted.

    Kubernetes Cluster
      container.clusterRoleBindings.list - List the role bindings of a Kubernetes cluster.
      container.clusterRoles.list - List the roles of a Kubernetes cluster.
      container.clusters.list - List existing clusters for running containers.

    Service Account
      iam.serviceAccounts.get - Get a service account.
      iam.serviceAccounts.getIamPolicy - Get the IAM policy for a service account.
      iam.serviceAccountKeys.list - Lists every ServiceAccountKey for a service account.
      iam.serviceAccounts.list - List every service account.

    VPC
      compute.networks.list - List Google Compute Engine networks.

    Compute Instance
      compute.zones.list - List Google Compute Engine zones.
      compute.instances.list - List Google Compute Engine instances.

    Firewall
      compute.firewalls.list - Retrieves the list of firewall rules available to the specified project.

    IAM Policy
      NA

    Log Metric
      logging.logMetrics.list - Lists logs-based metrics.
      monitoring.alertPolicies.list - Lists the existing alerting policies for the workspace.

    Roles
      iam.roles.list - List the roles defined at a parent organization or a project.

    SQL Instance
      cloudsql.instances.list - Lists Cloud SQL instances in a given project.
      cloudsql.users.list - Lists Cloud SQL users in a given instance.

    Access Policy (custom role at org level)
      accesscontextmanager.accessLevels.list - List all access levels.
      accesscontextmanager.accessPolicies.list - List all AccessPolicies under a container.
      accesscontextmanager.servicePerimeters.list - List all Service Perimeters for an access policy.

    Storage
      storage.buckets.getIamPolicy - Returns the Identity and Access Management (IAM) policy for the specified bucket.
      storage.buckets.list - Retrieves a list of buckets for a given project.

    ForwardingRules
      compute.regions.get - Returns the specified Region resource.
      compute.globalAddresses.get - Returns the specified global address resource.
      compute.addresses.get - Returns the specified address resource.
      compute.forwardingRules.list - List Google Compute Engine forwarding rules.

    IAM Policy User
      NA

    Logging Sinks
      logging.sinks.list - Lists the defined sinks.

    Route
      compute.routes.list - List non-dynamic Google Compute Engine routes.

    Subnetwork
      compute.subnetworks.list - Retrieves a list of subnetworks available to the specified project.

    Alert Policy
      monitoring.alertPolicies.list - Lists the existing alerting policies for the workspace.

    Disks
      compute.disks.list - List Google Compute Engine disks.
      compute.zones.list - Retrieves the list of Zone resources available to the specified project.

    DataprocCluster
      dataproc.clusters.list - View a list of clusters in a project.

    CloudFunction
      cloudfunctions.functions.list - List the Cloud Functions of a specified project.
      cloudfunctions.locations.list - List the locations of a specified Cloud Function.

    KMS
      cloudkms.cryptoKeyVersions.list - Lists CryptoKeyVersions.
      cloudkms.cryptoKeys.list - Lists CryptoKeys.
      cloudkms.keyRings.list - Lists KeyRings.

    Organization
      NA

    API Services
      serviceusage.services.list - Lists all services available to the specified project and the current state of each with respect to the project.

    Bigquery Datasets
      bigquery.datasets.get - Returns the dataset specified by datasetID.
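The second option above, building a least-privilege custom role from the table, as a script that encodes the service-to-permission mapping and emits a role definition for gcloud. This is an added example, not Netskope's or Google's own tooling; the function names, the role title and ID, and the ORG_ID and PROJECT_ID placeholders are assumptions. Pass only the services you actually want assessed; the script deduplicates permissions shared between services (compute.zones.list, monitoring.alertPolicies.list) and flags the Access Policy permissions, which the table says must live in an organization-level role.

```shell
#!/bin/sh
# Added example (not Netskope's or Google's tooling): build the custom role for GCP CSA from
# the table above. Function names, the role title/ID and the ORG_ID / PROJECT_ID placeholders
# are assumptions.
set -eu

# service_permissions SERVICE: the permissions the table lists for one GCP service.
service_permissions() {
  case "$1" in
    "Compute Image")      echo compute.images.list ;;
    "DNS Managed zone")   printf '%s\n' dns.managedZoneOperations.list dns.managedZones.list dns.resourceRecordSets.list ;;
    "Kubernetes Cluster") printf '%s\n' container.clusterRoleBindings.list container.clusterRoles.list container.clusters.list ;;
    "Service Account")    printf '%s\n' iam.serviceAccounts.get iam.serviceAccounts.getIamPolicy iam.serviceAccountKeys.list iam.serviceAccounts.list ;;
    VPC)                  echo compute.networks.list ;;
    "Compute Instance")   printf '%s\n' compute.zones.list compute.instances.list ;;
    Firewall)             echo compute.firewalls.list ;;
    "Log Metric")         printf '%s\n' logging.logMetrics.list monitoring.alertPolicies.list ;;
    Roles)                echo iam.roles.list ;;
    "SQL Instance")       printf '%s\n' cloudsql.instances.list cloudsql.users.list ;;
    "Access Policy")      printf '%s\n' accesscontextmanager.accessLevels.list accesscontextmanager.accessPolicies.list accesscontextmanager.servicePerimeters.list ;;
    Storage)              printf '%s\n' storage.buckets.getIamPolicy storage.buckets.list ;;
    ForwardingRules)      printf '%s\n' compute.regions.get compute.globalAddresses.get compute.addresses.get compute.forwardingRules.list ;;
    "Logging Sinks")      echo logging.sinks.list ;;
    Route)                echo compute.routes.list ;;
    Subnetwork)           echo compute.subnetworks.list ;;
    "Alert Policy")       echo monitoring.alertPolicies.list ;;
    Disks)                printf '%s\n' compute.disks.list compute.zones.list ;;
    DataprocCluster)      echo dataproc.clusters.list ;;
    CloudFunction)        printf '%s\n' cloudfunctions.functions.list cloudfunctions.locations.list ;;
    KMS)                  printf '%s\n' cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeys.list cloudkms.keyRings.list ;;
    "API Services")       echo serviceusage.services.list ;;
    "Bigquery Datasets")  echo bigquery.datasets.get ;;
    "IAM Policy"|"IAM Policy User"|Organization) : ;;   # table says NA: no extra permission
    *) echo "unknown service: $1" >&2; return 1 ;;
  esac
}

# csa_permissions SERVICE...: the two base permissions plus each service's, deduplicated.
csa_permissions() {
  perms="compute.projects.get
compute.regions.list"
  for s in "$@"; do
    p=$(service_permissions "$s") || return 1
    perms="$perms
$p"
  done
  printf '%s\n' "$perms" | grep . | sort -u
}

# needs_org_scope SERVICE...: true when a selected service only works in an org-level role.
needs_org_scope() {
  for s in "$@"; do [ "$s" = "Access Policy" ] && return 0; done
  return 1
}

# custom_role_yaml SERVICE...: a role definition in the format `gcloud iam roles create --file=` reads.
custom_role_yaml() {
  echo 'title: "Netskope CSA scanner"'
  echo 'description: "Read-only permissions for Netskope Continuous Security Assessment"'
  echo 'stage: "GA"'
  echo 'includedPermissions:'
  csa_permissions "$@" | sed 's/^/- /'
}

# Usage: print the definition for a chosen set of services, then the create command for the
# right scope (the role must exist where the service account is bound).
custom_role_yaml Storage KMS "Service Account" "Compute Instance" Disks
if needs_org_scope Storage KMS "Service Account" "Compute Instance" Disks; then
  echo "# next: gcloud iam roles create netskopeCsa --organization=ORG_ID --file=role.yaml"
else
  echo "# next: gcloud iam roles create netskopeCsa --project=PROJECT_ID --file=role.yaml"
fi
```

Redirect the YAML to a file, create the role with the printed command, and bind it to the service account alongside Project > Browser and Organization Policy > Organization Policy Viewer in place of Security Reviewer and BigQuery Metadata Viewer. Re-run the script and diff the output whenever you add a service to the assessment, so the role never drifts beyond what the table requires.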