Google Cloud storage may not be as secure as we all hope

Google Cloud may have some troubling security flaws that could allow threat actors to steal data from the cloud storage platform without being detected.

These findings come courtesy of cybersecurity researchers at Mitiga, who found that Google Cloud Platform (GCP) logs, which are typically used to identify attacks and understand what attackers managed to achieve, are substandard and leave a lot to be desired.

In their current state, the logs do not provide the level of visibility needed to allow “any effective forensic investigation,” the researchers said, concluding that organizations using GCP are “blind” to potential data theft attacks.

Blind to attacks

However, Google did not classify the findings as a security vulnerability, so no patch has been released, although it has published a list of mitigations that users can deploy if they fear their current configuration poses a risk.

Because of this lack of visibility, companies cannot effectively respond to incidents and have no way to accurately determine what data was stolen in an attack.

Typically, an attacker takes control of an identity and access management (IAM) entity, grants it the required permissions, and uses it to copy sensitive data. The researchers concluded that because GCP does not provide the necessary transparency regarding the permissions granted, companies will have a hard time monitoring access to data and detecting potential data theft.

While Google offers its customers the ability to turn on storage access logs, the feature is turned off by default. By turning it on, organizations can get better at detecting and responding to attacks, but the feature can be more expensive to use. Even when it is enabled, the researchers added, the logging is “inadequate” and creates “forensic loopholes,” because the system groups “a wide range of possible file access and read activities under one type of event”: the acquisition of an object.

This is a problem because the same event is logged whether someone reads a file, downloads it, or just reads the file’s metadata.
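An added example (not from Mitiga or Google) of what a defender can still check with these logs: whether read logging covers Cloud Storage at all, and which identities touched many distinct objects, since the event type alone cannot separate a metadata read from a download. It assumes the storage access logs are Cloud Audit Logs Data Access entries; the policy, principals, bucket name and threshold are constructed.

```python
from collections import defaultdict

# Constructed IAM policy fragment (not from the article): storage reads are
# only logged when an auditConfigs entry like this one is present.
POLICY = {
    "auditConfigs": [
        {"service": "storage.googleapis.com",
         "auditLogConfigs": [{"logType": "DATA_READ"}, {"logType": "DATA_WRITE"}]},
    ]
}

# Constructed audit log entries. A metadata lookup, a read and a full download
# all arrive with this same methodName, so the entries look alike.
ENTRIES = [
    {"protoPayload": {"methodName": "storage.objects.get",
                      "authenticationInfo": {"principalEmail": who},
                      "resourceName": f"projects/_/buckets/example-bucket/objects/{obj}"}}
    for who, obj in [("app@example.iam.gserviceaccount.com", "report.csv"),
                     ("app@example.iam.gserviceaccount.com", "report.csv"),
                     ("svc-x@example.iam.gserviceaccount.com", "hr/a.csv"),
                     ("svc-x@example.iam.gserviceaccount.com", "hr/b.csv"),
                     ("svc-x@example.iam.gserviceaccount.com", "hr/c.csv")]
]

def storage_reads_logged(policy):
    """True if DATA_READ audit logging covers Cloud Storage in this policy."""
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") in ("storage.googleapis.com", "allServices"):
            if any(c.get("logType") == "DATA_READ" for c in cfg.get("auditLogConfigs", [])):
                return True
    return False

def distinct_objects_per_principal(entries):
    """Count distinct objects each identity touched via storage.objects.get."""
    seen = defaultdict(set)
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") == "storage.objects.get":
            who = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
            seen[who].add(payload.get("resourceName", ""))
    return {who: len(objs) for who, objs in seen.items()}

def flag_bulk_access(entries, threshold=3):
    """Identities that touched at least `threshold` distinct objects."""
    counts = distinct_objects_per_principal(entries)
    return sorted(who for who, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print(storage_reads_logged(POLICY), flag_bulk_access(ENTRIES))
```

A flagged identity only shows that many objects were touched; these entries do not say whether the contents were actually downloaded.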

In response to Mitiga’s findings, Google said it appreciated Mitiga’s feedback but did not consider the issue a security vulnerability. Instead, the company made mitigation recommendations that include the use of VPC Service Controls, enterprise restriction headers, and restricted access to storage resources.
