Google Cloud may have some vulnerabilities that could allow cybercriminals to exfiltrate data from its cloud storage platform without being noticed.
The findings come courtesy of cybersecurity researchers at Mitiga, who said that Google Cloud Platform (GCP) logs, which are typically used to identify attacks and understand what attackers have achieved, are below par and leave much to be desired.
As it stands, the logs do not provide a level of visibility that allows “any effective forensic investigation,” the researchers said, concluding that organizations using GCP are “blind” to potential data exfiltration attacks.
Blind to attacks
However, Google didn’t classify the results as a security vulnerability, so no patch was issued – although it has published a list of mitigations that users can implement if they are concerned that their current setup poses a risk.
As a result, companies cannot effectively respond to incidents and have no way of knowing exactly what data was stolen in an attack.
Typically, an attacker gains control of an Identity and Access Management (IAM) entity, grants it the required permissions, and uses it to copy sensitive data. Because GCP does not provide the necessary transparency about what permissions are granted, companies will have a very hard time monitoring data access and potential data theft, the researchers concluded.
While Google offers its customers the option to enable storage access logs, this feature is disabled by default. Enabling it lets organizations better detect and respond to attacks, although it may incur additional charges. Even when enabled, the researchers added, the logging is “insufficient” and creates “gaps in forensic visibility,” because the system groups “a wide range of potential file access and read activities into one type of event – ‘Acquire object.’”
This is a problem because the same event is used to read a file, download it, and even read the metadata of the file.
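The two checks below are an added example, not code from the article, from Mitiga or from Google. They show what a defender can still do with the logging the article describes: first, confirm from a project's IAM policy whether Data Access (DATA_READ) audit logging is actually switched on for Cloud Storage, since it is off by default; second, triage a batch of Data Access log lines by counting object reads per principal. The field names follow the public shape of GCP IAM policies (`auditConfigs`) and Cloud Audit Log entries (`protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.resourceName`); the policy fragments and log lines are constructed for illustration, and the assumption that the article's “Acquire object” event corresponds to the `storage.objects.get` method is mine. The sample deliberately gives every object access the same method name, so the triage can only count accesses, not tell a metadata lookup from a full download, which is exactly the gap the article points at.

```python
import json
from collections import defaultdict

# Added example (not from the article, Mitiga or Google). Sample policy and log
# lines below are constructed; field names follow public GCP formats.

# --- Check 1: is DATA_READ audit logging enabled for Cloud Storage? -----------
# Data Access logs are controlled by the auditConfigs section of the IAM policy.
POLICY_DEFAULT = {"bindings": []}  # no auditConfigs: DATA_READ is off (the default)
POLICY_WITH_LOGGING = {
    "bindings": [],
    "auditConfigs": [
        {
            "service": "storage.googleapis.com",
            "auditLogConfigs": [
                {"logType": "DATA_READ", "exemptedMembers": ["user:ci-bot@example.com"]},
                {"logType": "DATA_WRITE"},
            ],
        }
    ],
}


def _storage_data_read_configs(policy):
    """Yield DATA_READ configs that apply to Cloud Storage (or to allServices)."""
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") in ("storage.googleapis.com", "allServices"):
            for log_cfg in cfg.get("auditLogConfigs", []):
                if log_cfg.get("logType") == "DATA_READ":
                    yield log_cfg


def storage_data_reads_logged(policy):
    """True if object reads on Cloud Storage produce Data Access log entries."""
    return any(True for _ in _storage_data_read_configs(policy))


def data_read_exemptions(policy):
    """Principals whose reads are NOT logged even though DATA_READ is enabled."""
    exempt = []
    for log_cfg in _storage_data_read_configs(policy):
        exempt.extend(log_cfg.get("exemptedMembers", []))
    return exempt


# --- Check 2: triage Data Access log lines by principal --------------------------
BUCKET = "projects/_/buckets/finance-reports"  # constructed bucket name
SVC = "backup-sa@example-project.iam.gserviceaccount.com"  # constructed principal


def _entry(ts, principal, resource, method="storage.objects.get"):
    """Build one constructed audit log line (newline-delimited JSON)."""
    return json.dumps({
        "timestamp": ts,
        "protoPayload": {
            "serviceName": "storage.googleapis.com",
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": resource,
        },
    })


# Every object access below is storage.objects.get (assumed to be the article's
# "Acquire object"), whether the body was downloaded or only metadata was read.
SAMPLE_LOG = "\n".join([
    _entry("2023-03-01T10:00:01Z", "analyst@example.com", f"{BUCKET}/objects/q4.xlsx"),
    _entry("2023-03-01T10:02:17Z", "analyst@example.com", f"{BUCKET}/objects/q3.xlsx"),
    _entry("2023-03-01T10:02:20Z", "analyst@example.com", BUCKET, "storage.objects.list"),
    _entry("2023-03-01T03:14:02Z", SVC, f"{BUCKET}/objects/q1.xlsx"),
    _entry("2023-03-01T03:14:03Z", SVC, f"{BUCKET}/objects/q2.xlsx"),
    _entry("2023-03-01T03:14:03Z", SVC, f"{BUCKET}/objects/q3.xlsx"),
    _entry("2023-03-01T03:14:04Z", SVC, f"{BUCKET}/objects/q4.xlsx"),
    _entry("2023-03-01T03:14:05Z", SVC, f"{BUCKET}/objects/payroll.csv"),
])


def summarize_object_reads(ndjson):
    """Count storage.objects.get events per principal.

    Because reads, downloads and metadata lookups share one method name, this
    is a count of object accesses, not of confirmed downloads.
    """
    counts = defaultdict(int)
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        payload = json.loads(line).get("protoPayload", {})
        if payload.get("serviceName") != "storage.googleapis.com":
            continue
        if payload.get("methodName") != "storage.objects.get":
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        counts[principal] += 1
    return dict(counts)


def flag_bulk_readers(counts, threshold):
    """Principals with more than `threshold` object reads, busiest first."""
    return sorted((p for p, n in counts.items() if n > threshold), key=lambda p: -counts[p])


if __name__ == "__main__":
    for name, pol in (("default", POLICY_DEFAULT), ("with logging", POLICY_WITH_LOGGING)):
        print(f"{name}: DATA_READ logged={storage_data_reads_logged(pol)} "
              f"exempt={data_read_exemptions(pol)}")
    reads = summarize_object_reads(SAMPLE_LOG)
    print("object reads per principal:", reads)
    print("bulk readers:", flag_bulk_readers(reads, threshold=3))
```

The first check is worth running before an incident, because a policy that omits `auditConfigs` for `storage.googleapis.com` leaves nothing to investigate later; exempted members are reported because a read by an exempted principal never reaches the log at all. The second check is the most an investigator can reliably get from these entries: which principal touched how many objects, not which of those touches were downloads.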
Responding to Mitiga’s findings, Google said it appreciated the feedback but did not consider it a security vulnerability. Instead, the company provided recommended countermeasures, including the use of VPC Service Controls, organization restriction headers, and restricting access to storage resources.