Secure DevOps on Google Cloud: Reduce cloud and container risk

By Eric Carter - SEPTEMBER 28, 2021


Google Cloud is helping businesses build and deploy apps faster than ever before, but at the same time, cloud teams must consider how to implement secure DevOps practices to avoid risk. We’re partnering with Google Cloud to provide security solutions that simplify safeguarding cloud services and containers.

Today, we announced our collaboration with Google Cloud. With it, we’ve introduced a number of new cloud security and compliance controls, as well as our software-as-a-service (SaaS) platform running on Google Cloud. This article highlights what’s new and provides details on how you can take advantage of Sysdig capabilities to tackle the challenges of securing containers, Kubernetes, and cloud services on Google Cloud.

Preparing for cloud and container threats

Protecting your cloud infrastructure and workloads from mishaps and attacks is not a one-size-fits-all proposition. Threat actors employ a wide range of tactics and techniques. Beyond malicious activity, you also face risk from the actions of well-meaning employees who simply don’t know the best practices they should follow. Your best defense is to button down your detection and security practices from development through production. By working with Google Cloud, Sysdig is helping DevOps, cybersecurity, and risk teams follow cloud security best practices to meet their organizational goals.

Unifying configuration management and threat detection for Google Cloud and containers

Threat detection for Google Cloud requires visibility into all of your cloud services, GKE, Anthos, containers, and more. There is a lot to secure! App delivery involves a number of elements, including hosts, virtual machines, containers, clusters, stored data, and input/output data streams. How can you ensure you are properly securing it all? The good news is that, under the shared responsibility model, Google Cloud takes responsibility for the security and maintenance of the underlying infrastructure and its managed services. This goes a long way toward letting you operate confidently in the cloud. However, you remain responsible for what you run on it: the IAM policies you grant, the configuration of your projects and resources, the data you store, and the workloads you deploy. By pairing the Sysdig cloud security capabilities announced today with our container security features, you’ll be able to more effectively follow security best practices for your Google Cloud accounts, apps, and services.

Cloud security posture management and compliance

To help you keep up with your use of Google Cloud services, Sysdig Secure lets you perform static configuration analysis of your cloud infrastructure against benchmarks such as the CIS Google Cloud Platform Foundations Benchmark. This shows you where resources are misconfigured, and guided remediation steps in the user interface help you take action to reach compliance.
By checking the configuration of your environment, you will know whether your IAM policies are secure, see which Cloud Storage buckets in your account are exposed to the public, and understand which VPC firewall rules allow ingress traffic from the internet.
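To make the three checks in that paragraph concrete, here is an added example of the kind of static configuration analysis being described. It is illustration code written for this article, not Sysdig's or Google's, and it does not call any API: the input dictionaries are constructed snapshots that reuse the field names of the JSON `gcloud ... --format=json` returns for bucket IAM policies, firewall rules, and project IAM policies, with made-up values (the bucket names, rule names, principals, and the `example.com` domain are all assumed).

```python
"""Static configuration checks over constructed GCP resource snapshots (added example).

Not Sysdig's or Google's code. Three CIS-style checks the article mentions:
public Cloud Storage buckets, firewall rules reachable from the whole internet,
and over-broad IAM grants. Inputs are constructed samples shaped like
`gcloud` JSON output; no cloud calls are made.
"""
import ipaddress

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}


def public_bucket_grants(buckets):
    """(bucket, role, member) for every IAM binding that grants access to everyone."""
    findings = []
    for name, policy in buckets.items():
        for binding in policy.get("bindings", []):
            for member in binding.get("members", []):
                if member in PUBLIC_MEMBERS:
                    findings.append((name, binding["role"], member))
    return findings


def _port_matches(port, specs):
    """True if `port` is covered by specs like "22" or "20-25"; no specs means all ports."""
    if not specs:
        return True
    for spec in specs:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def world_open_ingress(rules, watch_ports=(22, 3389)):
    """(rule, protocol, port) for enabled INGRESS allow-rules whose source is 0.0.0.0/0 or ::/0."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        # A /0 prefix means "anywhere"; strict=False tolerates host bits in the range.
        if not any(ipaddress.ip_network(r, strict=False).prefixlen == 0
                   for r in rule.get("sourceRanges", [])):
            continue
        for allow in rule.get("allowed", []):  # deny rules carry "denied" instead and are skipped
            proto = allow["IPProtocol"]
            if proto not in ("tcp", "all"):
                continue
            for port in watch_ports:
                if _port_matches(port, allow.get("ports")):
                    findings.append((rule["name"], proto, port))
    return findings


def over_privileged_service_accounts(project_policy):
    """(member, role) where a service account holds a primitive Owner or Editor role."""
    return [
        (member, binding["role"])
        for binding in project_policy.get("bindings", [])
        if binding["role"] in PRIMITIVE_ROLES
        for member in binding.get("members", [])
        if member.startswith("serviceAccount:")
    ]


# ---- constructed sample snapshots (not real resources) ----
BUCKETS = {
    "public-assets": {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]},
    "customer-data": {"bindings": [{"role": "roles/storage.admin", "members": ["group:data-eng@example.com"]}]},
}
FIREWALL_RULES = [
    {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-internal", "direction": "INGRESS", "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "deny-rdp", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "old-allow-any", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}], "disabled": True},
]
PROJECT_POLICY = {"bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
]}


def run_checks():
    """Run all three checks over the sample snapshots and return the findings."""
    return {
        "public_buckets": public_bucket_grants(BUCKETS),
        "world_open_ingress": world_open_ingress(FIREWALL_RULES),
        "over_privileged_service_accounts": over_privileged_service_accounts(PROJECT_POLICY),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(check, findings or "OK")
```

Two details are worth noting: a disabled rule and a `denied` rule never produce a finding, which is why the sample set includes one of each, and a rule with no `ports` list allows every port, so it must be treated as a hit rather than skipped.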

Cloud threat detection using Cloud Audit Logs

As your use of Google Cloud services grows, the volume of activity can reach a point where manual analysis isn’t manageable, and failing to react to a threat quickly can have major consequences. Cloud Audit Logs provide an always-on audit trail for Google Cloud: Admin Activity logs record administrative and configuration changes and are enabled by default, while Data Access logs record reads and writes of your cloud data and, except for BigQuery, must be enabled explicitly before they are collected. Sysdig performs threat detection for Google Cloud by analyzing this log data against a rich set of security rules based on open source Falco, providing real-time analysis of activity so you can respond to threats faster. Sysdig provides out-of-the-box rules to help you secure your environment, including, for example, the following detections:
  • Command Executed on Unused Region
  • Operation by a Non-Corporate Account
  • Invitation Sent to Non-Corporate Account
  • Super Admin Executing Command
  • Suspected Disable of OS Login in a VM Instance
  • Shield Disabled for a VM Instance
  • Create or Delete Bucket
  • Create Cloud Function Not Using Latest Runtime
  • Create or Patch DNS Zone without DNSSEC
  • Disable the Requirement for All Incoming Connections to Use SSL for a Cloud SQL Instance
  • Disable Automatic Backups for a Cloud SQL Instance
  • Disable Subnet Flow Logs
  • Update, Disable, or Delete Sink
  • Enable Project-wide SSH keys for a VM Instance
  • Enable Connecting to Serial Ports for a VM Instance
  • Monitoring Alert Deleted
[Figure: Real-time Google Cloud threat detection with Falco rules]

Enabling advanced threat hunting with Google Cloud’s Chronicle

Sysdig supports sending different types of security data to third-party SIEM platforms and logging tools. We’ve previously extended this capability to deliver events to Google Cloud’s security and risk management platform, Security Command Center. Now, you can also use this event forwarding capability to send Sysdig-detected security events directly to Google Cloud’s Chronicle security analytics platform. The Chronicle cloud service lets you privately retain, analyze, and search massive amounts of security and network telemetry. Chronicle normalizes, indexes, correlates, and analyzes that data to provide fast analysis and context on risky activity. With this integration, you can extend Chronicle’s capabilities with the data unique to Sysdig: Kubernetes security, container, and process-level events. Incorporating this event information helps you perform advanced threat hunting and security analytics to reduce mean time to detect (MTTD) and accelerate response for your cloud-native workloads.

Sysdig SaaS on Google Cloud

To meet the demands of dynamic cloud-native environments, visibility and security solutions are increasingly moving to the cloud. Cloud-based software-as-a-service (SaaS) enables enterprises to break free from hardware dependency and instantiate services wherever required. Now that Sysdig SaaS is available on Google Cloud, customers who prefer Google Cloud can get started quickly and grow without worrying about backend data management. Sysdig SaaS has many benefits:
  • Fast startup: Get up and running in minutes and plug into your DevOps tools (e.g., embed image scanning in CI/CD pipelines).
  • Easy-to-scale: Monitor and secure a few images or cloud services, and scale up as your footprint grows without worrying about backend data management.
  • No infrastructure costs: Avoid buying and operating in-house hardware, and avoid perpetual software licenses, to run security and monitoring.
  • Simple maintenance: Remove the overhead of maintenance and support. Sysdig handles rollouts of new SaaS feature updates and patches without disruption.
With this launch, the Sysdig Secure DevOps Platform is also now available on Google Cloud Marketplace. This means you can purchase and get started right from Google Cloud.

Free Tier for Cloud Security

Finally, what’s also new for Google Cloud is our continuous cloud security free tier. You can use it to get started with managing cloud security posture free, forever, for one of your Google Cloud accounts. This includes a daily check against CIS benchmarks, cloud threat detection based on Cloud Audit Logs, and inline container image scanning for up to 250 images a month. You can get the free tier from the Google Cloud Marketplace.


We’re excited to partner with Google Cloud in helping our joint users more effectively secure their cloud services and containers. The new cloud security capabilities highlighted here build on our previous work to enable visibility, security, and compliance for Google Cloud container services. This includes image scanning, runtime security, compliance, and forensics for GKE, Anthos, Cloud Run, Cloud Build, Google Container Registry, and Artifact Registry. Having a single view across cloud, workloads, and containers will help you speed the time it takes to detect and respond to attacks. For a deeper look at best practices for Google Cloud security, check out the blog GCP Security Best Practices to Adopt in Production.
