
You're reading from Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781835468869
Edition: 1st Edition
Authors (2):
Ankush Chowdhary

With an unwavering focus on technology spanning over two decades, Ankush remains genuinely dedicated to the ever-evolving realm of cybersecurity. Throughout his career, he has consistently upheld a deep commitment to assisting businesses on their journey towards modernization and embracing the digital age. His guidance has empowered numerous enterprises to prioritize and implement essential cybersecurity measures. He has had the privilege of being invited as a speaker at various global cybersecurity events, where he had the opportunity to share his insights and exert influence on key decision-makers concerning cloud security and policy matters. Driven by an authentic passion for education and mentorship, he derives immense satisfaction from guiding, teaching, and mentoring others within the intricate domain of cybersecurity. The intent behind writing this book has been a modest endeavor to achieve the same purpose.

Prashant Kulkarni

In his career, Prashant has worked directly with customers, helping them overcome different security challenges in various product areas. These experiences have made him passionate about continuous learning, especially in the fast-changing security landscape. Joining Google 4 years back, he expanded his knowledge of Cloud Security. He is thankful for the support of customers, the infosec community, and his peers that have sharpened his technical skills and improved his ability to explain complex security concepts in a user-friendly way. This book aims to share his experiences and insights, empowering readers to navigate the ever-evolving security landscape with confidence. In his free time, Prashant indulges in his passion for astronomy, marveling at the vastness and beauty of the universe.

13

Image Hardening and CI/CD Security

In this chapter, we will look at Google’s approach to Compute Engine image hardening and DevOps pipeline security. One of the most critical issues facing industries today is software supply chain attacks. To address this matter in the cloud, we need to be able to build secure infrastructure, monitor operations, and fix vulnerabilities. This is a very broad topic. We will only cover the topics required for the exam in this chapter.

In this chapter, we will cover the following topics:

  • Overview of image management
  • Custom images for Compute Engine
  • Image management pipeline
  • Controlling access to images
  • Image lifecycle
  • Enforcing lifecycle policies
  • Secure CI/CD pipeline
  • Best practices for a CI/CD pipeline
  • Shielded VMs
  • Confidential computing

Overview of image management

A Google Compute Engine image is a pre-configured virtual machine (VM) image that can be used to quickly deploy applications and services to Google Compute Engine. An image includes the operating system, configuration settings, and any other software required for the application or service to run. Securing a Google Compute Engine image is important to prevent unauthorized users and malicious software from accessing applications and services. This can be done by setting up strong access control measures with Identity and Access Management (IAM) tools, creating secure user accounts, and using encryption and authentication measures. Regularly updating the image with the latest security patches and using intrusion detection and prevention systems can also help protect the image from potential security threats. Let’s understand the concept of image management used for hardening a Compute Engine image.

An image in Compute Engine refers to...

Custom images for Google Compute Engine

It is possible to customize your Compute Engine instance by way of a startup script, which allows you to install the necessary software components and harden the image. A more efficient method is to create a custom image that meets your specific security configuration and image standards. There are three ways you can customize an image. The process of customization is generally referred to as image baking:

  • Manual baking
  • Automated baking
  • Import an existing image

Images need to be encrypted, which can be achieved either by using Google’s default encryption keys or by using your own encryption keys (customer-managed encryption keys).

Changing or baking images offers the following benefits:

  • Shorter boot time for applications to be ready
  • A more stable environment for applications to be installed
  • Easier to go back to older versions of the image
  • During application startup, there are fewer...

Image management pipeline

In this section, we will look at the process of creating an image management pipeline. The process involves a few procedures, and we will look at the high-level steps, including prerequisites that you need to meet before you build your image factory. Let’s now look at the steps:

  1. Create a strategy for managing image lifecycles, such as golden image promotion, versioning, deprecation, and deletion.
  2. Bake a golden image, and use an automated compliance check, such as Chef InSpec.
  3. Ensure that an organization policy is in place to limit the compute images available to individuals working on specific projects.

You will also need to meet a couple of prerequisites:

  • Ensure you have a Google Cloud account.
  • You either need to have Project Editor access for an existing project, or you need organization permissions to be able to create a new project under the organization.

The process of creating an image is quite similar...

Controlling access to the images

To split workloads, environments, and user access, you will usually need different Google Cloud projects. Although most cloud workloads do not require sharing between projects, images are an excellent choice for doing so. You can follow a consistent approach to distributing images with best practices for security, permission, package management, and operations pre-configured for the rest of the company by using a shared collection of images.

Figure 13.3 – Sharing images between projects

You can share images by giving different IAM roles to different projects inside an organization. Image Creation Project, represented in Figure 13.3, is the project that holds the images that you want to share with other projects, and it must have the following IAM roles and policies applied to it:

  • Allow users of Image User Group to create instances from these images by granting them the compute.imageUser role
  • Allow Image...

Image lifecycle

After you’ve built up an image build pipeline, you’ll need to keep the images up to date. While the pipeline creates the images, you must make sure that your deployment techniques use the most recent versions. You’ll also need a method for curating images so that no outdated or obsolete images are accidentally used. With the image lifecycle, you can achieve that. Next, we will look at image families, which we covered earlier in the Overview of image management section: public image families and custom image families.

Image families

With Compute Engine’s image families, you can rest assured that your automation systems will always be able to make use of the most up-to-date images. An image collection can be organized into a family by the administrator. Then, instead of remembering specific image names, users will just need to remember the name of the image family. Since every image must have a distinct name, image-build pipelines...

Enforcing lifecycle policies

Lifecycle policies for VM images are necessary to ensure that images are updated regularly with the latest security patches and features. By enforcing lifecycle policies, organizations can ensure that their VMs remain secure and up to date, thereby reducing the risk of security breaches and other problems due to outdated software. Additionally, regular updates can help improve the performance and reliability of VMs, thus increasing their overall efficiency and cost-effectiveness.

Google Cloud VM lifecycle policies allow administrators to define a set of rules for how their VMs should be handled over time. These policies are important for ensuring that images are regularly updated, properly configured, and can be easily identified for deletion or obsolescence.

The most basic policy is the image deletion policy, which sets the time frame for when an image should be deleted. This helps to keep images up to date and avoid any potential security vulnerabilities...
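As an added example (not code from the book), the following Python models the family resolution described in the Image families section and a lifecycle policy of the kind discussed above, moving superseded images through DEPRECATED, OBSOLETE and DELETED and rendering the result as gcloud compute images deprecate commands for review. The image inventory, the day thresholds and the project name are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed inventory of custom images in an image project (sample data, not a real project).
IMAGES = [
    {"name": "web-base-v0", "family": "web-base", "created": "2022-08-01T00:00:00Z"},
    {"name": "web-base-v1", "family": "web-base", "created": "2022-11-01T00:00:00Z"},
    {"name": "web-base-v2", "family": "web-base", "created": "2023-03-01T00:00:00Z"},
    {"name": "web-base-v3", "family": "web-base", "created": "2023-05-15T00:00:00Z"},
    {"name": "db-base-v1", "family": "db-base", "created": "2023-04-01T00:00:00Z"},
]

def _ts(iso):
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def latest_in_family(images, family):
    """Resolve a family name to its newest image, which is what a family reference returns."""
    members = [i for i in images if i["family"] == family]
    return max(members, key=lambda i: _ts(i["created"]))["name"] if members else None

def plan_lifecycle(images, now_iso, obsolete_after_days=90, delete_after_days=180):
    """Map each superseded image to the state it should be in at now_iso.
    An image is superseded the moment a newer image lands in its family: from then on it is
    DEPRECATED, becomes OBSOLETE after obsolete_after_days and DELETED after delete_after_days.
    The newest image of every family stays active and is not listed."""
    now, plan = _ts(now_iso), {}
    for family in {i["family"] for i in images}:
        ordered = sorted((i for i in images if i["family"] == family),
                         key=lambda i: _ts(i["created"]))
        for older, newer in zip(ordered, ordered[1:]):
            days_superseded = (now - _ts(newer["created"])).days
            if days_superseded >= delete_after_days:
                plan[older["name"]] = "DELETED"
            elif days_superseded >= obsolete_after_days:
                plan[older["name"]] = "OBSOLETE"
            else:
                plan[older["name"]] = "DEPRECATED"
    return plan

def to_gcloud(plan, project):
    """Render the plan as gcloud commands for an operator to review before running them."""
    return [f"gcloud compute images deprecate {name} --state={state} --project={project}"
            for name, state in sorted(plan.items())]

if __name__ == "__main__":
    print(latest_in_family(IMAGES, "web-base"))
    for cmd in to_gcloud(plan_lifecycle(IMAGES, "2023-06-01T00:00:00Z"), "image-creation-project"):
        print(cmd)
```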

Securing a CI/CD pipeline

The Continuous Integration and Continuous Delivery (CI/CD) pipeline is a set of procedures that software developers follow in order to work on smaller chunks of code and increase overall productivity and efficiency. Its goal is to expose errors as early as possible in the process, allowing for faster failures. Developers typically activate CI processes by pushing code changes. Linting, testing, and building are all processes in the pipeline that validate the modifications. Typically, a CI pipeline produces an artifact that may be deployed later in the deployment process. The CI/CD pipeline is the DevOps processes’ foundational infrastructure. It is critical to secure the CI/CD pipeline at every step to ensure that the applications, services, and data in the cloud are secure and protected. Securing your CI/CD pipeline helps to reduce the risk of malicious attacks, data breaches, and other security vulnerabilities. Additionally, it can help organizations...

Best practices for CI/CD security

The foundation of DevOps is CI/CD. Through automated monitoring and processes throughout the development cycle, CI/CD provides value to software production. In this rapidly evolving, technology-driven environment, security must be balanced with the need for flexibility. To prevent data breaches, the best approach is to build security into the development process.

Here are some of the best practices for securing CI/CD pipelines:

  • Use Infrastructure as Code (IaC) to manage and provision IT resources on Google Cloud. IaC uses configuration files and automation tools to manage resources, ensuring that they are set up correctly and efficiently.
  • Automate builds and deployments with tools such as Jenkins, CircleCI, and Spinnaker to define and execute the necessary steps in the process. These automation tools make it easy to quickly deploy code changes and reduce the risk of potential bugs and are essential for a successful CI/CD pipeline.
  • Using Git for version...

Shielded VMs

Shielded VMs on Google Cloud are protected against rootkits and bootkits by a set of security safeguards. Shielded VMs safeguard company workloads from dangers such as remote attacks, privilege escalation, and hostile insiders.

Shielded VMs’ verifiable integrity is achieved using the following features:

  • Secure Boot
  • Virtual trusted platform module (vTPM)-enabled Measured Boot
  • Integrity monitoring

Let us look at each of them in more detail.

Secure Boot

Secure Boot checks all boot components’ digital signatures and stops the booting process if the signature verification fails. Let’s look at how Secure Boot for Shielded VMs works.

Shielded VM instances run software that has been certified and confirmed by Google’s Certificate Authority Service. This makes sure that the firmware of the instance hasn’t been changed and gives Secure Boot its foundation of trust. The UEFI 2.3.1 firmware protects the certificates...
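The integrity monitoring feature listed above reports each boot's measurements against the instance's baseline as events in Cloud Logging. The Python below is an added example, not code from the book, that triages such events from a defender's side; the entries are constructed to match the documented earlyBootReportEvent and lateBootReportEvent fields of the shielded_vm_integrity log, and the instance ids and the set of recently patched instances are assumptions.

```python
INTEGRITY_LOG = "compute.googleapis.com%2Fshielded_vm_integrity"
PHASES = {"earlyBootReportEvent": "early boot (firmware/bootloader)",
          "lateBootReportEvent": "late boot (kernel/initrd)"}

def _entry(instance_id, log, payload):
    """Build a minimal Cloud Logging style entry (constructed, not a real export)."""
    return {"logName": f"projects/example-project/logs/{log}",
            "resource": {"labels": {"instance_id": instance_id}},
            "jsonPayload": payload}

# Constructed sample: two healthy reports, one early-boot failure, one late-boot failure,
# and an unrelated syslog line that must be ignored. Instance ids are made up.
SAMPLE_LOG = [
    _entry("1001", INTEGRITY_LOG, {"earlyBootReportEvent": {"policyEvaluationPassed": True}}),
    _entry("1001", INTEGRITY_LOG, {"lateBootReportEvent": {"policyEvaluationPassed": True}}),
    _entry("1002", INTEGRITY_LOG, {"earlyBootReportEvent": {"policyEvaluationPassed": False}}),
    _entry("1003", INTEGRITY_LOG, {"lateBootReportEvent": {"policyEvaluationPassed": False}}),
    _entry("1003", "syslog", {"message": "unrelated line"}),
]

def integrity_failures(entries):
    """Return (instance_id, phase) for every integrity event whose measured boot
    components did not match the instance's integrity policy baseline."""
    findings = []
    for e in entries:
        if not e.get("logName", "").endswith(INTEGRITY_LOG):
            continue
        payload = e.get("jsonPayload", {})
        for field, phase in PHASES.items():
            report = payload.get(field)
            if report is not None and report.get("policyEvaluationPassed") is False:
                findings.append((e["resource"]["labels"]["instance_id"], phase))
    return findings

def triage(entries, recently_patched=frozenset()):
    """Classify failing instances. Early-boot mismatches mean firmware or bootloader
    measurements changed, which a routine OS patch does not do, so they are HIGH.
    Late-boot mismatches are expected right after a kernel update, so an instance in
    recently_patched gets a baseline-update action instead of an investigation."""
    result = {}
    for inst, phase in integrity_failures(entries):
        if phase.startswith("early"):
            result[inst] = "HIGH: firmware/bootloader measurements changed, investigate before reuse"
        elif inst in recently_patched:
            result.setdefault(inst, "INFO: kernel updated, confirm change record then update baseline")
        else:
            result.setdefault(inst, "MEDIUM: kernel/initrd mismatch with no known patch, investigate")
    return result
```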

Confidential computing

Confidential computing involves the use of hardware-based Trusted Execution Environments (TEEs) to protect data while it is being used. TEEs are secure and isolated environments that keep applications and data from being accessed or changed while they are in use. The Confidential Computing Consortium, an industry group, defined this security standard.

The three states of end-to-end encryption are as follows:

  • Encryption at rest: This protects your data while it is being stored
  • Encryption in transit: This protects your data when it is moving between two points
  • Encryption in use: This protects your data while it is being processed

Confidential computing gives you the last piece of end-to-end encryption: encryption in use.

Key features of Google Cloud Confidential Computing

When you use a Confidential VM, your data and applications stay private and encrypted even when they are being used. This is a type of Compute Engine VM. It runs...

Summary

This chapter highlights the need for hardening images for both VMs and containers. It outlines the steps for managing images, securing and hardening them, and building image management pipelines. In addition, we discussed the use of cloud-native tools on Google Cloud to build security scanning of the CI/CD pipeline. To further secure applications running in the cloud environment, we explored Google Compute Engine security capabilities such as Shielded VMs, vTPMs, and Confidential Computing. Finally, we discussed various measures for securing containers and applications running inside them, such as network policies to control traffic flow and key management systems for encryption key security and management.

In the next chapter, we will cover Security Command Center, which is used to monitor the security posture of your Google Cloud organization.

Further reading

For more information on Google Cloud image hardening and CI/CD security, refer to the following links:
