Kivera and Google Cloud

Comparing Kivera to Google Cloud's Native Offering

Kivera and VPC Service Controls to Prevent Data Loss

VPC Service Controls

VPC Service Controls (VPC SC) is a powerful security offering which implements logical perimeters around Google Cloud Projects. A common use case of VPC SC is to address the control “ensure data remains within my defined perimeter which contains only my Organizations projects.”

While VPC SC provides a solid security layer, there are some limitations worth noting:

  • VPC SC supports 142 (including beta support) of the 289 Google Cloud services. This gap presents a data exfiltration risk.
  • The introduction of perimeters through VPC SC requires substantial planning and analysis to prevent disruption to existing workloads.
  • VPC SC perimeters are scoped at the project level and can't be narrowed to individual resources within a project.
  • For environments with cross-cloud connectivity, the VPC SC has no effect on AWS or Azure tenants and resources.

Kivera's Extended Capabilities

Kivera provides extensive preventive capabilities across all 289 Google Cloud services. Kivera’s scope for prevention goes deeper than a project: it can enforce controls down to the resource, the action taken against that resource, and even the parameters within a request.

Compared to VPC SC for data perimeters, Kivera offers more flexibility, greater coverage and the ability to scope data boundaries to specific resources.

Benefits Include:

  • Complete coverage of all 289 services in Google Cloud.
  • Flexibility when setting up data boundaries, supporting both alert and block enforcement modes.
  • Scoping capabilities to folders, projects, or specific resources.
  • The ability to enforce data boundaries between different cloud provider resources in environments with cross-cloud connectivity.

Kivera's coverage includes both Google Cloud APIs and coverage for additional G-Suite APIs. A full list of supported services is available here.

Kivera and Google Cloud IAM

IAM and Kivera

Google's IAM allows you to grant specific identities permissions to cloud resources. It's a fundamental part of any cloud service provider and an essential component of your security posture. However, the scope of IAM policies is limited to the IAM Action of a resource, and it does not control resource configurations. For instance, IAM can allow a user to create a virtual machine, but it can't control the machine's configuration.

Consider the following controls for GKE:

  • Allow users to create a GKE cluster (IAM)
  • Ensure logging is enabled for new clusters (Kivera)
  • Ensure appropriate labels are attached to new clusters (Kivera)
  • Ensure the cluster master is private (Kivera)
  • Ensure auto-scaling min is set to 3 (Kivera)
  • Allow deletion of clusters (IAM)

As illustrated above, while IAM enables broad actions like CreateCluster and DeleteCluster, Kivera provides granular control over parameter-level configurations within those actions.
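As an added illustration (not Kivera's or Google's own code), the following Python evaluates a GKE create-cluster request body against the four Kivera-side controls listed above, the checks that an IAM permission such as container.clusters.create cannot express. The GKE v1 REST API field names and the block/alert decision shape are assumptions made for this example.

```python
# Added example (not Kivera's code): parameter-level checks on a GKE
# CreateCluster request body, the kind of control IAM alone cannot express.
# Field names follow the GKE v1 REST API (assumed); policy layout is constructed.
from typing import Any, Dict, List

REQUIRED_LABELS = {"owner", "cost-centre"}  # constructed policy inputs
MIN_AUTOSCALE_NODES = 3


def check_gke_cluster(cluster: Dict[str, Any]) -> List[str]:
    """Return control violations for a cluster spec (empty list = compliant)."""
    findings: List[str] = []
    # Logging enabled for new clusters
    components = cluster.get("loggingConfig", {}).get("componentConfig", {})
    if not components.get("enableComponents"):
        findings.append("logging disabled: no loggingConfig.componentConfig.enableComponents")
    # Appropriate labels attached
    missing = REQUIRED_LABELS - set(cluster.get("resourceLabels", {}))
    if missing:
        findings.append(f"missing resourceLabels: {sorted(missing)}")
    # Cluster master is private
    pcc = cluster.get("privateClusterConfig", {})
    if not (pcc.get("enablePrivateNodes") and pcc.get("enablePrivateEndpoint")):
        findings.append("public control plane: privateClusterConfig must enable private nodes and endpoint")
    # Autoscaling minimum of 3 on every node pool
    for pool in cluster.get("nodePools", []):
        auto = pool.get("autoscaling", {})
        if not auto.get("enabled") or auto.get("minNodeCount", 0) < MIN_AUTOSCALE_NODES:
            findings.append(f"nodePool {pool.get('name')!r}: autoscaling.minNodeCount must be >= {MIN_AUTOSCALE_NODES}")
    return findings


def decide(request: Dict[str, Any], mode: str = "block") -> str:
    """Decision for a projects.locations.clusters.create body in block or alert mode."""
    if not check_gke_cluster(request.get("cluster", {})):
        return "ALLOW"
    return "DENY" if mode == "block" else "ALERT"


# Constructed sample: a caller holding container.clusters.create submits a
# cluster that breaks three of the four controls (IAM would still permit it).
SAMPLE_REQUEST = {"cluster": {
    "name": "dev-cluster",
    "resourceLabels": {"owner": "team-a"},
    "loggingConfig": {"componentConfig": {"enableComponents": ["SYSTEM_COMPONENTS"]}},
    "privateClusterConfig": {"enablePrivateNodes": True, "enablePrivateEndpoint": False},
    "nodePools": [{"name": "default-pool", "autoscaling": {"enabled": True, "minNodeCount": 1}}],
}}

if __name__ == "__main__":
    for finding in check_gke_cluster(SAMPLE_REQUEST["cluster"]):
        print("VIOLATION:", finding)
    print(decide(SAMPLE_REQUEST))  # DENY
```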

Kivera and Organization Policies in Google Cloud

While IAM manages broader resource permissions, Org Policies provide some control over the configuration of resources within Google Cloud projects. However, Org Policies can only be broadly scoped to folders or projects, not to the resources within your projects; i.e. all resources within a project are subject to the conditions of an Org Policy.

Org Policies support 22 of the 289 services in Google Cloud, with 92 controls available as of writing. In addition to the 92 pre-defined policies, Google also offers Custom Org Policies for five services; however, these remain in ‘Preview’ status, limiting their applicability to production workloads.

Organization Policies are similar to Kivera in that both can control individual parameters of an action; in practice, however, they offer different security outcomes.

Kivera offers a more extensive version of custom Organization Policies that can be scoped to folders, projects and the resources within them. Additionally, Kivera supports custom policies for all 289 services, with tens of thousands of controllable parameters. The Kivera platform also provides capabilities to secure cloud data, simplify compliance, gain visibility and improve cloud agility.

Summary Table

Feature                                                                                       | VPC Service Controls | Kivera | Organization Policies | IAM
Enforce preventive data boundaries in Google Cloud                                            |                      |        |                       |
Supports every available Google Cloud service                                                 | ❌ (142/289)         | ✅^^   | ❌**                  |
Enforce cross-cloud data perimeters, e.g. Google Cloud project to AWS S3 bucket or Azure Blob |                      |        |                       |
Scope to resource level                                                                       | ❌^                  |        | ❌^                   |
Apply preventive controls to resource configurations                                          | Partial              |        | ✅*                   |

* 92 canned policies across 22 services since release
^ Project level only
** 22/289 services supported by canned policies; 5/289 supported by Custom Org Policies in ‘Preview’ status
^^ Every service supported, with zero-lag support for new services