FFF Enterprises Selects ScaleSec as Trusted GCP Security Partner

FFF Enterprises engaged ScaleSec seeking support to elevate their GCP security approach in a way that aligned with their business objectives. As a GCP Security Partner, ScaleSec is ideally suited to bring industry expertise and best practices tailored to FFF’s cloud environment. Over 14 weeks, ScaleSec performed a detailed assessment of Google Cloud, and then continued to support their effort to elevate their Cloud Security Posture.

This project followed 3 Phases: Assess, Recommend, Elevate.

Assess

The cloud security assessment was driven by benchmarks and security best practices uniquely available to GCP Security Partners. Consultants ran discovery and assessment workshops, and performed detailed analysis on their current posture based on environment data available in Google Cloud Asset Inventory. This assessment provided a lens into their existing GCP environment across eight Security Domains:

• Resource Management
• Identity & Access Management
• Network Security
• VM Security
• Data Security
• Security Operations
• Google Kubernetes Engine (GKE) Security
• Kubernetes Security

Recommend

Following the Assessment, FFF received a tailored and prioritized report guiding them through how to elevate their posture across all domains to the risk tolerance desired by their business. The report is organized and prioritized based on risk impact, and delivery effort required to act on recommendations. ScaleSec Consultants walked through the report and left no stone unturned in discussing relevant best practices and elevation opportunities, tailored to their business and environment.

Elevate

In close partnership with FFF leadership and boots on the ground engineers, ScaleSec continued to work with FFF following the assessment to support delivery of priority security objectives, including verifying least privilege permissions for users and applications across the environment. With the goal of assuring security best practices while enabling innovation, ScaleSec focused on implementing Guardrails through the use of GCP Organization Policies.

Insight

Managing your environment through code is a key part of a well managed environment. Our consultants delivered all of the changes to the environment as Infrastructure as Code (IaC) using Terraform. Among the many benefits of using Infrastructure as Code to manage cloud configurations, FFF can reference what configuration is present in the environment at any time, clearly declared in code. A code-driven change management practice reduces time to market for product teams, reduces operating costs, accelerates onboarding of new hires, and simplifies audits.

While Guardrails are a critical part of any approach to elevating your Cloud Security posture, not all security best practices can be achieved through centrally applied controls. Many security best practices must be followed by cloud users, and security best practice must be followed by end users. Driving change in cloud user behavior is always a cultural transformation as well as a technical one. Our consultants provided a tailored adoption plan to uplift cloud users into following cloud security best practices.

GCP Cloud Services reviewed for this engagement include:

• Identity and Access Management (IAM)
• Workload Identity Federation
• Secret Manager
• BigQuery
• Cloud Asset Inventory
• Cloud Storage
• Cloud Logging
• Security Command Center (SCC)

Customer Voice

ScaleSec quickly assessed our Cloud Security Posture, and then stayed with us to help us elevate our operations to where we wanted them to go. Their technical know-how of the cloud helped us achieve our goals while following industry best practices.

– Billy Norwood, CISO

Assess Your Cloud

Regular assessments are a cornerstone of a robust cloud security program, and a common requirement for popular compliance frameworks. ScaleSec is a Premier Google Cloud Security Partner, with certified practitioners who can help you identify and prioritize improvements to maintain a robust security posture.