Full Report
New data from Google Cloud finds that basic security failures continue to drive the majority of cloud compromises,... The post Google Cloud warns cloud misconfigurations and identity security gaps pose growing risks to critical infrastructure systems appeared first on Industrial Cyber.
Analysis Summary
# Best Practices: Cloud Identity & Infrastructure Security
## Overview
Based on findings from Google Cloud’s *Cloud Threat Horizons Report H2 2025*, these practices address the primary drivers of cloud compromises: weak or absent credentials (47.1%), misconfigurations (29.4%), and API/UI vulnerabilities. These recommendations aim to harden critical infrastructure by addressing identity gaps and preventing lateral movement.
## Key Recommendations
### Immediate Actions
1. **Enforce Multi-Factor Authentication (MFA):** Implement MFA across all user accounts. Use hardware keys or phishing-resistant methods to prevent MFA bypass via session cookie theft.
2. **Audit Publicly Exposed Assets:** Identify and secure or close open APIs and administrative user interfaces that are currently accessible from the public internet.
3. **Remediate Known Vulnerabilities:** Prioritize patching for Remote Code Execution (RCE) flaws, with particular attention to utilities widely deployed in critical infrastructure environments, such as `rsync`.
### Short-term Improvements (1-3 months)
1. **Implement Least Privilege Access:** Audit permissions for both human users and service accounts. Remove excessive privileges and unused credentials/tokens.
2. **Credential Monitoring:** Enable integrations (e.g., Google Cloud partner notifications) to detect "leaked credentials" on the dark web and automatically disable compromised keys.
3. **Harden Configuration Posture:** Conduct a comprehensive review of cloud storage (buckets) and developer repositories to ensure they are not hosting unintended public files or developer secrets.
### Long-term Strategy (3+ months)
1. **Zero Trust Architecture:** Transition to a defense-in-depth model that assumes the network is compromised, focusing on continuous verification of identity and device health.
2. **Automated Security Governance:** Deploy Cloud Security Posture Management (CSPM) tools to automatically detect and remediate misconfigurations in real-time.
3. **Supply Chain Security Program:** Develop a rigorous patch management and vendor risk assessment process to address vulnerabilities in third-party software and open-source components.
## Implementation Guidance
### For Small Organizations
- Focus on "Security Defaults" provided by cloud vendors.
- Use managed identity providers to offload the burden of credential security.
- Prioritize securing the highest-risk assets, such as admin accounts and public-facing APIs.
### For Medium Organizations
- Implement automated credential scanning to find secrets embedded in code repositories.
- Establish a formal "Internal Patching SLA" for critical RCE vulnerabilities.
- Use centralized logging to monitor for unusual lateral movement or access from unknown locations.
### For Large Enterprises
- Deploy a full **Defense-in-Depth strategy** involving specialized teams for Identity Governance and Cloud Security Engineering.
- Implement automated kill-switches to revoke session cookies or disable accounts when credential theft is detected.
- Participate in information-sharing communities (ISACs) to stay ahead of evolving threat actor tactics targeting critical infrastructure.
## Configuration Examples
*While specific code was not provided in the source, the report emphasizes these technical triggers:*
- **Auto-Disable Policy:** Configure cloud IAM to automatically revoke service account keys if they are detected in public GitHub repositories.
- **Session Duration Limits:** Shorten the lifespan of session cookies to mitigate the risk of "stolen session cookie" bypass attacks.
- **Credential Rotation:** Enforce 90-day (or shorter) rotation cycles for all API keys and access tokens.
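Added example (not from the source report or from Google Cloud's own tooling) that turns the credential-rotation trigger above into a check: it reads the assumed JSON shape of `gcloud iam service-accounts keys list --format=json` output, flags user-managed keys older than 90 days, and emits the `gcloud ... keys disable` commands for an operator to review; the key data below is constructed.

```python
"""Audit service-account keys against the 90-day rotation policy."""
import json
from datetime import datetime, timedelta

MAX_KEY_AGE_DAYS = 90  # rotation cycle from the section above

# Constructed sample in the assumed shape of `gcloud iam service-accounts
# keys list --format=json`: two user-managed keys and one Google-managed key.
SAMPLE_KEYS_JSON = """
[
  {"name": "projects/p/serviceAccounts/svc@p.iam.gserviceaccount.com/keys/aaa111",
   "keyType": "USER_MANAGED", "validAfterTime": "2025-01-01T00:00:00Z",
   "validBeforeTime": "9999-12-31T23:59:59Z", "disabled": false},
  {"name": "projects/p/serviceAccounts/svc@p.iam.gserviceaccount.com/keys/bbb222",
   "keyType": "USER_MANAGED", "validAfterTime": "2025-06-01T00:00:00Z",
   "validBeforeTime": "9999-12-31T23:59:59Z", "disabled": false},
  {"name": "projects/p/serviceAccounts/svc@p.iam.gserviceaccount.com/keys/ccc333",
   "keyType": "SYSTEM_MANAGED", "validAfterTime": "2025-06-01T00:00:00Z",
   "validBeforeTime": "2025-06-15T00:00:00Z", "disabled": false}
]
"""


def parse_rfc3339(ts):
    """Parse the 'Z'-suffixed timestamps gcloud prints into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_user_managed_keys(keys_json, now_iso, max_age_days=MAX_KEY_AGE_DAYS):
    """Return IDs of enabled, user-managed keys older than max_age_days."""
    now = parse_rfc3339(now_iso)
    overdue = []
    for key in json.loads(keys_json):
        # Google rotates SYSTEM_MANAGED keys itself; disabled keys are already contained.
        if key.get("keyType") != "USER_MANAGED" or key.get("disabled"):
            continue
        age = now - parse_rfc3339(key["validAfterTime"])
        if age > timedelta(days=max_age_days):
            overdue.append(key["name"].rsplit("/", 1)[-1])
    return overdue


def disable_commands(account, key_ids):
    """Build the gcloud disable commands for review (not executed here)."""
    return [f"gcloud iam service-accounts keys disable {k} --iam-account={account}"
            for k in key_ids]


if __name__ == "__main__":
    stale = stale_user_managed_keys(SAMPLE_KEYS_JSON, "2025-07-01T00:00:00Z")
    print("\n".join(disable_commands("svc@p.iam.gserviceaccount.com", stale)))
```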
## Compliance Alignment
- **NIST Cybersecurity Framework:** Alignment with "Identify" (Asset Management) and "Protect" (Identity Management and Access Control).
- **CIS Benchmarks:** Specific alignment with Cloud Foundations benchmarks for identity and storage configuration.
- **Cyber Resilience Act (CRA):** Ensuring software and hardware in industrial settings meet security-by-design standards.
## Common Pitfalls to Avoid
- **Over-privileged Service Accounts:** Treating service accounts as "set and forget," allowing them broad access that attackers exploit for lateral movement.
- **MFA Fatigue:** Assuming standard MFA is unhackable; attackers often use social engineering or session theft to bypass basic MFA.
- **Orphaned Credentials:** Failing to delete keys, access tokens, or private keys after a project is completed or a user departs.
## Resources
- **Google Cloud Threat Horizons Report:** [https://cloud.google[.]com/solutions/security/leaders]
- **CISA Identity and Access Management Best Practices:** [https://www.cisa[.]gov/resources-tools/resources/iam-recommended-best-practices]
- **Industrial Cyber News:** [https://industrialcyber[.]co]
- **Defanged Rsync Vulnerability Docs:** [https://github[.]com/google/security-research/security/advisories/GHSA-p5pg-x43v-mvqj]