Google Cloud may be more vulnerable than its competitors to unnoticed data theft, thanks to logs that are not as helpful as they should be.
Cybersecurity firm Mitiga analyzed Google Cloud’s online storage and found that the platform’s logging mechanism comes up woefully short in terms of providing useful information. This is especially concerning since these logs are used by security professionals and law enforcement to identify the scope of a potential breach.
According to Mitiga, Google’s current logging system cannot effectively differentiate between a threat actor viewing data versus exfiltrating it:
Even with the detailed logging constraint applied, Google logs events of reading Metadata of an object in a bucket the same way it logs events of downloading the exact same object. This lack of coverage means that when a threat actor downloads your data or, even worse, exfiltrates it to an external bucket, the only logs you would see will be the same as if the TA just viewed the metadata of the object.
While this issue doesn’t inherently make Google Cloud any more insecure than the next cloud provider, it does mean that customers impacted by a data breach on Google Cloud may have a much harder time taking the appropriate investigative action.
Mitiga reached out to Google Cloud and received the following response:
“The Mitiga blog highlights how Google’s Cloud Storage logging can be improved upon for forensics analysis in an exfiltration scenario with multiple organizations. We appreciate Mitiga’s feedback, and although we don’t consider it a vulnerability, have provided mitigation recommendations.”
