It is a challenge to keep up with the free HTTPS-enabled data exfiltration tools available. As security professionals in global Financial Services enterprise, we have obligations to exhibit risk-reasonable behaviors. Resisting easy, “invisible” data theft is a core deliverable in our layered security services.
Google is offering a cool “Cloud Shell” that falls into the category I was thinking of when I wrote the paragraph above. It is a highly-functional Linux shell that is available to anyone with https access to the Internet. There are lots of good reasons for Google to offer this service. And they require an active credit card for initial on-boarding — allowing some to argue that there are limits to the anonymity this service might deliver. There are also lots of global Financial Services enterprise misuse cases. Quick, easy, difficult-to-understand data exfiltration being the first that came to mind. Hosting “trustworthy” command and control applications is another. With Internet access, sudo, and persistent storage the only limitations seem to be the creativity of any given hostile party.
Financial Services brands managing trillions of dollars for others need to protect against the misuse of tooling like this. The challenge is that some of us use Google Cloud services for one or another subset of our business activities. And in those approved contexts, that represents risk-reasonable behavior.
This situation is just another example of external forces driving our internal priorities in ways that will require a quick response, and will also induce ongoing risk management workload.
So it goes.
Google Cloud Shell: https://cloud.google.com/shell/