Players in online games can pretend to be superheroes or supervillains, however, real-life villains are constantly popping up with new threats to the security of gaming platforms. Maurice Ko, VP of engineering at Kabam, shares how the mobile gaming leader shored up its defenses to safeguard games and players.Â
Almost no company can say they have the best security environment ever. There are always hackers who can find ways to make problems. But, focusing on security is just part of my job as VP of engineering at Kabam,in our aim to keep leading in developing entertaining, immersive mobile games. I’d really rather perfect the art of game design to entertain millions of players around the globe.It’s always exciting to work on games that can raise the bar for mobile gaming with high-quality graphics, next-generation technology, and revolutionary gameplay.Â
That also means our profile as a target for hackers has risen, making tightened security essential. I knew we had to bring the same focus of game design to safeguarding our actual games and those playing them. We have been running on Google Cloud since 2017 and, until recently, only worked internally to protect our games and gamers from security threats.Â
Security is a domain where we always want to have different points of view and opinions from multiple third parties. A multi-angle approach proves beneficial in most cases and allows better preparation against attacks. Over the years, we’ve followed the best practices of many external vendors. They all seem to make sense, and we haven’t had any major incidents to date, thankfully. But, as we all know, security is one of those moving targets where someone is always finding unique ways to break into your computing resources, so we didn’t want to take any chances.
We needed a fresh perspective on our secure use of Google Cloud products for peace of mind to make sure we had been following the absolute best practice, and if not, what else could we be observing. Our is a world that is constantly changing, and our industry, specifically, is undergoing rapid evolution. With any tech evolution, there is always the risk of more evolved security threats. It’s necessary to be aware and protected, especially when the safety and privacy of our gamers are in question.
To get additional security expertise, Google Cloud recommended that we engage with SADA, a Google Cloud Reseller Partner, to conduct a thorough Cloud Security AssessmentOpens a new window .Â
Security is a wide-open topic, which is one of the reasons we wanted to conduct a security assessment with them. Their Cloud Security Assessment presented an opportunity to have another type of evaluation to ensure we were as close to foolproof as possible with our Google Cloud implementation.Â
See More: Hyper-Casual Games: What Advertisers Need to Know About This Growing Opportunity
Assessing Our Vulnerabilities
As a result of working with the experts at SADA, Kabam has obtained an unbiased, third-party opinion as to our current cloud security capability. Across ten domains of security, our strategy was assessed, results documented and recommendations made and shared.Â
The assessment team evaluated our environment based on their deep knowledge of Google Cloud foundations, starting with an automated Google Cloud Security Posture Review. After that, the team, including a senior cloud security engineer and a project manager, evaluated our existing configurations and platform controls to reduce risk and confront common threats.Â
From a user point of view, they made it a very low-effort process because they were so well prepared and experienced. We just made the high-level ask for what we wanted, and SADA and Google Cloud worked out all the details of the project.
The assessment consisted of three phases:
- Resource planning and understanding our security requirements: In addition to identifying necessary internal technical and personnel, this phase consisted of reviewing the security environment, looking at things like compliance requirements, security challenges, previous technical design documents, and an overview of our current and future Google Cloud plans
- Cloud security maturity score assessment: The team spent two weeks conducting a highly detailed review of our security posture, evaluating and scoring ten different areas:
- Identity and Access Management (IAM) strategy
- Secrets management and data security
- Organization policy strategy
- DevSecOps pipeline
- Virtual private cloud (VPC) service controls and private Google access with DNS for isolation
- Logging and monitoring strategy
- Asset threat management
- Google Compute Engine (GCE) and virtual machine (VM) security
- Google Kubernetes Engine (GKE) and container security
- Incident response.
- Threat hunting:Â In this final phase, the team reviewed our activity logs for suspicious activity and patterns. These logs are important sources of information, and while there are automated tools to analyze these audit records, The assessment team also understood that there is no replacement for a skilled expert evaluating them as well. Engineers looked through these logs and asked questions about the contents to dig into them and identify potential threats.Â
Winning with a Secure Action Plan
We are now able to leverage the final assessment report we received and use it as a roadmap for how to mature our security model on Google Cloud further and develop an action plan to address the findings and any gaps.
Back to my earlier point, engaging with a third party allowed me and my team to really continue to focus on the art of game design. We left it to our assessment partners to serve as the voice of authority as to whether our Google Cloud implementation had been set up correctly, walk through our infrastructure, and of course, validate our security. The report was exhaustive and gave us a good baseline on our security and where we stand compared to the rest of the software industry.Â
For those wondering, we received two action items that immediately improved our security. Based on the recommendations, we became aware of separate port and network segmentation vulnerabilities that we were able to remediate quickly.
I know that for so many, gaming can be a great escape from reality. Players can pretend to be superheroes, supervillains, giant, shape-shifting robots, or defenders of the universe. Whatever role they decide to play, their avatars can become nearly invincible. Unfortunately, the same is not true of their devices and the games themselves. Real-life villains will continue to pose new threats to our security and other gaming platforms. We know those threats won’t stop, but we’re in a much better position to prepare for and manage them.
Have you conducted any security threat assessments lately? Share your learnings with us on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We’d love to hear from you!