StrataPrime’s focus and expertise in IT security enables our customers to strengthen their overall security posture and better protect sensitive data and users. We leverage Google solutions to mitigate a variety of risks, and a fundamental part of that approach is a solid identity and access management (IAM) strategy.
The number of organizations and users within an organization who leverage Google Cloud Platform (GCP) is continuously increasing. An often underappreciated and overlooked set of IAM features is the ability to secure access to the GCP Console and Google Cloud APIs.
When building an effective policy, there are three key principles to consider:
1. Your entire organization likely does not require access to the GCP Console (and APIs)
2. Users should meet a minimum set of criteria in order to access the GCP Console (and APIs)
3. Users should have least-privilege access based on Roles assigned
By default, GCP is enabled at the Organization level. This means that every user in the organization can authenticate to, and access, the GCP Console. Depending on organizational controls and the roles assigned, users may even be able to create their own projects, billing accounts, and resources. This can quickly develop into a Shadow IT problem.
It’s likely that only a small subset of users actually require access to the GCP Console and APIs. These are typically your Developers, DevOps, SREs, Networking, and Security folks, each group with a different degree of access, limited to specific Projects, individual resources, or Folder structures within your Organization’s hierarchy. Access should follow the Principle of Least Privilege (PoLP): users are given only the privileges necessary to perform their intended functions, and no more. When assigning roles and permissions, carefully consider whether that IAM Principal really needs Administrator-level access when Viewer or Editor would suffice (or whether none of those Roles is necessary at all).
Lastly, you want to control the circumstances under which users may access GCP. This means validating not only their identity and level of access, but also the contextual signals present when access is requested, such as geographic location and device type and status. Some examples are:
1. Is the user connecting from a company-owned or company-managed device?
2. Is the user connecting from a trusted network, or specific geographic area?
3. Does the user’s device have disk encryption enabled?
4. Does the user’s device have the latest policy synchronized?
5. Does the user’s device have a screen lock?
There are a few components to consider, and it always starts with a solid foundation. Understanding your organization’s resource hierarchy and organizational structure is paramount when evaluating and defining your next steps to secure access to GCP.
BeyondCorp Enterprise provides an Organization-level feature that restricts Console and API access to authorized users only, based on Group membership and only while the defined context-aware access levels are met.
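As an added illustration of the contextual checks listed above (not configuration from the original post), the following basic access-level spec is in the format consumed by `gcloud access-context-manager levels create --basic-level-spec=FILE`; it requires a corporate-owned device, a trusted network or region, disk encryption, and a screen lock. The CIDR, region and OS versions are constructed placeholders, and the device fields assume Endpoint Verification is reporting device state.

```yaml
# Added example: one access level for the Google Cloud console and APIs.
# All fields inside a single list item must hold at once (AND);
# separate list items would be alternatives (OR).
- ipSubnetworks:
    - 203.0.113.0/24        # constructed placeholder: corporate egress range
  regions:
    - US                    # placeholder: permitted geographic area (ISO country code)
  devicePolicy:
    requireCorpOwned: true  # company-owned / company-managed device
    requireScreenlock: true # device must have a screen lock
    allowedEncryptionStatuses:
      - ENCRYPTED           # disk encryption must be enabled
    osConstraints:          # device state as reported by Endpoint Verification
      - osType: DESKTOP_MAC
        minimumVersion: 13.0.0   # placeholder minimum OS version
      - osType: DESKTOP_WINDOWS
        minimumVersion: 10.0.0   # placeholder minimum OS version
```

Create the level in your organization’s access policy with `gcloud access-context-manager levels create NAME --title=TITLE --basic-level-spec=level.yaml --policy=POLICY_ID`, then assign it to the Google Cloud console and APIs under Context-Aware Access in the Admin console, scoped to the Group of authorized users.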
StrataPrime can help you implement GCP Foundations to set up your organization for success, as well as perform a comprehensive GCP Security Review to help you plan and implement controls on your GCP journey. Contact us using the form below to learn more.