This document addresses another important aspect of cloud security – Identity Management. As the concepts and terms might be different between cloud providers, this document concentrates on Google Cloud Platform (GCP) and provides an overview of some of the key security services and resources it provides to cloud architects.
Cloud Identity and Access Management (IAM) is a web service that helps you securely control access to GCP resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
The following topics outline some of the key concepts for implementing IAM in Google Cloud Platform.
Google Cloud IAM
Identities in GCP are managed using a service called Cloud IAM (Identity and Access Management).
This service is available globally across all GCP regions, so that each user/group/policy/role are configured once and applied from any region around the world.
Cloud IAM Role (or role)
An identity with specific permissions and policies. The Role can be assigned to a user or a group.
Resource
A Resource is an asset, such as a computer or hard disk drive, or a virtual asset, such as a virtual machine (VM)
Service Account
A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs.
MFA (Multi-Factor Authentication)
Cloud IAM supports the ability to configure strong authentication using either a virtual or software device (Google Authenticator app) or using a hardware OTP (One time password generator) device, supported by Fast Identity Online (FIDO) Alliance.
For best practice, it is strongly recommended to enable MFA for any privileged identity inside a Cloud IAM account.
References:
Cloud Identity and Access Management documentation
https://cloud.google.com/iam/docs/
IAM best practice guides available now
https://cloud.google.com/blog/products/gcp/iam-best-practice-guides-available-now?hl=ko
Using IAM securely
https://cloud.google.com/iam/docs/using-iam-securely
Best practices for enterprise organizations
https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations
Access Control for Organizations using IAM
https://cloud.google.com/resource-manager/docs/access-control-org
Best Practices for Using Cloud IAM and Cloud Billing in Higher Education
https://cloud.google.com/solutions/best-practices-for-iam-and-billing-in-higher-education
Securing Google Cloud Platform – Ten best practices
How to make your Google Cloud Platform project more secure: IAM
About the author
Eyal Estrin, cloud architect.
