This document addresses another important aspect of cloud security – Identity Management. As the concepts and terms might be different between cloud providers, this document concentrates on Google Cloud Platform (GCP) and provides an overview of some of the key security services and resources it provides to cloud architects.
Cloud Identity and Access Management (IAM) is a web service that helps you securely control access to GCP resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
The following topics outline some of the key concepts for implementing IAM in Google Cloud Platform.
Google Cloud IAM
Identities in GCP are managed using a service called Cloud IAM (Identity and Access Management).
This service is available globally across all GCP regions, so each user, group, policy and role is configured once and applied from any region around the world.
Cloud IAM Role (or role)
An identity with specific permissions and policies. The Role can be assigned to a user or a group.
Resource
A Resource is a physical asset, such as a computer or hard disk drive, or a virtual asset, such as a virtual machine (VM).
Service account
A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs.
MFA (Multi-Factor Authentication)
Cloud IAM supports strong authentication using either a software device (the Google Authenticator app) or a hardware device, such as a one-time password (OTP) generator or a security key supported by the Fast Identity Online (FIDO) Alliance.
As a best practice, it is strongly recommended to enable MFA for every privileged identity inside a Cloud IAM account.
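The definitions above (roles, service accounts, resources) and the recommendation to protect privileged identities come together when you review an IAM policy. The following is an added example, not code from the original article or from Google: it audits a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns, and reports members holding the broad basic roles (roles/owner, roles/editor), service accounts granted any basic role, and grants to the public principals allUsers and allAuthenticatedUsers. The policy embedded in the script is constructed for the example; the role names and member prefixes (user:, group:, serviceAccount:) are the real GCP conventions.

```python
"""Audit a GCP project IAM policy for over-broad grants.

Added example (not from the original article). The SAMPLE_POLICY below is
constructed; on a real project you would load the output of
`gcloud projects get-iam-policy PROJECT --format=json` instead.
"""
import json

# Basic ("primitive") roles grant broad, project-wide permission sets.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Of those, owner and editor can change resources (and owner can change IAM
# itself), so anyone holding them is a privileged identity worth MFA and review.
PRIVILEGED_ROLES = {"roles/owner", "roles/editor"}
# Special principals that expose a resource to anyone, or to any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy (not taken from any real project).
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "etag": "BwExampleEtag=",
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com",
                 "serviceAccount:ci-deploy@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["group:developers@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]},
    {"role": "roles/viewer",
     "members": ["user:bob@example.com"]}
  ]
}
""")


def members_by_role(policy):
    """Flatten the bindings list into {role: set(members)}."""
    out = {}
    for binding in policy.get("bindings", []):
        out.setdefault(binding["role"], set()).update(binding.get("members", []))
    return out


def privileged_identities(policy):
    """Members holding roles/owner or roles/editor (sorted for stable output).

    A group listed here means every member of that group is privileged.
    """
    found = set()
    for role, members in members_by_role(policy).items():
        if role in PRIVILEGED_ROLES:
            found.update(members)
    return sorted(found)


def service_accounts_with_basic_roles(policy):
    """(member, role) pairs where a service account holds a basic role.

    Service accounts should get narrow predefined or custom roles instead.
    """
    found = []
    for role, members in sorted(members_by_role(policy).items()):
        if role in BASIC_ROLES:
            found.extend((m, role) for m in sorted(members)
                         if m.startswith("serviceAccount:"))
    return found


def public_grants(policy):
    """(member, role) pairs that grant a role to allUsers/allAuthenticatedUsers."""
    return sorted((m, role)
                  for role, members in members_by_role(policy).items()
                  for m in members if m in PUBLIC_MEMBERS)


def audit(policy):
    """Run all checks and return findings as lists of readable strings."""
    return {
        "privileged_identities": privileged_identities(policy),
        "service_accounts_with_basic_roles":
            [f"{m} holds {r}" for m, r in service_accounts_with_basic_roles(policy)],
        "public_grants": [f"{m} holds {r}" for m, r in public_grants(policy)],
    }


if __name__ == "__main__":
    for check, items in audit(SAMPLE_POLICY).items():
        print(f"{check}:")
        for item in items or ["(none)"]:
            print(f"  {item}")
```

On a real project, replace SAMPLE_POLICY with `json.load(open("policy.json"))` after exporting the policy with gcloud; the list returned by privileged_identities is the set of accounts for which the MFA recommendation above applies first, and the other two checks flag grants that contradict least privilege.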
Cloud Identity and Access Management documentation
IAM best practice guides available now
Using IAM securely
Best practices for enterprise organizations
Access Control for Organizations using IAM
Best Practices for Using Cloud IAM and Cloud Billing in Higher Education
Securing Google Cloud Platform – Ten best practices
How to make your Google Cloud Platform project more secure: IAM
About the author
Eyal Estrin is a cloud architect working at the Inter-University Computation Center (IUCC) in Israel. He has more than 20 years of experience in infrastructure, information security and public cloud services. He is a public columnist and shares knowledge about cloud services. You can follow him on Twitter at @eyalestrin.