{"id":21126,"date":"2024-04-02T14:12:58","date_gmt":"2024-04-02T08:42:58","guid":{"rendered":"https:\/\/ivaluegroup.com\/en-in\/?p=21126"},"modified":"2025-04-25T13:12:19","modified_gmt":"2025-04-25T07:42:19","slug":"identity-access-management-in-gcp-environments","status":"publish","type":"post","link":"https:\/\/ivaluegroup.com\/en-in\/resources\/blogs\/identity-access-management-in-gcp-environments\/","title":{"rendered":"Identity &#038; Access Management in GCP Environments"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">A significant portion of the world&#8217;s corporate data now resides in the cloud. According to experts, over 60% of corporate data is stored on cloud platforms. <\/span><span style=\"font-size: 16px; font-weight: 400;\">And 65% of that cloud data is stored in either an Amazon Web Services (AWS), Microsoft Azure or <\/span><strong style=\"font-size: 16px;\">Google Cloud Platform<\/strong><span style=\"font-size: 16px; font-weight: 400;\"> (GCP) server. <\/span>Despite being third in market share (11%), Google Cloud Platform (GCP) demonstrates impressive growth potential (48%).<\/p>\n<p><span style=\"font-weight: 400;\">What\u2019s the reason behind this extremely high growth rate? Why have established behemoths like Target, Deloitte, Facebook, Intel, Bloomberg and Spotify decided to make GCP their cloud provider? <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Well, GCP offers cloud services that can do anything requiring a remote server &#8211; run apps, configure &amp; monitor IoT devices, host web servers, power ML apps, manage big data, and much more. And while other cloud services also provide these services, what sets GCP apart is its reasonable payment model backed by servers powerful enough to drive some of the world\u2019s most prevalent applications (Google Search, Maps, YouTube). It has a pay-as-you-go payment model where you pay only for the resources you use, and comes with $300 in free credits. 
Should you decide to go with GCP, your organizational data will be stored in highly trusted servers that host more than 1.42 million websites.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">What also sets GCP apart is its highly effective <strong>Identity &amp; Access Management<\/strong> (<strong>IAM<\/strong>) infrastructure, something we\u2019ll be discussing in depth here. On-premises IAM is far different from IAM in the cloud, because you\u2019re dealing with both humans and machines in the latter &#8211; more on that in a bit.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A good place to start off is to highlight why IAM forms a key part of your cloud security posture. <\/span><\/p>\n<blockquote><p><span style=\"font-weight: 400;\">The reality is, today\u2019s attackers don\u2019t hack in, they log in. <\/span><\/p><\/blockquote>\n<p><span style=\"font-weight: 400;\">And IAM permissions stop bad actors from coming into your cloud and accessing resources ranging from servers on VMs to databases full of sensitive data. Essentially, IAM lets you determine <\/span><i><span style=\"font-weight: 400;\">who<\/span><\/i><span style=\"font-weight: 400;\"> has <\/span><i><span style=\"font-weight: 400;\">what <\/span><\/i><span style=\"font-weight: 400;\">access to <\/span><i><span style=\"font-weight: 400;\">which <\/span><\/i><span style=\"font-weight: 400;\">resources. If your IAM measures aren\u2019t strong, eventually somebody will gain access to something they shouldn\u2019t.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Before getting into GCP IAM best practices, it\u2019s important to understand the lay of the land (even though we\u2019re talking cloud). 
Here are the core components of GCP\u2019s IAM:<\/span><\/p>\n<ul>\n<li aria-level=\"1\"><b>Member:<\/b><span style=\"font-weight: 400;\"> This can be a Google account, a service account, a Google group or any domain that can be granted access to a GCP resource.<\/span><\/li>\n<li aria-level=\"1\"><b>Role:<\/b><span style=\"font-weight: 400;\"> This is a collection of permissions &#8211; instead of granting permissions individually, GCP bundles them into roles that can be granted to members.<\/span><\/li>\n<li aria-level=\"1\"><b>Policy:<\/b><span style=\"font-weight: 400;\"> These are the bindings that tie a member to a role, and dictate which actions a member can perform on which resources.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Let\u2019s spend some time here to discuss <\/span><i><span style=\"font-weight: 400;\">service accounts<\/span><\/i><span style=\"font-weight: 400;\">. They are machine accounts that access data &amp; execute instructions based on their programming, and play a role in every single VM, server and database in your projects. They are used for functions like authorizing movement &amp; access of data, modifying infrastructure and building services. Considering their importance in your cloud infrastructure, it is imperative to have roles for them too &#8211; if a service account has too much access to cloud projects, that situation can cause as much chaos as an over-privileged user account. This facet makes IAM in the cloud drastically different from other IAM systems.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">There are two types of service accounts offered by GCP:<\/span><\/p>\n<ul>\n<li aria-level=\"1\"><b>Google-managed service accounts <\/b><span style=\"font-weight: 400;\">are created &amp; managed by Google. 
For example, when you create a VM in GCP, a supplementary service account automatically gets created with specific roles and permissions.<\/span><\/li>\n<li aria-level=\"1\"><b>User-managed service accounts<\/b><span style=\"font-weight: 400;\"> are created &amp; managed by you. For example, if you want to give your apps access to specific resources like a Cloud Storage bucket, you can create an account and assign it a specific role.<\/span><\/li>\n<\/ul>\n<p>We&#8217;ve understood the different types of accounts involved in Google Cloud Platform (GCP) identity and access management. Now, let&#8217;s explore the various roles available:<\/p>\n<ul>\n<li aria-level=\"1\"><b>Primitive<\/b><span style=\"font-weight: 400;\"> roles are basic roles like owner, editor and viewer, that have broad access and apply across all GCP services.<\/span><\/li>\n<li aria-level=\"1\"><b>Predefined <\/b><span style=\"font-weight: 400;\">roles are service-specific roles that are more granular in nature than primitive ones. 
For example, roles\/pubsub.publisher only provides access to publish messages to a Pub\/Sub topic.<\/span><\/li>\n<li aria-level=\"1\"><b>Custom <\/b><span style=\"font-weight: 400;\">roles are roles that the user defines when predefined roles don\u2019t match their requirements.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Here\u2019s a list of the primitive roles and their permissions (some of which you may already be familiar with if you use Google Docs on a daily basis):<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><b>Role<\/b><\/td>\n<td><b>Permissions<\/b><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Viewer<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Read-only actions like viewing existing resources<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Editor<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Viewer permissions + actions that modify state, like changing existing resources<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Owner<\/span><\/td>\n<td><span style=\"font-weight: 400;\">All editor permissions, plus managing roles &amp; permissions for all resources within the project<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Browser<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Read access to browse the hierarchy for a project, including folders, organization and IAM policy, without seeing the actual resources<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-weight: 400;\">This segues neatly into the resource hierarchy that governs access in GCP environments:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">It starts at the <\/span><b>organization level<\/b><span style=\"font-weight: 400;\">, where roles granted cascade down to everything beneath.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Then, it\u2019s the <\/span><b>folder 
level<\/b><span style=\"font-weight: 400;\">, which can contain multiple projects and is useful for grouping projects by category.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Below is the <\/span><b>project level<\/b><span style=\"font-weight: 400;\">, which contains &amp; isolates resources, and is ideal for creating different environments like development or production.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Finally, we end at the <\/span><b>resource level<\/b><span style=\"font-weight: 400;\">, which deals with granular access control on individual resources within a project.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Great, so we have a grip on GCP\u2019s IAM infrastructure &#8211; accounts (Google account, service account) given roles (roles\/owner, roles\/viewer) to access certain resources (Compute Engine, Cloud Function, Kubernetes Engine). Let\u2019s get right into the best practices when devising and implementing your GCP IAM strategy:<\/span><\/p>\n<h4><strong>Avoid primitive roles<\/strong><\/h4>\n<p><span style=\"font-weight: 400;\">Primitive roles are too broad and heavy-handed, whereas predefined roles are more specific to individual GCP services &amp; products like BigQuery and Cloud Storage. That makes predefined roles finer-grained than primitive ones.<\/span><\/p>\n<h4><strong>Utilize all the value-added services<\/strong><\/h4>\n<p><span style=\"font-weight: 400;\">GCP\u2019s IAM infrastructure has multiple services that allow you to properly customize your strategy. <\/span><b>IAM Role Recommendations <\/b><span style=\"font-weight: 400;\">help fine-tune access based on past usage patterns. <\/span><b>IAM Conditions<\/b><span style=\"font-weight: 400;\"> help set fine-grained conditions on roles, like limiting access to specific IP ranges or times of the day. 
And <\/span><b>IAM Troubleshooter<\/b><span style=\"font-weight: 400;\"> diagnoses &amp; resolves access issues in GCP, so that if a particular user encounters an access-denied error, the troubleshooter can provide the relevant insights.<\/span><\/p>\n<h4><strong>Principle of Least Privilege<\/strong><\/h4>\n<p><span style=\"font-weight: 400;\">This is becoming an increasingly popular approach when it comes to identity access, as it balances and handles the two risks of external attacks and insider threats. Essentially, this principle is all about granting the minimum necessary access to all users. The individual user is provided with only the permissions &amp; access they require to complete their given task. If they need more permissions, they must request them, and every such request is logged. This principle works brilliantly when combined with the next point.<\/span><\/p>\n<h4><strong>Separation of duties<\/strong><\/h4>\n<p><span style=\"font-weight: 400;\">This is a subset of the aforementioned principle, but at a project level. This is when access is structured in a way where one person isn\u2019t able to complete a given project on their own. Therefore, if a particular user\u2019s credentials are obtained by attackers, they will not gain access to the entire project, just one part of it.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This approach can also be translated across hierarchies. A top-level network engineer may have the power to create folders for projects, yet not be able to access the exact contents of them. All this goes a long way in mitigating the fallout of a breach.<\/span><\/p>\n<h4><strong>Regular audits<\/strong><\/h4>\n<p><span style=\"font-weight: 400;\">Finally, this entire ecosystem doesn\u2019t work if you don\u2019t continuously monitor and improve upon it. 
Regularly review all your logs, and audit your IAM roles &amp; permissions every 3 months or so.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">By taking full advantage of GCP\u2019s IAM ecosystem and all its myriad parts, you are setting yourself up for improved security through a simplified, centralized access control platform that also keeps in mind all your compliance requirements. However, do understand that cloud is a relatively new technology and there may be teething problems in trying to assimilate to it, so <\/span><span style=\"font-weight: 400;\">contact us<\/span><span style=\"font-weight: 400;\"> today if you need someone to guide you through it!<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A significant portion of the world&#8217;s corporate data now resides in the cloud. According to experts, over 60% of corporate data is stored on cloud platforms. And 65% of that cloud data is stored in either an Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform (GCP) server. 
Despite being third in market share &hellip;<\/p>\n<p class=\"read-more\"> <a class=\"\" href=\"https:\/\/ivaluegroup.com\/en-in\/resources\/blogs\/identity-access-management-in-gcp-environments\/\"> <span class=\"screen-reader-text\">Identity &#038; Access Management in GCP Environments<\/span> Read More \u00bb<\/a><\/p>\n","protected":false},"author":1,"featured_media":20191,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"default","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"default","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","footnotes":"","_links_to":"","_links_to_target":""},"categories":[131],"tags":[139,194,208],"whitepapers":[],"case_studies":[],"acf":[],"_links":{"self":[{"href":"https:\/\/ivaluegroup.com\/en-in\/wp-json\/wp\/v2\/posts\/21126"}],"collection":[{"href":"https:\/\/ivaluegroup.com\/en-in\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ivaluegroup.com\/en-in\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ivaluegroup.com\/en-in\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ivaluegroup.com\/en-in\/wp-json\/wp\/v2\/comments?post=21126"}],"version-history":[{"count":1,"href":"https:\/\/ivaluegroup.com\/en-in\/wp-json\/wp\/v2\/posts\/21126\/revisions"}],"predecessor-version":[{"id":21127,"href":"https:\/\/ivaluegroup.com\/en-in\/wp-json\/wp\/v2\/posts\/21126\/revisions\/21127"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ivaluegroup.com\/en-in\/wp-json\/wp\/v2\/media\/20191"}],"wp:attachment":[{"href":"https:\/\/ivaluegroup.com\/en-in\/wp-json\/wp\/v2\/media?parent=21126"}],"wp:term
":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ivaluegroup.com\/en-in\/wp-json\/wp\/v2\/categories?post=21126"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ivaluegroup.com\/en-in\/wp-json\/wp\/v2\/tags?post=21126"},{"taxonomy":"whitepapers","embeddable":true,"href":"https:\/\/ivaluegroup.com\/en-in\/wp-json\/wp\/v2\/whitepapers?post=21126"},{"taxonomy":"case_studies","embeddable":true,"href":"https:\/\/ivaluegroup.com\/en-in\/wp-json\/wp\/v2\/case_studies?post=21126"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}