#VPCServiceControls
New developments in Access Risk, Cloud Governance And IAM

Google Cloud's mission is to help you meet shifting policy, regulatory, and commercial goals. It routinely releases new cloud platform security features and controls to strengthen your cloud environment.
Google Cloud Next introduced new IAM, Cloud Governance, and Access Risk capabilities. Google Cloud launched numerous new features and security upgrades, including:
- Identity and Access Management
- Access risk mitigation through Context-Aware Access, Identity Threat Detection and Response, and VPC Service Controls
- Cloud Governance and Resource Management using the Organisation Policy Service
It also introduced new AI technologies to support cloud operators and developers throughout the application lifecycle. New Gemini Code Assist and Gemini Cloud Assist functionalities provide application-centred AI help throughout the application development lifecycle.
Identity and Access Management updates
Workforce Identity Federation
Workforce Identity Federation extends Google Cloud's identity capabilities with syncless, attribute-based single sign-on. Over 95% of Google Cloud products support Workforce Identity Federation. Support for FedRAMP High government standards was added to help manage compliance.
Increased non-human identity security
Due to microservices and multicloud deployments, workload and non-human identities are growing faster than human identities. Many large organisations contain 10 to 45 times more non-human identities than human identities, which often have wide rights and privileges.
Google Cloud is announcing two new features to strengthen access control and authorisation to secure non-human identities:
X.509 certificates provide keyless Google Cloud API access, enhancing workload authentication.
Managed Workload Identities allow workload-to-workload communication using SPIFFE-based mutual TLS (mTLS) encryption, secure identification, and authentication.
CIEM for multicloud infrastructure
Google Cloud is tackling excessive and unjustified security permissions. It offers protection across all tiers, with tools to manage permissions and proactively address the over-permissioning problem.
Cloud Infrastructure Entitlement Management (CIEM), its main authorisation solution, is currently available for Azure and broadly available for Google Cloud and AWS.
IAM Admin Centre
Google Cloud also introduced IAM Admin Centre, a role-specific single pane of glass for tasks, recommendations, and notifications. Additional services are accessible from the console.
IAM Admin Centre lets organisation and project administrators discover, learn, test, and use IAM functionalities from one place. It provides contextual feature discovery, a daily work focus, continuing learning tools, and well-designed getting-started instructions.
IAM functionality enhancements
Other IAM features expanded and became more robust.
Google Cloud previously unveiled Principal Access Boundary (PAB) and IAM Deny policies, which are effective resource access limitations. As these important controls gain service coverage and adoption, planning and visualisation tools are needed.
To address this, it previewed troubleshooters for Deny and PAB policies.
Privileged Access Manager (PAM) now has two authorisation levels with several principals. Scope entitlement grants may now be customised to apply just to the relevant resources, roles, projects, and folders.
Updates on Access Risk
Comprehensive security requires ongoing monitoring and control, even with authenticated users and workloads with the necessary privileges and active session participation. Google Cloud's access risk portfolio protects people, workloads, and data with dynamic features.
Improved session and access security
Context-Aware Access (CAA) protects Google Cloud access based on user identity, network, location, and corporate-managed devices, among other signals.
CAA will soon include Identity Threat Detection and Response (ITDR) capabilities using activity signals like questionable source activity or new geolocations. These features automatically detect problematic conduct and initiate security validations like MFA, re-authentication, or rejections.
Automatic re-authentication sends a request when users change billing accounts or perform other sensitive tasks. Although you may disable it, Google Cloud recommends leaving it on by default.
Increased VPC Service Control coverage
You can protect your data, resources, and designated services using VPC Service Controls. Google Cloud introduced the Violation Analyser and Violation Dashboard to help diagnose and debug access denial events caused by VPC Service Controls.
Changes to Cloud Governance with Organisation Policy Service
Increased Custom Organisation Policy coverage
Google Cloud's Organisation Policy Service allows programmatic, centralised resource management. Organisation policy provides predefined constraints, but you may create custom policies for additional control. Custom organisation policy now covers more services, with 62 supported.
Google Cloud Security Baseline
Google Cloud promises to simplify high-security outcomes. As part of this effort, it launched the Google Cloud Security Baseline, a stronger set of security settings. Due to positive response, it is now promoting them to all existing customers. Last year, all new customers received them by default.
Users' consoles have seen Google Cloud Security Baseline implementation recommendations since this year. You may also use a simulator to mimic how these restrictions affect your environment.
Updates on resource management
Resource Manager app capability
The Google Cloud Resource Manager has likewise become application-centric. App-enabled folders, presently in preview, simplify administration, organise services and workloads into a single manageable unit, centralise monitoring and management, and show an application-centric perspective.
#GoogleCloudSecurity #CloudGovernance #VPCServiceControls #ContextAwareAccess #CloudInfrastructureEntitlementManagement #ThreatDetectionandResponse #technology #technews #govindhtech #news #technologynews
Google VPC Service Controls: Private IPs for Data Security

Introducing VPC Service Controls with Private IPs to increase the protection against data exfiltration
GCP VPC service controls
Organisations may reduce the risk of data exfiltration from their Google Cloud managed services by using Google Cloud's VPC Service Controls. To help you restrict access to your sensitive data, Google Cloud's VPC Service Controls (VPC-SC) build isolation perimeters around networks and cloud services.
Google Cloud VPC service controls
Google Cloud is thrilled to announce support for private IP addresses in VPC Service Controls today. This new feature allows protected resources to be accessed by traffic from particular internal networks.
Expanding the use of VPC-SC to safeguard resources within private IP address space
With specified perimeters accessible only by authorised users and resources, VPC-SC helps prevent data exfiltration to unauthorised Cloud organisations, folders, projects, and resources. Clients using VPC-SC can enforce least-privilege access to Google Cloud managed services by using its extensive access rule features. Thanks to this new feature, customers can now grant access from specific on-premises environments to resources within a service perimeter.
Enterprise security teams can specify fine-grained perimeter restrictions and enforce that security posture across many Google Cloud services and projects using VPC Service Controls. To readily scale their security controls, users can create, update, and remove resources inside service boundaries.
Crucially, clients can designate private IP address ranges for a VPC network using basic access levels. By attaching these access levels to ingress and egress access rules, which impose granular access controls for Google services, customers can extend perimeters into private address space.
Google Cloud advises the use of a macro, or "mega," perimeter as best practice, since it is simple to scale and administer. Private IP support now gives clients with use cases that call for finer-grained segmentation more options.
Here are a few use cases where the private IP functionality offered by VPC Service Controls might help you create a more secure infrastructure.
Use case: extending your on-premises setup to a secure cloud perimeter
For access evaluation, VPC Service Controls treats a customer's on-premises environment as a single network. Consequently, network-based access controls are enforced on the entire on-premises environment. Because only certain on-premises clients need access to the VPC-SC perimeter, some customers are worried about over-provisioning access. Private address-based ingress and egress rules can be applied to on-premises systems to enable more granular access control from on-premises workloads to perimeter resources.
Use case: dividing up your cloud projects in a shared VPC
As part of its request evaluation, VPC-SC verifies whether the source network belongs to a project within the trusted perimeter. In shared VPC settings the network is owned by the host project and shared with the service project, so customers were previously unable to place the host and service projects in distinct perimeters. With support for private address-based ingress and egress rules, the host and service projects can be situated in distinct perimeters, with access enabled by the rules. This also restricts the number of unapproved services that can reach protected resources.
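As an added example (not part of the post and not Google's own published configuration), here is how the two use cases above map onto a basic access level with a `vpcNetworkSources` condition and an ingress rule that references it. The access level names a private range inside the host project's VPC network; the ingress rule on the service project's perimeter admits only requests from that range, by one service account, to one Cloud Storage method. All project, network, policy, service account and address values are placeholders, and the `gcloud` invocations in the comments are the ones I would expect to use for each file.

```yaml
# --- File 1: private-range-level.yaml (basic access level conditions) ---
# Create with (assumed invocation, placeholders throughout):
#   gcloud access-context-manager levels create onprem-app-subnet \
#     --policy=POLICY_ID --title="On-prem app subnet" \
#     --basic-level-spec=private-range-level.yaml
- vpcNetworkSources:
  - vpcSubnetwork:
      # The shared VPC owned by the host project (placeholder names).
      network: //compute.googleapis.com/projects/host-project-id/global/networks/shared-vpc
      vpcIpSubnetworks:
      # Only sources in these private ranges satisfy the level.
      # 10.10.20.0/24: the on-premises application tier reaching the VPC over VPN/Interconnect (use case 1).
      # 10.20.5.0/24: one service-project subnet carved out of the shared VPC (use case 2).
      - 10.10.20.0/24
      - 10.20.5.0/24

# --- File 2: ingress.yaml (ingress policy for the service project's perimeter) ---
# Apply with (assumed invocation):
#   gcloud access-context-manager perimeters update service-perimeter \
#     --policy=POLICY_ID --set-ingress-policies=ingress.yaml
- ingressFrom:
    # Restrict the principal as well as the network: both must match.
    identities:
    - serviceAccount:app-runner@host-project-id.iam.gserviceaccount.com
    sources:
    - accessLevel: accessPolicies/POLICY_ID/accessLevels/onprem-app-subnet
  ingressTo:
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      # Read-only object access; everything else from these sources stays denied.
      - method: google.storage.objects.get
    resources:
    # Service project number (placeholder) sitting inside the perimeter.
    - projects/123456789012
```

The design point is that the rule narrows on three axes at once: the source range (via the access level), the identity, and the API method. Leaving any one of them at the wildcard widens the perimeter hole; start with all three explicit and relax only when a denied request in the VPC-SC audit logs shows a legitimate need.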
Case study: increasing security at MSCI with VPC Service Controls
MSCI, a well-known provider of vital services and tools for the international investment industry, leverages cloud computing for more than just infrastructure; it is their fundamental underpinning for fostering innovation.
In their pursuit of safe, scalable, and agile computing, MSCI and Google Cloud have been working together since 2022. Their Google Cloud environment, built on their dedication to cutting-edge technology, is a well-planned mix of services that includes Compute Engine, BigQuery, and Kubernetes Engine.
MSCI looked to VPC-SC to protect sensitive data while taking advantage of the scalability offered by the cloud. The driving forces behind this choice were the sensitivity of the data and the need for a defence-in-depth strategy that could secure data at several levels. On top of Google's cloud-first controls, such as IAM and firewalls, VPC Service Controls gave MSCI an extra line of protection with strict egress and ingress restrictions. MSCI also had precise requirements for granular, private IP-based subnetwork access.
"Access to protected resources for particular private IP ranges within the VPC network is made possible by the newly added VPC private address support feature, which gives MSCI the ability to establish precise constraints. Better detailing in MSCI's security configurations is the outcome of this breakthrough," according to Sandesh D'Souza, executive director of Cloud Engineering at MSCI. "The bespoke solution has emerged as a key addition in the organization's security repository, particularly for its support of private IP management, which demonstrates the immense potential of cloud technology when combined with planning and collaborative solution-building."
Next actions
For the majority of Google Cloud users, VPC Service Controls are a fundamental security measure. By supporting private IPs, they can provide clients with more precise controls to better suit their needs. Before going live in production, you can verify your configurations using the newly released VPC Service Controls Dry Run mode.
Read more on govndhtech.com
#GoogleVPCService #datasecurity #googlecloud #VPCServiceControls #cloudservices #VPCnetwork #cloudtechnology #news #technews #technology #technologynews #govindhtech