Everyone is looking for the Holy Grail of cloud security. While this Holy Grail is just as elusive as the original, privilege right-sizing comes close. When users are granted access only to the resources required to complete their work, organizations narrow their attack surface considerably. 

Google Cloud Platform Identity and Access Management (GCP IAM) was designed to help companies apply the principle of least privilege to their cloud-based assets. Although GCP IAM roles can be incredibly useful, they can also be complex and cumbersome to implement — especially for organizations with numerous human and synthetic users working across multiple projects. In this post, we’ll examine how GCP IAM roles can be used for privilege right-sizing, including their strengths and weaknesses. We’ll also explore an alternative approach that results in better protection.

Understanding GCP IAM Roles

IAM allows cloud network administrators to define which groups of users have access to which digital resources and the functions they can complete on those resources. When a user attempts to access a resource, IAM compares the user’s requests to the applicable resource policy, either granting or refusing access. 

IAM allows three types of roles: basic, predefined, and custom. Each role represents a collection of permissions that can be applied to a group of principals. Principals include human users or non-human identities such as an app that requires access to cloud resources. Policies control what access should be granted to each resource based on the role of the principal attempting to access them. 

What Are the GCP IAM Roles?

GCP lacks the functionality to assign specific permissions to individual users. Instead, admins must use roles, assigning individual users or groups of users one or more roles. Each role is associated with a specific set of permissions, which are conferred on the users assigned to the role. Below, we’ll discuss each of the three GCP IAM role types, how they work, and the benefits and drawbacks of each. 

Basic

As the name implies, the basic role is very simple and has few applications for GCP business users. The basic roles include three levels of users: viewer, editor, and owner. Viewers can access, but not modify, content. Editors can view, modify, or delete resources. Owners can do all of the above in addition to adding and removing viewers and editors as well as managing permissions and project resources. 

Basic roles give the users assigned to them access to a variety of permissions all across the platform (not limited to the relevant projects). For example, editors can create, modify, or delete resources in many areas of the Google Cloud beyond their assigned projects. This indiscriminate permissioning presents a significant security threat since it opens up extensive vulnerabilities. Although basic roles are easy to set up, they’re best avoided in nearly all business applications. 

Predefined

Predefined roles allow cloud network admins to assign fine-grained access to defined resources. Google creates, maintains, and updates a large number of predefined roles that admins can choose from. When an individual user requires access to a resource, admins can select the most appropriate predefined role and assign it to them. 

Unlike basic roles, predefined roles do not grant blanket-level access across GCP. Instead, they grant users limited access to a set of defined resources and govern what actions can be taken on those resources. Since predefined roles are created and maintained by Google, updates are handled automatically. 

Although predefined roles offer a more targeted way to control access to resources, the sheer number of them is difficult for most admins to keep track of and may result in providing incidental access to unneeded resources. The level of complexity often challenges admins who are already juggling users with dozens or more predefined roles, making it nearly impossible to ensure that the principle of least privilege is being maintained.

Custom

Custom roles make it possible for admins to create organization-specific roles with permissions tailored to meet a specific need. This type of GCP IAM role is especially useful when assigning one or more predefined roles would provide unnecessary access to certain resources. Custom roles only apply to resources within the context in which they were created, either at the project or organization level. 

This feature supports the principle of least privilege, but it also prevents roles from being reapplied in other contexts, where users may require similar access across multiple projects. Since custom roles are created and maintained in-house, updates must be completed manually. Custom roles offer much-needed flexibility, but require additional resources to manage and maintain. 
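The right-sizing decision the custom-role section describes (swap a predefined role for a custom one carrying only the permissions actually needed) is easier to make from data than by hand. The script below is an added example, not code from the original post or from any vendor; it compares a constructed, illustrative permission list for a predefined role against a constructed set of permissions a principal was observed using (in practice, collected from Cloud Audit Logs or Policy Analyzer), reports the excess, and builds the body of a custom role definition in the shape `gcloud iam roles create --file` accepts. The role contents, the usage set and the role title are assumptions.

```python
"""Right-size a custom role from observed permission usage.

Added example, not from the post. The predefined role's permission list and
the observed-usage set below are constructed samples, not authoritative data.
"""
import json
from typing import Iterable

# Constructed sample: permissions a service account exercised during an audit
# window. Real data would come from Cloud Audit Logs or Policy Analyzer.
OBSERVED_USAGE = {
    "storage.objects.get",
    "storage.objects.list",
    "storage.buckets.get",
}

# Constructed, illustrative subset of a predefined role's permissions.
# Not the authoritative list Google publishes for this role.
PREDEFINED_ROLE = {
    "id": "roles/storage.objectAdmin",
    "includedPermissions": {
        "storage.objects.create",
        "storage.objects.delete",
        "storage.objects.get",
        "storage.objects.list",
        "storage.objects.update",
        "storage.buckets.get",
    },
}


def excess_permissions(granted: Iterable[str], used: Iterable[str]) -> set:
    """Permissions the role grants that were never exercised (the over-grant)."""
    return set(granted) - set(used)


def missing_permissions(granted: Iterable[str], used: Iterable[str]) -> set:
    """Permissions exercised but not in the role; these would show up as
    permission-denied errors if the role were the only grant."""
    return set(used) - set(granted)


def build_custom_role(role_id: str, title: str, used: Iterable[str],
                      stage: str = "GA") -> dict:
    """Body of a custom role definition containing only the used permissions.

    The keys match the YAML/JSON file passed to `gcloud iam roles create
    ROLE_ID --project=PROJECT --file=role.json` (JSON is valid YAML input).
    """
    return {
        "title": title,
        "description": f"Right-sized replacement for observed usage ({role_id})",
        "stage": stage,
        "includedPermissions": sorted(set(used)),
    }


def role_file(role: dict) -> str:
    """Serialize the role body for the --file flag."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    granted = PREDEFINED_ROLE["includedPermissions"]
    print("excess:", sorted(excess_permissions(granted, OBSERVED_USAGE)))
    print("missing:", sorted(missing_permissions(granted, OBSERVED_USAGE)))
    # "objectReader" is an assumed, hypothetical custom role id.
    print(role_file(build_custom_role("objectReader", "Object reader",
                                      OBSERVED_USAGE)))
```

The excess set is the attack surface you remove by switching to the custom role; the missing set should be empty before you make the switch, otherwise the principal will start failing. Because custom roles are project- or organization-scoped, the same file has to be created in each context where the role is needed, which is the reusability limitation the paragraph above notes.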

A Better Approach for Right-Sizing Permissioning

In general, GCP IAM roles support least privilege, preventing users from accessing resources not essential to their job functions. But the complexity of managing these roles and the time required to ensure their proper use can create dangerous blind spots. As cloud environments grow increasingly complex and distributed, a more straightforward and comprehensive approach is needed. Here are five strategies that companies can implement for right-sized permissioning. 

Least privilege enforcement

Users with access to resources not required to complete their work present an unnecessary security vulnerability. Without the help of a privileged access management (PAM) platform, discovering and eliminating these excess privileges is a complex and time-consuming task. Right-sizing employee privileges is an essential part of minimizing the size of your organization’s attack surface. 

Zero Standing Privileges (ZSP)

Many organizations provide static access to resources 24/7, regardless of whether the user is actively using those resources. Providing round-the-clock access to networks creates round-the-clock opportunities for hackers, increasing risk. With a Zero Standing Privileges approach, there are no always-on privileged access rights.

Just-In-Time (JIT) permissioning

Just-in-time (JIT) permissioning is a tool that supports ZSP. With JIT permissioning, access is granted to a user for only the minimum time required to complete a task, ensuring that inactive users don’t retain access to resources they’re not using.
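On GCP itself, the building block for a time-limited grant is an IAM Condition: a role binding can carry a CEL expression such as `request.time < timestamp("2024-06-01T10:00:00Z")`, after which the grant lapses on its own (the policy must be at version 3 to hold conditions). The helpers below are an added example, not code from the post or from any PAM product: they construct such a JIT binding for a given TTL, check whether a binding is still live at a given instant, and list the unconditional (standing) bindings in a policy, which are exactly what a ZSP approach aims to eliminate. The member names, role and timestamps are constructed sample values.

```python
"""Time-bound IAM bindings for JIT access and standing-privilege detection.

Added example, not from the post. Binding members, roles and times below
are constructed sample values.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Matches the expiry form of an IAM Condition expression:
#   request.time < timestamp("2024-06-01T10:00:00Z")
EXPIRY_RE = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')
STAMP = "%Y-%m-%dT%H:%M:%SZ"


def jit_binding(member: str, role: str, now: datetime, ttl: timedelta) -> dict:
    """Build a binding that grants `role` to `member` until now + ttl (UTC).

    The same binding can be applied with
    `gcloud projects add-iam-policy-binding PROJECT --member=... --role=...
    --condition=expression=...,title=...`.
    """
    expires = (now + ttl).astimezone(timezone.utc)
    stamp = expires.strftime(STAMP)
    return {
        "role": role,
        "members": [member],
        "condition": {
            "title": "jit-access",
            "description": f"JIT grant, expires {stamp}",
            "expression": f'request.time < timestamp("{stamp}")',
        },
    }


def binding_expiry(binding: dict) -> Optional[datetime]:
    """Expiry encoded in the binding's condition, or None when the binding has
    no condition or no recognisable expiry (i.e. it is a standing grant)."""
    cond = binding.get("condition")
    if not cond:
        return None
    match = EXPIRY_RE.search(cond.get("expression", ""))
    if not match:
        return None
    return datetime.strptime(match.group(1), STAMP).replace(tzinfo=timezone.utc)


def is_active(binding: dict, at: datetime) -> bool:
    """True if the grant is in force at `at`. Unconditional bindings are
    always active; that is the standing privilege ZSP removes."""
    expiry = binding_expiry(binding)
    return expiry is None or at < expiry


def standing_bindings(policy: dict) -> list:
    """Bindings with no expiry condition: candidates for JIT conversion."""
    return [b for b in policy.get("bindings", []) if binding_expiry(b) is None]


if __name__ == "__main__":
    now = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed
    jit = jit_binding("user:alice@example.com",
                      "roles/compute.instanceAdmin.v1", now, timedelta(hours=1))
    standing = {"role": "roles/viewer", "members": ["user:bob@example.com"]}
    policy = {"version": 3, "bindings": [jit, standing]}
    print(jit["condition"]["expression"])
    print("active at +30m:", is_active(jit, now + timedelta(minutes=30)))
    print("active at +2h: ", is_active(jit, now + timedelta(hours=2)))
    print("standing:", [b["role"] for b in standing_bindings(policy)])
```

The expiry check is only half of JIT: the condition stops the grant from being usable, but the expired binding still sits in the policy until something removes it, so a JIT workflow also needs a cleanup step that deletes bindings whose `binding_expiry` is in the past.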

Secrets governance with dynamically-generated secrets

The compromise of digital authentication credentials (secrets) creates a significant security risk. Secrets include user passwords, cryptographic keys, API keys, and tokens used by cloud apps and services. One strategy for ensuring secrets remain secure is to dynamically grant and revoke them. Dynamically generated secrets are created on demand and then expire automatically. Their ephemeral nature greatly reduces risk. 

Enhanced monitoring for multi-cloud environments

Getting a unified view of who has access to what resources has become increasingly difficult, especially when those resources are spread across multiple cloud providers and applications. A cloud-native PAM platform provides a clear view, helping security teams identify and resolve security vulnerabilities such as misconfigurations, high-risk permissions, and suspicious activity across all of your SaaS, IaaS, PaaS, and DaaS solutions. In addition, data gathered from the platform can be fed into your UEBA or SIEM systems to help identify questionable user behavior and assist in post-incident, identity-based security investigations. 

Moving Beyond GCP IAM

GCP IAM is a good tool for applying targeted permissions to groups of users. But for many organizations, it can be difficult to manage, and it’s nearly impossible to easily see who has what permissions, at what level, and for which projects. As businesses move more of their critical operations to the cloud, monitoring and controlling access at a granular level has become essential. This requires tools specially designed to seamlessly facilitate dynamic permissioning and least privilege enforcement, ensuring digital assets remain protected from unauthorized users.
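The visibility gap described above (who has what, at what level, in which project) can be closed for a first pass with the policy JSON that `gcloud projects get-iam-policy PROJECT --format=json` already returns. The script below is an added example, not code from the post or from any vendor: it inverts a set of constructed per-project policies into a principal-centred inventory and flags any binding to a basic role (`roles/owner`, `roles/editor`, `roles/viewer`), which the Basic section above recommends avoiding. Project ids, members and roles are constructed sample values.

```python
"""Principal-centred inventory of IAM grants across projects.

Added example, not from the post. The policies below are constructed samples
in the shape returned by `gcloud projects get-iam-policy PROJECT --format=json`.
"""
from collections import defaultdict

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policies keyed by project id.
POLICIES = {
    "example-prod": {
        "version": 1,
        "bindings": [
            {"role": "roles/owner",
             "members": ["user:alice@example.com"]},
            {"role": "roles/storage.objectViewer",
             "members": ["serviceAccount:app@example-prod.iam.gserviceaccount.com"]},
        ],
    },
    "example-dev": {
        "version": 1,
        "bindings": [
            {"role": "roles/editor",
             "members": ["user:alice@example.com", "group:devs@example.com"]},
            {"role": "roles/viewer",
             "members": ["user:bob@example.com"]},
        ],
    },
}


def invert(policies: dict) -> dict:
    """Map each principal to a sorted list of (project, role) grants."""
    grants = defaultdict(set)
    for project, policy in policies.items():
        for binding in policy.get("bindings", []):
            for member in binding.get("members", []):
                grants[member].add((project, binding["role"]))
    return {member: sorted(g) for member, g in grants.items()}


def basic_role_findings(policies: dict) -> list:
    """Sorted (project, role, member) triples where a basic role is granted."""
    return sorted(
        (project, binding["role"], member)
        for project, policy in policies.items()
        for binding in policy.get("bindings", [])
        if binding["role"] in BASIC_ROLES
        for member in binding.get("members", [])
    )


def report(policies: dict) -> str:
    """Human-readable who-has-what listing with basic roles marked."""
    lines = []
    for member, grants in sorted(invert(policies).items()):
        lines.append(member)
        for project, role in grants:
            flag = "  [BASIC ROLE]" if role in BASIC_ROLES else ""
            lines.append(f"    {project}: {role}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(POLICIES))
    for project, role, member in basic_role_findings(POLICIES):
        print(f"finding: {member} holds {role} on {project}")
```

Run against real exports, the inventory still only covers project-level bindings; grants made at the folder or organization level are inherited by every project beneath them and need to be fetched and merged separately, and group memberships have to be expanded to see the individual humans behind a `group:` member. Those two gaps are a large part of why a dedicated platform is needed once the estate grows.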

Download “Data-Driven GCP Security Strategies for Multi-Cloud Landscapes” to learn more security strategies GCP users can implement to improve cloud security.
