The purpose of Identify and Access Management (IAM) permissions is to reduce security risk by limiting users’ access to only the resources they should have access to. But although Google Cloud Platform’s IAM (GCP IAM) permissions are a valuable tool for some organizations, any standing privileges open up risk. And when configured incorrectly, GCP IAM permissions can create cloud security blind spots that are easy to exploit. Let’s take a bird’s eye view of what GCP IAM permissions are and then look at the best practices you can implement for IAM and how to fill in security gaps.
The Fundamentals of GCP IAM Permissions
IAM permissions govern who or what has access to certain resources and the types of actions they can take on those resources. Users can be human or non-human, such as service accounts. In GCP, admins can assign users to one or more roles, which are associated with a collection of predefined permissions.
In GCP, there are three types of roles that can be used: basic, predefined, and custom. Each has its pros and cons and when to use them really depends on the situation.
Basic
Basic roles include viewer, editor, and owner. Basic roles grant broad access across the platform, enabling those with editor and owner permissions to work on organizational resources well outside of their job responsibilities. This weakness alone makes the use of basic roles a non-starter for nearly all business use cases.
Predefined
Google offers a large collection of roles that have been preconfigured to meet specific needs. These predefined roles are more fine-grained and are automatically updated and maintained, providing admins with a hassle-free, low-maintenance solution for limiting access. Although predefined roles are convenient, they can’t be modified to meet a business’s specific needs and can result in the overprovisioning of privileges.
Custom
A custom role can be set up for a particular use case. This type of permissioning prevents users from inadvertently being assigned unnecessary permissions. But custom roles come with their own set of challenges. Since they can only be applied to the project or organization in which they were created, they can’t be repurposed. For individual users or teams working in more than one context, an individual custom role must be created in each. Custom roles must also be manually maintained and updated, creating additional work for admins.
Best Practices for Using GCP IAM Permissions Securely
Because GCP users are responsible for implementing GCP IAM permissions appropriately, it’s important to follow certain best practices. Here are three that are essential.
Maintain the principle of least privilege
By carefully assigning predefined roles and crafting custom ones, admins can avoid overprovisioning privileges, ensuring that each user has access to only the resources required to fulfill their job responsibilities.
Proactively manage service accounts and secure service account keys
Service accounts provide access to virtual machines rather than human users and are used to manage connections to APIs and Google Cloud services. Rather than a password, service accounts use an account key. These keys function like a password and can be compromised like one too, providing hackers with the credentials needed to breach the system. Carefully monitoring, controlling, and protecting the service account keys in circulation reduces the likelihood that a service account will be used as a point of entry.
Closely monitor access policies and regularly audit access logs
Protectively monitoring access policies helps admins spot and correct policy drift. It can also provide valuable context for determining how and when to make policy adjustments. Regularly auditing access logs can be useful for spotting suspicious behavior that could indicate a security breach.
Why GCP IAM Best Practices Are Not Enough
Best practices are useful for reducing the risk associated with incorrectly implementing GCP IAM permissions. But ultimately, they’re not enough because the permissions IAM grants are standing — users have 24/7 access to privileged resources, making it easier for attackers to exploit these resources if credentials are compromised. Here’s why GCP IAM permissions aren’t enough to protect your environment.
Lacks comprehensive least privilege enforcement capabilities
GCP IAM provides a limited view into who has what privileges. Without a comprehensive view, cloud security admins struggle to appropriately assign and manage privileges.
No way to dynamically grant and revoke credentials
User passwords and service account keys are two of the weakest links in any organization’s cloud security efforts. When these credentials remain static, they create a much larger security risk than those created and revoked on an as-needed basis. Dynamically generating credentials is a much more secure approach.
Inability to track and organize all security-relevant data
Understanding how users are accessing and interacting with cloud resources is essential to maintaining a proactive security stance. To gain this understanding, you must integrate this data for a centralized view of cloud privileges and activity. Identifying and addressing misconfigurations, high-risk permissions, and unusual user behavior requires bringing all security-relevant data together.
Minimize Your Blast Radius
Dynamic permissioning and least privilege enforcement are two powerful strategies for reducing an organization’s attack surface.
Dynamic permissioning
Standing privileges are problematic since they can be exploited 24/7. With a Zero Standing Privileges (ZSP) approach, users are granted permissions on an as-needed basis. Just-in-time (JIT) permissioning enables this approach since it provides each user with access to specific resources for just the amount of time required to complete a task — and permissions automatically expire. Credentials are rotated after the session ends, keeping them unknown, even to the authorized user. When permissioning is handled as a single-use, time-limited instance, compromised user credentials are much less valuable to malicious actors.
Least privilege enforcement
Right-sizing user privileges minimizes the consequences if a user account becomes compromised or if the user represents an insider threat. But discovering and eliminating excess privilege requires using a cloud-native privileged access management platform that centralizes insight into access changes, policy drift, and high-risk identities and privileges.
Eliminate Standing Privileges
Today’s organizations need a comprehensive approach that right-sizes permissioning to strengthen their security stance. Any standing privileges, by nature, introduce unnecessary risk.
Download “Data-Driven GCP Security Strategies for Multi-Cloud Landscapes” to learn more security strategies GCP users can implement to improve cloud security.
