Cloud Architecting with GCP: Part5 - IAM and Security Practices

1. Introduction to IAM and Security in GCP

Security is a critical aspect of cloud architecture, ensuring that applications, data, and resources remain protected from unauthorized access and threats. Google Cloud Platform (GCP) provides a robust security framework built on a zero-trust security model and a shared responsibility approach, where Google secures the infrastructure while customers are responsible for securing their workloads.

This article explores IAM and security best practices in GCP, covering identity management, authentication, network security, data protection, and compliance.

2. Understanding GCP IAM

GCP’s Identity and Access Management (IAM) allows administrators to define who can access which resources and what actions they can perform.

IAM Components:

Principals:

Entities that can access GCP resources (users, groups, service accounts):

A Google account represents a developer, an administrator, or any other person who interacts with Google Cloud. Any email address that is associated with a Google account can be an identity, including gmail.com or other domains.

A service account is an account that belongs to your application instead of to an individual end user.

A Google group is a named collection of Google accounts and service accounts. Every group has a unique email address that is associated with the group.

A Workspace domain represents a virtual group of all the Google accounts that have been created in an organization's Workspace account. Workspace domains represent your organization's internet domain name, such as example.com, and when you add a user to your Workspace domain, a new Google account is created for the user inside this virtual group, such as [email protected]. Google Cloud customers who are not Workspace customers can get these same capabilities through Cloud Identity. Cloud Identity lets you manage users and groups using the Google Admin Console, but you do not pay for or receive Workspace’s collaboration products such as Gmail, Docs, Drive, and Calendar. A Cloud Identity domain is like a Google Workspace account, because it represents a virtual group of all Google Accounts in an organization. However, Cloud Identity domain users don't have access to Google Workspace applications and features.

Roles:

A role is a named list of permissions defined by IAM. Kinds are:

• Basic: broad roles.
• Predefined: specific predefined roles such as instanceAdmin on Compute Engine resources.
• Custom: roles you specify for minimal privileges. Can only by applied to either the project level or organization level, can’t be applied to a folder level.

IAM Policies:

A policy is a collection of access statements attached to a resource. Each policy contains a set of roles and role members, with resources inheriting policies from their parent. Resource policies are a union of parent and resource, where a less restrictive parent policy will always override a more restrictive resource policy. Also, child policies cannot restrict access granted at the parent level. For example, if we grant you the Editor role for Department X, and we grant you the Viewer role at the bookshelf project level, you still have the Editor role for that project. Therefore, it is a best practice is to follow the principle of least privilege.

A policy consists of a list of bindings. A binding binds a list of members to a role, where the members can be user accounts, Google groups, Google domains, and service accounts.

IAM always checks for deny policies before checking for allow policies.

Cloud Identity Aware Proxy (IAP)

Identity-Aware Proxy (IAP) is a security feature in Google Cloud Platform (GCP) that helps control access to applications and resources without requiring a VPN or exposing them to the public internet.

It acts as a gatekeeper that verifies users’ identity and authorization before allowing them to access a resource.

How Does IAP Work?

1. A user tries to access a web application or a cloud resource (e.g., Compute Engine, App Engine).
2. IAP intercepts the request before it reaches the backend service.
3. IAP checks IAM policies to verify whether the user is allowed to access the resource.
4. If the user is authorized, IAP allows access; otherwise, access is denied.

? IAP enforces access based on identity, not just network location.

Example Use Case: A company wants employees to access an internal web app securely without exposing it to the internet. IAP ensures only authenticated, authorized users can access it.

3. Service Accounts and Workload Identity

Service accounts allow applications and workloads to authenticate securely within GCP. A service account is an account that belongs to your application instead of to an individual end user. This provides an identity for carrying out service-to-service interactions in a project without supplying user credentials. You can enable service accounts and grant read-write access to the account on the instance where you plan to run your application. Your application authenticates seamlessly to the API without embedding any secret keys or credentials in your instance, image, or application code.

There are three types of service accounts: user-created or custom, built-in, and Google APIs service accounts. By default, all projects come with the built-in Compute Engine default service account. Apart from the default service account, all projects come with a Google Cloud APIs service account, identifiable by the email: [email protected]. This is a service account designed specifically to run internal Google processes on your behalf, and it is automatically granted the Editor role on the project. Alternatively, you can also start an instance with a custom service account.

Service accounts are authenticated by using an RSA private/public key pair. There is no password associated with a service account, so you can't use a service account to log in with a browser. The private key for a service account can be downloaded as a service account JSON file.

Best Practices for Service Accounts:

• Least Privilege Principle: Assign the minimum required permissions.
• Use Separate Service Accounts: Different services should have their own accounts.
• Disable Unused Accounts: Prevent potential security breaches.
• Workload Identity Federation: Authenticate workloads using external identity providers (e.g., Azure AD, AWS IAM).

4. Authentication and Identity Management

GCP provides multiple authentication mechanisms to strengthen security.

• Google Cloud Identity: Manage users, enforce security policies, and integrate with third-party identity providers.
• Multi-Factor Authentication (MFA): Requires additional verification, reducing phishing risks.
• Single Sign-On (SSO): Simplifies authentication across multiple services.
• Identity Federation: Allows non-Google identities (e.g., Okta, Active Directory) to access GCP securely.

5. Security Best Practices for IAM

IAM misconfigurations can lead to security breaches. Follow these best practices:

• Follow the Least Privilege Principle: Avoid assigning overly permissive roles.
• Regularly Audit IAM Policies: Use IAM Recommender to analyze and remove unnecessary permissions.
• Avoid Using Wildcard (‘*’) Permissions: Grant access only to required users or service accounts.
• Use IAM Conditions: Define policies that apply under specific conditions (e.g., access allowed only from a specific IP range).

6. Network Security in GCP

Protecting network traffic is essential for preventing unauthorized access.

Key GCP Network Security Features:

• VPC Firewalls: Define rules to control inbound and outbound traffic.
• Private Google Access: Allows instances to access Google APIs securely without external IPs.
• Cloud Armor: Protects applications from DDoS attacks and web threats.

7. Data Security and Encryption

GCP offers multiple encryption mechanisms to protect data at rest and in transit.

• Customer-Managed Encryption Keys (CMEK): Control encryption keys instead of using Google-managed keys.
• Data Loss Prevention (DLP): Detect and protect sensitive information (e.g., PII, credit card numbers).
• Cloud HSM (Hardware Security Module): Provides secure cryptographic key storage.
• TLS and HTTPS Enforcement: Ensure secure communication between clients and services.

8. Security Logging and Monitoring

Continuous monitoring helps detect security threats and anomalies.

Essential GCP Monitoring Tools:

• Cloud Logging & Cloud Monitoring: Collect and analyze security events.
• VPC Flow Logs: Monitor network traffic for unusual activity.
• Cloud Audit Logs: Track IAM policy changes and API calls.
• Security Command Center: A centralized platform for threat detection and compliance monitoring.

9. Compliance and Regulatory Considerations

Many organizations must comply with regulatory requirements such as GDPR, HIPAA, ISO 27001, and PCI DSS.

GCP Security Features for Compliance:

• Organization Policies: Define security restrictions at the organizational level.
• Access Transparency Logs: Monitor Google support and engineering access to your resources.
• Confidential Computing: Encrypts data during processing for added security.

10. Conclusion

GCP provides powerful IAM and security features, but proper implementation and best practices are essential to minimize risks. Key takeaways:

• Follow the least privilege model to restrict unnecessary access.
• Use multi-factor authentication and single sign-on for enhanced security.
• Monitor IAM and network security logs to detect unauthorized activity.
• Encrypt sensitive data and use customer-managed keys when needed.
• Leverage Security Command Center for proactive threat detection.

By implementing these best practices, organizations can build a secure, scalable, and compliant cloud environment on GCP.