    Comprehensive Guide to Google Cloud Operations, IAM

    Learn how to manage identities and access in Google Cloud with GCP IAM. Discover best practices for policy management, user administration, authentication, and leveraging external tools like SailPoint and CyberArk for enhanced security and compliance.

    Published on Feb 28, 2025

    Access Management

    Executive Summary

    GCP IAM is important for managing identities and access in Google Cloud, enabling fine-grained controls for secure operations. This guide covers policy management, user and service account administration, authentication, monitoring, and privileged access.

    It’s recommended to use Workload Identity Federation to avoid static credentials, implement IAM Conditions and Tags for more granular access control, and apply Org Policies to enforce security guardrails. Additionally, external tools like SailPoint, Saviynt, and CyberArk can enhance GCP’s native features for better governance, compliance, and monitoring.

    By integrating GCP’s features with external solutions, organizations can enable scalable identity governance, dynamic authentication, and proactive threat detection, ensuring secure and efficient cloud operations.

    GCP IAM Concepts

    Account Attributes

1. GCP IAM Concepts

• An organization is the highest level in GCP's hierarchy, representing the company or entity that manages resources. For example, a bank would manage all its business operations under a single organization in GCP.
• A folder is a logical grouping of projects that helps organize resources and policies. For example, a bank might create folders for Insurance, Retail Banking, and Investment Banking to manage its various divisions.
• A project is the smallest resource container in GCP, holding services and resources. For instance, a KYC Analytics project under the Insurance folder is used to analyze customer data.
• An account is an identity used for authentication and authorization to access resources. For example, a bank employee's account (e.g., john.doe@bank.com) provides access to the KYC Analytics project.
• In GCP, a tenant is typically represented by a project, acting as an isolated unit for resources, billing, and permissions. For example, the KYC Analytics project can be considered a tenant within the Insurance folder. GCP allows tenants to be defined at the project, folder, or organization level, depending on the customer's preference. Unlike AWS, where an account is a tenant and users belong to a single AWS account, GCP does not have a physical concept like an AWS account. Instead, users belong to organizations and can be assigned permissions at the organization, folder, project, or resource level.

    2. IAM User Attributes

Unlike many corporate identity stores, GCP IAM does not natively store first names, last names, or personal emails for each user. Instead, each IAM user is identified by their Email Address, which serves as a unique identifier (e.g., jdoe@gmail.com or jdoe@yourdomain.com) and is used as the primary reference in GCP. The remaining attributes are:

• Google Account ID: A unique, automatically generated numerical ID tied to the user's Google account.
• Service Account ID (for NHIs): A unique identifier for service accounts, formatted as service-account-name@project-id.iam.gserviceaccount.com.
• Creation Time: The timestamp indicating when the user or service account was created.
• Tags (Optional): Key-value pairs defined to store additional metadata (e.g., FirstName=John, LastName=Doe, Team=Finance). Tags provide contextual details for accounts.
• Authentication Factors: These are attributes used if authentication is not externalized to an identity provider (IdP) like Okta or Azure AD:
  • Password: If set, password policies (e.g., complexity, expiration) and the last-used timestamp are tracked.
  • OAuth Tokens: Temporary tokens used for programmatic access to resources.
  • MFA Configuration: Configured through tools like Google Authenticator, hardware tokens (e.g., YubiKey), or other supported MFA options.
• Last Activity Time: Tracks the most recent activity (e.g., API calls or console logins), helping to identify dormant accounts.
• Organization Membership: Reflects the user's placement within the GCP hierarchy, such as the organization or folder. Users are not directly "assigned" to an organization or folder in GCP IAM but are granted access via role assignments. For example, a user, john.doe@yourdomain.com, is part of the organization mycompany.com because their account is managed by the linked Google Workspace domain.
• Credential Type (Service Accounts): Includes private keys or Workload Identity Federation credentials for programmatic authentication. These credentials should be securely stored in a secret manager or equivalent service.

3. Entitlement Types & Their Attributes

Entitlement Type: Role Assignment
Key Attributes: Role Name, Principal (Google Account/Service Account/Group), Resource
Description and Example: A role in GCP IAM is a collection of permissions that defines actions on resources (e.g., roles/sql.admin). Roles are assigned to users, groups, or service accounts to grant specific permissions. For example, you can create a custom role called DBA_Backup with permissions like sql.backupRuns.create and sql.backupRuns.list, then assign it to a group, such as DBA_Backup_Group.

While roles do not directly support conditions, IAM Conditions can be applied when assigning a role to restrict its use. For example, you can require that backups initiated by users in the DBA_Backup_Group must originate from a specific bastion host by applying an IP-based condition during role binding.

Entitlement Type: Group Membership
Key Attributes: Group Name, Group Email, Assigned Roles
Description and Example: A group in GCP is a logical grouping of users or service accounts for collective role assignments. For example, you can add john.doe@yourdomain.com to the group finance-team@yourdomain.com and assign the group the roles/bigquery.dataViewer role to access BigQuery datasets.

In GCP, a group represents a business role, grouping users based on job duties, while a role defines the IT function, specifying the technical permissions needed to perform tasks on resources. Groups simplify permission management by aligning organizational roles with access needs.

For example, the Backup Operators Group (backup-operators@yourdomain.com) includes all users responsible for database backups. Assigning the roles/sql.admin role to this group ensures all members can perform backup operations without individually managing their permissions.

Entitlement Type: Identity-Based Policy
Key Attributes: Role (Predefined/Custom), Principal (Google Account/Service Account/Group), Scope
Description and Example: In GCP, IAM roles define the actions that an identity (user, service account, or group) can perform at the project or folder level. For example, you can grant the roles/viewer role to a service account analytics-sa@project.iam.gserviceaccount.com to allow it to access project-wide resources.

The scope of a role assignment can be the resource itself, the project the resource belongs to, or the aggregating entities above it (folder and organization). The scope defines the range of a permission, such as which databases may be backed up. For example, by defining the scope, you can specify which set of databases a service account or user can back up, making it easier to manage access at different levels of the hierarchy.

Entitlement Type: Resource-Based Policy
Key Attributes: Resource (e.g., BigQuery Dataset, Pub/Sub Topic), Principal, Role
Description and Example: In GCP, you can attach permissions directly to a resource, allowing cross-project or cross-account access. For example, you can grant a service account in Project A the roles/pubsub.subscriber role for a Pub/Sub topic in Project B.

While this provides convenience and flexibility, it is generally not recommended in GCP. Instead, it is better to use scoped role grants constrained by IAM Conditions, as this approach ensures more secure, manageable, and precise control over access within the cloud environment.

Entitlement Type: Organization Policies (Org Policies)
Key Attributes: Constraints (e.g., Regions, Services, Network Configurations)
Description and Example: Global guardrails in GCP are policies that define overarching rules for projects and resources within an organization to ensure consistent security, compliance, and operational standards.

For example, you can enforce a policy that disallows the creation of VMs with external IPs for security reasons. This policy ensures that no virtual machine within the organization is exposed to the public internet, reducing the risk of unauthorized access and improving overall security.

Entitlement Type: IAM Conditions
Key Attributes: Attribute-Based Conditions (Time, IP, Resource Tag, Device)
Description and Example: You can add granular conditions to role bindings or policies in GCP to implement fine-grained access control.

For example, you can allow access to Cloud Storage buckets only during business hours (9 AM - 6 PM) and from trusted IP ranges (e.g., 192.168.1.0/24).

Entitlement Type: Service Account Permissions
Key Attributes: Service Account, IAM Role, Conditions
Description and Example: You can assign roles to service accounts for workload-specific operations to ensure that the service account has the necessary permissions to perform its tasks.

For example, you can grant the roles/compute.instanceAdmin role to a service account used by an application, allowing it to manage virtual machines in Compute Engine.

Entitlement Type: Workload Identity Federation
Key Attributes: Identity Provider (IdP), Service Account, Scope
Description and Example: Allows external workloads (e.g., AWS Lambda, on-prem apps) to securely access GCP resources without using long-lived service account keys.

For example, you can enable an external AWS Lambda function to impersonate a GCP service account to access Pub/Sub resources.

Entitlement Type: Tags and Labels
Key Attributes: Tags (Key-Value Pairs), Scope (Resource/Project)
Description and Example: You can use tags and labels in GCP for managing metadata and enforcing policy.

For example, you can apply the tag Environment=Production to restrict access to production workloads or enforce billing segregation.

It's important to note that IAM Conditions and Tags/Labels both serve to restrict policy assignments, but they differ in focus. IAM Conditions are based on authentication or login context, such as the time of day, the IP address, or other environmental factors. In contrast, Tags and Labels are tied to resource attributes, such as the resource type, name, or metadata.
For example, if you want to restrict access to development resources and limit it to working hours, Tags/Labels would enforce the "environment type=development" constraint, while the IAM Condition would enforce the "time between 9 AM and 4 PM" constraint.
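The entitlement patterns above (public principals, privileged roles on service accounts without a condition, basic roles granted to individual users instead of groups, and context- versus resource-based conditions) can be checked mechanically against a project's IAM policy. The script below is an added example, not code from the article or from Google; it reads the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns, and the policy, project id, domain and tag key in it are constructed placeholders.

```python
"""Review a GCP IAM policy document for the entitlement patterns above.

Added example, not code from the article or from Google. Input is the JSON
shape returned by `gcloud projects get-iam-policy PROJECT --format=json`;
the policy below is constructed, and the project id, domain and tag key
are placeholders.
"""
import json
from typing import Dict, List

# Roles this reviewer treats as privileged (an assumption for the example).
PRIVILEGED_ROLES = {
    "roles/owner", "roles/editor", "roles/iam.securityAdmin",
    "roles/sql.admin", "roles/compute.instanceAdmin",
}
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed policy: one binding per pattern discussed in the table.
SAMPLE_POLICY = json.dumps({
    "version": 3,
    "bindings": [
        {"role": "roles/sql.admin",
         "members": ["group:backup-operators@yourdomain.com"]},
        {"role": "projects/my-project/roles/DBA_Backup",
         "members": ["group:dba-backup-group@yourdomain.com"],
         "condition": {
             "title": "business-hours",
             "expression": 'request.time.getHours("America/New_York") >= 9 '
                           '&& request.time.getHours("America/New_York") < 18'}},
        {"role": "roles/compute.instanceAdmin",
         "members": ["serviceAccount:app-sa@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
        {"role": "roles/editor", "members": ["user:john.doe@yourdomain.com"]},
        {"role": "roles/bigquery.dataViewer",
         "members": ["serviceAccount:analytics-sa@my-project.iam.gserviceaccount.com"],
         "condition": {
             "title": "dev-only",
             "expression": 'resource.matchTag("123456789012/env", "development")'}},
    ],
})


def classify_condition(expression: str) -> List[str]:
    """Label a CEL condition as login-context (time, access level) or resource (tag, name) based."""
    kinds = []
    if "request.time" in expression:
        kinds.append("time")
    if "request.auth.access_levels" in expression:
        kinds.append("access-level")
    if "resource.matchTag" in expression or "resource.name" in expression:
        kinds.append("resource")
    return kinds or ["other"]


def review_policy(policy_json: str) -> List[Dict[str, str]]:
    """Return one finding per risky binding member plus an info entry per conditional binding."""
    policy = json.loads(policy_json)
    findings: List[Dict[str, str]] = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        condition = binding.get("condition")
        for member in binding.get("members", []):
            kind, _, _name = member.partition(":")
            if member in PUBLIC_PRINCIPALS:
                findings.append({"severity": "high", "role": role, "member": member,
                                 "issue": "role granted to a public principal"})
            elif kind == "serviceAccount" and role in PRIVILEGED_ROLES and condition is None:
                findings.append({"severity": "high", "role": role, "member": member,
                                 "issue": "privileged role on service account without IAM Condition"})
            elif kind == "user" and role in BASIC_ROLES:
                findings.append({"severity": "medium", "role": role, "member": member,
                                 "issue": "basic role granted directly to a user instead of a group"})
            if condition is not None:
                kinds = "/".join(classify_condition(condition["expression"]))
                findings.append({"severity": "info", "role": role, "member": member,
                                 "issue": f"conditional binding ({kinds})"})
    return findings


if __name__ == "__main__":
    for f in review_policy(SAMPLE_POLICY):
        print(f"[{f['severity']}] {f['role']} -> {f['member']}: {f['issue']}")
```

The group-based roles/sql.admin binding produces no finding, which is the shape the table recommends; the two conditional bindings are reported at info level so a reviewer can see which are context-based and which are tag-based.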

    Recommendations 

    Policy Recommendations

    Policies Included: Identity-Based Policies, Resource-Based Policies, IAM Conditions, Tags and Labels, Organization Policies, Role Definitions. 

    Options for Configuration:

GCP Native Tools:
• GCP Console, gcloud CLI, REST API, or Infrastructure-as-Code (Terraform/Deployment Manager): These tools come with built-in features that ensure scalability, automation, and auditability for efficient cloud resource management.

External Products:
• IGA Tools (e.g., SailPoint, Saviynt, Okta): These tools centralize governance for role definitions and identity-based policies, and facilitate periodic reviews to ensure secure identity management across cloud environments.
• CNAPP Tools (e.g., Palo Alto Prisma Cloud, Wiz, Orca Security): These tools focus on resource-based policy management and enforcement to secure cloud-native workloads, offering comprehensive cloud security across multiple platforms.
• CSPM Tools (e.g., Check Point CloudGuard, Lacework, Rapid7 InsightCloudSec): These tools help monitor, audit, and enforce organization policies and IAM conditions to ensure compliance and governance in cloud environments.
• CWPP Tools (e.g., CrowdStrike Falcon, Trend Micro Cloud One, McAfee MVISION Cloud): These tools specialize in managing IAM conditions and resource-based policies to secure containerized workloads and cloud infrastructure, providing layered protection for modern cloud applications.

    Aggregation Entities Administration Recommendations

    Scope: Organization, Project, Folder, Tenancy Definitions, Org-Level Guardrails (Org Policies).

    Options for Configuration:

GCP Native Tools:
• GCP Console: The GCP Console allows you to directly create and manage organizations, projects, folders, and roles. It is best suited for smaller-scale setups or one-off configurations where a graphical interface is preferred for quick management.
• gcloud CLI: The gcloud CLI is ideal for scripting and programmatically creating organizations, projects, folders, and roles. It is well-suited for automation and handling repetitive tasks, offering flexibility for users who prefer command-line interfaces.
• GCP API: With the GCP API, you can integrate API calls into custom workflows or automation systems to dynamically create and manage organizations, projects, folders, and roles. This provides a programmatic approach for complex or highly automated environments.
• Terraform or Deployment Manager: These tools allow you to define and deploy organizations, projects, folders, and roles as Infrastructure-as-Code (IaC). Using IaC enables version control, auditability, and smooth integration into CI/CD pipelines for scalable and repeatable infrastructure deployments.

External Products:
• IGA Tools (e.g., SailPoint, Saviynt, Okta): These tools provide centralized governance over identity roles, projects, and policies, supporting workflows for folder/project management and periodic role reviews.
• CNAPP Tools (e.g., Palo Alto Prisma Cloud, Wiz, Orca Security): These tools offer resource-level policy enforcement, monitoring, and configurations specifically for GCP workloads. They ensure compliance across projects and folders.
• CSPM Tools (e.g., Check Point CloudGuard, Lacework, Rapid7 InsightCloudSec): These tools focus on monitoring and enforcing organization policies at the organizational level, including configuration checks and compliance enforcement for cloud security guardrails.

User Administration

Scope: User Account Creation, User Group Assignments, and Identity Policy Assignments to Users (if direct assignment is supported).

Options for Configuration:

GCP Native Tools:
• GCP Console, gcloud CLI, REST API, or Infrastructure-as-Code (Terraform/Deployment Manager): These create and manage groups, roles, and policy assignments for human users. They provide flexibility for scalability, automation, and auditability.

External Products:
• IGA Tools (e.g., SailPoint, Saviynt, Okta): These tools support centralized governance for creating and managing groups, assigning IAM roles to users or groups, and implementing workflows for identity policy assignments with periodic reviews.
• CNAPP Tools (e.g., Palo Alto Prisma Cloud, Wiz, Orca Security): These tools provide insights into misconfigured IAM roles and facilitate role and policy assignment audits for cloud-native environments.
• CSPM Tools (e.g., Check Point CloudGuard, Lacework, Rapid7 InsightCloudSec): These tools monitor and enforce compliance of user group assignments and role configurations, helping organizations maintain alignment with organizational policies and regulatory requirements.

    PAM (Privileged Account Monitoring)

    Scope: Monitor and manage Break The Glass Activities, Emergency Assignments, Privileged Session Recording, Shared Accounts Administration, and Break The Glass Account Administration

    Options for Configuration:

GCP Native Tools:
• GCP IAM, Cloud Logging, Cloud Monitoring, and Cloud Audit Logs: These tools offer basic privileged activity monitoring, emergency privilege escalation tracking, and anomaly detection.

External Products:
• PAM Tools (e.g., CyberArk, BeyondTrust, Delinea): These tools provide advanced features like privileged session recording, just-in-time privilege escalation, shared account governance, and workflows for break-glass account management.
• IGA Tools with PAM Capabilities (e.g., SailPoint, Saviynt): These tools enable the integration of privileged account management workflows with emergency privilege escalation, periodic reviews, and centralized management of privileged identities.
• CNAPP Tools (e.g., Palo Alto Prisma Cloud, Wiz): These tools monitor GCP environments for privileged misconfigurations, excessive permissions, and privilege-related security risks. While they offer valuable insights into cloud security, session recording capabilities may be limited.
• CSPM Tools (e.g., Check Point CloudGuard, Lacework, Rapid7 InsightCloudSec): These tools audit and alert on privileged access risks, focusing on compliance and excessive privilege detection in GCP environments.

    Note

    Determining which GCP accounts should be scoped for PAM involves the following considerations:

    • Policies and Permissions: Privileged accounts with high-risk permissions (e.g., resource provisioning or administrative tasks) require PAM, while low-risk, read-only accounts may not.
    • Assessing the compliance needs, risk severity, and business criticality of the applications accessed helps guide the necessity of PAM.
    • Nature of the Account: Evaluate different types of accounts, such as named, shared, break-glass, and service accounts, based on their usage and associated risks.
    • Frequency and Scope: Rare, high-impact activities (such as emergency administrative access) warrant PAM, while frequent, low-risk actions (like regular data viewing) may not.

    This approach ensures that PAM is applied effectively, where it provides the most value in terms of security and compliance, while avoiding unnecessary complexity.

    NHI Administration

    Scope: Service Account Permissions. 

    Options for Configuration:

GCP Native Tools:
• GCP IAM, gcloud CLI, REST API, or Infrastructure-as-Code (Terraform/Deployment Manager): These tools help you define and assign roles, policies, and permissions to service accounts with scalability, consistency, and auditability.

External Products:
• NHI Governance Tools (e.g., Natoma, Veza, Astrix): NHI Governance tools automate service account permission governance by handling fine-grained role assignments, secure credential storage, credential rotation, and enforcement of Zero Trust principles.
• IGA Tools (e.g., SailPoint, Saviynt): IGA tools facilitate governance workflows for service account entitlements by incorporating features like approval processes, periodic permission reviews, and compliance tracking to ensure alignment with GCP IAM.

    A Note on Role vs NHI

    Navigating workload security and NHI (Service Accounts) in GCP offers a great opportunity for threat modeling and developing best practices. There are several ways to secure machine interactions within GCP IAM:

1. Service Account-Based Approach (Static Credentials): Create a Service Account (NHI) and provide its private key to the consuming program. The program then uses the Service Account credentials to directly perform operations in GCP.
2. Workload Identity Federation-Based Approach: Create a Service Account without using its credentials. Instead, configure Workload Identity Federation to enable an external identity (e.g., AWS IAM role or Azure AD identity) to authenticate and impersonate the Service Account. This approach eliminates the need for static credentials.
3. Hybrid Defense-In-Depth Approach: Implement multiple layers of defense based on Zero Trust Architecture principles. Here's how it works:
   • Create the Service Account: Assign the Service Account the necessary permissions and securely store its credentials in a credential store like Secret Manager.
   • Use Workload Identity Federation: Configure federation for a separate Service Account with limited permissions, allowing the consuming program to access the credential store.
   • Retrieve Credentials Securely: Use the federated Service Account to securely retrieve the high-privilege Service Account credentials from the credential store.
   • Credential Rotation: Leverage GCP's automation tools to periodically rotate credentials, reducing the risk of misuse or compromise.
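Approaches 1 and 3 both leave a user-managed key in existence, so the rotation step is what keeps that key's exposure window short. The check below is an added example, not code from the article or from Google: it reads the JSON list that `gcloud iam service-accounts keys list --iam-account=SA --format=json` returns, ignores the Google-managed keys that rotate automatically, and reports which user-managed keys are older than an assumed 90-day rotation interval. The key records, project, account and key ids are constructed placeholders, and the clock is fixed so the output is reproducible.

```python
"""Find user-managed service account keys that are overdue for rotation.

Added example, not code from the article or from Google. Input is the JSON
list returned by `gcloud iam service-accounts keys list --iam-account=SA
--format=json`; the records below are constructed, and the project, account
and key ids are placeholders.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

MAX_KEY_AGE_DAYS = 90  # rotation interval assumed for this example

SA = "projects/my-project/serviceAccounts/app-sa@my-project.iam.gserviceaccount.com"
SAMPLE_KEYS = json.dumps([
    # Google-managed key: short-lived and rotated by Google, so it is not a finding.
    {"name": SA + "/keys/placeholder-google-1", "keyType": "SYSTEM_MANAGED",
     "keyOrigin": "GOOGLE_PROVIDED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "validAfterTime": "2024-11-01T00:00:00Z", "validBeforeTime": "2024-11-15T00:00:00Z"},
    # User-managed key created ten months before the fixed clock: overdue.
    {"name": SA + "/keys/placeholder-user-old", "keyType": "USER_MANAGED",
     "keyOrigin": "GOOGLE_PROVIDED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "validAfterTime": "2024-01-10T12:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    # User-managed key created three weeks before the fixed clock: still within interval.
    {"name": SA + "/keys/placeholder-user-fresh", "keyType": "USER_MANAGED",
     "keyOrigin": "GOOGLE_PROVIDED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "validAfterTime": "2024-10-20T08:30:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    # Disabled user-managed key: cannot authenticate, but still exists and should be deleted.
    {"name": SA + "/keys/placeholder-user-disabled", "keyType": "USER_MANAGED",
     "keyOrigin": "GOOGLE_PROVIDED", "keyAlgorithm": "KEY_ALG_RSA_2048", "disabled": True,
     "validAfterTime": "2023-05-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
])

# Fixed "now" so the example is deterministic; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 11, 10, tzinfo=timezone.utc)


def parse_time(ts: str) -> datetime:
    """Parse the RFC 3339 timestamps gcloud emits (trailing Z) into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def review_keys(keys_json: str, now: datetime,
                max_age_days: int = MAX_KEY_AGE_DAYS) -> Dict[str, List[str]]:
    """Classify user-managed keys: all active ones, those overdue for rotation, and disabled ones."""
    result: Dict[str, List[str]] = {"user_managed": [], "rotate": [], "disabled": []}
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue  # Google-managed keys rotate automatically
        key_id = key["name"].rsplit("/", 1)[-1]
        if key.get("disabled"):
            result["disabled"].append(key_id)
            continue
        result["user_managed"].append(key_id)
        age = now - parse_time(key["validAfterTime"])
        if age > timedelta(days=max_age_days):
            result["rotate"].append(key_id)
    return result


if __name__ == "__main__":
    report = review_keys(SAMPLE_KEYS, NOW)
    for key_id in report["rotate"]:
        print(f"rotate: {key_id}")
    for key_id in report["disabled"]:
        print(f"disabled but not deleted: {key_id}")
```

An empty "user_managed" list is the state approach 2 (Workload Identity Federation) leaves behind, which is why the article recommends it over static credentials.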

    Authentication

    Scope: Enable secure access through Federation, Single Sign-On (SSO), and Multi-Factor Authentication (MFA) for robust and scalable identity authentication, incorporating passwordless authentication options.

    Options for Configuration:

GCP Native Tools:
• Identity-Aware Proxy (IAP): This tool helps secure application access with identity-based controls, enabling federation and Single Sign-On (SSO) for a streamlined and secure user authentication process.
• Cloud Identity with external IdPs (e.g., Okta or Azure AD): Manages users, groups, and federated authentication with external Identity Providers (IdPs), ensuring secure and seamless access control across applications.
• Google Workspace or Cloud Identity: Configure MFA for Google Workspace or Cloud Identity accounts using built-in features such as Google Authenticator, hardware tokens, or push notifications for enhanced security.
• gcloud CLI, REST API, or Terraform: Automate configurations with gcloud CLI, REST API, or Terraform to enforce MFA, federated access, and SSO for consistent and scalable identity management.

External Products:
• SSO and Federation Tools (e.g., Okta, Ping Identity, Microsoft Entra ID): These tools provide centralized identity federation and SSO capabilities, enabling secure access to GCP and third-party applications.
• MFA Tools (e.g., Duo Security, YubiKey, Microsoft Authenticator): Enforce MFA to strengthen security, supporting push notifications, biometrics, hardware tokens, and passwordless authentication.
• Passwordless Authentication Tools (e.g., Beyond Identity, Ping Identity, HYPR): Facilitate secure, password-free authentication by utilizing biometrics, device trust, and cryptographic methods to access GCP resources without the need for traditional passwords.

    Monitoring, Detection, and Response Recommendations

    Scope: Log storage, event and incident detection, and incident response for cloud security and governance.

    Options for Configuration:

GCP Native Tools:
• Cloud Logging: Centralize log storage and monitoring, enabling efficient troubleshooting and analysis across your GCP environment.
• Cloud Monitoring: Monitor the performance of your GCP resources and configure alerts for unusual activity across your projects, ensuring proactive issue detection and resolution.
• Cloud Audit Logs: Ensure auditability and compliance by tracking all identity-related actions, such as service account activities and role changes, across your GCP environment.
• gcloud CLI, REST API, or Terraform: Achieve scalable and consistent deployment of logging and monitoring policies across your GCP environment using automation tools like gcloud CLI, REST API, or Terraform.

External Products:
• NHI Governance Tools (e.g., Natoma, Veza, Astrix): Ensure secure credential storage, automate credential rotation, and enforce Zero Trust principles for Service Accounts, streamlining the management and security of identities within GCP.
• IGA Tools (e.g., SailPoint, Saviynt): Facilitate periodic reviews, compliance checks, and seamless integration with GCP IAM policies, ensuring consistent and secure management of Service Account permissions across the environment.
• ITDR Tools (e.g., Microsoft Defender for Identity, CrowdStrike Falcon, SentinelOne Singularity Identity): Detect compromised Service Account credentials, unauthorized access, and privilege escalations within GCP, enabling quick responses to potential security incidents and minimizing risks.
• NHITDR Tools (e.g., Entro, Astrix): Monitor for abnormal behaviors, unauthorized API calls, and potential compromises of machine identities within GCP, providing proactive threat detection and response for Service Accounts.
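Cloud Audit Logs are where the service account activities and role changes named above actually surface. The detector below is an added example, not code from the article or from Google: it walks audit log entries in their exported JSON shape (protoPayload.methodName, authenticationInfo, serviceData.policyDelta) and raises an alert when a service account key is created, when an API call was authenticated with a user-managed key rather than a federated or impersonated identity, and when SetIamPolicy adds a privileged role to a service account. The four entries, the project, the accounts and the key id are constructed placeholders; the privileged-role set is an assumption.

```python
"""Flag identity-related events in Cloud Audit Log entries.

Added example, not code from the article or from Google. Input is a JSON
array of audit log entries as exported from Cloud Logging; the entries
below are constructed, and the project, accounts and key id are
placeholders.
"""
import json
from typing import Dict, List

# Roles treated as privileged when granted to a service account (assumption).
PRIVILEGED_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}

SAMPLE_ENTRIES = json.dumps([
    # 1. A human user mints a static key for a service account.
    {"timestamp": "2025-02-20T09:12:01Z", "protoPayload": {
        "serviceName": "iam.googleapis.com",
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "authenticationInfo": {"principalEmail": "john.doe@yourdomain.com"},
        "resourceName": "projects/-/serviceAccounts/app-sa@my-project.iam.gserviceaccount.com"}},
    # 2. A CI service account, authenticated with a user-managed key, grants owner to another SA.
    {"timestamp": "2025-02-20T09:15:44Z", "protoPayload": {
        "serviceName": "cloudresourcemanager.googleapis.com",
        "methodName": "SetIamPolicy",
        "authenticationInfo": {
            "principalEmail": "ci-sa@my-project.iam.gserviceaccount.com",
            "serviceAccountKeyName": "//iam.googleapis.com/projects/my-project/serviceAccounts/"
                                     "ci-sa@my-project.iam.gserviceaccount.com/keys/placeholder-key-id"},
        "resourceName": "projects/my-project",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/owner",
             "member": "serviceAccount:app-sa@my-project.iam.gserviceaccount.com"}]}}}},
    # 3. A federated (Workload Identity Federation) caller: no static key involved, no alert.
    {"timestamp": "2025-02-20T09:20:10Z", "protoPayload": {
        "serviceName": "pubsub.googleapis.com",
        "methodName": "google.pubsub.v1.Subscriber.Pull",
        "authenticationInfo": {
            "principalEmail": "etl-sa@my-project.iam.gserviceaccount.com",
            "principalSubject": "principal://iam.googleapis.com/projects/123456789012/locations/"
                                "global/workloadIdentityPools/aws-pool/subject/placeholder-subject"},
        "resourceName": "projects/my-project/subscriptions/orders"}},
    # 4. A role removal from a departed user: a change, but not a risky one under these rules.
    {"timestamp": "2025-02-20T09:30:00Z", "protoPayload": {
        "serviceName": "cloudresourcemanager.googleapis.com",
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "admin@yourdomain.com"},
        "resourceName": "projects/my-project",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "REMOVE", "role": "roles/viewer",
             "member": "user:former.employee@yourdomain.com"}]}}}},
])


def detect(entries_json: str) -> List[Dict[str, str]]:
    """Return one alert per matched rule, in log order."""
    alerts: List[Dict[str, str]] = []
    for entry in json.loads(entries_json):
        payload = entry["protoPayload"]
        auth = payload.get("authenticationInfo", {})
        actor = auth.get("principalEmail", "unknown")
        method = payload.get("methodName", "")
        ts = entry.get("timestamp", "")

        # Rule 1: a new static credential was minted for a service account.
        if method == "google.iam.admin.v1.CreateServiceAccountKey":
            alerts.append({"time": ts, "severity": "medium", "actor": actor,
                           "rule": "service-account-key-created",
                           "detail": payload.get("resourceName", "")})

        # Rule 2: the call was authenticated with a user-managed key. Federated
        # and impersonated callers do not carry serviceAccountKeyName.
        if "serviceAccountKeyName" in auth:
            alerts.append({"time": ts, "severity": "low", "actor": actor,
                           "rule": "static-key-authentication",
                           "detail": auth["serviceAccountKeyName"]})

        # Rule 3: SetIamPolicy added a privileged role to a service account.
        if method == "SetIamPolicy":
            deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
            for delta in deltas:
                if (delta.get("action") == "ADD" and delta.get("role") in PRIVILEGED_ROLES
                        and delta.get("member", "").startswith("serviceAccount:")):
                    alerts.append({"time": ts, "severity": "high", "actor": actor,
                                   "rule": "privileged-role-granted-to-service-account",
                                   "detail": f"{delta['role']} -> {delta['member']}"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_ENTRIES):
        print(f"{a['time']} [{a['severity']}] {a['rule']} by {a['actor']}: {a['detail']}")
```

Entry 2 fires two rules at once (static-key authentication and a privileged grant), which is the combination an ITDR or NHITDR tool would escalate, while the federated Pub/Sub call in entry 3 stays silent.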

    Decision Making

    How to Make the Right Decision

    Building a secure and efficient strategy for Non-Human Identity (NHI) Governance, Activity Monitoring, and Detect and Respond requires a holistic approach that balances risk, compliance, security, tools, and processes. These decisions are complex by nature, and TechDemocracy leverages its proven Cloud Security Decision Framework, trusted by many Fortune 100 companies, to help guide you in making tailored and well-informed choices.

    Factors to Consider:

1. Risk, Compliance, and Security Context

    • Risk Tolerance and Appetite: 
      • Understand your organization's risk tolerance to ensure the security strategy aligns with operational goals and acceptable risk levels.
    • Audit and Compliance Needs: 
      • Assess regulatory requirements for vulnerability management, change management, and monitoring to ensure compliance with industry standards.
      • Identify gaps in your current compliance efforts and create a plan for improvement.
    • Risk Classification of Cloud-Deployed Applications
      • Classify workloads based on their sensitivity (e.g., critical, high-risk, or low-risk) to effectively prioritize security investments and monitoring efforts.

2. Landscape and Roadmap for Tools

• Current Landscape for Cloud Security and Detect & Respond: 
  • Evaluate currently deployed tools, including CWPP, CNAPP, CSPM, and other security platforms, in terms of:
        1. Maturity: How effectively the tools are integrated and utilized within the organization.
        2. Skillsets: The expertise available to manage and optimize these tools efficiently.
        3. Ownership and Responsibilities: Clear accountability for the governance, maintenance, and operation of the tools.
        4. Roadmap and Priorities: Plans for upgrading, expanding, or replacing tools to address evolving security needs.
    • Current Detect and Response Tools: 
      • Assess your existing DR solutions (e.g., EDR, XDR, CDR) and SIEM tools for their effectiveness and integration capabilities.
      • Identify opportunities to enhance detection by incorporating ITDR and NHITDR solutions for improved threat monitoring and response.
    • CIDM Landscape:
      • Analyze deployments of IGA, PAM, NHI, and SSO/MFA tools to ensure seamless integration and effective governance across your identity and access management ecosystem.
    • Complexity and Effort in Data Synchronization and Integrations:
      • Evaluate the effort required to integrate GCP IAM with external tools (e.g., IGA, CNAPP, CSPM, ITDR), while identifying automation opportunities to minimize manual overhead and streamline workflows.

3. Processes, Budget, and Ownership:

    • DevOps Maturity:
      • Assess the level of automation, scalability, and integration in your DevOps processes to determine their readiness for implementing identity and security management solutions.
    • Organizational Structure and Responsibilities:
      • Understand ownership, budgets, and accountability for:
        1. Cloud Infrastructure: Who is responsible for managing infrastructure setup and operations?
        2. Cloud Security: Who governs the tools and processes related to cloud security?
        3. Security in DevOps: Who ensures security in the CI/CD pipeline and secure workload deployment?
        4. Cloud Security Tools Deployment: Who oversees the selection, deployment, and maintenance of security tools such as CNAPP, CSPM, CWPP, and ITDR?

    Conclusion:

    The successful implementation of GCP IAM requires a strategic approach to managing policies, users, and non-human identities, while integrating with external tools to strengthen security and compliance. Key decisions must take into account factors such as organizational risk tolerance, DevOps maturity, and the current landscape of tools.

    Why TechDemocracy?

    At TechDemocracy, we specialize in designing and implementing secure, scalable cloud architectures customized for your unique environment. By leveraging our proven Cloud Security Decision Framework, we help you:

    • Align risk, compliance, and security goals with your organization’s operational needs.
    • Evaluate your tool landscape and create a roadmap for optimization.
    • Streamline integrations, improve governance, and enhance organizational processes to ensure seamless security management.

    Contact TechDemocracy today to refresh your cloud security architecture, develop a comprehensive strategy, and implement cutting-edge solutions for identity governance, cloud security, and threat detection. Let us help you build a secure foundation for your cloud journey, so you can confidently scale and protect your organization’s digital assets!
