Google’s Cloud Platform (GCP) group has rolled out a new feature that the company says gives organizations a better way to enforce the principle of least privilege on users accessing enterprise data and services in the cloud.
Google has been beta testing the new custom roles feature for Google Cloud Identity and Access Management (IAM) for the past several months. It is now generally available and gives enterprise administrators a way to more narrowly tailor the rights that specific users have for accessing enterprise data and services, the company said in a blog Jan 31.
The custom roles feature expands on the broader role-based access control capabilities that Google already has been offering via its Cloud IAM. Like other identity and access management technology, Google Cloud IAM offers a choice of hundreds of predefined roles that administrators can pick from and assign to cloud users and services. Each role comes with its own set of permissions and access rights.
Some roles, like that of an “owner” or “administrator” can have significantly greater access rights and more permissions to carry out actions in the cloud compared to an ordinary user
In addition to users, administrators can assign roles to cloud tools and services as well to ensure they only have the right access to the right resources at all times. For example some tools might have roles that give them the ability to access multiple services on Google’s cloud and do things like starting up virtual machines or decrypting data, while others are more restricted in what they can do.
The IAM roles that are assigned to a user or tool controls access to every application, service and API Google’s cloud. Such role-based control to enterprise assets has long been considered a security best practice for ensuring that users only have access to the services they need to perform their jobs.
The new custom roles capability gives administrators more granular ways to enforce this principle of least privilege in the cloud, said Rohit Khare, a Google product manager and Pradeep Madhavarapu an engineering manager at the company.
It gives administrators the power to pick the precise permissions required for people to do their jobs or to remix permissions for specific tasks, the two managers said in the Jan 31 blog.
“For example, one regulation may state that a privacy auditor should be able to inspect all the personally identifiable information (PII) stored about your customers,” they noted. But another might stipulate that only full-time employees should process such data, Khare and Madhavarapu said.
Without a customization capability, administrators in such situations can end up offering either too much access or too little of it. With custom roles, an administrator in this instance could create a customized role that ensures the auditors have the ability to inspect the data as required but not to modify or erase it.
With custom roles, “Almost all permissions are available for customization today, with the exception of a few that are only tested and supported in predefined role combinations,” Khare and Madhavarapu noted.