In today's digital age, data security has become more important than ever. The vast amount of personal and sensitive information stored online has made it a prime target for cyber attacks. That's why companies must prioritise keeping their data protected at all times. A critical aspect of data security is Identity and Access Management (IAM).
In this blog, we will delve into the world of IAM and how it's implemented in Google Cloud Platform (GCP). We will explore its benefits and its impact on data security.
🔐 The Importance of Data Security
Security is a massive deal in cloud technology, so the data you store in the cloud is protected both at rest and in transit in many different ways (check out this tour of a Google data centre to have your mind blown). Encryption only helps, though, if the wrong people cannot simply be granted the right to read the data in the first place. When you have engineers working on your cloud resources, you have to be able to grant them exactly the permissions they need to do the work and nothing more. IAM is exactly that - Identity and Access Management. Let’s delve further into what that actually means.
🔎 IAM at a Glance
IAM (Identity and Access Management) is the GCP service that controls who (users, groups and service accounts, collectively called principals) can do what (a role, which is a named bundle of permissions) on which resource (an organisation, folder, project, or an individual resource such as a storage bucket). Granting a role to a principal on a resource is called a binding, and the set of bindings on a resource is its IAM policy.
For example, if you start working at ACME Corp. and they ask you to spin up a new virtual machine, you won’t be able to do it without the necessary IAM permissions - on Compute Engine that means a role which includes the compute.instances.create permission. IAM is what stops an identity, whether a careless colleague or an attacker using a stolen credential, from deleting or reading things it was never meant to touch. This could be anything from servers on VMs to databases full of sensitive data. If you don’t take care of IAM permissions when using the cloud, eventually somebody will have access to something that they shouldn’t - and they, or whoever steals their credentials, might take advantage of it.
🤝 Separation of Duties
Separation of duties is a cybersecurity concept where no single person controls every step of a sensitive task. This stops an individual going rogue and tampering with things that they’re not supposed to, because someone else has to approve, deploy or review their work. By dividing up people’s responsibilities in a project, we can map those responsibilities onto the IAM roles they are granted, and hence onto what they are and are not able to do.
In practice, this limits the damage when a staff account or API key is compromised. If your network engineer has no role on your databases, then their account being compromised cannot by itself expose the data - the attacker would need to compromise a second, separately controlled identity as well. In short, separating duties in your organisation helps prevent a single bad actor, or a single stolen credential, from causing serious damage to your business. For high compliance sectors, it's not just recommended, it’s essential.
🔑 The Principle of Least Privilege
Having spoken about the separation of duties, the need for the principle of least privilege becomes clear.
The principle of Least Privilege says that a given user is provided with only the permissions and access they require to complete a given task. Separation of duties decides who is responsible for what, but what actually stops a bad actor in your organisation from wrecking your cloud environment and making off with a database of credit cards? Least privilege is where we actually apply IAM roles to specific users, groups and service accounts, preferring the narrow predefined or custom role over the broad basic roles (Owner, Editor, Viewer), and granting it at the smallest scope that does the job.
This means that if you ask someone to do something, you can give them the permissions they require and rest easy knowing that they won’t be able to access anything other than what they need. If they do need more permissions, then they’ll have to ask for them - and Cloud Audit Logs will record who granted what, to whom, and when. Whereas, if you grant someone too many permissions at once, every action they could take becomes legitimate as far as IAM is concerned, and it becomes much harder to tell normal work from abuse when you review the logs.
🤖 Service Accounts and their role in IAM
Service accounts are one of the most important parts of IAM. They are the identities that your workloads run as: a Compute Engine VM, a Cloud Run service, a Cloud Function or a build pipeline each acts on GCP as some service account, reading data and calling APIs according to its code rather than a human at a keyboard.
Naturally, you’ll have to set up their Identity and Access Management settings as carefully as you would for an actual human being. Service accounts are used to automate processes on the cloud and authorise the movement and access of data, as well as modifying infrastructure, building services… you name it. If a service account has too much access to your cloud project, it can cause just as much chaos as an over-privileged human account, and usually with no one watching in real time. Two things to check in particular: default service accounts (such as the Compute Engine default service account) have often been granted broad basic roles, and the right to impersonate or create keys for a service account is itself a privilege, so whoever holds it effectively holds everything the service account can do.
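Putting the least-privilege and service-account points above into a concrete check: the script below is an added example written for this post, not a Google tool. It reads the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints and flags the bindings a reviewer would question: basic roles (Owner, Editor, Viewer) on any principal, basic roles on service accounts in particular, public members (allUsers, allAuthenticatedUsers), and one principal holding two roles that your separation-of-duties policy says should never sit together. The policy document, the project names, the e-mail addresses and the pair of "conflicting" roles are all constructed for the example.

```python
"""Review a GCP IAM policy for least-privilege and separation-of-duties issues.

Added example (not a Google tool). Input is the JSON shape printed by
`gcloud projects get-iam-policy PROJECT --format=json`. The sample below is
constructed; the principals and project IDs are made up.
"""
import json

# Basic (formerly "primitive") roles grant broad permissions across every service.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Members that make a binding world-readable (or readable by any Google account).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Hypothetical separation-of-duties rule: a network engineer should not also
# administer the databases (roles chosen for the example).
DEFAULT_CONFLICTS = (("roles/compute.networkAdmin", "roles/cloudsql.admin"),)

# Constructed sample policy, in the same shape gcloud prints.
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:build@my-proj.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789-compute@developer.gserviceaccount.com"]},
        {"role": "roles/compute.networkAdmin", "members": ["user:bob@example.com"]},
        {"role": "roles/cloudsql.admin", "members": ["user:bob@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ],
})


def review_policy(policy_json, conflicts=DEFAULT_CONFLICTS):
    """Return a sorted list of human-readable findings for one IAM policy."""
    policy = json.loads(policy_json)
    findings = []
    roles_by_member = {}

    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            roles_by_member.setdefault(member, set()).add(role)
            if member in PUBLIC_MEMBERS:
                findings.append(f"PUBLIC: {role} granted to {member}")
            if role in BASIC_ROLES:
                kind = "service account" if member.startswith("serviceAccount:") else "principal"
                findings.append(f"BASIC_ROLE: {kind} {member} holds {role}")

    # Separation of duties: one identity holding both halves of a conflicting pair.
    for member, roles in roles_by_member.items():
        for role_a, role_b in conflicts:
            if role_a in roles and role_b in roles:
                findings.append(f"SOD: {member} holds both {role_a} and {role_b}")

    return sorted(findings)


if __name__ == "__main__":
    for finding in review_policy(SAMPLE_POLICY):
        print(finding)
```

Run it against a real project with `gcloud projects get-iam-policy PROJECT --format=json | python3 review_policy.py` after swapping `SAMPLE_POLICY` for `sys.stdin.read()`; the conflicting-role pairs are the part you tailor to how your own organisation separates duties.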
Hopefully you can see how IAM makes your cloud infrastructure and data safe and sound. Is your head in the clouds? Get in touch about GCP and see where it can take your organisation.
❓ FAQ - Sometimes, you just need answers
- What is the difference between IAM primitive roles and IAM predefined roles in GCP?
Primitive roles, now called basic roles, are Owner, Editor and Viewer. They grant broad permissions across every GCP service at whatever level they are applied, whether that’s an organisation, folder or project. Predefined roles are maintained by Google for individual services and products, such as Compute Engine, BigQuery and Cloud Storage, and each bundles only the permissions that one job on that service needs. Basic roles are heavy-handed, predefined roles are finer and more specific, and if neither fits you can define a custom role with exactly the permissions you want.
- How do you create an IAM user in GCP?
You don’t create users inside IAM itself - identities come from Google Accounts, Google Workspace or Cloud Identity. To give one of them access, head to ‘IAM and Admin’ in your GCP console, click ‘GRANT ACCESS’, provide the identity’s email address, and pick the role or roles it should have. That creates a binding in the project’s IAM policy.
- How do you see what resources an IAM service account is assigned to in GCP?
Go to the ‘Service Accounts’ page in your ‘IAM and Admin’ console in GCP and click on the service account that you’re interested in. Its ‘Permissions’ tab shows who has access to the service account, that is, who can impersonate it or manage its keys. To see what the service account itself can reach, look it up as a principal on the ‘IAM’ page of each project (the ‘View by principals’ view lists its roles), or use Policy Analyzer to search across the whole organisation.
- How do you view IAM permission changes in GCP?
Every IAM change is recorded as an Admin Activity audit log entry in Cloud Logging, with the method name SetIamPolicy, the identity that made the change and the bindings that were added or removed. In the Logs Explorer, filter on that method name rather than relying on the ‘Find in results’ search bar, and consider routing those entries to a sink or alerting on them, since a new Owner or Editor grant is something you want to know about immediately.
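As an added example (not Google’s code), here is what that audit-log review looks like once you take the entries out of the console. The script parses the JSON that `gcloud logging read 'protoPayload.methodName="SetIamPolicy"' --format=json` returns, skips anything that isn’t an IAM change, and turns each binding delta into a row saying who granted or removed which role for whom, marking grants of a basic role for alerting. The two log entries, the project name and the principals below are constructed; the field names (`protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.serviceData.policyDelta.bindingDeltas`) are the ones Resource Manager writes for SetIamPolicy.

```python
"""Extract IAM changes from Cloud Audit Log (Admin Activity) entries.

Added example (not a Google tool). Input is the JSON array printed by
`gcloud logging read 'protoPayload.methodName="SetIamPolicy"' --format=json`.
The entries below are constructed for the example.
"""
import json

# Roles whose grant is worth an alert: the basic roles from the FAQ above.
ALERT_ROLES = ("roles/owner", "roles/editor")

# Constructed sample: one IAM change and one unrelated admin action.
SAMPLE_ENTRIES = json.dumps([
    {
        "timestamp": "2024-05-01T09:15:02Z",
        "logName": "projects/my-proj/logs/cloudaudit.googleapis.com%2Factivity",
        "resource": {"type": "project", "labels": {"project_id": "my-proj"}},
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/owner",
                 "member": "user:mallory@example.com"},
                {"action": "REMOVE", "role": "roles/viewer",
                 "member": "user:mallory@example.com"},
            ]}},
        },
    },
    {
        "timestamp": "2024-05-01T09:20:44Z",
        "logName": "projects/my-proj/logs/cloudaudit.googleapis.com%2Factivity",
        "resource": {"type": "gce_instance", "labels": {"project_id": "my-proj"}},
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.instances.insert",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
        },
    },
])


def iam_changes(entries_json, alert_roles=ALERT_ROLES):
    """Return one dict per binding delta found in SetIamPolicy audit entries."""
    changes = []
    for entry in json.loads(entries_json):
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "SetIamPolicy":
            continue  # not an IAM change; skip
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        deltas = (payload.get("serviceData", {})
                  .get("policyDelta", {})
                  .get("bindingDeltas", []))
        for delta in deltas:
            changes.append({
                "time": entry.get("timestamp"),
                "actor": actor,
                "action": delta["action"],          # ADD or REMOVE
                "role": delta["role"],
                "member": delta["member"],
                # Only new grants of a broad role need an immediate look.
                "alert": delta["action"] == "ADD" and delta["role"] in alert_roles,
            })
    return changes


if __name__ == "__main__":
    for change in iam_changes(SAMPLE_ENTRIES):
        flag = "ALERT " if change["alert"] else "      "
        print(f"{flag}{change['time']} {change['actor']} {change['action']} "
              f"{change['role']} -> {change['member']}")
```

The same `alert` decision is what you would put behind a log-based alert in Cloud Monitoring; the script just lets you see, line by line, who did what and when, which is exactly the trail the least-privilege section relies on.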
Simply put, IAM is the practice of ensuring the right people have access to the right information at the right time. By implementing IAM, you can effectively manage and control users' access to data, reducing the risk of unauthorised access and data breaches.
To learn more about IAM and Data Security, read our blog: "Data Warehouse Security: A Comprehensive Guide".