At Google Cloud, helping you achieve your changing policy, compliance, and business goals is a fundamental part of its purpose. It continues to regularly release new security features and controls on its cloud platform to help further bolster the security of your cloud environment.
At Google Cloud Next, it unveiled a number of new features in its portfolio related to IAM, Cloud Governance, and Access Risk. The new product features and security improvements it announced for Google Cloud covered these areas, among others:
- Identity and Access Management (IAM)
- Access risk solutions, such as Context-Aware Access, Identity Threat Detection and Response, and VPC Service Controls
- Cloud Governance with Organization Policy Service
- Resource management
Additionally, Google Cloud revealed new artificial intelligence features that support cloud operators and developers across the whole application lifecycle. Driven by new features in Gemini Code Assist and Gemini Cloud Assist, these capabilities take an application-centered approach and integrate AI support across the application development lifecycle.

What’s new in Identity and Access Management
Workforce Identity Federation
Workforce Identity Federation expands Google Cloud’s identity capabilities by supporting syncless, attribute-based single sign-on. More than 95% of Google Cloud products currently support Workforce Identity Federation. Support for FedRAMP High government requirements was also made available to help you manage and meet compliance needs.
Enhanced security for non-human identities
Workload and non-human identities are expanding far more quickly than human identities due to the popularity of microservices and multicloud deployments. Non-human identities, which frequently have broad permissions and privileges, currently outnumber human identities by a factor of 10 to 45 in many big organizations.
Google Cloud is committed to protecting non-human identities, and it is launching two new features to improve access control and authorization:
- Keyless access to Google Cloud APIs using X.509 certificates, which further strengthens workload authentication.
- Based on the Secure Production Identity Framework For Everyone (SPIFFE) standard, Managed Workload Identities allow for mutual TLS (mTLS) encryption, secure identification, and authentication for workload-to-workload communication (e.g. with Google Compute Engine and Google Kubernetes Engine).
Cloud Infrastructure Entitlement Management (CIEM) for multicloud
Google Cloud is tackling the problem of widely granted permissions that are excessive and frequently unwarranted across the security landscape. It strives to address the permission problem proactively by offering complete defense across all layers, along with tools that help you manage the proliferation of permissions.
Its primary solution for handling authorization concerns, Cloud Infrastructure Entitlement Management (CIEM), is now available for Azure and is generally available for Google Cloud and AWS.
IAM Admin Center
Additionally, Google Cloud unveiled IAM Admin Center, a single-pane-of-glass interface tailored to your role that displays ongoing tasks, recommendations, and notifications. You can also reach additional services from the console.
IAM Admin Center gives organization and project administrators a single view in which to explore, learn, test, and use IAM features. It supports contextual feature discovery, lets administrators concentrate on daily work, and provides resources for ongoing learning as well as curated getting-started guides.
Enhancements to existing IAM features
Other IAM features also grew in breadth and feature richness.
- Google Cloud previously revealed Principal Access Boundary (PAB) and IAM Deny policies, which are effective tools for establishing policy-based restrictions on resource access. As these crucial controls continue to expand in service coverage and adoption, tooling is needed to streamline planning and visualize their effect.
To address this, a Deny simulator, a PAB simulator, and a troubleshooter were made available in preview.
- Privileged Access Manager (PAM) now supports up to two levels of permission, with multiple principals at each level. Google Cloud also introduced grant customization, which scopes entitlement grants so that they apply only to the necessary subset of resources, roles, projects, and folders.
What’s new with Access Risk
Even when users and workloads are verified, hold the appropriate rights, and are in active sessions, comprehensive security requires constant monitoring and management. Google Cloud's access risk portfolio offers dynamic features that wrap users, workloads, and data in additional security measures.
Enhanced access and session security
Context-Aware Access (CAA) lets you protect access to Google Cloud based on attributes such as user identity, network, location, and corporate-managed devices, among others.
CAA will soon be further improved with Identity Threat Detection and Response (ITDR) capabilities. Using a variety of activity signals, such as activity from a suspicious source or a new geolocation, these capabilities will automatically identify risky behavior and trigger additional security validations such as multi-factor authentication (MFA), re-authentication, or denial.
Additionally, Google Cloud introduced automatic re-authentication, which sends a re-authentication request when users update billing accounts or take other highly sensitive actions. Although you have the option to disable it, Google Cloud strongly advises you to leave it enabled by default.
Expanded coverage for VPC Service Controls
With VPC Service Controls, you can establish boundaries that safeguard your data and resources for the services that you specifically designate. Google Cloud introduced Violation Analyzer and Violation Dashboard to help you diagnose access denial events and to speed up troubleshooting when using VPC Service Controls.
What’s new in Cloud Governance with Organization Policy Service
Expanded coverage for Custom Organization Policy
Google Cloud’s Organization Policy Service gives you programmatic, centralized control over the resources in your organization. Organization policy already provides predefined constraints, and you can define custom organization policies for more control. Custom organization policy has expanded its service coverage and now supports 62 services.
Google Cloud Security Baseline
Google Cloud aims to make it simpler for users to achieve strong security outcomes. As part of this ongoing effort, Google Cloud is launching its Google Cloud Security Baseline, an enhanced and more robust set of security defaults. These defaults were made available by default to all new customers last year and, following positive feedback, Google Cloud is now promoting them to all existing customers.
Starting this year, existing customers see recommendations to implement the Google Cloud Security Baseline in their console. A simulator that shows the effect of these constraints on your existing environment is also available.
What’s new with resource management
App-enablement with Resource Manager
Google Cloud also applied an application-centric approach to Resource Manager. App-enabled folders, which are currently in preview, simplify application management: they streamline administration, organize services and workloads into a single manageable unit, offer centralized monitoring and management, and present an application-centric view.









