GCP – Move from always-on privileges to on-demand access with new Privileged Access Manager
We are continually enhancing Google Cloud’s Identity and Access Management (IAM) capabilities to help our customers strengthen their security posture. To help mitigate the risks associated with excessive privileges and misuses of elevated access, we are excited to announce Google Cloud’s built-in Privileged Access Manager (PAM).
Now available in preview, PAM helps you achieve the principle of least privilege by ensuring your principals or other high-privilege users have an easy way to obtain precisely the access they need, only when required, and for no longer than required. PAM helps mitigate risks by allowing you to shift always-on standing privileges to on-demand privileged access with just-in-time (JIT), time-bound, and approval-based access elevations.
Excessive privilege is a growing problem in the cloud. These always-on, persistent permissions may seem harmless, but could become vulnerabilities and lead to abuse and misuse of privileges.
Balancing toil and risk with principle of least privilege.
Proactive organizations actively seek to implement least-privilege models to protect their data and resources, but need to be mindful of overly-restrictive privilege controls that can hinder employee productivity or increase administrative burden. The principle of least privilege, when applied in a practical way, can help effectively balance security and operational efficiency.
PAM allows your IAM admins to create entitlements, principals or users to self-serve and request access, and approvers to make informed decisions. Streamlined workflows facilitated by using PAM can support various use cases, including emergency access for incident responders, time-boxed access for developers for critical deployment or maintenance, temporary access for operators for data ingestion and audits, JIT access to service accounts for automated tasks, and many more.
“Identity and Access Management is crucial for cloud security, in our industry often combined with least privilege. When additional just-in-time access to specific resources by certain identities is needed, time-bound conditional access elevation becomes essential. With Google Cloud’s Privileged Access Manager there exists now an efficient service providing the functionality we need, including approval process and audit logging. This not only simplifies security scenarios, but also enables new opportunities such as adhoc insights into data, infrastructure knowledge sharing, or penetration testing support,” said Christian Gorke, vice president and head of Commerzbank’s Cyber Center of Excellence.
When combined with our new Cloud Infrastructure Entitlement Management (CIEM) offering in Security Command Center Enterprise, PAM can help strengthen your identity posture. PAM can augment CIEM alerts on identity findings and help remediate excessive permissions by converting the always-on, critical privileges into on-demand, time-bound access.
How PAM works
PAM allows your IAM administrators to create entitlements, eligible licenses, that can grant just-in-time, temporary access to any resource scope. Your admins can customize the entitlements by defining who is eligible to obtain access, what access should be granted (through predefined and custom IAM roles), the duration of the access, and if access requires approvals and business justification.
Entitlements for privileged resources and roles.
Your requesters can explore eligible entitlements and request the access needed for their task. While requesting access, they can tailor the duration and add justifications as needed. Access is granted immediately for requests that do not require approvals and revoked automatically once the designated time duration lapses. Additionally, requesters and other users are kept informed via timely alerts for important updates regarding their grants.
Time-bound privileged access request.
Approvers are notified when approvals await their decision. They have access to entitlement and request specifics, providing them the required information to approve or deny requests. Additionally, they get to see their approval history to aid decision-making or for retrospective analysis.
Admin approval workflow for privileged access.
Learn more
With Privileged Access Manager, you now have a powerful new capability to manage risks associated with privilege misuse and abuse. PAM enables you to grant access intentionally — just-in-time, time-bound, with necessary oversight. PAM is now available in preview to customers using Google Cloud. For a deeper dive into PAM’s capabilities, visit our product documentation or give the product a try in the Console.
Resources:
PAM overview
PAM permissions and set up
Create entitlements
Request temporary access
Approve and deny access requests
Read More for the details.