When following the principle of least privilege, admins grant users just enough access so that they can carry out everyday activities, but can do nothing more. Following this principle helps reduce risk, but it can create friction for users when they need to perform a privileged action.
In these scenarios, granting the appropriate permissions is hard and is especially challenging with Google Cloud Platform (GCP) for several reasons:
Let’s discuss the three ways you can build just-in-time access to GCP to streamline privileged operations across your DevOps team.
A handful of companies have already built internal solutions for requesting access. One such company, Mednition, even published an article about it.
Mednition had a few goals:
Here’s the solution the company created:
“We decided to create a Slackbot that runs within GCP Cloud Run and logs the audit trail to GCP Cloud Logging. We will leverage Google Groups for provisioning access and Cloud Identity as the mechanism for managing temporary membership. Cloud Identity will add and remove the user from the group for us, so we don’t have to manage any state (which is amazing to avoid sync issues and edge cases). This is particularly interesting because now we can provide temporary access to third-party applications if they can map access to Google Groups (outside of our use case but maybe in the future).”
Google’s Just-In-Time Access is an open source application that lets you implement just-in-time privileged access to Google Cloud resources. The application lets administrators, users and auditors do the following tasks:
Users can then activate one or more roles and provide a justification for getting access:
After a user has activated a role, Just-In-Time Access grants the user temporary access to the project.
Auditors can use Cloud Logging to review when and why eligible roles have been activated by users.
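One way to build the temporary grant and audit trail described above is to write the activation as an IAM Conditions binding with a time-bound CEL expression, so that GCP itself revokes the access at expiry and the service holds no state. This is an added example, not code from Google's Just-In-Time Access project: it works on the plain policy dict that `projects.getIamPolicy` returns, the sample policy and member names are constructed, and writing the policy back with `projects.setIamPolicy` is left to the caller.

```python
import re
from copy import deepcopy
from datetime import datetime, timedelta, timezone

# Constructed sample policy in the JSON shape projects.getIamPolicy returns.
SAMPLE_POLICY = {
    "version": 3,  # conditional bindings require policy version 3
    "bindings": [{"role": "roles/viewer", "members": ["group:devs@example.com"]}],
}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
EXPIRY_RE = re.compile(r'request\.time < timestamp\("([^"]+)"\)')


def parse_ts(s):
    """Parse the RFC 3339 UTC timestamp used in the condition expression."""
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def activate_role(policy, member, role, justification, hours, now=None):
    """Return a copy of `policy` granting `role` to `member` until now+hours.
    GCP evaluates the CEL expiry on every request, so the grant lapses by
    itself and the activation service keeps no expiry state."""
    now = now or datetime.now(timezone.utc)
    expiry = (now + timedelta(hours=hours)).strftime(TS_FMT)
    binding = {
        "role": role,
        "members": [member],
        "condition": {
            "title": "jit-" + role.rsplit("/", 1)[-1],
            "description": f"JIT activation by {member}: {justification}",  # for auditors
            "expression": f'request.time < timestamp("{expiry}")',
        },
    }
    new_policy = deepcopy(policy)
    new_policy["version"] = 3
    new_policy["bindings"].append(binding)
    return new_policy  # caller writes it back with projects.setIamPolicy


def prune_expired(policy, now=None):
    """Drop JIT bindings whose expiry has passed; an expired conditional
    binding grants nothing but stays in the policy until removed."""
    now = now or datetime.now(timezone.utc)
    kept = []
    for b in policy["bindings"]:
        m = EXPIRY_RE.search(b.get("condition", {}).get("expression", ""))
        if m and parse_ts(m.group(1)) <= now:
            continue  # expired, remove it
        kept.append(b)
    return {**policy, "bindings": kept}
```

The justification lands in the condition description, so `getIamPolicy` output and the Cloud Audit Logs entry for `setIamPolicy` both carry who activated what and why.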
To protect the application against unauthorized access, the Just-In-Time Access application can be accessed only over Identity-Aware Proxy (IAP). Using IAP, an administrator can control which users should be allowed to access Just-In-Time Access, and which additional conditions those users must satisfy to get access.
Free solutions such as Apono provide plug-and-play authorization workflows so companies don’t need to start from scratch. Apono serves as the intermediary that connects identities with entitlements, enabling access on a just-in-time, temporary basis. Apono’s privilege authorization capability provides a reliable and streamlined approach to permission management and mitigates the consequences of a GCP (or any other cloud application) permissions-related breach, without compromising user experience and productivity.
The image below features an access flow that allows developers to get temporary read-only access to production when needed:
Remember that managing access control effectively is a critical aspect of maintaining the security and integrity of your GCP resources. Regularly review and audit your roles and permissions to ensure they align with your evolving requirements.
Navigating on-demand access in GCP can be intricate, but with the right tools and strategies, organizations can strike a balance between security and efficiency. Whether you opt for a DIY approach, use Google’s open source solutions or try out-of-the-box tools, the goal remains consistent: to provide secure, streamlined and manageable access to resources.
Apono is a cloud native, centralized self-service access management platform that keeps organizations secure with simple and precise just-in-time permissions across the DevOps domain. Apono takes just minutes to deploy and integrates with your existing cloud services, Kubernetes, data repositories and other R&D applications. With Apono, view existing permissions and enable dynamic contextual access workflows directly from Slack, Teams or CLI.
Try it for yourself and check out the documentation page for in-depth information, use cases and more.