Google Upgrades Cloud Access Controls
Public cloud vendors continue to roll out tweaks and other new features designed to differentiate their services. Among them are tools designed to give enterprise users greater control over cloud services as more applications and data are moved there.
With that in mind, Google is unveiling new identity and access management (IAM) features for handling customers' public permissions on Google Cloud Platform. The goal is to provide "fine-grained" access controls to nail down the privacy and security of the growing volumes of enterprise data in the cloud.
Google announced the beta release of its "custom roles for Cloud IAM" that provide users with control over more than 1,200 public permissions on Google Cloud Platform. The permissions range from top-level "owner", "editor" and "viewer" roles to pre-defined roles for specific services. The idea is to allow secure access to carry out a range of cloud-based tasks, the company said in a blog post on Tuesday (Oct. 3).
"This helps administrators grant users the permissions they need to do their jobs—and only those permissions," explained Rohit Khare, a Google product manager. "Fine-grained access controls help enforce the principle of least privilege for resources and data" hosted in the cloud.
In one example, the predefined Cloud SQL database viewer role combines more than a dozen permissions needed to sort and export databases. In another, a custom role gives an auditor enough database access to determine what data is being collected, without granting "read" access to the actual data or the ability to export it, Khare explained.
The feature is also being pitched as giving enterprise users the ability to add or remove individual permissions rather than relying only on predefined roles. If new features are added to a cloud database service, for instance, users can add the corresponding new permissions to a custom role as needed.
As custom roles are created, the service also lets administrators set a "lifecycle stage" on each one, used to signal the status of a new role to users in production.
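The mechanics described above (a custom role as an explicit set of permissions, the least-privilege comparison against a broader predefined role, and a lifecycle stage on the role) can be modelled in a few lines. The following is an added example, not Google's code and not a client for the Cloud IAM API: the `cloudsql.*` permission names are real Cloud SQL permission identifiers used for illustration, while the two role bodies, the permission catalogue, and the `CustomRole` class are constructed here. The launch-stage values and the YAML field names are assumed to match what `gcloud iam roles create --file` accepts.

```python
"""Model a Cloud IAM custom role and check it against a reference role.

Added example; not Google's code. Permission names are real Cloud SQL
permission identifiers; everything else here is constructed.
"""
from dataclasses import dataclass

# Lifecycle ("launch") stages a custom role can carry. Assumption: these
# match the Cloud IAM stage values; the article only says a stage exists.
LAUNCH_STAGES = {"ALPHA", "BETA", "GA", "DEPRECATED", "DISABLED", "EOL"}

# Constructed catalogue standing in for the permissions IAM knows about.
KNOWN_PERMISSIONS = frozenset({
    "cloudsql.instances.get",
    "cloudsql.instances.list",
    "cloudsql.instances.export",
    "cloudsql.databases.get",
    "cloudsql.databases.list",
})


@dataclass(frozen=True)
class CustomRole:
    role_id: str
    title: str
    stage: str
    permissions: frozenset

    def validate(self) -> list:
        """Return the problems that would stop this role from being created."""
        problems = []
        if self.stage not in LAUNCH_STAGES:
            problems.append(f"unknown stage {self.stage!r}")
        unknown = sorted(self.permissions - KNOWN_PERMISSIONS)
        if unknown:
            problems.append("unknown permissions: " + ", ".join(unknown))
        return problems

    def withheld_from(self, reference: "CustomRole") -> frozenset:
        """Permissions the reference role grants that this role leaves out."""
        return frozenset(reference.permissions - self.permissions)

    def extra_beyond(self, reference: "CustomRole") -> frozenset:
        """Permissions this role grants that the reference does not.

        A non-empty result means the custom role is broader than the role it
        was meant to narrow, which is the least-privilege failure to catch.
        """
        return frozenset(self.permissions - reference.permissions)

    def to_yaml(self) -> str:
        """Role body in the shape `gcloud iam roles create --file` reads (assumption)."""
        lines = [f"title: {self.title}", f"stage: {self.stage}", "includedPermissions:"]
        lines += [f"- {p}" for p in sorted(self.permissions)]
        return "\n".join(lines) + "\n"


def grants(role: CustomRole, permission: str) -> bool:
    """True if a principal holding `role` has `permission`."""
    return permission in role.permissions


# Constructed stand-in for a broad predefined viewer role (not the real
# roles/cloudsql.viewer definition).
VIEWER_LIKE = CustomRole("viewerLike", "Viewer-like reference", "GA", KNOWN_PERMISSIONS)

# Auditor role: can enumerate instances and databases to see what data is
# collected, but is deliberately not given the export permission.
AUDITOR = CustomRole("sqlAuditor", "Cloud SQL auditor", "BETA", frozenset({
    "cloudsql.instances.get",
    "cloudsql.instances.list",
    "cloudsql.databases.get",
    "cloudsql.databases.list",
}))


if __name__ == "__main__":
    print("problems:", AUDITOR.validate() or "none")
    print("withheld vs viewer:", sorted(AUDITOR.withheld_from(VIEWER_LIKE)))
    print("broader than viewer:", sorted(AUDITOR.extra_beyond(VIEWER_LIKE)))
    print(AUDITOR.to_yaml())
```

The two set differences are the review step worth automating: `withheld_from` documents what the narrower role intentionally omits (here, export), and a non-empty `extra_beyond` flags a "custom" role that quietly became wider than the predefined one it replaced.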
As more applications and data reside in hybrid clouds, Google and its public cloud rivals are steadily rolling out new hands-on access features as a way of securing cloud-based resources. "Security administrators now have the power to publish policies as precise as granting a single user just one permission on a resource," Google's Khare noted.
The latest version of the Google-developed Kubernetes application container orchestrator also includes a more stable access control approach used to restrict computing and network access to authorized users. The security mechanism known as role-based access control allows system administrators to monitor access to the Kubernetes API.
Google said the cloud access management tool is available on its public cloud platform and as a REST API.