Source URL: https://cloud.google.com/blog/products/identity-security/whats-new-in-iam-access-risk-and-cloud-governance/
Source: Cloud Blog
Title: What’s new in IAM, Access Risk, and Cloud Governance
It’s a core part of our mission at Google Cloud to help you meet your evolving policy, compliance, and business objectives. To help further strengthen the security of your cloud environment, we continue regular delivery of new security controls and capabilities on our cloud platform.
At Google Cloud Next we announced multiple new capabilities in our IAM, Access Risk, and Cloud Governance portfolio. Our announcements covered a wide range of new product capabilities and security enhancements in Google Cloud, including:
- Identity and Access Management (IAM)
- Access Risk products, including VPC Service Controls, Context-Aware Access, and Identity Threat Detection and Response
- Cloud Governance with Organization Policy Service
- Resource Management
We also announced new AI capabilities to help cloud developers and operators at every step of the application lifecycle. These new capabilities take an application-centered approach and embed AI assistance throughout the application development lifecycle, driven by new features in Gemini Code Assist and Gemini Cloud Assist.
Figure: IAM, Access Risk, and Cloud Governance portfolio.
What’s new in Identity and Access Management
Workforce Identity Federation
Workforce Identity Federation extends Google Cloud’s identity capabilities to support syncless, attribute-based single sign-on. Over 95% of Google Cloud products now support Workforce Identity Federation. We also released support for FedRAMP High government requirements to help manage and satisfy compliance mandates.
Enhanced security for non-human identities
With the rise of microservices and the popularity of multicloud deployments, non-human and workload identities are growing rapidly, much faster than human identities. Many large enterprises now have between 10 and 45 times more non-human identities than human (user) identities, often with expansive permissions and privileges.
Securing non-human identities is a key goal for Google Cloud, and we are announcing two new capabilities to enhance authorization and access protection:
- Keyless access to Google Cloud APIs using X.509 certificates, to further strengthen workload authentication.
- Managed Workload Identities (in preview), based on the Secure Production Identity Framework For Everyone (SPIFFE) standard, enabling secure identification, authentication, and mutual TLS (mTLS) encryption for workload-to-workload communication (such as between Google Compute Engine and Google Kubernetes Engine workloads).
Cloud Infrastructure Entitlement Management (CIEM) for multicloud
Across the security landscape, we are contending with the problem of excessive, often unnecessary, and widely granted permissions. At Google Cloud, we work to proactively address the permission problem with tools that can help you control permission proliferation, while also providing comprehensive defense across all layers.
Cloud Infrastructure Entitlement Management (CIEM), our key tool for addressing permission issues, is now available for Azure (in preview) and generally available for Google Cloud and AWS.
IAM Admin Center
We also announced IAM Admin Center, a single-pane-of-glass experience that is customized to your role, showcasing recommendations, notifications, and active tasks. You can also launch into other services directly from the console.
IAM Admin Center will provide organization administrators and project administrators a unified view to discover, learn, test, and use IAM capabilities. It will provide contextual discovery of features, keep the focus on day-to-day tasks, and offer curated guides for getting started and resources for continuous learning.
You can sign up here to request access.
Enhancements to existing IAM features
Additionally, other IAM features grew in coverage and in feature depth.
Previously, we announced IAM Deny and Principal Access Boundary (PAB) policies, powerful mechanisms to set policy-based guardrails on access to resources. As these important controls continue to grow in service coverage and adoption, tooling is needed to simplify planning and visualize impact. To address this, we released in preview a Deny simulator, a PAB simulator, and a troubleshooter that covers both.
Privileged Access Manager (PAM) now has multi-level approval: up to two levels, with multiple principals at each level. We also announced grant customization to scope entitlement grants only to the required subset of folders, projects, resources, and roles.
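As a concrete illustration of the kind of guardrail a deny policy expresses, here is an added example that is not from the post or from Google’s documentation: a deny policy that blocks bucket deletion for every principal except a break-glass group, and only on resources that are not tagged as sandboxes. The organization ID (`ORG_ID`), the tag key (`env`), the group address and the policy name are placeholders and assumptions.

```json
{
  "displayName": "Deny bucket deletion outside break-glass group",
  "rules": [
    {
      "denyRule": {
        "deniedPrincipals": [
          "principalSet://goog/public:all"
        ],
        "exceptionPrincipals": [
          "principalSet://goog/group/breakglass@example.com"
        ],
        "deniedPermissions": [
          "storage.googleapis.com/buckets.delete"
        ],
        "denialCondition": {
          "title": "Exempt sandbox-tagged resources",
          "expression": "!resource.matchTag('ORG_ID/env', 'sandbox')"
        }
      }
    }
  ]
}
```

A deny policy is attached to a resource such as a project or folder rather than bound to a principal, so it applies no matter which allow roles a principal holds; before attaching it in a real environment this is exactly the sort of policy you would run through the Deny simulator described above to see which existing principals it would cut off.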
What’s new with Access Risk
Comprehensive security demands continuous monitoring and control even with authenticated users and workloads equipped with the right permissions and engaged in active sessions. Google Cloud’s access risk portfolio brings dynamic capabilities that layer additional security controls around users, workloads, and data.
Enhanced access and session security
Today, you can use Context-Aware Access (CAA) to secure access to Google Cloud based on attributes including user identity, network, location, and corporate-managed devices.
Coming soon, CAA will be further enhanced with Identity Threat Detection and Response (ITDR) capabilities, using numerous activity signals, such as activity from a suspicious source or from a new geographic location, to automatically identify risky behavior and trigger further security validations using mechanisms such as multi-factor authentication (MFA), re-authentication, or denials.
We also announced automatic re-authentication, which triggers a re-authentication request when users perform highly sensitive actions such as updating billing accounts. This will be enabled by default, and while you can opt out, we strongly recommend you keep it turned on.
Expanded coverage for VPC Service Controls
VPC Service Controls lets you create perimeters that protect your resources and data for the services you explicitly specify. To speed up diagnosis and troubleshooting when using VPC Service Controls, we launched Violation Analyzer and Violation Dashboard to help you diagnose an access denial event.
What’s new in Cloud Governance with Organization Policy Service
Expanded coverage for Custom Organization Policy
Google Cloud’s Organization Policy Service gives you centralized, programmatic control over your organization’s resources. Organization Policy already provides predefined constraints, but for greater control you can create custom organization policies. Custom organization policy has now expanded service coverage, with 62 services supported.
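To show what a custom organization policy looks like in practice, the following is an added example, not from the post: a custom constraint that denies creating or updating a GKE node pool with auto-upgrade disabled, plus the policy that enforces it. The organization ID (`ORG_ID`) and the constraint name are placeholders; the `resourceTypes`, `methodTypes`, `condition`, `actionType` and `spec.rules` keys are the fields the Organization Policy Service uses for custom constraints and policies.

```yaml
# constraint.yaml: the custom constraint definition (placeholder ORG_ID).
# Evaluated against the resource at CREATE/UPDATE time; DENY rejects the
# request when the CEL condition evaluates to true.
name: organizations/ORG_ID/customConstraints/custom.requireGkeAutoUpgrade
resourceTypes:
  - container.googleapis.com/NodePool
methodTypes:
  - CREATE
  - UPDATE
condition: "resource.management.autoUpgrade == false"
actionType: DENY
displayName: Require GKE node pool auto-upgrade
description: >-
  Deny creation or update of a GKE node pool whose auto-upgrade setting is
  disabled, so nodes keep receiving security patches.
---
# policy.yaml: enforces the constraint on the organization (placeholder ORG_ID).
# Setting the same rule under dryRunSpec instead of spec only logs would-be
# violations, which is the safe first step before enforcing.
name: organizations/ORG_ID/policies/custom.requireGkeAutoUpgrade
spec:
  rules:
    - enforce: true
```

The two documents are applied separately: the constraint is registered with `gcloud org-policies set-custom-constraint constraint.yaml`, and the policy is attached with `gcloud org-policies set-policy policy.yaml`. The constraint by itself does nothing; only the policy makes it take effect at the organization, folder or project where the policy is set.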
Google Cloud Security Baseline
Google Cloud strives to make good security outcomes easier for customers to achieve. As part of this continued effort, we are releasing an updated and stronger set of security defaults, our Google Cloud Security Baseline. These were rolled out to all new customers last year — enabled by default — and based on positive feedback, we are now recommending them to all existing customers.
Starting this year, existing customers are seeing recommendations in their console to adopt the Google Cloud Security Baseline. You also have access to a simulator that tests how these constraints will impact your current environment.
What’s new with resource management
App-enablement with Resource Manager
We also extended our application-centric approach to Google Cloud’s Resource Manager. App-enabled folders, now in preview, streamline application management by organizing services and workloads into a single manageable unit, providing centralized monitoring and management, simplifying administration, and providing an application-centric view.
You can now enable application management on folders in a single step.
Learn more
To learn more, you can view the Next ‘25 session recording, which gives an overview of these announcements: What’s new with IAM and Org Policy: Access risk, at-scale governance and AI.
AI Summary and Description
Summary: The text outlines significant announcements made by Google Cloud at Google Cloud Next regarding new security capabilities and features, particularly in the realms of Identity and Access Management (IAM), Access Risk, Cloud Governance, and the integration of AI into cloud development. These enhancements aim to bolster security and governance in cloud environments, especially for non-human identities and multi-cloud settings.
Detailed Description:
The text emphasizes Google Cloud’s commitment to evolving security measures and compliance capabilities to meet business needs and regulatory demands. Key points include:
- **Identity and Access Management (IAM)**:
  - Introduction of **Workforce Identity Federation** to enhance single sign-on capabilities while supporting government compliance (e.g., FedRAMP High).
  - Focus on securing **non-human identities** due to the increasing popularity of microservices and multi-cloud deployments. This presents a challenge as enterprises often have far more non-human identities than human users.
- **Access Risk**:
  - Launch of new **Access Risk products** to reinforce security measures for users and workloads, incorporating continuous monitoring.
  - Implementation of **Context-Aware Access** and plans for **Identity Threat Detection and Response (ITDR)**, which uses behavioral signals to identify and react to potential threats dynamically.
  - Introduction of automatic re-authentication for sensitive operations, promoting stronger access control.
- **Cloud Governance**:
  - New tools to enhance **Cloud Infrastructure Entitlement Management (CIEM)**, addressing issues of excessive permissions across multi-cloud environments.
  - Expansion of the **Organization Policy Service** to allow custom policies across a wider range of services, increasing organizational control.
- **AI Integration**:
  - Announcement of AI-powered features like **Gemini Cloud Assist** and **Gemini Code Assist**, which aim to support developers throughout the application lifecycle by embedding intelligence and automation into development processes.
- **Security Baseline Improvements**:
  - Release of an updated **Google Cloud Security Baseline** aimed at simplifying security configurations for new and existing customers, ensuring better adherence to recommended security practices.
- **Resource Management**:
  - Introduction of **app-enabled folders** within the Resource Manager to facilitate easier administration of services and workloads.
These advancements collectively enhance Google Cloud’s offerings in security, compliance, and application management, positioning it as a robust option for organizations navigating complex cloud environments. The focus on non-human identity management, continuous access risk assessment, and the integration of AI reflects a proactive approach to modern cloud security challenges.