Cloud Blog: Improve your security posture with expanded Custom Org Policy

Source URL: https://cloud.google.com/blog/products/identity-security/announcing-expanded-custom-org-policy-portfolio-of-supported-products/
Source: Cloud Blog
Title: Improve your security posture with expanded Custom Org Policy

Feedly Summary: When it comes to securing cloud resources, one of the most important tools for administrators is the ability to set guardrails for resource configurations that can be applied consistently across the environment, centrally managed, and safely rolled out.
Google Cloud’s custom Organization Policy is a powerful tool that can help organizations safeguard cloud resources. Administrators can use custom organization policies to set granular resource configurations in order to enhance security posture, address regulatory requirements, and increase operational efficiencies, all without impacting development velocity. 
Today, we are excited to announce that custom Org Policy is now adding support for more than 30 additional Google Cloud services.

This expansion unlocks many new use cases and expands the scope of cloud governance.


Securely scale access control management with custom Org Policies 
As cloud deployments grow, security teams can struggle to manage all the new access requests from across their organization. To scale effectively, organizations must establish an operational model for access control that balances developer empowerment with security and compliance.
Integrating custom Organization Policy with IAM lets administrators restrict IAM policies at any level of the Google Cloud resource hierarchy (organization, folder, or project) and then delegate day-to-day IAM policy management to developers, knowing that no policy change in those environments can violate the restrictions that have been put in place.
Using this capability, administrators can enforce conditional restrictions such as "Only allow specific roles to be granted against resources in this project", "Only allow specific members to be granted access via policies against this folder", or "Deny any 'allUsers' grant for resources in this organization."
These coarse-grained restrictive policies let you explicitly prohibit access to certain resources regardless of existing Allow rules. Here are a few custom Org Policy examples governing IAM policies:
Restrict specific roles from being granted against resources in this project:

```yaml
resource_types: iam.googleapis.com/AllowPolicy
method_types:
  - CREATE
  - UPDATE
condition:
  resource.bindings.exists(binding,
    RoleNameMatches(binding.role, ['OWNER'])
  )
action_type: DENY
```

Restrict "allUsers" grants for any resources in this organization:

```yaml
resource_types: iam.googleapis.com/AllowPolicy
method_types:
  - CREATE
  - UPDATE
condition:
  resource.bindings.exists(binding,
    RoleNameStartsWith(binding.role, ["roles/storage"]) &&
    binding.members.exists(member,
      MemberSubjectMatches(member, ['allUsers', 'allAuthenticatedUsers'])
    )
  )
action_type: DENY
```

In addition, custom Organization Policy extends Domain Restricted Sharing by allowing for principal level granularity in the policy configuration. For example, you can set policies to allow all users of your organization as well as specific partner identities, service accounts, or service agents. This increased flexibility can help administrators more effectively manage policies without adding identities.
Only allow members from specific organizations, or specific named members:

```yaml
resource_types: iam.googleapis.com/AllowPolicy
method_types:
  - CREATE
  - UPDATE
condition:
  resource.bindings.all(
    binding,
    binding.members.all(member,
      MemberInPrincipalSet(member,
        ["//cloudresourcemanager.googleapis.com/organizations/123",
         "//cloudresourcemanager.googleapis.com/organizations/456"])
      || MemberSubjectMatches(member,
        ["user:abc@vendor.com",
         "user:xyz@vendor.com"]))
  )
action_type: Allow
```
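As an added example that is not part of the original post or of Google Cloud's tooling, the following Python pre-check mirrors the three IAM AllowPolicy constraints above so that a proposed policy change can be tested locally before it is submitted. The predicate helpers and the principal directory are assumptions standing in for the CEL functions (RoleNameMatches, RoleNameStartsWith, MemberSubjectMatches, MemberInPrincipalSet) and for Google's own evaluation; the sample policy is constructed.

```python
# Added example, not from the blog post or Google Cloud: a local pre-check that
# mirrors the three IAM AllowPolicy constraints above, so a policy change can be
# tested before submission. The predicates are simplified stand-ins for the CEL
# functions used on the page; the directory and sample policy are constructed.
ORG = "//cloudresourcemanager.googleapis.com/organizations/"
ALLOWED_ORGS = {ORG + "123", ORG + "456"}
ALLOWED_PARTNERS = {"user:abc@vendor.com", "user:xyz@vendor.com"}
# Constructed directory of each identity's organization (MemberInPrincipalSet stand-in).
PRINCIPAL_DIRECTORY = {
    "user:alice@example.com": ORG + "123",
    "serviceAccount:ci@proj.iam.gserviceaccount.com": ORG + "456",
}

def role_name_matches(role, names):
    return role in names

def role_name_starts_with(role, prefixes):
    return any(role.startswith(p) for p in prefixes)

def member_subject_matches(member, subjects):
    return member in subjects

def member_in_principal_set(member, principal_sets):
    return PRINCIPAL_DIRECTORY.get(member) in principal_sets

def precheck(policy):
    """Names of the constraints a CREATE or UPDATE of this allow policy would violate.
    DENY constraints fire when their condition is true; the Allow constraint admits
    the change only when its condition holds for every binding and member."""
    bindings = policy["bindings"]
    violations = []
    # Real bindings carry the roles/ prefix, so the page's 'OWNER' is roles/owner here.
    if any(role_name_matches(b["role"], ["roles/owner"]) for b in bindings):
        violations.append("deny-owner-grant")
    if any(role_name_starts_with(b["role"], ["roles/storage"]) and any(
            member_subject_matches(m, ["allUsers", "allAuthenticatedUsers"])
            for m in b["members"]) for b in bindings):
        violations.append("deny-public-storage-grant")
    if not all(member_in_principal_set(m, ALLOWED_ORGS)
               or member_subject_matches(m, ALLOWED_PARTNERS)
               for b in bindings for m in b["members"]):
        violations.append("allow-only-known-principals")
    return violations

# Constructed sample: a public storage grant plus an identity outside both lists.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/viewer", "members": ["user:alice@example.com", "user:abc@vendor.com"]},
    {"role": "roles/editor", "members": ["user:mallory@other.example"]},
]}
```

Running `precheck(SAMPLE_POLICY)` reports both the DENY hit on the public storage grant and the Allow constraint failing because `allUsers` and `user:mallory@other.example` belong to neither an allowed organization nor the partner list; a policy whose members all resolve to an allowed organization or partner returns an empty list.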

Establish strong data governance for Cloud SQL
Data platform teams often want to ensure that each application team is adhering to security best practices when using various SQL products. Custom Org Policy support for Cloud SQL can help you establish strong guardrails around SQL resources and address data governance requirements. Here are some common use cases illustrating the power of custom org policy together with Cloud SQL:
Ensure that each application team is using the latest database version for SQL instances:

```yaml
resource_types: sqladmin.googleapis.com/Instance
method_types:
  - CREATE
  - UPDATE
condition:
  resource.databaseVersion == 'MYSQL_8_4' ||
  resource.databaseVersion == 'POSTGRES_16' ||
  resource.databaseVersion == 'SQLSERVER_2022_EXPRESS' ||
  resource.databaseVersion == 'SQLSERVER_2022_WEB' ||
  resource.databaseVersion == 'SQLSERVER_2022_STANDARD' ||
  resource.databaseVersion == 'SQLSERVER_2022_ENTERPRISE'
action_type: Allow
```

Ensure that all database instances enforce complex password requirements:

```yaml
resource_types: sqladmin.googleapis.com/Instance
method_types:
  - CREATE
  - UPDATE
condition:
  resource.settings.passwordValidationPolicy.enablePasswordPolicy == true &&
  resource.settings.passwordValidationPolicy.complexity == 'COMPLEX' &&
  resource.settings.passwordValidationPolicy.minLength >= 8 &&
  resource.settings.passwordValidationPolicy.reuseInterval >= 10
action_type: Allow
```

Enhancing security posture with custom Org Policy at Yahoo
Yahoo serves hundreds of millions of people globally, and cloud security teams at Yahoo actively use predefined Org Policy controls to meet their security and compliance requirements. However, each Yahoo property has different needs and infrastructure, so Yahoo’s security team needed the flexibility to build custom guardrails.
Since March 2023, Yahoo's platform engineers and the company's information security team, The Paranoids, have worked with Google Cloud to adopt custom Org Policies for Kubernetes and other cloud infrastructure.
"We've implemented 24 custom Org Policies to exceed industry-standard baselines, such as required secure boot for GKE nodes. In addition to taking advantage of the increased flexibility that custom Org Policy offers, these policies helped us scale security controls safely. Our engineers across the company didn't have to actively worry about security requirements anymore, as these guardrails automatically took care of adhering to many of Yahoo's Information Security policies. Our team is further enhancing these policies and planning to now cover Cloud SQL, Cloud Run, and IAM. As new products and use cases roll out, Yahoo's platforms team plans to lean into further adoption of custom organization policies. In short, this helped us to enhance our security posture at scale," said Alex Verkhovtsev, senior software development engineer, Yahoo.
Get started with custom Org Policy
As Google Cloud continues to expand services that support custom Org Policy, you can expect greater control, flexibility, and efficiency to manage cloud resources.
To get started with custom Org Policies, check out our user guide and overview video. You can find more information on supported services by following the links here, as well as a growing repository of ready-to-use samples here.

AI Summary and Description: Yes

Summary: The text discusses the enhancements in Google Cloud’s custom Organization Policy, which allows organizations to enforce stricter access control and security measures across their cloud resources. This update introduces support for over 30 additional Google Cloud services, significantly improving cloud governance and operational efficiency while maintaining compliance with security policies.

Detailed Description:

The provided text highlights significant advancements in Google Cloud’s custom Organization Policy, emphasizing its importance for security teams in managing cloud resource access and configurations. The enhancements facilitate better governance and security posture while allowing organizations to adhere to regulatory requirements without hindering development cycles. Here are the key points:

– **Custom Organization Policies**: A tool that enables administrators to apply granular security configurations across cloud resources. The ability to tailor these policies is crucial for maintaining a secure cloud environment.

– **Support Expansion**: The announcement of support for more than 30 additional Google Cloud services broadens the applications of custom Organization Policies, leading to more robust use cases and improved governance.

– **Access Control Management**: As cloud deployments scale, managing access requests becomes critical. Custom Organization Policies allow organizations to set conditions such as restricting specific roles or denying access to users universally, contingent on compliance needs.

– **Integration with IAM Policies**: The ability to integrate custom Organization Policy with Identity and Access Management (IAM) enhances the control administrators have over cloud resources. This includes setting restrictions at various organizational levels and ensuring that developers can manage IAM policies within established security constraints.

– **Data Governance**: For cloud SQL services, custom Organization Policy provides mechanisms for enforcing best practices, such as ensuring that applications use the latest database versions and require complex password policies.

– **Client Use Case – Yahoo**: Yahoo has successfully implemented custom Organization Policies to strengthen their security posture and compliance across diverse properties. The initiatives taken by Yahoo showcase the applicability and effectiveness of custom Org Policies in maintaining high security standards.

– **User Guidance**: Google Cloud encourages users to start implementing custom Org Policies to leverage the improved flexibility, control, and efficiency in managing cloud resources.

These insights are particularly relevant for professionals in security and compliance, as they underscore the evolving landscape of cloud security and the crucial role that policy customization plays in enhancing operational efficiencies and meeting regulatory demands.