| Field | Value |
| --- | --- |
| Last Updated | 01 March 2022 |
| Document Tag | tch-research-next-gen-authz |
| Author | simonm@thecyberhut.com |
| Part of Research Product | Next Generation Authorization Technology |
Google Cloud Platform (GCP) breaks its security and identity capabilities into three categories: Security, Identity, and User Protection Service.
From an identity perspective, the following products and features are available:

| Product | Features |
| --- | --- |
| BeyondCorp Enterprise | Scalable zero trust platform with integrated threat and data protection. |
| Certificate Authority Service | Simplify the deployment and management of private CAs. |
| Cloud Identity | Unified platform for IT admins to manage user devices and apps. |
| Identity and Access Management | Permissions management system for Google Cloud resources. |
| Identity-Aware Proxy | Use identity and context to guard access to your applications and VMs. |
| Identity Platform | Add Google-grade identity and access management to your apps. |
| Managed Service for Microsoft Active Directory | Hardened service running Microsoft® Active Directory (AD). |
| Policy Intelligence | Smart access control for your Google Cloud resources. |
| Resource Manager | Hierarchical management for organizing resources on Google Cloud. |
| Titan Security Key | Two-factor authentication device for user account protection. |
All GCP product release notes are listed on Google Cloud's release notes page.

The following are specific GCP IAM related updates with an authorization related component:

| Date | Feature | Details |
| --- | --- | --- |
| Dec 2021 | Improved Selection of Pre-Defined Roles | Identity and Access Management (IAM) provides multiple predefined roles for most Google Cloud services. Each predefined role contains the permissions that are needed to perform a task, or a group of related tasks. |
| Oct 2021 | Improved Credential Access Boundaries for OAuth2 Access Tokens | To downscope permissions, you define a Credential Access Boundary that specifies which resources the short-lived credential can access, as well as an upper bound on the permissions that are available on each resource. You can then create a short-lived credential, then exchange it for a new credential that respects the Credential Access Boundary. |
| Oct 2021 | Lateral Movement Insights | In addition to providing recommendations, Recommender uses machine learning (ML) to provide detailed insights. Insights are findings that highlight notable patterns in resource usage. For example, you can collect additional information about permission usage in your project, or identify unused service accounts. |
| Sept 2021 | Role Recommendations Generally Available | Role recommendations help you identify and remove excess permissions from your principals, improving your resources' security configurations. |
| April 2021 | Policy Simulator Now Available | Policy Simulator lets you see how an IAM policy change might impact a principal's access before you commit to making the change. You can use Policy Simulator to ensure that the changes you're making won't cause a principal to lose access that they need. |
| Feb 2021 | Limit Which Roles Sub-Admins Can Assign | In large organizations, it can be helpful to let teams independently manage the Identity and Access Management (IAM) policies for their resources. However, letting a principal grant or revoke all IAM roles can greatly increase your security risk. |
| Feb 2020 | IAM Conditions Now Generally Available | With IAM Conditions, you can choose to grant access to principals only if specified conditions are met. For example, you could grant temporary access to users so they can resolve a production issue, or you could grant access only to employees making requests from your corporate office. |
| Feb 2020 | IAM Recommender is Now Generally Available | Role recommendations are one of the types of recommendations that Recommender generates. Each role recommendation suggests that you remove or replace a role that gives your principals excess permissions. At scale, these recommendations help you enforce the principle of least privilege by ensuring that principals have only the permissions that they actually need. |
The following are GCP Cloud Identity-Aware Proxy related updates with an authorization related component:

| Date | Feature | Details |
| --- | --- | --- |
| Feb 2020 | Programmatically Create OAuth2 Clients | OAuth clients created by the API can only be modified by using the API. You cannot modify an OAuth client via the Cloud Console if you create it by using the API. Only 500 OAuth clients are allowed per project when using the API. |
| April 2019 | Context-Aware Access Now Generally Available | With IAM Conditions, you can choose to grant access to principals only if specified conditions are met. For example, you could grant temporary access to users so they can resolve a production issue, or you could grant access only to employees making requests from your corporate office. |