Security Experts:

Google Adds Custom Roles Feature to Cloud IAM

The Identity & Access Management (IAM) service in the Google Cloud Platform (GCP) now includes a feature that allows users to assign custom roles for finer-grained security.

The custom roles feature was first announced back in October when the beta version was introduced. The tech giant announced on Wednesday that nearly all permissions can now be customized.

Granting users excessive privileges to services, applications and data can introduce serious security risks, which is why it’s crucial for administrators to ensure that users only have the permissions needed to perform their jobs.

Customers of Google’s cloud platform now have full control over more than 1,200 public permissions, providing them fine-grained access control for enforcing the principle of least privilege. The principle of least privilege is a concept that promotes minimal user profile privileges based on job necessities.

In the case of GCP, administrators can rely on the IAM service to assign a predefined role to users - for example, allow them to view or modify data stored in the cloud. However, these predefined roles are sometimes not enough for implementing the principle of least privilege.

Custom roles, on the other hand, can be used to remix permissions across all services to ensure that users do not receive privileges other than ones required to do their job.

“Consider a tool that needs access to multiple GCP services to inventory Cloud Storage buckets, BigQuery tables and Cloud Spanner databases. Enumerating data doesn’t require privileges to decrypt that data. While predefined roles to view an entire project may grant .query,.decrypt and .get as a set, custom roles make it possible to grant .get permission on its own,” Google’s Rohit Khare and Pradeep Madhavarapu explained in a blog post.

Except for certain permissions that are only supported in predefined roles, all permissions are now customizable. A list of all supported permissions has been made available and users can keep track of changes via a central change log.

In the future, Google wants to further enhance its IAM service, including by using research from the company’s Forseti open source initiative to help explain why a specific permission has been granted or denied.

Related: Stop Blaming Users and Get Serious About Your IAM Practices

Related: Google Announces New Cloud Key Management System

Related: Google Introduces App Engine Firewall

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.