
What’s new in IAM, Access Risk, and Cloud Governance

May 2, 2025
Abhishek A Hemrajani

Senior Director, Product Management, Google Cloud Security


It’s a core part of our mission at Google Cloud to help you meet your evolving policy, compliance, and business objectives. To help further strengthen the security of your cloud environment, we continue regular delivery of new security controls and capabilities on our cloud platform.

At Google Cloud Next, we announced multiple new capabilities in our IAM, Access Risk, and Cloud Governance portfolio. Our announcements covered a wide range of new product capabilities and security enhancements in Google Cloud, including:

  • Identity and Access Management (IAM)

  • Access Risk products including VPC Service Controls, Context-Aware Access and Identity Threat Detection and Response

  • Cloud Governance with Organization Policy Service

  • Resource Management

We also announced new AI capabilities to help cloud developers and operators at every step of the application lifecycle. These new capabilities take an application-centered approach and embed AI assistance throughout the application development lifecycle, driven by new features in Gemini Code Assist and Gemini Cloud Assist.


IAM, Access Risk, and Cloud Governance portfolio.

What’s new in Identity and Access Management

Workforce Identity Federation

Workforce Identity Federation extends Google Cloud's identity capabilities to support syncless, attribute-based single sign-on. Over 95% of Google Cloud products now support Workforce Identity Federation. We also released support for FedRAMP High government requirements to help you manage and satisfy compliance mandates.

Enhanced security for non-human identities

With the rise of microservices and the popularity of multicloud deployments, non-human and workload identities are growing rapidly, much faster than human identities. Many large enterprises now have between 10 and 45 times more non-human identities than human (user) identities, often with expansive permissions and privileges.

Securing non-human identities is a key goal for Google Cloud, and we are announcing two new capabilities to enhance authorization and access protection:

Cloud Infrastructure Entitlement Management (CIEM) for multicloud

Across the security landscape, we are contending with the problem of excessive, widely-granted, and often unnecessary permissions. At Google Cloud, we work to proactively address the permission problem with tools that help you control permission proliferation, while also providing comprehensive defense across all layers.

Cloud Infrastructure Entitlement Management (CIEM), our key tool for addressing permission issues, is now available for Azure (in preview) and generally available for Google Cloud and AWS.

IAM Admin Center

We also announced IAM Admin Center, a single-pane-of-glass experience that is customized to your role, showcasing recommendations, notifications, and active tasks. You can also launch into other services directly from the console.

IAM Admin Center will provide organization administrators and project administrators a unified view to discover, learn, test, and use IAM capabilities. It will provide contextual discovery of features, enable focus on day-to-day tasks, and offer curated guides for getting started and resources for continuous learning.

You can sign up here to request access.

Enhancements to existing IAM features

Additionally, other IAM features grew in both service coverage and feature depth.

What’s new with Access Risk

Comprehensive security demands continuous monitoring and control even for authenticated users and workloads that hold the right permissions and are engaged in active sessions. Google Cloud’s access risk portfolio brings dynamic capabilities that layer additional security controls around users, workloads, and data.

Enhanced access and session security

Today, you can use Context-Aware Access (CAA) to secure access to Google Cloud based on attributes including user identity, network, location, and corporate-managed devices.

Coming soon, CAA will be further enhanced with Identity Threat Detection and Response (ITDR) capabilities. ITDR uses numerous activity signals, such as activity from a suspicious source or a new geographic location, to automatically identify risky behavior and trigger further security validations using mechanisms such as multi-factor authentication (MFA), re-authentication, or denial of the request.

We also announced automatic re-authentication, which triggers a re-authentication request when users perform highly sensitive actions such as updating billing accounts. This will be enabled by default, and while you can opt out, we strongly recommend you keep it turned on.

Expanded coverage for VPC Service Controls

VPC Service Controls lets you create perimeters that protect your resources and data for the services you explicitly specify. To speed up diagnosis and troubleshooting when using VPC Service Controls, we launched Violation Analyzer and Violation Dashboard to help you diagnose an access denial event.

What’s new in Cloud Governance with Organization Policy Service

Expanded coverage for Custom Organization Policy

Google Cloud’s Organization Policy Service gives you centralized, programmatic control over your organization's resources. Organization Policy already provides predefined constraints, but for finer-grained control you can create custom organization policies. Custom organization policy has now expanded its service coverage, with 62 services supported.

Google Cloud Security Baseline

Google Cloud strives to make good security outcomes easier for customers to achieve. As part of this continued effort, we are releasing an updated and stronger set of security defaults, the Google Cloud Security Baseline. These were rolled out to all new customers last year — enabled by default — and based on positive feedback, we are now recommending them to all existing customers.

Starting this year, existing customers are seeing recommendations in their console to adopt the Google Cloud Security Baseline. You also have access to a simulator that tests how these constraints will impact your current environment.

What’s new with resource management

App-enablement with Resource Manager

We also extended our application-centric approach to Google Cloud’s Resource Manager. App-enabled folders, now in preview, streamline application management by organizing services and workloads into a single manageable unit, providing centralized monitoring and management, simplifying administration, and offering an application-centric view.

You can now enable application management on folders in a single step.

Learn more

To learn more, you can view the Next ’25 session recording for an overview of these announcements.
