UCONN


Designing for Security


Cloud Identity and Access Management (IAM)


IAM provides the permission structure that defines who (a user or group) can do what on which resources.

The concept is based on the following:

Identities are the "who": the accounts of human users, the service accounts that applications and virtual machines run as, and any non-Google accounts that have been granted access.

Groups collect identities that share a job function, so that permissions are granted to the group once rather than to each member separately.

Resources are the Google Cloud objects that developers and users act on: virtual machines, storage buckets, projects, and so on. Resources sit in a hierarchy (organization, folder, project, resource), and access granted at a higher level is inherited by everything below it.

Permissions are the individual operations allowed on a resource, for example reading an object from a bucket. They are not handed out one at a time; they are bundled into roles, and the roles are granted to identities.

Roles bundle the set of permissions needed to perform a task so that it can be granted uniformly. There are three kinds:

Primitive (basic) roles are Owner, Editor and Viewer. They grant broad permissions across an entire project and are rarely the right choice.

Predefined roles are scoped to one service or task, for example roles/bigquery.admin.

Custom roles are assembled from individual permissions to meet a specific security requirement that no predefined role matches.

A Policy is the configuration attached to a resource that records who has access to it. It is a list of bindings, each pairing one role with the identities that hold that role on the resource.

The following security design principles should guide how cloud permissions are assigned.


Least Privilege states that an identity should be granted only the minimum permissions necessary to complete its task, and nothing more.

Separation of Duties states that no single identity should hold every permission needed to carry out a sensitive process end to end. For example, the developer who writes the code should not also be the one who can deploy it to production.

Defense in Depth layers independent controls, for example requiring both a valid password and a request from an allowed IP address range, so that the failure of any one control does not by itself grant access.
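The following is an added example, not code from the original post, that ties the policy structure described above to the three design principles. It parses an IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns (a list of bindings, each pairing a role with its members) and reports grants of basic roles (least privilege), public grants, and one identity holding both a write role and a deploy role (separation of duties). The sample policy is constructed for this example, and the role pairing used for the separation-of-duties check is an assumption of this example, not a Google-defined list.

```python
"""Audit a Google Cloud IAM policy against the design principles above.

The sample policy below is constructed for this example and does not come
from a real project. CONFLICTING_ROLE_PAIRS is an assumed pairing used to
illustrate a separation-of-duties check; adapt it to your own processes.
"""
import json

# Basic (primitive) roles grant broad project-wide permissions.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Special members that make a binding public (anyone, or any Google account).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Assumed conflicting pair: one identity holding both can write the code
# and deploy it, which separation of duties says should be two identities.
CONFLICTING_ROLE_PAIRS = [
    ("roles/source.writer", "roles/run.admin"),
]

# Constructed sample policy in gcloud's JSON format (not a real project).
SAMPLE_POLICY_JSON = """
{
  "version": 1,
  "etag": "BwXexample",
  "bindings": [
    {"role": "roles/editor",
     "members": ["user:dev@example.com"]},
    {"role": "roles/source.writer",
     "members": ["user:dev@example.com", "group:developers@example.com"]},
    {"role": "roles/run.admin",
     "members": ["user:dev@example.com", "group:release-engineers@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]},
    {"role": "roles/bigquery.admin",
     "members": ["group:data-team@example.com"]}
  ]
}
"""


def load_policy(text):
    """Parse a JSON IAM policy into a dict."""
    return json.loads(text)


def roles_by_member(policy):
    """Invert the bindings: member -> set of roles it holds on this resource."""
    held = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            held.setdefault(member, set()).add(binding["role"])
    return held


def audit_policy(policy):
    """Return (check, member, detail) findings for the principles above.

    Caveat: group membership is not expanded inside a policy, so the
    separation-of-duties check only catches a conflict held by one member
    string. A user who gets one role directly and the other through a group
    must be checked against that group's membership separately.
    """
    findings = []
    for member, roles in sorted(roles_by_member(policy).items()):
        for role in sorted(roles & BASIC_ROLES):
            findings.append(("least-privilege", member,
                             f"holds basic role {role}; use a predefined or custom role"))
        if member in PUBLIC_MEMBERS:
            for role in sorted(roles):
                findings.append(("public-access", member,
                                 f"public grant of {role}"))
        for write_role, deploy_role in CONFLICTING_ROLE_PAIRS:
            if write_role in roles and deploy_role in roles:
                findings.append(("separation-of-duties", member,
                                 f"holds both {write_role} and {deploy_role}"))
        if member.startswith("user:"):
            findings.append(("grant-via-group", member,
                             f"holds {len(roles)} role(s) directly; grant them to a group instead"))
    return findings


def drop_basic_roles(policy):
    """Return a copy of the policy with every basic-role binding removed."""
    return {**policy,
            "bindings": [b for b in policy.get("bindings", [])
                         if b["role"] not in BASIC_ROLES]}


if __name__ == "__main__":
    for check, member, detail in audit_policy(load_policy(SAMPLE_POLICY_JSON)):
        print(f"[{check}] {member}: {detail}")
```

Run against a real project by saving the output of `gcloud projects get-iam-policy PROJECT --format=json` to a file and passing its contents to `load_policy`. Treat `drop_basic_roles` as the first step of a remediation, not the last: the Editor binding it removes must be replaced by the narrower predefined or custom roles the identity actually needs, or the workload will simply break.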

