Passionate technical leader with over 16 years of experience, defining product vision and strategy, and delivering software used by millions of people every day. Communications › Deep understanding of messaging, communication and collaboration scenarios, with extensive experience delivering business-critical software to meet those needs. Cloud Services › Proven track record of building highly scalable, highly available and performant cloud services. Product Development › I'm passionate about both the online consumer and corporate space, and have envisioned, driven and released products that have touched over 400M users in over 60 countries.
Breno has been interested in identity, authentication and authorization for a number of years. He has contributed to several standards (e.g. OpenID Connect, OAuth), for several years he was a lead of the OAuth platform at Google, and now he's interested in helping cloud customers solve their most complex identity scenarios.
About the talk
GCP has a myriad of identity capabilities, but what are the best tools to use for specific scenarios? Come join us as we give guidance on common patterns and best practices for configuring identity and authorization with GCP.
My name is Naveen Chand. I'm a product manager; I work on Google Cloud, on identity on GCP. Today I'll be presenting with some of my esteemed colleagues, Blake and Breno, whom you'll get to meet in a few minutes. So, why are we here? GCP offers a myriad of different identity capabilities, but what are the best identity features to use in specific scenarios? In this talk we'll walk through an overview of many of the different capabilities. We won't be going super deep into them, but we'll give you a good end-to-end picture of what that would look like and how you can stitch a solution together. We'll also link you to many of the other talks that'll be taking place that keep diving deeper into many of the technologies that we cover today.

In order to walk through the scenarios today, we're going to be introducing a company: a fictitious multinational organization. They have a distributed sales team, with salespeople coming from many different locations. They have a customer-facing portal, and one of their top objectives for 2019 is really the notion of digital transformation. So today some of the goals for the company are really to get their users onboarded onto GCP; make sure they're able to protect their sensitive accounts; securely and scalably manage access to GCP; be able to seamlessly enable their distributed sales force to get access to GCP in a quick and efficient manner; make sure that they can administer authentication and authorization consistently across their environments; and, since they have a customer-facing portal as well, reduce the complexity on the identity aspect of it.

Digging a little bit into their architecture, there are a few different types of identity that the company handles: employees, partners and services, which are all represented in their Active Directory instance. They also have a homegrown CIAM, or customer identity and access management, solution, which powers their portal page and is where their end-user identities are actually stored.

So the first thing we're going to walk through is really how the company is going to grant access into GCP. We're styling a few of the identity types: administrators granting access, developers, and also groups that encompass both of these different identity types. So after the company has registered with GCP and created an organization, they need to give their admins and developers access to the platform. In order to grant access to their developers, they use Google Cloud Identity, which is a Google service that allows customers to create and manage users and groups and how they have access to cloud resources. In addition to granting access to GCP, Google Cloud Identity is a complete IDaaS offering that is also available as a standalone product and supports life cycle management, device policies and provisioning across a multitude of applications. Since the company masters all their identities on-prem, the first step is really to get those identities inside of Cloud Identity, and they can leverage one of the tools, called Google Cloud Directory Sync, or GCDS for short. This tool allows you to select which users in your AD instance to sync, by using either an LDAP filter or by selecting specific OUs, saying "this is a good set of folks that I believe need to get access to my GCP resources." And so they can synchronize those identities over.

The next step is actually granting single sign-on for these people. So in addition to having representation, you want them to be able to use the username and password that they use with your AD in order to get in. In order to achieve this, they're going to configure a federation broker and use protocols like SAML in order to get single sign-on working with GCP. If the company were using one of the other identity platforms, they could have used some of the capabilities that are built into them that allow these platforms to directly provision into Google Cloud Identity.

We talked about employees, we talked about customers; let's talk a little bit more about service accounts for a second. Service accounts are really an identity for your application that enable programmatic access in many scenarios as well. We'll walk through one specific example in which you have an application that's running on-premises that needs to get access into GCP, in this case a GCS bucket. In order to do this, because it's an application, you don't want to have a username and password stored somewhere locally on your on-prem environment. So that's why you would create a service account, and with that service account you could create a key on it and use that from the on-prem environment in order to be able to authenticate up to Google Cloud. Some of the best practices with service accounts: because service accounts are robot accounts, they are usually fairly powerful. As always, the principle of least privilege is extremely important. Also, control your service accounts through policy; we'll be talking about a few of the different policy types that are possible and allow you to have much more granular control over where service accounts are used and how they're used. Use features like descriptions that allow you to specify the intent for which the service account was actually created. And then the last one, the most important part, is really to protect those downloaded keys. Developer keys should not have access to prod resources, for example; make sure that those keys are actually rotated, with a recurring cadence on which you do rotation; and audit the service account keys that have been created in your environment.

So we talked about how the company is able to grant their users access into GCP; they're now able to single sign-on. The next step is really to take some of those sensitive accounts and make sure that we have an extra layer of protection on top of them. For this, one of the best practices that we recommend, especially for highly privileged accounts, is using security keys. Based on FIDO standards, security keys are phishing-resistant second factors that use a cryptographic challenge and response to provide integrity of the authentication session. So keep your eyes peeled; there'll be an announcement coming at Next on something new in this area.

Let's look at the next level inside of security keys, just to learn a little bit more about how they work. The core idea is, in this case, Alice is navigating to a website, and when she tries to sign in, the server gives a challenge to the login web page. The web page asks the browser for a security key signature, and then you'll notice that it passes that to the security key, which actually signs the entire package: both the URL Alice is actually looking at right now, along with the challenge that was sent from the server. That is sent back up all the way to the server. We're now able to see that Alice's key signed this, that this was the actual current challenge that was specified and, most critically, that Alice was actually pointing to google.com, not some other website. This is where that protection around phishing attacks actually comes in: if somebody were to send Alice an email with a link that said goggle.com, for example, she would actually go there, and the server would reject the call, realizing that she's not on the website that she was intended to be on. So with that, I'm going to hand it over to my colleague Blake, who's going to walk us through access management.

Hi everyone, I'm Blake. I'm a product manager on Google Cloud IAM, and I'd like to thank Naveen for kicking us off with an overview of identity. Before we get into best practices, I do have a quick refresher course on some of the core concepts that are related here. Let's start with the resource hierarchy. The entire idea behind the resource hierarchy is so that you can easily map your organizational structure to GCP, for easy discoverability of resources, for delegation and for access policy management. There are three types of objects that exist in your hierarchy. The first, at the very top, is your organization; it's automatically provisioned when you sign up for Google Cloud, and everything, every GCP service, every project, every folder, will exist underneath this object. Next, let's talk about folders. Folders are really used for splitting up your GCP resources in a manner that matches your internal structure and is conducive to administration and policy management; best practices here we'll get into momentarily. Right now you are allowed up to four levels of folders for organizing your resources. Finally you have projects, which, by number at least, besides the services themselves, are probably the most numerous resource type you're going to have in your hierarchy, and ultimately your workloads in GCP services are going to reside inside of a project. Some services allow for more granular management of access policy below the project level, but most don't, so this is going to be a frequent attachment point for your access policies in GCP. We'll talk about that.

IAM itself is really all about who can do what on which resources. We talked about the who: Naveen took us through users, groups and service accounts. Let's start with the what. The what is what a principal can do; that is done through the granting of permissions to a principal, through the use of a role, a role being a group of permissions. And lastly, the which-resource part. In GCP you apply policies to the resources themselves, and so the typical attachment points in your resource hierarchy are going to be your organization, your folders or your projects. It is important to note there's actually a pretty big benefit to attaching policies in this way, which is that the role, or in effect the permissions, that the principal gets can be different for different resources depending on where you attach those policies. Based on where you apply a policy in this hierarchy, the access that you've granted is going to inherit down to everything below that level. Let's take a quick look at an example. So here, let's say that you gave a bucket admin role to a user at the organization level; that user is now able to access any bucket inside of that organization. Similarly, let's say that you granted that role to the user on that first folder. In this case they're able to access all the storage buckets only underneath those first two projects, because those projects are underneath that folder. And finally, applying that policy to an individual project would only grant the user access to the three buckets, for example, in this first project.

So, rounding out the refresher, let's take a look at what a policy actually looks like. Keep in mind that since policies are attached to resources, the applicable resource is really implied through that attachment. In the policy there are primarily two things: one, once again, a collection of permissions, and two, the members. There are two key focuses here as we get into best practices to make life easier for a large company like this. The first is that we want to make administration manageable, and the second is doing everything that they can to achieve that principle of least privilege. To make policy administration manageable, one of the best things the company can do is make sure that they start off using their resource hierarchy correctly. Since we know that the company is a large company with multiple business units that, for the most part, operate independently, we can make that our first layer of folders; I've got three business units up there. Underneath that, potentially one folder per team, below that a folder for an app, and below that a folder for environment. The benefit of arranging things in this manner is that it reduces the number of policies they need to manage while also maintaining the desired isolation they want between their business units, their teams, their applications and their environments. In this slide you see use cases: cloud administrators for each of their business units can be granted the necessary access at each of these top levels and have it inherit down to everything in their business unit; on-call groups could be configured at the team- or app-level folders for what they're supporting; engineering teams could be given their foundational access at the team level, with only the more granular policies applied down below. By making use of the resource hierarchy, they were able to avoid having to specify all of these policies in a very duplicative way, separately on all of their projects.

Moving on to achieving least privilege. The company had a few options available to them: owner, editor and viewer. They quickly found these to be far too permissive. What actually comes closer to achieving that principle of least privilege are the roles curated by service, and even further by persona or job role. There are several hundred of these roles in GCP that Google creates and curates; you can see some examples of those here. But for some of their grants, the company found that even the curated roles that we were providing were close but not exactly what they were looking for when it comes to granting access, and as a result they decided to take a look at custom roles. For example, they copied one of the BigQuery curated roles and removed a couple of permissions they didn't want to grant. In other cases the company can do the same but add a few additional permissions. They could also combine two curated roles to simplify their access grants.

Finally today, let's take a look at a feature that will be entering public beta soon. It allows the company to configure their access controls in an even more fine-grained manner. IAM Conditions add a layer of attribute-based access control on top of the role-based access control concepts that we just went through. This allows you to configure a role grant to provide access to a principal only if certain other conditions are also met. One such example of a condition would be granting access based on time. There are a couple of different ways you can do this. One, you can configure an access grant that is only valid before a specified expiration time. This will help with break-glass scenarios: just give the developer two hours of access to production to fix an issue, knowing that that access grant will be automatically revoked. This could also be done as part of a recurring schedule, granting access to a resource, let's say, Monday through Friday, nine to five. Another use could be project-level grants that only allow access to some of the resources of a given type in that project. For example, you could grant a Compute Admin role to a user, but with conditions specify that the user can only manage VMs whose name starts with "test-", or whatever other prefix you wanted to use. And finally, you can use conditions for context-aware access as well, by configuring a grant that is valid only so long as aspects of that user's context, such as their IP address or device security policy, are met. With the company having optimally configured their access policy for their GCP resources, they're now ready to move on to extending that access so that their distributed sales teams can access the internal and corporate apps that they need. Breno will tell you more about that.

Okay, so as Blake mentioned, I will go over how the company was able to enable seamless access to their apps and services for usage by the distributed sales force, and also how they can securely support the employees and developers working from home without need of a VPN. So let's now take a look at where the company stands on their digitization effort. They migrated some corp apps and their consumer portal to the cloud, but they still run several apps on premises. They want to enable the employees to access both sets of apps from their workplaces, from their homes and on the road, and they need their sales and partner staff to be able to access tools and demos when visiting a customer location, maybe when they're attending Cloud Next, or anywhere.

So here we get introduced to the BeyondCorp security model. Starting in 2011, Google created a new approach for access management, the BeyondCorp enterprise security model. It's a zero trust security model. That means that requests are not granted just based on where they originated in the network; instead, BeyondCorp systems verify that the requester has permissions to access the services that they invoke. So BeyondCorp shifts access controls from the network perimeter to individual users and devices, and allows employees to work securely from any location.

Let's look a little closer at how BeyondCorp works and how it can help the company. First let's look at the BeyondCorp solution components. It requires, for instance, that you have a strong notion of user identity. It doesn't say that you use phishing-resistant authentication, but it can leverage information about the session strength to make a decision based on the sensitivity of the request. It also requires context information such as location, device status, et cetera. It requires a rules engine that allows the IT security teams to define access rules. And finally it defines enforcement points that control access to the various resource types, such as web apps, VMs, APIs, etc. Google Cloud provides a solution to enable the BeyondCorp security model for your apps and infrastructure. This solution is called context-aware access; it integrates with multiple Google Cloud services to make BeyondCorp possible for your organization. One of the components is called VPC Service Controls, VPC-SC for short, and it improves your ability to mitigate the risk of data exfiltration from Google-managed services like Cloud Storage and BigQuery. With VPC Service Controls you can configure context-aware security perimeters around the resources in your Google-managed services, and you also can control the movement of data across the perimeter with egress controls. Cloud IAM we covered, thanks to Blake's presentation earlier. And Identity-Aware Proxy provides the enforcement for the ingress of services; it's an ingress proxy that provides Layer 4 to Layer 7 network filtering capabilities.

Now we are going to see how the company can achieve consistent security and access control management across their various environments, between on-premises and cloud-based apps. For that, let me introduce Istio to you. If you haven't heard about it, Istio is an open-source service mesh that layers transparently onto existing distributed applications. It is also a platform, including APIs, that let it integrate into any logging platform, telemetry or policy system. Istio's first feature is that it lets you efficiently run a distributed microservices architecture, and it provides a uniform way to secure, connect and monitor microservices. So why would you use Istio? Istio makes it easy to create a network of deployed services with load balancing, service-to-service authentication, monitoring and more, with few or no changes in service code. It can also be used to deliver secure service-to-service communication in a cluster with strong identity-based authentication and authorization based on mutual TLS. And with Google as a major contributor to Istio development and architecture, it means that using Istio you can take advantage of best-in-class strategies for microservice mesh management. You add Istio support to services by deploying a sidecar proxy throughout the environment that intercepts all network communication between microservices. One then configures and manages Istio using its control plane functionality. This allows, for instance, the company to distribute policy about network accessibility, about authentication and authorization, and audit policies, as well as telemetry configuration. The configuration is consumed by the Envoy proxy attached to each workload instance, and policy is enforced by the infrastructure. So in particular, why use Istio security? Istio delivers authentication and authorization as part of the platform; you get consistent compliance and remove the burden on app developers. In addition, authorization can use both the identity of the requesting user and that of the connecting peer. Istio delivers automatic metrics, logs and traces for all traffic in the cluster, including cluster ingress and egress, and it gives visibility into all operations and consistent audit support.

So now let's look at how the company leverages Istio and Google-managed services to achieve consistent security across the hybrid deployment. First let's look at how the company addresses access management for their on-premises apps. In the examples I will show, Istio is deployed in Kubernetes; in particular, in this scenario the company has deployed a GKE On-Prem cluster, but I would like to emphasize that Istio does not require Kubernetes; it can be used to manage more traditional on-premises data centers. The Envoy proxy is deployed in ingress as well as as a sidecar in each pod, and it manages all connections in and out of the cluster and in and out of each pod, so that provides the Istio enforcement point. Now let's see how a corp user who is authenticated with their corp credentials can access services in the cluster. So here, when the corp user makes a request to the company's HR app, Envoy terminates the TLS connection and enforces that the request includes user credentials, and performs the other ingress checks. Next the request can of course be forwarded to the HR app. In the sidecar, Envoy applies authorization rules; so for instance, it can require that the authenticated user have an administrative role if a privileged operation is invoked. As the request travels down the services stack, the HR app calls the back end, which also applies authorization rules, and these rules, as I mentioned before, can be based both on the peer, in this case the front end for the HR app, as well as on the requesting user.

So now let's look at a situation where a corp user is accessing the company's on-premises cluster from overseas. To take advantage of Google's fast and globe-spanning network, the company can route the remote access to the on-premises clusters through the Identity-Aware Proxy in Google Cloud. IAP provides additional authorization features, e.g. ensuring that access comes from a managed device. So this shows how BeyondCorp solutions can seamlessly extend to protect the company's on-premises apps. In fact, many IAP customers choose to use IAP as the ingress proxy for all their apps, whether the apps are on GCP, on premises or in other clouds.

Let's now look at how the company protects its cloud apps. We are assuming here that the company has already extended their identity authentication system to GCP by syncing their Active Directory with Cloud Identity, as Naveen went over earlier. So in this case the company has deployed a legacy application in a cloud-hosted VM, and IAP can be used to provide ingress enforcement of authentication and authorization when the company's employees access a legacy database hosted in the cloud. Legacy applications can also be protected on premises and when located in other clouds; you can do this using an Istio ingress proxy or using IAP, and of course if you use IAP you get the advantage of the context-aware enforcement rules.

So now let's show how you can deploy Istio on GKE using IAP for ingress. In this scenario, the company can configure role-based access control in both IAP and in the Envoy sidecars on each pod. And for instance, again IAP can deliver the context-aware functionality here, a requirement for second-factor authentication or for use of a trustworthy device, and the Envoy sidecar proxy can provide fine-grained authorization using service-specific configuration. We can also use the same architecture to protect access by end users of the customer portal. Authentication, authorization and audit are throughout the services stack at every level, and doing this reduces trust between systems, which means that it mitigates risk and facilitates compliance activities.

We also would like to hear about how Istio enhances the security of service-to-service communication. In particular, Istio allows the company to deploy a TLS certificate to each of their workloads, so services can now communicate with each other using mutual TLS to strongly identify the peer identity. Now let's explore how we can leverage the native workload identity of Kubernetes, and how this can improve additional aspects of service-to-service authentication. For instance, it can provide a simpler and more secure means to manage service credentials. The company can now add IAM bindings that allow a native Kubernetes workload identity to exercise an actAs permission on a GCP service account. The company can create a GCP service account and use that to grant access to specific permissions and resources, and then allow their workload identities the ability to impersonate this GCP service account. By doing this, the company achieves security without the burden of key management, because the authentication of the native workload identity is handled by the Kubernetes infrastructure. So with workload identity, GCP services can more easily be consumed by Kubernetes workloads; in addition, it makes it even easier to leverage Google-managed services such as Stackdriver monitoring and logging to seamlessly deliver functionality into the Istio platform.

So tying it all together, we can see that in the hybrid deployment the company can leverage the open-source Istio architecture and Google-managed services such as IAP and Stackdriver in a well-integrated environment that delivers consistent, transparent and auditable policy enforcement. In addition, through the integration of workload identity with IAM, the company can seamlessly consume GCP services from their GKE apps, with improved security by eliminating the need to manage keys. So now I want to ask Naveen to continue this presentation by showing how the company can achieve their goal to simplify identity management in their consumer apps.

Thank you, Breno. So hopefully that gave you a good overview of Istio, and we're going to continue on our story and our journey, now talking a little bit about customer identity and access management. In the presentation so far we've talked about identities for employees; we talked about developers and group usage; we also talked about how services would be protected and how you can use these across hybrid environments; and now we're heading into the customer identity and access management portion. The challenge that the company has with its current solution is that many of its people are spread across local CIAM instances that are hosted in several different parts of the country, but when these people travel, if a customer is accessing it from a different location than the one they were actually in, they experience a lot of high latency. I'd like to introduce you to Google Cloud Identity Platform, which allows you to add customer identity and access management capabilities into your apps. Identity Platform takes the foundation of Google's extensive and mature identity infrastructure and provides it to developers, in order to allow you to add this type of functionality into your apps, protect user accounts, and scale with the confidence that we have built throughout the Google stack. The platform includes a variety of capabilities that allow developers to select the type of functionality that they want: if they need a user store, it provides the user store; if you need to integrate with identity systems that exist outside, in the industry, such as SAML or OIDC, it has that capability; and lastly it also supports a multitude of different social auth providers. One of the great things, because it's Google and Google scale, is that whenever a person connects, regardless of where they're connecting from, they actually get access onto the Google connected instance that is closest to them, and so they would be able to get much reduced latencies for that initial authorization request on the company's infrastructure. One of the things to call out about Identity Platform is that it was formerly called Cloud Identity for Customers and Partners. It has now been renamed to Identity Platform and is in GA as of today, so we encourage you to go and try that out.

So just to wrap up, we talked about the different things that the company achieved: they were able to onboard their users to GCP; protect their sensitive accounts; securely manage access policies using many of the techniques that we talked about in the IAM portion; enable seamless access for the distributed sales team through tools like Identity-Aware Proxy and the BeyondCorp model; administer authentication and authorization consistently across their environments using tools like Istio; and then finally simplify the complexity of their customer portal using Identity Platform.
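The talk's IAM section describes three mechanics: a binding attached at organization, folder or project level inherits down the resource hierarchy; a role is a named group of permissions; and a binding may carry a condition such as an expiry time (break-glass) or a resource-name prefix like "test-". The following toy evaluator, added here as an example and not Google's IAM implementation, puts all three together on a constructed hierarchy so you can see which grants succeed and which are blocked. The resource names, the permission sets inside each role, the group membership and the condition syntax are all assumptions for illustration.

```python
"""Toy model of GCP IAM policy evaluation.

Added example for this page; it is not Google's IAM implementation. It models
bindings attached at organization, folder, project or resource level that
inherit downward, roles as named permission groups, and conditional bindings
(an expiry time for break-glass grants, or a resource-name prefix such as
"test-"). Resource names, role contents and condition syntax are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterator, List, Optional, Set

# Role -> permissions (assumed subsets of the real curated roles).
ROLES: Dict[str, Set[str]] = {
    "roles/storage.admin": {"storage.buckets.delete", "storage.objects.get"},
    "roles/storage.objectViewer": {"storage.objects.get"},
    "roles/compute.admin": {"compute.instances.delete", "compute.instances.get"},
}

# Group expansion (constructed): a "group:" principal contains these members.
GROUPS: Dict[str, Set[str]] = {
    "group:hr-oncall@example.com": {"user:erin@example.com"},
}


@dataclass
class Binding:
    role: str
    members: Set[str]
    expires_at: Optional[datetime] = None  # grant valid only before this instant
    name_prefix: Optional[str] = None      # grant valid only for resources named <prefix>*

    def condition_holds(self, resource: str, now: datetime) -> bool:
        if self.expires_at is not None and now >= self.expires_at:
            return False
        if self.name_prefix is not None:
            leaf = resource.rsplit("/", 1)[-1]  # simplification: match on the leaf name only
            if not leaf.startswith(self.name_prefix):
                return False
        return True


# Resource hierarchy as child -> parent (constructed). Leaves are buckets and VMs.
PARENT: Dict[str, str] = {
    "folders/sales": "organizations/123",
    "projects/sales-prod": "folders/sales",
    "projects/sales-test": "folders/sales",
    "projects/hr-prod": "organizations/123",
    "projects/sales-prod/buckets/invoices": "projects/sales-prod",
    "projects/hr-prod/buckets/payroll": "projects/hr-prod",
    "projects/sales-test/instances/test-web-1": "projects/sales-test",
    "projects/sales-test/instances/web-1": "projects/sales-test",
}

# Two-hour break-glass window for dave on the prod project (constructed times).
BREAK_GLASS_END = datetime(2019, 4, 10, 12, 0, tzinfo=timezone.utc)
DURING_BREAK_GLASS = datetime(2019, 4, 10, 11, 0, tzinfo=timezone.utc)
AFTER_BREAK_GLASS = datetime(2019, 4, 10, 13, 0, tzinfo=timezone.utc)

# Policies attached to hierarchy nodes (constructed).
POLICIES: Dict[str, List[Binding]] = {
    "organizations/123": [Binding("roles/storage.admin", {"user:alice@example.com"})],
    "folders/sales": [Binding("roles/storage.objectViewer", {"user:bob@example.com"})],
    "projects/hr-prod": [Binding("roles/storage.objectViewer", {"group:hr-oncall@example.com"})],
    "projects/sales-test": [Binding("roles/compute.admin", {"user:carol@example.com"},
                                    name_prefix="test-")],
    "projects/sales-prod": [Binding("roles/storage.admin", {"user:dave@example.com"},
                                    expires_at=BREAK_GLASS_END)],
}


def ancestors(resource: str) -> Iterator[str]:
    """Yield the resource itself, then each parent up to the organization."""
    node: Optional[str] = resource
    while node is not None:
        yield node
        node = PARENT.get(node)


def expand(principal: str) -> Set[str]:
    """The principal plus every group it belongs to."""
    return {principal} | {g for g, members in GROUPS.items() if principal in members}


def has_permission(principal: str, permission: str, resource: str, now: datetime) -> bool:
    """True if a binding on the resource or any ancestor grants the permission to the
    principal (directly or via a group) and that binding's condition holds."""
    identities = expand(principal)
    for node in ancestors(resource):
        for b in POLICIES.get(node, []):
            if not (b.members & identities):
                continue
            if permission not in ROLES.get(b.role, set()):
                continue
            if b.condition_holds(resource, now):
                return True
    return False


if __name__ == "__main__":
    print(has_permission("user:dave@example.com", "storage.buckets.delete",
                         "projects/sales-prod/buckets/invoices", AFTER_BREAK_GLASS))
```

Note that a conditional binding whose condition fails simply does not grant; evaluation continues up the hierarchy, which is why an org-level admin such as alice is unaffected by conditions attached lower down.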
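The security-key walkthrough earlier in the talk (Alice, the challenge, and the goggle.com lookalike) hinges on one detail: the browser, not the page, records the origin it is showing, the key signs that origin together with the server's challenge, and the server refuses anything signed for a different origin. The simulation below is an added example, not Google's or the FIDO Alliance's code. To keep it standard-library only, the authenticator's per-site key pair is replaced by an HMAC secret that the server holds as the "registered key" (an assumption; a real key uses a public-key signature), which leaves the origin and challenge checks, the part the talk describes, intact.

```python
"""Simulated security-key sign-in showing the origin binding behind FIDO's
phishing resistance.

Added example for this page; not Google's or the FIDO Alliance's code. The
authenticator's per-site key pair is replaced by an HMAC secret shared with the
server (assumption: keeps the example standard-library only). The point shown is
that the browser writes the origin it is displaying into the signed client data,
so an assertion obtained on a look-alike domain is rejected by the real server.
"""
import hashlib
import hmac
import json
import os
import secrets
from typing import Dict, Tuple

REAL_ORIGIN = "https://accounts.google.com"
PHISH_ORIGIN = "https://goggle.com"  # the look-alike domain from the talk


class SecurityKey:
    """Stand-in authenticator: signs exactly the bytes the browser hands it."""

    def __init__(self) -> None:
        self.secret = os.urandom(32)

    def sign(self, client_data: bytes) -> str:
        return hmac.new(self.secret, client_data, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.keys: Dict[str, bytes] = {}   # user -> registered key material
        self.pending: Dict[str, str] = {}  # user -> outstanding challenge

    def register(self, user: str, key: SecurityKey) -> None:
        self.keys[user] = key.secret

    def begin_login(self, user: str) -> str:
        challenge = secrets.token_hex(16)
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user: str, client_data: bytes, signature: str) -> str:
        data = json.loads(client_data)
        # 1. The challenge must be the one currently outstanding for this user.
        if data.get("challenge") != self.pending.get(user):
            return "reject: unknown or already-used challenge"
        # 2. The origin the browser recorded must be this server's own origin.
        if data.get("origin") != self.origin:
            return "reject: origin mismatch (%s)" % data.get("origin")
        # 3. The signature must cover exactly that client data.
        expected = hmac.new(self.keys[user], client_data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return "reject: bad signature"
        del self.pending[user]  # a challenge is single use
        return "ok"


def browser_assert(page_origin: str, challenge: str, key: SecurityKey) -> Tuple[bytes, str]:
    """The browser builds the client data; the page cannot override 'origin'."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    return client_data, key.sign(client_data)


def _setup() -> Tuple[Server, SecurityKey]:
    server, key = Server(REAL_ORIGIN), SecurityKey()
    server.register("alice", key)
    return server, key


def honest_login() -> str:
    """Alice signs in on the real site."""
    server, key = _setup()
    challenge = server.begin_login("alice")
    client_data, sig = browser_assert(REAL_ORIGIN, challenge, key)
    return server.finish_login("alice", client_data, sig)


def phished_login() -> str:
    """A phisher fetches a real challenge, shows Alice a login page on goggle.com,
    and relays her key's signature to the real server."""
    server, key = _setup()
    challenge = server.begin_login("alice")  # obtained by the phisher from the real site
    client_data, sig = browser_assert(PHISH_ORIGIN, challenge, key)
    return server.finish_login("alice", client_data, sig)


def replayed_login() -> Tuple[str, str]:
    """A captured good assertion cannot be submitted a second time."""
    server, key = _setup()
    challenge = server.begin_login("alice")
    client_data, sig = browser_assert(REAL_ORIGIN, challenge, key)
    first = server.finish_login("alice", client_data, sig)
    second = server.finish_login("alice", client_data, sig)
    return first, second


if __name__ == "__main__":
    print(honest_login(), "|", phished_login(), "|", replayed_login())
```

The phished attempt fails even though the challenge is fresh and the signature is genuine, because the signed client data says `https://goggle.com`; a one-time code typed into the phishing page would have no such binding and would be relayed successfully.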