Integrating existing identity management solution with Google Cloud Platform
Given below are the steps to integrate a third party identity management platform
- You should have a domain that is enabled for email. In case of a preexisting domain registered with Google or a non-existent domain you cannot proceed
- You should have permissions to verify domain ownership by creating txt or CNAME entry
- Implement SAML SSO if existing identity management system is to be used for authentication to GCP console
- Create the first cloud identity administration account and account for admin who will manage users in GCP
- Configure billing accounts- this can either be an online account or offline invoiced account linked to a Purchase Order. For applying for an invoiced billing account you would need to meet certain criteria , ie be a registered business for one year, have min billing of $2500/month for 3 months
- Create additional admin accounts like network admins or organization admins
- Use directory sync to sync identities. Passwords are not synced by default unless you choose to do so. Synching passwords is not a best practices and it is recommended to use SSO instead
- You can also use third party IDP connectors such as connectors from Ping, Okta or Azure AD G Suite connector
Recommended usage of service accounts
Service accounts are used in access management scenarios where human users are not involved, for e.g.: when applications want to access a DB, storage or similar resources in Google cloud.While using service account to authenticate to other Google Services and APIs, it is recommended to use a user-managed service account and not default service accounts(default service accounts are created when you enable a Google cloud service). After attaching a user-managed service account to resources, you should use application default credentials(ADC) for authentication. ADC should be configured in the application environment and is automatically used by client libraries for authentication
Envelope encryption
Envelope encryption is the process of implementing multiple layers of key , where one key is encrypted with another. The encryption can either be done at application or storage layer. The default encryption offered by Google is also envelope encryption, but the central keystore is Google's internal key management system. You can also choose to use KMS instead of the internal key management system
Data Encryption Keys(DEK) - used for data encryption, should be generated locally and stored with encryption at rest
Key Encryption Key(KEK)- Used for encryption DEK. Recommended to store centrally(in KMS) and rotate regularly
The process happens as follows
DEK generated locally-> Data encrypted with DEK-> DEK wrapped with KEK-> Encrypted data and wrapped DEK stored in storage system->KEK stored in KMS
0 comments:
Post a Comment