Source URL: https://cloud.google.com/blog/products/identity-security/automate-access-control-with-sensitive-data-protection-and-conditional-iam/
Source: Cloud Blog
Title: Safer by default: Automate access control with Sensitive Data Protection and conditional IAM
Feedly Summary: The first step towards protecting sensitive data begins with knowing where it exists. Continuous data monitoring can help you stay one step ahead of data security risks and set proper access controls to ensure data is used for the right reasons while minimizing unnecessary friction.
Google Cloud’s Sensitive Data Protection can automatically discover sensitive data assets and attach tags to your data assets based on sensitivity. Using IAM conditions, you can grant or deny access to data based on the presence or absence of a sensitivity level tag key or tag value.
This feature can help you:
Automate access control across various supported resources based on attributes and classifications of the data in those resources. Automation helps you keep up with the growth and changes in the data in your organization, folders, and projects.
Restrict access to the supported resources like Cloud Storage, BigQuery and CloudSQL until those resources are profiled and classified by Sensitive Data Protection. This practice is in accordance with the secure by default principle.
Change access to a resource automatically as the data sensitivity level for that resource changes.
Automated discovery and conditional access
Sensitive Data Protection can look for evidence of sensitive data such as personally identifiable information, secrets, medical information, financial documents, and more. Discovery uses this technology to continuously monitor your data footprint looking for new assets and critical changes in existing assets that might increase or decrease risk to your business.
Along with continuous monitoring, you can enable automated actions so that you can remediate issues as they arise and ensure that your data insights are deeply integrated downstream to power security workflows like data security posture management and enrich SecOps findings. With Sensitive Data Protection and Security Command Center, you can get vulnerability and posture alerts when sensitive data is exposed publicly or when credentials or passwords are found in storage systems.
Image showing geo map and results from a discovery scan of sensitive data
You can help prevent issues by leveraging conditional IAM allow and deny policies along with a new Discovery action to automatically tag your assets based on their sensitivity.
With IAM Conditions, you can choose to grant or deny access to principles based on the presence of a tag or the value of a tag. This allows you to ensure that access is only granted when the right tag attributes are present for that user or principal accessing. With deny policies, you can proactively deny access based on a tag attribute.
This enables safer default scenarios such as:
You have highly sensitive data and want to ensure that certain principals are denied access to that across your project or org.
You have a lot of new data entering your platform and want to allow access only once it’s been scanned and tagged appropriately.
Safer by default, automated
With Sensitive Data Protection’s automated data tagging and IAM conditional access, you can help automate proper access control.
Consider the following example: Your data team creates new BigQuery tables throughout the week. These tables are moved and shared across a handful of projects and datasets. You want to keep business momentum by sharing these tables automatically with the broader team, but are concerned that some of these assets may contain highly sensitive customer data like personally identifiable information (PII) or moderately sensitive data like demographic information. Those two categories of data should only be seen by a select set of roles on the team, while nonsensitive data can be shared with the whole team.
Step 1 – Create IAM Tags
First, create a set of tags to represent these three categories:
Level 1 : Low Sensitivity (no PII) Level 2 : Moderate Sensitivity (names and demographic details) Level 3 : High Sensitivity (unique or sensitive identifiers)
Image showing Tags create indicating three levels of data sensitivity
Step 2 – Enable IAM Conditional Access
Grant access to your data team with the condition that data has been automatically tagged as “Level 1” or “Low” sensitivity data.
Image showing an IAM condition based on a tag
Access to tables that are not tagged appropriately will now be blocked.
Step 3 – Enable action for “Automated Tags”
Enable the “Tag resources” action in your Sensitive Data Protection discovery scan configuration and map the Sensitivity Level to the appropriate tag in your organization.
Image showing the configuration of Sensitive Data Protection to automatically apply tags based on sensitivity level
Now, when a table is created, your team won’t get access to it until it’s been automatically discovered, classified, and tagged by Sensitive Data Protection. For the higher sensitivity assets, you can ensure that only the right roles have access by adding the appropriate conditions to their IAM grants.
Using IAM Deny
The examples above used conditional IAM grants to allow access based on the sensitivity. You may also have cases where you want to deny access based on the sensitivity. For example, consider an environment where access is granted to a partner to specific tables for different use cases. You want to ensure that this partner is not granted access to any highly sensitive data. For this, we’ll use an IAM deny policy.
For this example, we’ll assume that you’ve followed all the steps above. Now you want to create a deny policy for the partner group account called partner@example.org.
To do this, you can use the Google Cloud CLI (gcloud) or IAM API to deploy a policy to your project or organization. The following example will deny access to BigQuery tables based on the presence of the tag value for high sensitivity data (Level 3).
code_block
When this partner account tries to access a highly sensitive table, their access will be blocked:
Next steps
To get started on automating sensitive data discovery and conditional access control, see the following:
Sensitive Data Protection Discovery
Control IAM access based on data sensitivity
AI Summary and Description: Yes
**Summary:** The text provides an in-depth overview of Google Cloud’s Sensitive Data Protection feature, which automates the discovery and classification of sensitive data in cloud resources. It emphasizes the importance of continuous monitoring, conditional access control, and automatic tagging in enhancing data security and ensuring compliance with privacy regulations.
**Detailed Description:**
The text elaborates on how Google Cloud’s Sensitive Data Protection enables businesses to safeguard sensitive information while streamlining data access management. Here are the major points of significance:
– **Continuous Data Monitoring:**
– Critical for identifying and managing sensitive data to mitigate security risks.
– Helps in setting appropriate access controls, reducing unnecessary friction in data access.
– **Automated Discovery and Tagging:**
– Sensitive Data Protection can automatically classify data assets, identifying sensitive information such as personally identifiable information (PII), secrets, and financial documents.
– Integration with IAM (Identity and Access Management), allowing access controls based on the sensitivity level of the data.
– **IAM Conditional Access:**
– Access can be dynamically restricted based on the sensitivity tags assigned.
– Grants or denies access based on the presence of specific data sensitivity tags, enforcing stricter compliance and governance.
– **Safer by Default Principle:**
– Access to resources like Cloud Storage and BigQuery is restricted until data is classified, aligning with security best practices.
– The system ensures that only the necessary personnel have access to sensitive information, thereby minimizing potential data breaches.
– **Practical Workflow Example:**
– The example of tagging new BigQuery tables based on sensitivity provides a practical illustration of implementing IAM conditional access.
– Automating the tagging process helps maintain security as new data is introduced, eliminating gaps in protection.
– **Use of Deny Policies:**
– Deny policies can be created to prevent specific user groups (e.g., partners) from accessing sensitive data, adding another layer of security.
– **Integration with Security Operations:**
– Continuous monitoring facilitates integration with SecOps, allowing teams to respond swiftly to vulnerabilities.
– Alerts on exposure of sensitive data enhance organizational security posture.
Key Takeaways for Security and Compliance Professionals:
– Leveraging automated tools like Sensitive Data Protection can significantly enhance an organization’s data governance strategy by aligning with compliance requirements.
– Understanding how to effectively implement IAM conditions and deny policies can mitigate access-related risks and enforce security best practices.
– Continuous monitoring and management of sensitive data assets are essential components in a robust security framework, particularly in cloud environments.
This comprehensive approach to managing sensitive data not only bolsters security but also provides organizations with a method to streamline access control processes while adhering to compliance mandates.