Gain access visibility and control with Access Transparency and Access Approval
Alexander Harrison
Product Manager, Google Cloud Security
Anil Nandigam
Product Marketing Lead, Google Cloud Security
Organizations within regulated industries must balance cloud benefits with potential security and regulatory concerns. These include strict requirements to audit and control the cloud provider, especially when it comes to accessing the organization’s data and workloads.
At Google Cloud, we're focused on providing our customers many ways to help achieve their security, compliance, and regulatory outcomes. Among these capabilities are Access Transparency and Access Approval, which give our customers direct oversight of Google Cloud access to their resources when customer assistance or disaster recovery operations are underway.
Full visibility and control with Access Transparency and Access Approval
Access Transparency and Access Approval provide the visibility and control that Google Cloud customers need in order to address access requirements for security and compliance. Each customer’s data in Google Cloud is protected via a privileged access approach, which ensures that access to customer data is secured via multiple controls. By default, Google does not have access to customer data. Occasionally, upon customer request, Google admin personnel may ask to access customer assets in order to fulfill the customer’s support request. These requests require business justification.
Google’s commitment to customer data access is two-fold:
- Access Approval gives customers the control to either approve or deny Google administrative access. A request to the customer is initiated before any access is permitted to Google personnel. When a request is approved, access is permitted for a configurable, limited period of time or until access is revoked by a customer administrator.
- Access Transparency provides visibility into Google’s access to customer data in the form of audit logs. These logs provide granular information about the reason for the access, the role performing the access, and the data or resource that has been accessed.
Commerzbank AG, one of Germany’s largest banking institutions, is using both Access Transparency and Access Approval to expand visibility and control over its resources in Google Cloud.
“As a bank, for every application we move to the cloud, we have to consider a wide range of security and compliance requirements, including underlying services consumed. That’s why, as a prerequisite for leveraging the services, we need to have the ability to both control and validate cloud provider access to our workloads. We’re achieving this by combining Access Approval and Access Transparency on Google Cloud.”
Christian Gorke, Head of Cyber Center of Excellence, Commerzbank AG
Meeting security and compliance requirements
Regulatory compliance requirements such as European banking regulations require end-to-end audit capabilities for privileged access, including cloud provider access management. Access Approval and Access Transparency on Google Cloud can help customers address these requirements through a tiered approach of controlled access and auditable logs. Access Approval is turned on so that access requests, especially those involving sensitive workloads, are thoroughly reviewed before access is granted.
With Access Transparency activated, the cloud provider’s actions on the customer's resources (once the access has been approved) are all recorded in Cloud Logging. These access logs are generated in real time, provide an auditable record of administrative accesses, and can be used to address compliance requirements.
“We were looking for a cloud provider compliance and governance solution to support our invisible security system. With Access Approval and Access Transparency, we can enable our individual teams, products, and services to decide how to interact with Google Cloud support. The democratized access approval and transparent audit trail tracking of Google Cloud personnel helps us to save time without compromising on compliance and security,” said Gorke.
Shaping a secure and compliant cloud future
Google Cloud took a software-defined approach to building security and compliance controls. We offer Assured Workloads solutions that allow our customers to run regulated workloads in many of Google Cloud's global regions. Access Approval and Access Transparency are core capabilities of Google Cloud that help you quickly and easily apply controls and guardrails, either independently or as part of Assured Workloads, to meet global regulatory compliance requirements.
To learn more about Assured Workloads, check this documentation. You can get started with Access Transparency by enabling it in a Google Cloud project, and get started with Access Approval by following these instructions.