Introducing Organization Restrictions, a new way to keep threat actors out
Product Manager, Google Cloud
Product Marketing Lead, Google Cloud Security
In Google Cloud, IAM Policies provide administrators with fine-grained control over who can use resources within their Google Cloud organization. With Organization Restrictions, a new generally available Google Cloud security control, administrators can restrict users’ access to only resources and data in specifically authorized Google Cloud organizations. It does this by restricting Google Cloud organization access to traffic originating from corporate-managed devices.
Mitigating data exfiltration risks with Organization Restrictions
Even for well-defended and managed Cloud organizations, there are multiple ways an attacker might seek to exfiltrate data. For example, a threat actor could create a rogue organization and grant your company’s employees access to it. The threat actor is banking on human error, hoping one of your company employees mistakenly uploads sensitive information to this rogue organization instead of the company's actual organization in Google Cloud. Similarly, a malicious insider could deploy their own rogue Google Cloud organization, grant their corporate identity access to this rogue organization via IAM policy, and exfiltrate corporate data to this destination.
Organization Restrictions mitigates the risk of these data exfiltration events by allowing security administrators to set guardrails on what resources their principals or users are allowed to interact with regardless of what access permissions they have been granted via IAM policies.
How Organization Restrictions works
Organization Restrictions are implemented for corporate-managed devices that have been configured to route all of their traffic to Google Cloud through a corporate-managed egress proxy:
Security administrators configure the egress proxy to insert a newly-introduced HTTP header called X-Goog-Allowed-Resources for all Google Cloud-bound requests. The header value contains a list of authorized Google Cloud organizations that can be accessed by requests traversing the proxy. Once a request containing this header reaches Google Cloud, the Organization Restrictions service enforces that the request can only access resources that belong to the Google Cloud organizations specified.
For example, the sample header value below specifies that all requests containing this header can only access resources in the 22222222 Google Cloud organizations:
Once an administrator drafts this header value and encodes it in a web-safe base64 format, they configure their egress proxy to insert this header for all Google Cloud-bound requests. Subsequently, employee access requests for resources not parented by either of these organizations will be denied access. That’s it — you have now successfully added another layer of protection against unauthorized access to your resources and data.
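To make the header mechanics concrete, here is an added example (not code from the original post or from Google) that builds the X-Goog-Allowed-Resources value from a list of organization IDs, decodes it again, and models the allow/deny decision the Organization Restrictions service makes. It assumes the header payload is JSON with an "organizations" list in the "organizations/<ID>" form, as the public documentation describes; the organization IDs are constructed placeholders.

```python
import base64
import json

# Constructed sample: two authorized organization IDs (placeholders, not real orgs).
AUTHORIZED_ORG_IDS = ["11111111", "22222222"]


def build_allowed_resources_header(org_ids):
    """Build the X-Goog-Allowed-Resources value the egress proxy injects.

    Assumption: the payload is JSON with an "organizations" list in the
    "organizations/<ID>" resource-name form, then web-safe (URL-safe)
    base64-encoded as the post describes.
    """
    payload = {"organizations": [f"organizations/{oid}" for oid in org_ids]}
    raw = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).decode("ascii")


def parse_allowed_resources_header(value):
    """Decode the header back to the set of allowed organization IDs.

    Tolerates missing base64 padding, which some proxies strip, so that a
    stripped value is still interpreted rather than rejected as malformed.
    """
    padded = value + "=" * (-len(value) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    orgs = payload.get("organizations", [])
    return {o.split("/", 1)[1] for o in orgs if o.startswith("organizations/")}


def is_request_allowed(header_value, resource_parent_org_id):
    """Model the enforcement decision: a request carrying the header may
    touch a resource only if the resource's parent organization is listed.

    A request without the header is not subject to this control (only the
    IAM policy applies), matching the post's "once a request containing
    this header reaches Google Cloud" wording.
    """
    if header_value is None:
        return True
    return resource_parent_org_id in parse_allowed_resources_header(header_value)


if __name__ == "__main__":
    header = build_allowed_resources_header(AUTHORIZED_ORG_IDS)
    print("X-Goog-Allowed-Resources:", header)
    print("access to org 22222222 allowed:", is_request_allowed(header, "22222222"))
    print("access to rogue org 99999999 allowed:", is_request_allowed(header, "99999999"))
```

The rogue-organization case from the exfiltration scenario above is the second check: even if IAM grants the user a role there, the proxy-injected header never lists that organization, so the request is denied.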
Working with our security ecosystem partners to deliver the solution
Organization Restrictions can be enabled in egress proxies provided by our security partners. Customers have the flexibility to choose their preferred vendor’s egress proxy as long as it satisfies these prerequisites. F5 Networks, Fortinet, and Palo Alto Networks are some of the partners that help us deliver Organization Restrictions in conjunction with their proxy products. Here’s what they had to say:
“We are excited to collaborate with Google Cloud to further support our customers to strengthen their security and protect their Google Cloud environment. Our F5 BIG-IP SSL Orchestrator integration with Google Cloud Organization Restrictions enables our joint customers to restrict access to only authorized Google Cloud Organizations and helps prevent data exfiltration from insider attacks. This integration provides another tool in our customers' arsenal to secure their Google Cloud environment.” — Kevin Stewart, Principal Product Manager, F5
“Companies face extreme pressure to deliver consistent, enterprise-grade security across their entire business – from on-premises data centers, to branches and cloud deployments. It is critical that we as an industry continue to deliver new solutions, features, and security controls, such as Google Cloud’s Organization Restrictions, to meet the evolving cybersecurity requirements of today’s businesses. We are proud to be a Google Cloud partner and look forward to the continued collaboration and innovation as we work together to help customers reduce their overall technology complexity and minimize their attack surface.” – Vincent Hwang, Senior Director of Cloud Security, Fortinet
"Our Next-Generation Firewalls help protect our customers from unauthorized or unintended data leaks. We are excited about Google Cloud's Organization Restrictions capability that helps prevent data exfiltration for our cloud customers. Our firewalls can easily be configured to block traffic based on the new Google Cloud Org Restrictions header, giving our joint customers another layer of protection for their sensitive data." — Mukesh Gupta, VP Product Management, Palo Alto Networks
Getting started with Organization Restrictions
Organization Restrictions is available at no additional cost for Google Cloud users. You can get started with Organization Restrictions by visiting our documentation page where you can learn more about egress proxy prerequisite requirements, additional configuration options, and Google Cloud services which support organization restrictions enforcement. Lastly, if you are looking to test this feature without the use of an egress proxy, we recommend that you visit the step-by-step testing guide.