Google Cloud Security Fundamentals: Identity and Access Management

This walkthrough explores the foundational security services within Google Cloud Platform through a series of hands-on labs. The progression moves from basic identity management concepts through advanced encryption and network security implementations, establishing the security expertise required for enterprise cloud deployments.

Each lab demonstrates practical security patterns while building toward comprehensive cloud security architectures that address real-world requirements for data protection, access control, and compliance.

Lab 1: Implement Cloud Security Fundamentals on Google Cloud

Security implementation begins with understanding the fundamental services and their integration patterns. This foundational lab establishes the security baseline and introduces the core services that will be explored in subsequent labs.

Implementation Overview

Security Services Architecture: The lab introduces the relationship between identity management, encryption, network security, and access controls as integrated components of a comprehensive security strategy.

Core Security Principles:

• Defense in Depth: Multiple layers of security controls working together
• Least Privilege Access: Granting minimum necessary permissions
• Zero Trust Architecture: Verifying every access request regardless of source
• Compliance by Design: Building security controls that support regulatory requirements

Service Integration Patterns: Understanding how IAM, KMS, VPC networking, and application-level security work together to create secure cloud environments that scale with business requirements.

Security Architecture Foundation

Identity Management Layer: IAM serves as the foundation for all access control decisions, providing centralised identity verification and authorisation across all Google Cloud services.

Encryption Layer: Cloud KMS provides centralised key management for protecting data at rest and in transit, with integration across storage, compute, and database services.

Network Security Layer: VPC networking with private clusters and controlled peering creates secure communication channels while isolating resources from external threats.

Application Security Layer: Identity-Aware Proxy provides application-level access control that supplements network and infrastructure security measures.

Lab 2: Cloud IAM Quickstart

Identity and Access Management forms the cornerstone of cloud security. This lab establishes fundamental IAM concepts through practical implementation of role-based access control patterns.

Implementation Strategy

Basic IAM Policy Configuration:

# List current IAM policies for audit baseline
gcloud projects get-iam-policy $PROJECT_ID \
  --format="table(bindings.role,bindings.members:list)"

# Add user with viewer permissions
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="user:analyst@company.com" \
  --role="roles/viewer"

# Verify policy assignment
gcloud projects get-iam-policy $PROJECT_ID \
  --flatten="bindings[].members" \
  --format="table(bindings.role,bindings.members)"

Access Verification Testing:

# Test access with different user contexts
gcloud auth activate-service-account test-account@project.iam.gserviceaccount.com \
  --key-file=test-key.json

# Attempt resource access to verify permissions
gcloud compute instances list --format="table(name,zone,status)"

Security Architecture Principles

Role-Based Access Control (RBAC): IAM roles provide granular permission sets that align with job functions and responsibilities, enabling scalable access management across large organisations.

Principle of Least Privilege: Starting with minimal permissions and adding specific access as needed reduces security risks while maintaining operational efficiency.

Audit and Compliance: IAM provides comprehensive logging of all access decisions, supporting compliance requirements and security investigations.

Lab 3: Cloud IAM Custom Roles

Organisational requirements often exceed the scope of predefined roles. This lab demonstrates creating custom roles that provide precise permission sets aligned with specific business functions.

Implementation Strategy

Custom Role Definition:

# Create role definition file
cat > custom-storage-role.yaml << EOF
title: "Custom Storage Analyst"
description: "Limited storage access for data analysis"
stage: "GA"
includedPermissions:
- storage.objects.get
- storage.objects.list
- storage.buckets.get
- storage.buckets.list
EOF

# Create custom role from definition
gcloud iam roles create customStorageAnalyst \
  --project=$PROJECT_ID \
  --file=custom-storage-role.yaml

Permission Validation:

# Test custom role permissions
gcloud iam roles describe customStorageAnalyst \
  --project=$PROJECT_ID \
  --format="yaml(includedPermissions)"

# Assign custom role to user
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="user:data-analyst@company.com" \
  --role="projects/$PROJECT_ID/roles/customStorageAnalyst"

Role Lifecycle Management:

# Update custom role with additional permissions
gcloud iam roles update customStorageAnalyst \
  --project=$PROJECT_ID \
  --add-permissions="monitoring.timeSeries.list"

# Create new version of role
gcloud iam roles undelete customStorageAnalyst \
  --project=$PROJECT_ID

Security Architecture Principles

Precision Access Control: Custom roles enable exact permission matching to job requirements, eliminating unnecessary access while maintaining operational capability.

Organisational Alignment: Role definitions can reflect specific organisational structures and compliance requirements that predefined roles cannot address.

Change Management: Version control and lifecycle management for custom roles ensures security policies evolve with organisational needs.

Lab 4: Service Accounts and Roles Fundamentals

Service accounts provide secure authentication for applications and automated systems. This lab demonstrates best practices for service account creation, management, and security.

Implementation Strategy

Service Account Creation:

# Create service account for specific application
gcloud iam service-accounts create web-app-backend \
  --display-name="Web Application Backend Service" \
  --description="Service account for backend API authentication"

# Assign minimal required roles
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:web-app-backend@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/storage.objectViewer"

Workload Identity Configuration:

# Enable workload identity for GKE integration
gcloud container clusters update secure-cluster \
  --workload-pool=$PROJECT_ID.svc.id.goog \
  --zone=us-central1-a

# Bind Kubernetes service account to Google service account
gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:$PROJECT_ID.svc.id.goog[default/web-app-ksa]" \
  web-app-backend@$PROJECT_ID.iam.gserviceaccount.com

Key Management Best Practices:

# Generate short-lived access tokens instead of keys
gcloud auth print-access-token \
  --impersonate-service-account=web-app-backend@$PROJECT_ID.iam.gserviceaccount.com

# List and rotate service account keys when necessary
gcloud iam service-accounts keys list \
  --iam-account=web-app-backend@$PROJECT_ID.iam.gserviceaccount.com

Security Architecture Principles

Machine Identity Management: Service accounts provide secure, auditable identity for applications without requiring human credential management.

Token-Based Authentication: Short-lived access tokens eliminate the security risks associated with long-lived credential files.

Workload Identity Integration: Native integration with container orchestration platforms provides seamless authentication without credential exposure.

Lab 5: VPC Network Peering

Network isolation through multiple VPCs provides strong security boundaries while enabling controlled connectivity between isolated environments. This lab demonstrates secure inter-network communication patterns.

Implementation Strategy

Multi-VPC Architecture Setup:

# Create production VPC with private subnets
gcloud compute networks create production-vpc \
  --subnet-mode=custom \
  --bgp-routing-mode=regional

gcloud compute networks subnets create prod-backend-subnet \
  --network=production-vpc \
  --range=10.1.0.0/24 \
  --region=us-central1 \
  --enable-private-ip-google-access

# Create shared services VPC
gcloud compute networks create shared-services-vpc \
  --subnet-mode=custom \
  --bgp-routing-mode=regional

gcloud compute networks subnets create shared-subnet \
  --network=shared-services-vpc \
  --range=10.2.0.0/24 \
  --region=us-central1 \
  --enable-private-ip-google-access

Bidirectional Peering Configuration:

# Establish peering from production to shared services
gcloud compute networks peerings create prod-to-shared \
  --network=production-vpc \
  --peer-network=shared-services-vpc \
  --auto-create-routes

# Complete bidirectional peering
gcloud compute networks peerings create shared-to-prod \
  --network=shared-services-vpc \
  --peer-network=production-vpc \
  --auto-create-routes

Cross-Network Security Policies:

# Create firewall rules for controlled cross-network access
gcloud compute firewall-rules create allow-shared-services \
  --network=production-vpc \
  --allow=tcp:443,tcp:80 \
  --source-ranges=10.2.0.0/24 \
  --target-tags=backend-services

gcloud compute firewall-rules create allow-production-access \
  --network=shared-services-vpc \
  --allow=tcp:3306,tcp:5432 \
  --source-ranges=10.1.0.0/24 \
  --target-tags=database-services

Security Architecture Principles

Network Segmentation: Separate VPCs create strong isolation boundaries that prevent lateral movement while enabling controlled connectivity.

Selective Connectivity: Peering relationships enable specific inter-network communication patterns without exposing entire network ranges.

Defense in Depth: Firewall rules continue to provide granular access control even across peered networks.

Lab 6: User Authentication with Identity-Aware Proxy

Application-level access control provides an additional security layer beyond network and infrastructure protections. This lab implements zero-trust access patterns using Identity-Aware Proxy.

Implementation Strategy

Application Deployment with IAP:

# Deploy sample application to App Engine
gcloud app deploy app.yaml \
  --project=$PROJECT_ID \
  --version=v1

# Enable Identity-Aware Proxy
gcloud iap web enable \
  --resource-type=app-engine \
  --project=$PROJECT_ID

Access Policy Configuration:

# Configure access policies for specific users
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="user:developer@company.com" \
  --role="roles/iap.httpsResourceAccessor"

# Create group-based access policies
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="group:engineering@company.com" \
  --role="roles/iap.httpsResourceAccessor"

Advanced Access Controls:

# Configure access context manager for device-based policies
gcloud access-context-manager policies create \
  --title="Corporate Device Policy" \
  --organization=$ORG_ID

# Create access level with device requirements
gcloud access-context-manager levels create CorporateDevices \
  --policy=$POLICY_ID \
  --title="Corporate Managed Devices" \
  --device-policy-allowed-device-management-levels=BASIC

Security Architecture Principles

Zero Trust Application Access: IAP verifies user identity and device posture for every application request, regardless of network location.

Context-Aware Security: Access decisions incorporate user identity, device state, and request context to provide dynamic security policies.

Application Integration: IAP provides transparent security without requiring application code changes or complex authentication implementations.

Lab 7: Getting Started with Cloud KMS

Encryption key management is fundamental to data protection in cloud environments. This lab demonstrates comprehensive key management practices using Google Cloud KMS.

Implementation Strategy

Key Management Infrastructure:

# Create key ring for organisational key management
gcloud kms keyrings create production-keys \
  --location=us-central1

# Create application-specific encryption keys
gcloud kms keys create app-data-key \
  --location=us-central1 \
  --keyring=production-keys \
  --purpose=encryption

gcloud kms keys create database-key \
  --location=us-central1 \
  --keyring=production-keys \
  --purpose=encryption

Envelope Encryption Implementation:

# Generate data encryption key (DEK)
openssl rand -base64 32 > dek.key

# Encrypt DEK with KMS key
gcloud kms encrypt \
  --location=us-central1 \
  --keyring=production-keys \
  --key=app-data-key \
  --plaintext-file=dek.key \
  --ciphertext-file=encrypted-dek.key

# Encrypt application data with DEK
openssl enc -aes-256-cbc -salt \
  -in sensitive-data.txt \
  -out encrypted-data.bin \
  -pass file:dek.key

Key Rotation and Lifecycle Management:

# Create new key version for rotation
gcloud kms keys versions create \
  --location=us-central1 \
  --keyring=production-keys \
  --key=app-data-key

# Set automatic rotation schedule
gcloud kms keys update app-data-key \
  --location=us-central1 \
  --keyring=production-keys \
  --rotation-period=90d \
  --next-rotation-time=2024-04-01T00:00:00Z

Security Architecture Principles

Centralised Key Management: Cloud KMS provides enterprise-grade key management with hardware security module (HSM) protection and audit trails.

Envelope Encryption: Separating data encryption keys from key encryption keys provides scalable encryption with minimal performance impact.

Key Lifecycle Automation: Automated key rotation and version management reduces operational overhead while maintaining security standards.

Lab 8: Setting up a Private Kubernetes Cluster

Container orchestration requires secure cluster configurations that protect both the control plane and worker nodes. This lab implements private GKE clusters with comprehensive security controls.

Implementation Strategy

Private Cluster Architecture:

# Create private GKE cluster with security hardening
gcloud container clusters create secure-private-cluster \
  --zone=us-central1-a \
  --enable-private-nodes \
  --master-ipv4-cidr-block=172.16.0.0/28 \
  --enable-ip-alias \
  --cluster-ipv4-cidr=10.4.0.0/14 \
  --services-ipv4-cidr=10.8.0.0/20 \
  --enable-network-policy \
  --enable-workload-identity \
  --num-nodes=3

Network Security Configuration:

# Configure authorised networks for API server access
gcloud container clusters update secure-private-cluster \
  --zone=us-central1-a \
  --enable-master-authorized-networks \
  --master-authorized-networks=203.0.113.0/24

# Create Cloud NAT for outbound connectivity
gcloud compute routers create cluster-router \
  --network=default \
  --region=us-central1

gcloud compute routers nats create cluster-nat \
  --router=cluster-router \
  --region=us-central1 \
  --nat-all-subnet-ip-ranges \
  --auto-allocate-nat-external-ips

Workload Identity Integration:

# Configure workload identity for secure service account access
kubectl create serviceaccount web-app-ksa \
  --namespace=default

kubectl annotate serviceaccount web-app-ksa \
  --namespace=default \
  iam.gke.io/gcp-service-account=web-app-backend@$PROJECT_ID.iam.gserviceaccount.com

# Deploy application with workload identity
kubectl apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: secure-web-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: secure-web-app
  template:
    metadata:
      labels:
        app: secure-web-app
    spec:
      serviceAccountName: web-app-ksa
      containers:
      - name: web-app
        image: gcr.io/$PROJECT_ID/secure-web-app:latest
        ports:
        - containerPort: 8080
EOF

Network Policy Implementation:

# Apply network policies for pod-to-pod security
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-app-netpol
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: secure-web-app
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: load-balancer
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: database
    ports:
    - protocol: TCP
      port: 5432
EOF

Security Architecture Principles

Private Cluster Isolation: Eliminating external IP addresses from worker nodes reduces attack surface while maintaining necessary connectivity through controlled pathways.

Network Policy Enforcement: Kubernetes network policies provide microsegmentation for pod-to-pod communication, implementing zero-trust networking within the cluster.

Workload Identity Security: Native integration between Kubernetes service accounts and Google Cloud service accounts eliminates credential management complexity.

Enterprise Security Integration Patterns

This comprehensive lab series establishes several critical enterprise security patterns:

Identity-Centric Security: All access control decisions flow through centralised identity management, providing consistent policy enforcement across infrastructure, platform, and application layers.

Encryption Everywhere: Data protection through comprehensive encryption strategies that address data at rest, in transit, and in processing across all cloud services.

Network Zero Trust: Network architectures that eliminate implicit trust and verify every connection request, whether internal or external to the organisation.

Policy-Driven Automation: Security controls implemented through code and configuration management that support compliance requirements and operational efficiency.

Production Implementation Considerations

Scalability and Performance: Security implementations must scale with application growth while maintaining performance characteristics that support business requirements.

Compliance Integration: Security architectures should support multiple compliance frameworks including SOC 2, ISO 27001, PCI DSS, and industry-specific regulations.

Operational Excellence: Security tools and processes should integrate with existing operational workflows while providing clear visibility into security posture and incident response capabilities.

Cost Optimisation: Security implementations should balance protection requirements with cost considerations, leveraging managed services and automation to optimise both security and operational expenses.

This comprehensive security fundamentals series provides the foundation for implementing enterprise-grade cloud security architectures that protect against modern threats while supporting business agility and compliance requirements.