Wednesday, February 12, 2025

Custom Org Policy: A Path to Improved Organizational Security

Expand your Custom Org Policy to strengthen your security posture.

Setting boundaries for resource settings that can be applied uniformly throughout the environment, centrally controlled, and safely deployed is one of the most crucial tools available to administrators when it comes to safeguarding cloud resources.

Google Cloud Custom Org Policy is one such tool. By applying granular resource settings through custom organisation policies, administrators can improve security posture, meet regulatory requirements, and boost operational efficiency without affecting development velocity.

Google Cloud reports that Custom Org Policy now supports more than 30 additional Google Cloud services.

[Image: custom Org Policy. Image credit: Google Cloud]

This extension broadens the scope of cloud governance and opens up several new use cases.

Securely scale access control management with custom Org Policies 

Security teams may find it difficult to handle the increasing volume of access requests from various departments inside their company as cloud deployments expand. Organisations must create an operational model for access control that strikes a balance between developer empowerment, security, and compliance if they want to expand successfully.

By integrating Custom Org Policy with IAM policies, administrators can enforce restrictions on IAM policies at any desired level of the Google Cloud resource hierarchy (organisation, folder, or project). Developers can then be given responsibility for managing IAM policies going forward, knowing that any change they make to these environments cannot violate the restrictions that have been put in place.

Administrators can use this feature to impose conditional restrictions, such as “Deny allUsers grants for any resource in this organisation,” “Only allow specific roles to be granted against resources in this project,” or “Only allow specific members to be granted access via policies against this folder.”

You can use these coarser-grained restrictive policies to expressly forbid access to certain resources regardless of the Allow rules currently in place. Here are some examples of custom Org Policies that control IAM policies:

Restrict specific roles to be granted against resources in this project

resource_types: iam.googleapis.com/AllowPolicy
method_types:
  - CREATE
  - UPDATE
condition: |
  resource.bindings.exists(binding,
    RoleNameMatches(binding.role, ['roles/owner'])
  )
action_type: DENY

Restrict “allUsers” grant for any resources in this organization

resource_types: iam.googleapis.com/AllowPolicy
method_types:
  - CREATE
  - UPDATE
condition: |
  resource.bindings.exists(binding,
    RoleNameStartsWith(binding.role, ['roles/storage']) &&
    binding.members.exists(member,
      MemberSubjectMatches(member, ['allUsers', 'allAuthenticatedUsers'])
    )
  )
action_type: DENY

Additionally, by enabling principal-level granularity in policy design, custom Organisation Policy extends Domain Restricted Sharing. You can, for instance, establish policies that permit specific partner identities, service accounts, or service agents in addition to everyone inside your company. This added flexibility lets administrators manage policies more effectively without introducing new identities.

Establish strong data governance for Cloud SQL

When employing different SQL solutions, data platform teams frequently want to make sure that each application team is following security best practices. You may handle data governance needs and create robust boundaries around SQL resources with the aid of Custom Org Policy support for Cloud SQL. The following typical use cases demonstrate the effectiveness of using Cloud SQL in conjunction with bespoke organisation policy:

Ensure that each application team is using the latest database version for SQL instances

resource_types: sqladmin.googleapis.com/Instance
method_types:
  - CREATE
  - UPDATE
condition: |
  resource.databaseVersion == 'MYSQL_8_4' ||
  resource.databaseVersion == 'POSTGRES_16' ||
  resource.databaseVersion == 'SQLSERVER_2022_EXPRESS' ||
  resource.databaseVersion == 'SQLSERVER_2022_WEB' ||
  resource.databaseVersion == 'SQLSERVER_2022_STANDARD' ||
  resource.databaseVersion == 'SQLSERVER_2022_ENTERPRISE'
action_type: ALLOW

Ensure that all database instances enforce complex password requirements

resource_types: sqladmin.googleapis.com/Instance
method_types:
  - CREATE
  - UPDATE
condition: |
  resource.settings.passwordValidationPolicy.enablePasswordPolicy == true &&
  resource.settings.passwordValidationPolicy.complexity == 'COMPLEX' &&
  resource.settings.passwordValidationPolicy.minLength >= 8 &&
  resource.settings.passwordValidationPolicy.reuseInterval >= 10
action_type: ALLOW
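As an added example (not Google's code or the page's own), the following Python models the four constraints shown in the IAM and Cloud SQL sections above so their decisions can be traced locally before rollout. The CEL helper functions are simplified stand-ins for the real ones, and every sample request is constructed for illustration.

```python
# Added example, not Google's code: a local model of the four constraints
# above. CEL helpers are simplified Python stand-ins; real evaluation is
# server-side in Org Policy.
def role_name_matches(role, names):            # RoleNameMatches
    return role in names
def role_name_starts_with(role, prefixes):     # RoleNameStartsWith
    return any(role.startswith(p) for p in prefixes)
def member_subject_matches(member, subjects):  # MemberSubjectMatches (exact match)
    return member in subjects

def decide(action_type, condition_true):
    """DENY constraints block when the condition is true; ALLOW when it is false."""
    blocked = condition_true if action_type == "DENY" else not condition_true
    return "DENY" if blocked else "ALLOW"

# IAM AllowPolicy conditions from the page (both action_type: DENY)
def grants_owner(policy):
    return any(role_name_matches(b["role"], ["roles/owner"]) for b in policy["bindings"])

def grants_public_storage(policy):
    return any(role_name_starts_with(b["role"], ["roles/storage"]) and
               any(member_subject_matches(m, ["allUsers", "allAuthenticatedUsers"])
                   for m in b["members"]) for b in policy["bindings"])

# Cloud SQL Instance conditions from the page (both action_type: ALLOW)
ALLOWED_VERSIONS = {"MYSQL_8_4", "POSTGRES_16", "SQLSERVER_2022_EXPRESS",
                    "SQLSERVER_2022_WEB", "SQLSERVER_2022_STANDARD", "SQLSERVER_2022_ENTERPRISE"}

def version_is_current(instance):
    return instance["databaseVersion"] in ALLOWED_VERSIONS

def password_policy_is_strong(instance):
    p = instance["settings"].get("passwordValidationPolicy", {})
    return (p.get("enablePasswordPolicy") is True and p.get("complexity") == "COMPLEX"
            and p.get("minLength", 0) >= 8 and p.get("reuseInterval", 0) >= 10)

# Constructed sample requests (no real project data)
PUBLIC_BUCKET = {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}
PUBLIC_VIEWER = {"bindings": [{"role": "roles/viewer", "members": ["allUsers"]}]}
OWNER_GRANT = {"bindings": [{"role": "roles/owner", "members": ["user:alice@example.com"]}]}
OLD_POSTGRES = {"databaseVersion": "POSTGRES_15", "settings": {}}
HARDENED_SQL = {"databaseVersion": "POSTGRES_16", "settings": {"passwordValidationPolicy": {
    "enablePasswordPolicy": True, "complexity": "COMPLEX", "minLength": 12, "reuseInterval": 10}}}

def evaluate_samples():
    return {"public bucket vs storage rule": decide("DENY", grants_public_storage(PUBLIC_BUCKET)),
            "public viewer vs storage rule": decide("DENY", grants_public_storage(PUBLIC_VIEWER)),
            "owner grant vs owner rule": decide("DENY", grants_owner(OWNER_GRANT)),
            "old postgres vs version rule": decide("ALLOW", version_is_current(OLD_POSTGRES)),
            "hardened vs password rule": decide("ALLOW", password_policy_is_strong(HARDENED_SQL))}
```

Note that the public roles/viewer grant passes the second IAM constraint, because its condition only matches roles beginning with roles/storage; comparing a constraint's actual scope against the intent stated in its heading in this way is worth doing before enforcing it.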

Enhancing security posture with custom Org Policy at Yahoo

Yahoo’s cloud security teams regularly deploy established Org Policy rules to satisfy their security and compliance needs, serving hundreds of millions of users worldwide. However, Yahoo’s security team required the ability to create unique guardrails because every Yahoo business had different architecture and demands.

The Paranoids, Yahoo’s information security team and platform engineers, have been collaborating with Google Cloud since March 2023 to implement custom Org Policies for Kubernetes and other cloud infrastructure.

In order to surpass industry-standard baselines, Yahoo has put in place 24 custom Organisation Policies, such as the one requiring Secure Boot for GKE nodes. These policies allowed us to securely scale security measures while also using the greater flexibility that custom Org Policy provides. These safeguards automatically took care of compliance with many of Yahoo’s information security regulations, so engineers around the organisation no longer had to actively worry about security needs.

In addition to improving these policies, the Google Cloud team plans to include coverage for Cloud SQL, Cloud Run, and IAM. Yahoo’s platforms team intends to support the continued implementation of custom organisation policies as new products and use cases are introduced. “To put it briefly, this assisted us in improving security posture on a large scale,” according to Yahoo senior software development engineer Alex Verkhovtsev.

Thota Nithya
Thota Nithya has been writing cloud computing articles for Govindhtech since April 2023. She is a science graduate and a cloud computing enthusiast.