Break Glass Solution in Enterprise GCP

Team,

What solutions and approaches have you followed to put a break glass solution in place for your enterprise GCP deployment in an organization?

I would highly appreciate it if you could share any pointers, or describe any process you have implemented to use a break glass solution in GCP.

1 ACCEPTED SOLUTION

Hello @vamsi_nrv,

Welcome to the Google Cloud Community. Great questions. Let me share my experience in this matter.

Basically, for JIT access, general access, user provisioning etc., you can use Okta with additional modules (IGA). You will be able to create workflows for provisioning and deprovisioning accounts as well as granting / revoking permissions.

For break glass accounts, you can also use Okta to obtain credentials or access. In case Okta is down, live credentials should be kept in some kind of vault, depending on your hyperscaler or vault of choice. I know that CyberArk has those kinds of modules for break-the-glass accounts and so on implemented by default in their products (saw a demo a few weeks ago and that was amazing tho).

If you don't want to use an IDP, or you are afraid that the IDP can be down, you can always (this is not a perfect option) create a SuperUser account and keep the credentials in a vault like 1Password or any kind of, and have a process for requesting access to this account in emergency situations like P1, MIM or such.

If we are talking about Google Cloud, you can use a Just-in-Time approach and set up a small application which will act as an IAM proxy. Once you've created a customRole with SuperUser permissions or a customRole with Break-the-glass permissions, you can set up an approval group and request time-restricted access with justification and so on, and as long as the application is working, you have the option to grant access in a controlled way; ofc all is auditable (logs are visible in Logs Explorer). Personally, I'm using JIT[1] to grant access to my product projects for stakeholders 🙂

I'm always using the simplest way for all my solutions, as I like this KISS approach. So if you are able to pay for a 3rd party, use a 3rd party (CyberArk rocks in this matter). If you want to use a cloud native, auditable solution for Google Cloud, use JIT. If you want to do it in the cheapest way, create one SuperUser acc by hand, and a second by code, just in case 😉 and keep credentials in vaults, with a proper access process.


[1] https://cloud.google.com/architecture/manage-just-in-time-privileged-access-to-project

cheers,
DamianS
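The answer above describes a custom role holding break-the-glass permissions, a time-restricted grant with a justification, and an audit trail in Logs Explorer. The script below is an added example, not code from the original post or from the JIT application it links to: it implements that pattern with plain gcloud, using an IAM Condition that makes the binding expire instead of a proxy application. The project ID, role ID, member e-mail, ticket number and the permission list are placeholders and assumptions of this example, not values from the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): break-glass custom role + expiring,
# justified IAM binding + audit-log review, all with gcloud.
# Assumptions: PROJECT_ID, ROLE_ID, member e-mail and ticket are placeholders;
# the permission list is illustrative, not a recommended break-glass set.
set -euo pipefail

# CEL expression for an IAM Condition that makes a binding expire at an RFC3339 time.
expiry_condition() {
  printf 'request.time < timestamp("%s")' "$1"
}

# RFC3339 UTC timestamp N minutes from now (GNU date; BSD/macOS date differs).
expiry_in_minutes() {
  date -u -d "+$1 minutes" +%Y-%m-%dT%H:%M:%SZ
}

# Logs Explorer / gcloud logging filter: every Admin Activity audit-log entry
# produced by one principal in a project, i.e. the trail the post refers to.
break_glass_log_filter() {
  local project="$1" member_email="$2"
  printf 'logName="projects/%s/logs/cloudaudit.googleapis.com%%2Factivity" AND protoPayload.authenticationInfo.principalEmail="%s"' \
    "$project" "$member_email"
}

# One-time setup: project-level custom role holding the break-glass permissions.
create_break_glass_role() {
  local project="$1" role_id="$2"
  gcloud iam roles create "$role_id" --project="$project" \
    --title="Break glass (emergency)" \
    --description="Emergency-only permissions, always granted with an expiring condition" \
    --permissions="resourcemanager.projects.get,compute.instances.get,compute.instances.reset" \
    --stage=GA
}

# Per incident: grant the role to one user, tagged with the ticket, expiring after N minutes.
# The expiry is enforced by IAM itself, so nothing has to remember to revoke it.
grant_break_glass() {
  local project="$1" role_id="$2" member_email="$3" minutes="$4" ticket="$5"
  local expires_at expr
  expires_at="$(expiry_in_minutes "$minutes")"
  expr="$(expiry_condition "$expires_at")"
  gcloud projects add-iam-policy-binding "$project" \
    --member="user:${member_email}" \
    --role="projects/${project}/roles/${role_id}" \
    --condition="expression=${expr},title=break-glass-${ticket},description=Expires ${expires_at}"
}

# After the incident: pull what the principal actually did for review.
review_break_glass_activity() {
  local project="$1" member_email="$2"
  gcloud logging read "$(break_glass_log_filter "$project" "$member_email")" \
    --project="$project" --freshness=24h --limit=200
}

# Entry point: only calls gcloud when explicitly requested, so the helpers can be
# sourced and inspected without touching a real project.
if [ "${BREAK_GLASS_RUN:-0}" = "1" ]; then
  create_break_glass_role "my-project-id" "breakGlassRole"
  grant_break_glass "my-project-id" "breakGlassRole" "oncall@example.com" 60 "INC-0001"
  review_break_glass_activity "my-project-id" "oncall@example.com"
fi
```

Run it with `BREAK_GLASS_RUN=1` after replacing the placeholders. The ticket goes into the condition title so the reason for the grant is visible in the IAM policy and in the `SetIamPolicy` audit entry, and the same log filter works for a standing SuperUser account kept in a vault: whoever uses it, the Admin Activity log shows what was done under that principal.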