In today's digital world, excessive and permanent (standing) user authorizations are a serious source of security vulnerabilities. Organizations are looking for new ways to make access to critical data and systems more secure and controlled. In response to this need, Google Cloud Platform (GCP) offers Privileged Access Manager (PAM), which enables on-demand access.
With GCP's recently launched PAM feature, organizations can manage access more dynamically and securely by reducing their dependency on persistent authorizations. The feature minimizes security risk and makes system administration safer by ensuring that users are authorized only when they need to be, and only for a specific period of time. It also allows an approval step to be added to the authorization process: where deemed necessary, organizations can require that every authorization granted be approved by an administrator, which prevents accidental or redundant authorizations.
The most important consideration when managing authorizations securely within an organization is the approach known as the Least Privilege principle. This security principle recommends that users and systems be given only the minimum authorization necessary to perform their work. By reducing the potential attack surface in this way, the impact of both malicious access and mistakes can be minimized.
GCP's Privileged Access Manager makes this principle easier to apply, since users are authorized only temporarily and only for specific tasks. PAM is built around least privilege: it guarantees that users have only the access they need, and that this access is time-limited, which significantly increases system security.
How does PAM work?
In GCP, authorizations are managed through the Identity and Access Management (IAM) page. To use the PAM feature, switch to the PAM tab on the IAM page. Then, by creating an "entitlement", you specify the people who will need the authorization, which roles will be granted, how long those roles may remain in effect, whether the users requesting the authorization must provide a justification for what they will use it for, and finally whether the authorization requires approval by another user (e.g. an IAM administrator).
As you can see in the image, you first need to give the entitlement a name. Next you specify the roles for which this entitlement is being created and the maximum duration of the grant. Then, under "requester", you enter the user or group that will need this authorization. Optionally, requesters can be asked to explain why they are requesting the authorization by checking the "Justification required from requesters" option.
In Step 3, "Add approvers", you either add the person who will approve requests, or check the "Activate access without approvals" option so that the authorization is granted without requiring approval. Using the approval step is not only safer but also makes the granted authorizations easy to monitor, because every transaction can be viewed in the Approval History section of the PAM menu.
After the entitlement is created, a user who needs it selects "Request Grant" for that entitlement in the PAM menu, and the specified roles are granted to the user immediately (or as soon as an approver accepts the request, if approval is required).
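To show how the four console steps above map onto an entitlement definition, here is an added example (not code from the original post or from Google) that builds the entitlement body in the shape used by the PAM API and `gcloud pam entitlements create --entitlement-file`, then reviews it for settings that weaken least privilege. The field names follow the PAM Entitlement resource as I understand it; the project id, roles and principals are constructed sample values.

```python
import json

# Field layout assumed from the Privileged Access Manager Entitlement resource:
# privilegedAccess.gcpIamAccess, maxRequestDuration, eligibleUsers,
# approvalWorkflow.manualApprovals and requesterJustificationConfig.
def build_entitlement(project, roles, max_hours, requesters, approvers,
                      justification_required=True):
    """Map the console steps (roles, duration, requesters, justification,
    approvers) onto one entitlement body."""
    body = {
        "privilegedAccess": {"gcpIamAccess": {
            "resourceType": "cloudresourcemanager.googleapis.com/Project",
            "resource": f"//cloudresourcemanager.googleapis.com/projects/{project}",
            "roleBindings": [{"role": r} for r in roles]}},
        "maxRequestDuration": f"{int(max_hours * 3600)}s",
        "eligibleUsers": [{"principals": list(requesters)}],
        "requesterJustificationConfig":
            {"unstructured": {}} if justification_required else {"notMandatory": {}},
    }
    if approvers:  # no approvalWorkflow == "Activate access without approvals"
        body["approvalWorkflow"] = {"manualApprovals": {
            "requireApproverJustification": True,
            "steps": [{"approvalsNeeded": 1,
                       "approvers": [{"principals": list(approvers)}]}]}}
    return body

def review_entitlement(body, max_allowed_hours=8):
    """Return findings where the entitlement weakens least privilege."""
    findings = []
    if "approvalWorkflow" not in body:
        findings.append("no approval step: grants activate without review")
    if "notMandatory" in body["requesterJustificationConfig"]:
        findings.append("requester justification not required")
    seconds = int(body["maxRequestDuration"].rstrip("s"))
    if seconds > max_allowed_hours * 3600:
        findings.append(f"max duration {seconds}s exceeds {max_allowed_hours}h policy")
    requesters = {p for e in body["eligibleUsers"] for p in e["principals"]}
    steps = body.get("approvalWorkflow", {}).get("manualApprovals", {}).get("steps", [])
    for step in steps:  # a requester who is also an approver could self-approve
        for group in step["approvers"]:
            overlap = requesters & set(group["principals"])
            if overlap:
                findings.append(f"self-approval possible for {sorted(overlap)}")
    for rb in body["privilegedAccess"]["gcpIamAccess"]["roleBindings"]:
        if rb["role"] in ("roles/owner", "roles/editor"):
            findings.append(f"basic role {rb['role']} is broader than a task needs")
    return findings

if __name__ == "__main__":  # constructed sample: storage admin for 2h, approved by bob
    ent = build_entitlement("example-project", ["roles/storage.admin"], 2,
                            ["user:alice@example.com"], ["user:bob@example.com"])
    print(json.dumps(ent, indent=2), review_entitlement(ent))
```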
With Privileged Access Manager, you can no longer abuse