Chapter Eight

Security & Identity

Eight services that together form the security posture of a Google Cloud organization. Each one answers a different question — who, what, where, with what data — and they only work as a set.

8 services

Security on GCP is layered. Cloud Identity answers who — the users and groups that everything else trusts. IAM answers what is allowed — the authorization model on top of that identity foundation. Secret Manager and Cloud KMS protect data at rest with different scopes that get confused for each other. IAP gates access to internal applications without a VPN. Cloud Armor protects public-facing traffic at the edge. Security Command Center is the dashboard that ties findings together. PAM closes the loop with just-in-time elevation for sensitive operations. Each service has a narrow role; the goal of this chapter is to know which is which.

Security Is a Stack, Not a Service
IAPGates internal apps
Cloud ArmorProtects the edge
Security Command CenterTies findings together
PAMJust-in-time elevation
Secret Manager  +  Cloud KMS
Protect data at rest — Secret Manager stores the secret value, KMS manages the keys that wrap it.
IAM — what is allowed
The authorization model: which principals can perform which actions on which resources.
Cloud Identity — who
The users and groups everything above trusts. The foundation IAM binds to.

Services in This Chapter