Opal Security now allows customers to easily manage granular access for Google Cloud Platform (GCP) Service Accounts, empowering users to remediate security risks associated with both human and non-human identities (NHI).
Roughly 94% of organizations do not have full visibility into their non-human identities, making these highly vulnerable and often privileged identities a prime target for attackers. In GCP, machine identities such as Service Accounts represent applications or workloads – rather than humans – and are often bound to privileged IAM Roles with access to critical data. Anyone who is able to authenticate as the Service Account therefore inherits its permissions to perform sensitive actions. Given the ubiquity of Service Accounts in GCP, securely managing them is crucial for protecting organizations against privilege escalation, spoofing, non-repudiation, and information disclosure. To maintain a least-privilege identity posture, security and infrastructure teams must be able to quickly identify, track, and manage not only who has access to Service Accounts, but also what resources those Service Accounts have access to (e.g. GCP Compute, Cloud SQL Database, BigQuery Datasets). Without an easy way to understand these User <> Service Account and Service Account <> Resource relationships, teams struggle to effectively analyze and remediate the risks posed by each identity type across the organization.
In order to provide security and infrastructure teams both the visibility and control needed to reduce the risks associated with overprovisioned Service Accounts, Opal has expanded identity type coverage in our native GCP integration to include Service Accounts. Since they are by nature both resources and principals, we allow customers to manage which employees have access to Service Accounts, and we additionally allow customers to manage what resources these Service Accounts have access to. With this expansion, our users are equipped to truly implement least privilege in GCP at scale.
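As an added example (not Opal's code), the two relationships described above can be derived from the IAM policy bindings GCP exposes. The script below runs on constructed policy data shaped like the JSON that `gcloud projects get-iam-policy` and `gcloud iam service-accounts get-iam-policy` return, and lists who can act as a Service Account and which project-level roles that Service Account holds.

```python
"""Map User <> Service Account and Service Account <> Resource relationships
from GCP IAM policies. Each policy is {"bindings": [{"role": ..., "members": [...]}]},
the shape gcloud prints with --format=json. All data below is constructed."""
from collections import defaultdict

# Roles that let a principal authenticate as, or mint credentials for, a Service Account.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountKeyAdmin",
}
# Basic roles that implicitly carry those abilities on every SA in the project.
BASIC_ROLES = {"roles/owner", "roles/editor"}

def who_can_act_as(sa_policy, project_policy):
    """Principals able to act as the SA, from its own policy plus project-level grants.
    Members prefixed serviceAccount: also appear, revealing SA-to-SA impersonation chains."""
    actors = set()
    for binding in sa_policy.get("bindings", []):
        if binding["role"] in IMPERSONATION_ROLES:
            actors.update(binding["members"])
    for binding in project_policy.get("bindings", []):
        if binding["role"] in IMPERSONATION_ROLES | BASIC_ROLES:
            actors.update(binding["members"])
    return actors

def sa_project_roles(project_policy):
    """Return {sa_email: sorted roles} for every SA bound at project level."""
    roles = defaultdict(set)
    for binding in project_policy.get("bindings", []):
        for member in binding["members"]:
            if member.startswith("serviceAccount:"):
                roles[member.split(":", 1)[1]].add(binding["role"])
    return {sa: sorted(r) for sa, r in roles.items()}

# Constructed sample policies (hypothetical project and principals).
ETL_SA = "etl@example-proj.iam.gserviceaccount.com"
PROJECT_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/bigquery.dataViewer", "members": ["serviceAccount:" + ETL_SA]},
    {"role": "roles/cloudsql.client", "members": ["serviceAccount:" + ETL_SA]},
    {"role": "roles/iam.serviceAccountUser", "members": ["group:devs@example.com"]},
]}
ETL_SA_POLICY = {"bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator", "members": ["user:bob@example.com"]},
]}

if __name__ == "__main__":
    print("Can act as", ETL_SA, ":", sorted(who_can_act_as(ETL_SA_POLICY, PROJECT_POLICY)))
    print("SA project roles:", sa_project_roles(PROJECT_POLICY))
```

Note that a project-level roles/owner or roles/iam.serviceAccountUser grant never shows up in the Service Account's own policy, which is why both policies must be read together.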
The GCP Service Accounts feature is available in beta for all Opal Security customers. Interested customers can contact their Technical Account Manager to enable this feature.
In order to begin importing Service Accounts into Opal, you will need to update your Opal Service Account’s Role to have the following permissions:
Service Accounts that have access to your resources will be automatically imported into Opal as children of their associated GCP projects. Admins can also select additional Service Accounts to manually import into Opal:
Opal Security is redefining identity security for modern enterprises. The unified platform aggregates identity and access data to provide customers with visibility and rapid control to protect mission-critical systems while accommodating the complexity and agility businesses require for growth. IT and security teams can discover anomalous identity risks and remediate them in minutes. Many global leaders, including Databricks, Figma and Scale AI, trust Opal Security to enable them to govern and adapt sensitive access quickly and securely.