Cloud IAM & Endpoint Security Project
Introduction & Goal
This project was conceived as a practical demonstration of a defense-in-depth security strategy within a Google Cloud environment. The primary goal was to move beyond default permissions and implement a security model that is both granular and context-aware. It addresses two fundamental questions in enterprise security: "Is this the right person?" (Identity) and "Are they accessing from a secure device?" (Endpoint).
Problem Statement
In many cloud deployments, security is an afterthought, or overly broad permissions are granted for the sake of convenience. This project directly confronts this problem by building a permission model from the ground up based on the principle of least privilege and acknowledging that stolen credentials are a primary attack vector.
Key Objectives
- Establish Least Privilege by building custom IAM roles.
- Automate & Validate role assignments using the `gcloud` command-line tool.
- Document Enterprise-Level Controls like Context-Aware Access.
- Showcase a holistic security view connecting GCP identity with Workspace device management.
Architectural Approach
The design philosophy was to build a security model in layers: identity (authenticated via Workspace, authorized via GCP IAM) and device context. This layered approach ensures that a failure at one level does not grant an attacker full access.
Phase 1: IAM Role Design
- HRViewer Role: Granted read-only access to specific IAM and Cloud Storage resources for auditing without modification rights.
- EngComputeAdmin Role: Provided limited administrative permissions for Compute Engine instances, allowing VM management without access to billing.
Phase 2: Context-Aware Access Design (Simulated)
This phase was designed to mimic how a large enterprise would secure its environment by defining a "trusted device" based on a specific set of rules (desktop OS, disk encryption, screen lock, and endpoint verification) and grouping them into a single, manageable Access Level.
Phase 1: Hands-on Implementation
The methodology for the first phase followed a standard, practical workflow for a cloud administrator, from requirement gathering to programmatic assignment using `gcloud projects add-iam-policy-binding` commands, which are scriptable and auditable. Verification was performed after each command.
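The Phase 1 workflow above (define custom roles, bind them, verify the resulting policy) as an added worked example; this is not the project's own script. The role ids `HRViewer` and `EngComputeAdmin` come from the page, while the permission lists, the project id `demo-project`, the principals and the sample policy JSON (shaped like the output of `gcloud projects get-iam-policy PROJECT --format=json`) are constructed assumptions. The audit function is the "verification after each command" step: it flags basic roles, public principals and any binding that differs from the intended model.

```python
"""Least-privilege role design and policy verification for GCP IAM (added example)."""
import json

# Permissions chosen for the two custom roles (assumed; read-only for HRViewer,
# instance lifecycle only for EngComputeAdmin, nothing touching billing).
ROLE_PERMISSIONS = {
    "HRViewer": [
        "iam.roles.get", "iam.roles.list",
        "iam.serviceAccounts.get", "iam.serviceAccounts.list",
        "storage.buckets.get", "storage.buckets.list",
        "storage.objects.get", "storage.objects.list",
    ],
    "EngComputeAdmin": [
        "compute.instances.create", "compute.instances.delete",
        "compute.instances.get", "compute.instances.list",
        "compute.instances.start", "compute.instances.stop",
        "compute.instances.reset", "compute.zones.list",
    ],
}

# Basic roles and public principals have no place in a least-privilege policy.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Intended bindings after Phase 1 (principals are constructed for the example).
EXPECTED_BINDINGS = {
    "projects/demo-project/roles/HRViewer": {"user:hr-auditor@example.com"},
    "projects/demo-project/roles/EngComputeAdmin": {"group:eng-ops@example.com"},
}

# Constructed policy: one drifted binding, one basic role, one public grant.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:founder@example.com"]},
        {"role": "projects/demo-project/roles/HRViewer",
         "members": ["user:hr-auditor@example.com"]},
        {"role": "projects/demo-project/roles/EngComputeAdmin",
         "members": ["group:eng-ops@example.com", "user:contractor@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ],
    "version": 1,
})


def mutating_permissions(perms):
    """Permissions whose verb is not a pure read; a viewer role should return []."""
    read_verbs = {"get", "list", "getIamPolicy"}
    return [p for p in perms if p.rsplit(".", 1)[1] not in read_verbs]


def role_create_commands(project, roles=ROLE_PERMISSIONS):
    """Scriptable `gcloud iam roles create` commands for the custom roles."""
    return [
        f"gcloud iam roles create {name} --project={project} "
        f"--title={name} --stage=GA --permissions={','.join(perms)}"
        for name, perms in roles.items()
    ]


def binding_commands(project, expected=EXPECTED_BINDINGS):
    """Scriptable `gcloud projects add-iam-policy-binding` commands per member."""
    return [
        f"gcloud projects add-iam-policy-binding {project} "
        f"--member={member} --role={role}"
        for role, members in expected.items()
        for member in sorted(members)
    ]


def audit_policy(policy_json, expected=EXPECTED_BINDINGS):
    """Compare a get-iam-policy result with the intended model; [] means clean."""
    findings = []
    seen = {}
    for binding in json.loads(policy_json).get("bindings", []):
        role, members = binding["role"], set(binding.get("members", []))
        seen.setdefault(role, set()).update(members)
        if role in BASIC_ROLES:
            findings.append(f"basic role {role} granted to {sorted(members)}")
        if members & PUBLIC_MEMBERS:
            findings.append(f"{role} exposed to {sorted(members & PUBLIC_MEMBERS)}")
    for role, wanted in expected.items():
        actual = seen.get(role, set())
        if not wanted <= actual:
            findings.append(f"missing binding: {role} -> {sorted(wanted - actual)}")
        if actual - wanted:
            findings.append(f"unexpected members on {role}: {sorted(actual - wanted)}")
    return findings


if __name__ == "__main__":
    for cmd in role_create_commands("demo-project") + binding_commands("demo-project"):
        print(cmd)
    for finding in audit_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
```

Run against the constructed policy, the audit reports the `roles/owner` grant, the `allUsers` exposure and the contractor who was added to `EngComputeAdmin` outside the intended model; `mutating_permissions` is the check that keeps `HRViewer` honest about being read-only.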
Phase 2: Structured Simulation
For the second phase, a structured documentation approach was used. This involved creating clear, step-by-step guides in Markdown for setting up device policies, explaining the user and admin-side workflows, and creating a detailed walkthrough for policy creation, while explicitly acknowledging the licensing limitations.
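The "trusted device" Access Level from Phase 2, as an added example that is not part of the project's documentation. `TRUSTED_DEVICE_SPEC` uses the field names of an Access Context Manager basic access level (a list of conditions, each carrying a `devicePolicy` with `requireScreenlock`, `allowedEncryptionStatuses`, `allowedDeviceManagementLevels` and `osConstraints`); the evaluator, the device posture records and the mapping of Endpoint Verification to the `BASIC` management level are constructed assumptions that approximate, rather than reproduce, Google's own evaluation. The point it shows is why the rules are grouped into one condition: every field of that condition must hold, so a single missing control denies access and the reasons can be reported back to the user.

```python
"""Evaluating a Context-Aware Access device policy (added example)."""

# One condition grouping all the desktop-posture rules from Phase 2.
TRUSTED_DEVICE_SPEC = [
    {
        "devicePolicy": {
            "requireScreenlock": True,
            "allowedEncryptionStatuses": ["ENCRYPTED"],
            # Assumption: a device enrolled in Endpoint Verification reports BASIC.
            "allowedDeviceManagementLevels": ["BASIC", "COMPLETE"],
            "osConstraints": [
                {"osType": "DESKTOP_MAC"},
                {"osType": "DESKTOP_WINDOWS", "minimumVersion": "10.0.19045"},
                {"osType": "DESKTOP_LINUX"},
                {"osType": "DESKTOP_CHROME_OS"},
            ],
        }
    }
]

# Constructed posture records in the shape an endpoint agent would collect
# (field names are this example's, not Google's).
DEVICES = {
    "managed_mac": {"os_type": "DESKTOP_MAC", "os_version": "14.2",
                    "screen_lock": True, "encryption": "ENCRYPTED",
                    "management_level": "BASIC"},
    "unencrypted_windows": {"os_type": "DESKTOP_WINDOWS", "os_version": "10.0.22631",
                            "screen_lock": True, "encryption": "UNENCRYPTED",
                            "management_level": "BASIC"},
    "old_windows": {"os_type": "DESKTOP_WINDOWS", "os_version": "10.0.17763",
                    "screen_lock": True, "encryption": "ENCRYPTED",
                    "management_level": "BASIC"},
    "personal_phone": {"os_type": "ANDROID", "os_version": "14",
                       "screen_lock": True, "encryption": "ENCRYPTED",
                       "management_level": "NONE"},
}


def _version_tuple(version):
    """Dotted version string to a tuple so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def _os_failure(constraints, device):
    """None if some osConstraint accepts the device, else the reason it does not."""
    if not constraints:
        return None
    for constraint in constraints:
        if constraint["osType"] != device["os_type"]:
            continue
        minimum = constraint.get("minimumVersion")
        if minimum and _version_tuple(device["os_version"]) < _version_tuple(minimum):
            return f"{device['os_type']} {device['os_version']} is below {minimum}"
        return None
    return f"os type {device['os_type']} is not an allowed desktop OS"


def device_policy_failures(policy, device):
    """All fields of one devicePolicy must hold; collect every one that does not."""
    failures = []
    if policy.get("requireScreenlock") and not device["screen_lock"]:
        failures.append("screen lock is not enabled")
    allowed_enc = policy.get("allowedEncryptionStatuses")
    if allowed_enc and device["encryption"] not in allowed_enc:
        failures.append(f"disk encryption status {device['encryption']} not allowed")
    allowed_mgmt = policy.get("allowedDeviceManagementLevels")
    if allowed_mgmt and device["management_level"] not in allowed_mgmt:
        failures.append(f"management level {device['management_level']} not allowed")
    os_failure = _os_failure(policy.get("osConstraints", []), device)
    if os_failure:
        failures.append(os_failure)
    return failures


def evaluate_access_level(spec, device, combine="AND"):
    """Combine the conditions with the level's combining function (AND by default).

    Returns (granted, reasons); reasons is empty when access is granted.
    """
    per_condition = [device_policy_failures(c.get("devicePolicy", {}), device)
                     for c in spec]
    if combine == "OR":
        granted = any(not failures for failures in per_condition)
    else:
        granted = all(not failures for failures in per_condition)
    reasons = [] if granted else [r for failures in per_condition for r in failures]
    return granted, reasons


if __name__ == "__main__":
    for name, device in DEVICES.items():
        granted, reasons = evaluate_access_level(TRUSTED_DEVICE_SPEC, device)
        print(f"{name}: {'ALLOW' if granted else 'DENY'} {reasons}")
```

Only the managed, encrypted desktop is allowed; the unencrypted laptop, the out-of-date Windows build and the unmanaged phone are each denied with the specific control that failed, which is the information an admin-side walkthrough needs to hand to the help desk.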
Implementation Results
The primary result of Phase 1 was the successful creation and enforcement of a least-privilege access model, significantly reducing security risk. The use of `gcloud` proved efficient, and the audit log query provided a valuable lesson in cloud operational delays. The documentation from Phase 2 serves as a complete and actionable blueprint for any organization looking to implement device-based security.
Conclusion
This project successfully demonstrated the design and implementation of a layered cloud security strategy. It proves that effective security relies on the intelligent integration of multiple services, combining identity-based controls in IAM with device-based controls in Workspace, reflecting a modern, zero-trust security mindset.