Cloud Identity controls for generative AI use cases

This document includes the best practices and guidelines for Cloud Build when running generative AI workloads on Google Cloud. Use Cloud Identity with Vertex AI to unify identity, access, application, and management for Google Cloud.

Required Cloud Identity controls

The following controls are strongly recommended when using Cloud Identity.

Enable two-step verification for super admin accounts

Google control ID CI-CO-6.1
Category Required
Description

Google recommends Titan Security Keys for 2-step verification (2SV) for super admin accounts. However, for use cases where this isn't possible, we recommend using another security key as an alternative.
Applicable products
  • Cloud Identity
  • Titan Security Keys
Related NIST-800-53 controls
  • IA-2
  • IA-4
  • IA-5
  • IA-7
Related CRI profile controls
  • PR.AC-1.1
  • PR.AC-1.2
  • PR.AC-1.3
  • PR.AC-6.1
  • PR.AC-7.1
  • PR.AC-7.2
Related information

Enforce two-step verification on the super admin organization unit

Google control ID CI-CO-6.2
Category Required
Description

Enforce 2-step verification (2SV) for a specific organization unit (OU) or the entire organization. We recommend that you create an OU for super admins and enforce 2SV on that OU.
Applicable products
  • Cloud Identity
Related NIST-800-53 controls
  • IA-2
  • IA-4
  • IA-5
  • IA-7
Related CRI profile controls
  • PR.AC-1.1
  • PR.AC-1.2
  • PR.AC-1.3
  • PR.AC-6.1
  • PR.AC-7.1
  • PR.AC-7.2
Related information

Create an exclusive email address for the primary super admin

Google control ID CI-CO-6.4
Category Required
Description
Create an email address that's not specific to a particular user as the primary Cloud Identity super admin account.
Applicable products
  • Cloud Identity
Related NIST-800-53 controls
  • IA-2
  • IA-4
  • IA-5
Related CRI profile controls
  • PR.AC-1.1
  • PR.AC-1.2
  • PR.AC-1.3
  • PR.AC-6.1
  • PR.AC-7.1
  • PR.AC-7.2
Related information

Share audit logs from Cloud Identity

Google control ID CI-CO-6.5
Category Required
Description

If using Cloud Identity, share audit logs from Cloud Identity to Google Cloud.

Admin Activity audit logs from Google Workspace or Cloud Identity are ordinarily managed and viewed in the Google Admin console, separately from your logs in your Google Cloud environment. These logs contain information that is relevant for your Google Cloud environment, such as user login events.

We recommend that you share Cloud Identity audit logs to your Google Cloud environment to centrally manage logs from all sources.
Applicable products
  • Google Workspace
  • Cloud Logging
  • Cloud Identity
Related NIST-800-53 controls
  • AC-2
  • AC-3
  • AC-8
  • AC-9
Related CRI profile controls
  • DM.ED-7.1
  • DM.ED-7.2
  • DM.ED-7.3
  • DM.ED-7.4
Related information

Create redundant administrator accounts

Google control ID CI-CO-6.7
Category Required
Description

Don't have a single super admin or Organization Administrator. Create one or more (up to 20) backup administrator accounts. A single super admin or Organization Administrator can result in lockout scenarios. This situation also carries a higher risk as one person can make platform-altering changes, potentially with no oversight.
Applicable products
  • Identity and Access Management (IAM)
  • Google Workspace
  • Cloud Identity
Related NIST-800-53 controls
  • IA-2
  • IA-4
  • IA-5
Related CRI profile controls
  • PR.AC-1.1
  • PR.AC-1.2
  • PR.AC-1.3
  • PR.AC-6.1
  • PR.AC-7.1
  • PR.AC-7.2
Related information

Recommended cloud controls

We recommend that you apply the following Cloud Identity controls to your Google Cloud environment, regardless of your specific use case.

Block access to Cloud Shell for Cloud Identity managed user accounts

Google control ID CI-CO-6.8
Category Recommended
Description

To avoid granting excessive access to Google Cloud, block access to Cloud Shell for Cloud Identity managed user accounts.
Applicable products
  • Cloud Identity
  • Cloud Shell
Related NIST-800-53 controls
  • SC-7
  • SC-8
Related CRI profile controls
  • PR.AC-5.1
  • PR.AC-5.2
  • PR.DS-2.1
  • PR.DS-2.2
  • PR.DS-5.1
  • PR.PT-4.1
  • DE.CM-1.1
  • DE.CM-1.2
  • DE.CM-1.3
  • DE.CM-1.4
Related information

Optional controls

You can optionally implement the following Cloud Identity controls based on your organization's requirements.

Block account self-recovery for super admin accounts

Google control ID CI-CO-6.3
Category Optional
Description
An attacker could use the self-recovery process to reset super admin passwords. To mitigate the security risks associated with Signaling System 7 (SS7) attacks, SIM Swap attacks, or other phishing attacks, we recommend that you turn off this feature. To turn off the feature, go to the account recovery settings in the Google Admin console.
Applicable products
  • Cloud Identity
  • Google Workspace
Related NIST-800-53 controls
  • IA-2
  • IA-4
  • IA-5
Related CRI profile controls
  • PR.AC-1.1
  • PR.AC-1.2
  • PR.AC-1.3
  • PR.AC-6.1
  • PR.AC-7.1
  • PR.AC-7.2
Related information

Turn off unused Google services

Google control ID CI-CO-6.6
Category Optional
Description
In general, we recommend turning off the services that you won't use.
Applicable products
  • Cloud Identity
Path http://admin.google.com > Apps > Additional Google Services
Operator Setting
Value
  • False
Related NIST-800-53 controls
  • SC-7
  • SC-8
Related CRI profile controls
  • PR.AC-5.1
  • PR.AC-5.2
  • PR.DS-2.1
  • PR.DS-2.2
  • PR.DS-5.1
  • PR.PT-4.1
  • DE.CM-1.1
  • DE.CM-1.2
  • DE.CM-1.3
  • DE.CM-1.4
Related information

What's next