You can use certificate-based access (CBA) to require verified X.509 certificates for access to Google Cloud resources. The additional credential provides a stronger signal of device identity and helps protect your organization from credential theft or accidental loss by requiring that both the user credentials and the original device certificate are present before granting access.
Relying only on credentials, like bearer tokens, to grant access to the Google Cloud APIs and resources can put you at risk. Those credentials can be exposed by user error or become prime targets for attackers. If attackers obtain the credentials, they can replay the credentials to access resources.
By using CBA, you enhance the security of your resources by requiring an additional authorization factor, a device certificate. Device certificates are validated and verified using a mutual TLS handshake. This requires users to prove possession of the private key associated with the certificate, thereby providing a strong signal of device identity.
Following is a high-level illustration of the CBA access flow:
The benefits of using Google CBA
Following are some of the benefits of using CBA.
- Comprehensive Security
- Protects your important resources by preventing access using stolen credentials from untrusted devices, such as cookie theft.
- Protects all Google Cloud API requests regardless of access points, including on-premises or Google networks, and web browsers or desktops applications.
- Fine-grained Policy Control
- Works seamlessly with VPC Service Controls service perimeters and lets you to specify fine-grained access control over your resources.
- Works seamlessly with user groups and lets you apply CBA to a group of users.
- Good Developer Experience
- Automated CBA support in common libraries and tools, such as the gcloud CLI, which reduces the programming cost of using CBA.