Access Control
Access to infrastructure (vendor access)
A limited group of qualified and trained Google Security Operations DevOps engineers has access to the production service environment for support and maintenance purposes. Access is named, granted by role (RBAC) on a need-to-know basis, and subject to the principle of least privilege. Access is governed by a policy that requires password complexity and 2FA, both of which are enforced by an Identity Provider (IdP) service.
Access to SaaS Application
Users of the Google Security Operations cloud service are provisioned with a unique account and are required to change their initial password in accordance with password best practices. In addition, Google Security Operations supports SAML integration so that access can be managed through the customer's external organizational IdP.
Google Security Operations uses a customizable RBAC mechanism, so access control can be made as flexible or as strict as required, and provides a default Master Admin account, which belongs to the customer.