Google Cloud Landing Zone Series – Part 5: Organizational Policies

Table of Contents:

Tags:

As described, a Landing Zone serves as the foundation and enables customers to effectively deploy workloads and operate their cloud environment at scale. But while enabling is important, it is also crucial to define standards and define guardrails what the different teams can do or cannot do. At this point, organizational policies come into play and that’s reason enough to discuss them in our Google Cloud Landing Zone series.

What are Organizational Policies?

Let’s give some kind of formal description:

Basically, Organizational Policies in Google Cloud Platform (GCP) are a set of constraints that apply to resources across your entire organization. These policies help govern resource usage and enforce security and compliance practices across all projects and resources within a GCP organization. Organizational Policies ensure that the actions of individual resources align with the broader business rules and regulations that a company wants to enforce.

How do Organizational Policies work?

Basically, Organizational Policies are easy to understand. Let’s discuss the most important aspects:

  • Constraints: Policies are enforced through constraints, which define the specific rules or limitations for resource management within the organization. For example, a constraint can limit which Google Cloud services can be activated or restrict the locations (regions and zones) where resources can be deployed.
  • Policy types: There are two policy types: Boolean constraints are simple enable/disable toggles for certain features or behaviors. For example, disabling serial port access for VM instances. On the other side, list constraints manage lists of values that either deny or allow specific behaviors. For example, restricting which Google Cloud APIs can be enabled in a project
  • Hierachy and Scope: Organizational Policies are implemented within a hierarchical structure in GCP. This hierarchy starts from the organization level, extends to folders, and then to projects. Policies set at a higher level (like the organization) apply to all items within it unless explicitly overridden at a lower level (like a project).
  • Customizability: Each constraint can be customized to meet specific organizational needs. This means policies can be tailored to allow exceptions, enforce stricter controls, or completely block certain actions.
  • Enforcement and Compliance: Organizational policies are automatically enforced by the platform, ensuring compliance and reducing the risk of human error. This automated enforcement helps maintain security standards and compliance with internal policies and regulatory requirements.

The following picture shows how Organizational Polices are embedded within the GCP organization hierarchy:

Flowchart depicting the policy management structure in a Google Cloud Landing Zone. The chart shows an Organization Policy Administrator defining an Org Policy, which is set on a Resource Hierarchy Node. This policy is inherited by default to Descendant Resource Hierarchy Nodes, which enforce constraints outlined in the policy. Constraints are defined and referenced by GCP Services, indicating how policies are evaluated and enforced across the cloud resource hierarchy.

Why do I need Organizational Policies?

I think it is basically easy to understand, why guardrails should be set in a cloud enviroment, but let’s write down the reasons:

  • Security and Compliance: Organizational policies help ensure that your cloud environment complies with both internal security policies and external regulatory requirements. For example, you can enforce policies that restrict the deployment of resources to specific regions to comply with data residency laws.

  • Risk Management: Policies reduce the risk of data breaches and other security incidents by limiting how resources are configured and who can access them. For example, disabling public IP addresses on virtual machines can prevent accidental exposure of services to the internet.

  • Consistency and Standardization: Applying uniform policies across an entire organization helps maintain consistency in how resources are managed and configured. This standardization is crucial for large organizations where different teams might deploy and manage their resources differently.

  • Operational Visibility: With organizational policies, administrators have a clearer view of the entire organization’s configurations.

  • Minimize Human Error: By enforcing certain configurations and restrictions at the organizational level, you minimize the risk of human error. This can be particularly valuable in preventing misconfigurations that might otherwise lead to security vulnerabilities or operational issues.

What are examples of Organizational Policies?

Currently, at the time this blog post has been written, there are 121 different Organizational Policies in GCP and this number is still increasing. The list of Organizational Policies can be found in the Google Cloud documentation:

https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints

While it is too long to discuss all the Organizational Policies in detail, we will nevertheless give some examples of some policies:

  1. Resource Location Restriction: This policy restricts the geographical location where resources can be created. Organizations can enforce data residency requirements by ensuring that data and resources are stored in specific regions or countries, complying with local laws and regulations. For example, you could restrict the locations for the European Union.
  2. Restricting VM IP Forwarding: This policy prevents virtual machines from forwarding packets, which can be a critical security measure to avoid misuse of the network.
  3. Disable Serial Port Access: By disabling serial port access for VM instances, organizations can enhance the security of their virtual machines by preventing potential external access through these ports.
  4. Service Usage Restrictions: Organizations can control which Google Cloud services are available for use. For example, you might want to restrict the use of certain services that are not compliant with your security standards or are deemed unnecessary for your business operations.
  5. Restrictions on External IP Addresses: This policy can be used to prevent resources such as virtual machines from being assigned external IP addresses, reducing exposure to external threats and helping to enforce a more secure network perimeter.
  6. Enforce uniform bucket-level access: For Google Cloud Storage, enabling the “ Enforce uniform bucket-level access“ setting ensures that access controls are uniformly managed through IAM roles, rather than through both IAM and Access Control Lists (ACLs), simplifying management and improving security.
  7. Enforcing Disk Encryption: You can enforce the encryption of compute disks, ensuring that all data is encrypted at rest and reducing the risk of data theft or exposure.
  8. Enforcing Minimum TLS Version: This policy ensures that services communicate using a minimum version of TLS, enhancing the security of data in transit by protecting against vulnerabilities in older versions of the protocol.
  9. Disabling Service Account Key Creation: By preventing the creation of new service account keys, organizations can encourage more secure and manageable authentication methods, such as using the IAM roles or the Workload Identity feature.

These examples represent just a few of the many organizational policies available in GCP that can be applied to secure and manage cloud resources effectively, ensuring they align with organizational objectives and compliance requirements.

Are Organizational Policies related to regulatory frameworks like Digital Operational Resilience Act  (DORA) or the revised Directive on Security of Network and Information Systems (NIS2)?

Yes, organizational policies help you with implementing those regulations. For example, in CHAPTER II, ICT risk management Article 5, Governance and organization the following is written:

Financial entities shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk, in accordance with Article 6(4), in order to achieve a high level of digital operational resilience.

The management body of the financial entity shall define, approve, oversee, and be responsible for the implementation of all arrangements related to the ICT risk management framework referred to in Article 6(1).

Here are some examples, which are also available as Organizational Policies:

IAM
– Appropriate Service Accounts Access Key Rotation

Storage:
– Object Storage – Blocked Public Access (Organization-wise)

Networking
– Disabled Endpoint Public Access in Existing Clusters 

We at Soeldner Consult can support you not only in building a safe Landing Zone, but also help you with setting Organizational Policies the right way.

> Click here for Part 6: Connectivity

Autor

Dr. Guido Söldner

Geschäftsführer

Guido Söldner ist Geschäftsführer und Principal Consultant bei Söldner Consult. Sein Themenfeld umfasst Cloud Infrastruktur, Automatisierung und DevOps, Kubernetes, Machine Learning und Enterprise Programmierung mit Spring.