Cloud Identity controls for generative AI use cases

This document includes the best practices and guidelines for Cloud Identity when running generative AI workloads on Google Cloud. Cloud Identity provides the user accounts that Vertex AI and the rest of Google Cloud authenticate and authorize, so use it to manage identity, access, applications, and devices for your Google Cloud organization from one place. The super admin accounts that administer it can change every other control in the organization, which is why most of the controls below are about protecting those accounts.

Required Cloud Identity controls

The following controls are required when you use Cloud Identity.

Enable two-step verification for super admin accounts

Google control ID CI-CO-6.1
Category Required
Description

Turn on 2-step verification (2SV) for every super admin account. Google recommends Titan Security Keys as the second factor for super admin accounts. Where Titan Security Keys can't be used, use another security key rather than SMS or voice codes, because phone-based factors are exposed to the SIM swap and SS7 attacks described under CI-CO-6.3.

Applicable products
  • Cloud Identity
  • Titan Security Keys
Related NIST-800-53 controls
  • IA-2
  • IA-4
  • IA-5
  • IA-7
Related CRI profile controls
  • PR.AC-1.1
  • PR.AC-1.2
  • PR.AC-1.3
  • PR.AC-6.1
  • PR.AC-7.1
  • PR.AC-7.2

Enforce two-step verification on the super admin organizational unit

Google control ID CI-CO-6.2
Category Required
Description

Enforce 2-step verification (2SV) for a specific organizational unit (OU) or for the entire organization. We recommend that you create a dedicated OU for super admins and enforce 2SV on that OU, so that the requirement applies to every current and future super admin account rather than depending on per-user settings. Check the enforcement status and the enrollment status separately: an account in the OU is not protected until the user has actually enrolled a second factor.

Applicable products
  • Cloud Identity
Related NIST-800-53 controls
  • IA-2
  • IA-4
  • IA-5
  • IA-7
Related CRI profile controls
  • PR.AC-1.1
  • PR.AC-1.2
  • PR.AC-1.3
  • PR.AC-6.1
  • PR.AC-7.1
  • PR.AC-7.2

Create an exclusive email address for the primary super admin

Google control ID CI-CO-6.4
Category Required
Description
Create an email address that isn't tied to a particular person and use it as the primary Cloud Identity super admin account. A role-based address survives staff changes, isn't used for anyone's day-to-day work, and makes it obvious in audit logs when the super admin account is being used.
Applicable products
  • Cloud Identity
Related NIST-800-53 controls
  • IA-2
  • IA-4
  • IA-5
Related CRI profile controls
  • PR.AC-1.1
  • PR.AC-1.2
  • PR.AC-1.3
  • PR.AC-6.1
  • PR.AC-7.1
  • PR.AC-7.2

Send audit logs to Google Cloud

Google control ID CI-CO-6.5
Category Required
Description

You can share data from your Google Workspace, Cloud Identity, or Essentials account with services in Google Cloud. The shared data includes login logs, administrator logs, and group logs. Once sharing is turned on, these entries appear as Cloud Audit Logs in Cloud Logging at the organization level, where you can query them, route them to a log sink, and set retention alongside your other Google Cloud audit logs. Without this sharing, sign-ins and configuration changes on the super admin accounts are visible only in the Admin console and can't be correlated with Google Cloud activity.

Applicable products
  • Google Workspace
  • Cloud Logging
Related NIST-800-53 controls
  • AC-2
  • AC-3
  • AC-8
  • AC-9
Related CRI profile controls
  • DM.ED-7.1
  • DM.ED-7.2
  • DM.ED-7.3
  • DM.ED-7.4
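As an added example that is not part of the original page, the following Python script shows the kind of detection a practitioner would run over the shared logs once they land in Cloud Logging: it flags any sign-in activity on the super admin accounts and any admin change that weakens the controls on this page. The log entries are constructed here to resemble the Cloud Audit Logs shape (protoPayload.serviceName, protoPayload.methodName and protoPayload.authenticationInfo.principalEmail are the real field names); the super admin addresses and the admin methodName strings for 2SV and recovery changes are assumptions that should be checked against entries from your own organization.

```python
"""Flag risky Cloud Identity events in Workspace audit logs shared to Cloud Logging.

Added example, not code from the Google page. The sample log entries below are
constructed; field names follow the Cloud Audit Logs protoPayload layout, but the
admin methodName strings and the account names are assumptions.
"""
import json

# Assumption: the dedicated super admin accounts (CI-CO-6.4 / CI-CO-6.7).
SUPER_ADMINS = {
    "superadmin@example.com",
    "superadmin-backup1@example.com",
    "superadmin-backup2@example.com",
}

# Assumed admin-audit method names for changes that weaken the controls on this page.
RISKY_ADMIN_METHODS = {
    "google.admin.AdminService.changeTwoStepVerificationEnrollment",
    "google.admin.AdminService.changeAccountRecoverySetting",
    "google.admin.AdminService.grantAdminPrivilege",
}

# Constructed sample: four well-formed entries plus one line of junk.
SAMPLE_LOG = """
{"timestamp": "2024-05-01T09:00:00Z", "protoPayload": {"serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.loginSuccess", "authenticationInfo": {"principalEmail": "alice@example.com"}}}
{"timestamp": "2024-05-01T09:05:00Z", "protoPayload": {"serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.loginSuccess", "authenticationInfo": {"principalEmail": "superadmin@example.com"}}}
{"timestamp": "2024-05-01T09:06:00Z", "protoPayload": {"serviceName": "admin.googleapis.com", "methodName": "google.admin.AdminService.changeTwoStepVerificationEnrollment", "authenticationInfo": {"principalEmail": "bob@example.com"}}}
{"timestamp": "2024-05-01T09:07:00Z", "protoPayload": {"serviceName": "login.googleapis.com", "methodName": "google.login.LoginService.loginFailure", "authenticationInfo": {"principalEmail": "superadmin-backup1@example.com"}}}
this line is not JSON and is skipped
"""


def parse_entries(raw):
    """Parse newline-delimited JSON log entries, skipping blank or malformed lines."""
    entries = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def classify(entry):
    """Return {"severity", "actor", "reason"} for an entry worth alerting on, else None."""
    payload = entry.get("protoPayload", {})
    service = payload.get("serviceName", "")
    method = payload.get("methodName", "")
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "")
    short = method.rsplit(".", 1)[-1]
    if service == "login.googleapis.com" and actor in SUPER_ADMINS:
        # Super admins are break-glass accounts (CI-CO-6.7): every sign-in event,
        # successful or failed, should correspond to a known change window.
        return {"severity": "HIGH", "actor": actor, "reason": f"super admin sign-in event: {short}"}
    if service == "admin.googleapis.com" and method in RISKY_ADMIN_METHODS:
        # A weakening change made from outside the super admin set is the more suspicious case.
        severity = "MEDIUM" if actor in SUPER_ADMINS else "HIGH"
        return {"severity": severity, "actor": actor, "reason": f"admin change: {short}"}
    return None


def find_alerts(raw):
    """Run classify() over every parsed entry and keep the hits, with timestamps."""
    alerts = []
    for entry in parse_entries(raw):
        hit = classify(entry)
        if hit:
            hit["timestamp"] = entry.get("timestamp", "")
            alerts.append(hit)
    return alerts


def logging_filter():
    """Build the equivalent Cloud Logging query, for use with gcloud logging read."""
    admins = " OR ".join(f'"{a}"' for a in sorted(SUPER_ADMINS))
    methods = " OR ".join(f'"{m}"' for m in sorted(RISKY_ADMIN_METHODS))
    return (
        f'(protoPayload.serviceName="login.googleapis.com" AND '
        f"protoPayload.authenticationInfo.principalEmail=({admins})) OR "
        f'(protoPayload.serviceName="admin.googleapis.com" AND '
        f"protoPayload.methodName=({methods}))"
    )


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert["timestamp"], alert["severity"], alert["actor"], alert["reason"])
    print("\nCloud Logging filter:\n" + logging_filter())
```

The filter string can be passed to `gcloud logging read --organization=ORG_ID 'FILTER'` to pull the same events from the organization's logs; the classify() logic is what you would put behind a log-based alert or a scheduled query.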

Create backup super admin accounts

Google control ID CI-CO-6.7
Category Required
Description

Create one or two backup super admin accounts so that losing access to the primary account (a lost security key, a departed employee, a lockout after turning off self-recovery) doesn't lock you out of the organization. As a general rule, don't use super admin accounts for day-to-day management tasks; delegate those to admin roles with narrower privileges. Keep the total at two to three super admin accounts for your organization, and review that count regularly.

Applicable products
  • Google Workspace
Related NIST-800-53 controls
  • IA-2
  • IA-4
  • IA-5
Related CRI profile controls
  • PR.AC-1.1
  • PR.AC-1.2
  • PR.AC-1.3
  • PR.AC-6.1
  • PR.AC-7.1
  • PR.AC-7.2
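The super admin controls above (2SV on and enforced, a dedicated OU, a small fixed set of role-based accounts) can be checked from the user records the Admin SDK Directory API returns. The following Python script is an added example, not code from the Google page: it audits a list of user records in the shape returned by `users.list` (primaryEmail, isAdmin, suspended, orgUnitPath, isEnrolledIn2Sv and isEnforcedIn2Sv are real Directory API fields). The sample records, the account names and the `/Super Admins` OU path are constructed assumptions; in practice you would fetch the records with `users.list(customer='my_customer', query='isAdmin=true')`.

```python
"""Audit super admin posture from Directory API user records.

Added example, not code from the Google page. SAMPLE_USERS is constructed to
mirror the fields a users.list call returns; the account names and the OU path
are assumptions.
"""

# Assumption: the dedicated super admin accounts and their OU (CI-CO-6.2, 6.4, 6.7).
EXPECTED_SUPER_ADMINS = {
    "superadmin@example.com",
    "superadmin-backup1@example.com",
    "superadmin-backup2@example.com",
}
SUPER_ADMIN_OU = "/Super Admins"
MIN_SUPER_ADMINS, MAX_SUPER_ADMINS = 2, 3

# Constructed sample: one compliant account, one not enrolled, one suspended backup,
# one personal account that was given super admin, and one delegated admin.
SAMPLE_USERS = [
    {"primaryEmail": "superadmin@example.com", "isAdmin": True, "suspended": False,
     "orgUnitPath": "/Super Admins", "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "superadmin-backup1@example.com", "isAdmin": True, "suspended": False,
     "orgUnitPath": "/Super Admins", "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
    {"primaryEmail": "superadmin-backup2@example.com", "isAdmin": True, "suspended": True,
     "orgUnitPath": "/Super Admins", "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "alice@example.com", "isAdmin": True, "suspended": False,
     "orgUnitPath": "/Engineering", "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},
    {"primaryEmail": "bob@example.com", "isAdmin": False, "isDelegatedAdmin": True,
     "suspended": False, "orgUnitPath": "/Engineering",
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
]

NOT_DEDICATED = "super admin privilege on an account outside the dedicated set"
WRONG_OU = "not in the super admin OU, so OU-level 2SV enforcement does not cover it"
NOT_ENFORCED = "2SV is not enforced"
NOT_ENROLLED = "2SV is not enrolled (enforcement has not taken effect yet)"
MISSING = "expected super admin is missing or suspended"


def active_super_admins(users):
    """isAdmin marks super admins; delegated admins have isDelegatedAdmin instead."""
    return [u for u in users if u.get("isAdmin") and not u.get("suspended")]


def audit_super_admins(users):
    """Return a list of (account, issue) findings; an empty list means compliant."""
    findings = []
    admins = active_super_admins(users)
    if not MIN_SUPER_ADMINS <= len(admins) <= MAX_SUPER_ADMINS:
        findings.append(("*", f"{len(admins)} active super admins, "
                              f"expected {MIN_SUPER_ADMINS} to {MAX_SUPER_ADMINS}"))
    for u in admins:
        email = u["primaryEmail"]
        if email not in EXPECTED_SUPER_ADMINS:
            findings.append((email, NOT_DEDICATED))
        if u.get("orgUnitPath") != SUPER_ADMIN_OU:
            findings.append((email, WRONG_OU))
        if not u.get("isEnforcedIn2Sv"):
            findings.append((email, NOT_ENFORCED))
        if not u.get("isEnrolledIn2Sv"):
            findings.append((email, NOT_ENROLLED))
    present = {u["primaryEmail"] for u in admins}
    for email in sorted(EXPECTED_SUPER_ADMINS - present):
        findings.append((email, MISSING))
    return findings


if __name__ == "__main__":
    for account, issue in audit_super_admins(SAMPLE_USERS):
        print(f"{account}: {issue}")
```

Enrollment and enforcement are checked separately on purpose: an OU-level policy sets isEnforcedIn2Sv as soon as it is applied, but the account stays unprotected until the user enrolls a key and isEnrolledIn2Sv becomes true.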

Recommended cloud controls

We recommend that you apply the following Cloud Identity controls to your Google Cloud environment, regardless of your specific use case.

Block access to Cloud Shell for Cloud Identity managed user accounts

Google control ID CI-CO-6.8
Category Recommended
Description

Cloud Shell gives any signed-in user an interactive shell with the gcloud CLI already authenticated as that user. To avoid granting more access to Google Cloud than a managed user needs, block access to Cloud Shell for Cloud Identity managed user accounts, and turn it on only for the users or organizational units that need it.

Applicable products
  • Cloud Identity
  • Cloud Shell
Related NIST-800-53 controls
  • SC-7
  • SC-8
Related CRI profile controls
  • PR.AC-5.1
  • PR.AC-5.2
  • PR.DS-2.1
  • PR.DS-2.2
  • PR.DS-5.1
  • PR.PT-4.1
  • DE.CM-1.1
  • DE.CM-1.2
  • DE.CM-1.3
  • DE.CM-1.4

Optional controls

You can optionally implement the following Cloud Identity controls based on your organization's requirements.

Block account self-recovery for super admin accounts

Google control ID CI-CO-6.3
Category Optional
Description
An attacker who takes over a super admin's recovery phone number or recovery email address could use the self-recovery process to reset that super admin's password. Because recovery phone numbers can be hijacked through Signaling System 7 (SS7) interception or SIM swap attacks, and recovery email addresses through phishing, we recommend that you turn off account self-recovery for super admin accounts. To turn off the feature, go to the account recovery settings in the Google Admin console. With self-recovery off, a locked-out super admin can only be restored by another super admin, which is one reason to keep the backup accounts described under CI-CO-6.7.
Applicable products
  • Cloud Identity
  • Google Workspace
Related NIST-800-53 controls
  • IA-2
  • IA-4
  • IA-5
Related CRI profile controls
  • PR.AC-1.1
  • PR.AC-1.2
  • PR.AC-1.3
  • PR.AC-6.1
  • PR.AC-7.1
  • PR.AC-7.2

Turn off unused Google services

Google control ID CI-CO-6.6
Category Optional
Description
In general, we recommend turning off the services that you won't use, so that managed users can't reach them and they don't add to the surface you need to monitor.
Applicable products
  • Cloud Identity
Path http://admin.google.com > Apps > Additional Google Services
Operator Setting
Value
  • False
Related NIST-800-53 controls
  • SC-7
  • SC-8
Related CRI profile controls
  • PR.AC-5.1
  • PR.AC-5.2
  • PR.DS-2.1
  • PR.DS-2.2
  • PR.DS-5.1
  • PR.PT-4.1
  • DE.CM-1.1
  • DE.CM-1.2
  • DE.CM-1.3
  • DE.CM-1.4
