Google bases the way it develops its products on security, openness, and data protection. Every Google Cloud customer owns their data and has total control over how it is utilised.
Access Transparency is an element of Google's ongoing dedication to openness and user trust. The steps Google employees take when gaining access to client content are recorded in Access Transparency logs.
Access Transparency logs tell you different things from Cloud Audit Logs. Access Transparency logs record actions taken by Google employees, while Cloud Audit Logs record actions taken by members of your own Google Cloud organisation on your Google Cloud resources.
Note: Regardless of whether an object is local or remote, access transparency mandates that the same actions be used to access both types of objects. In other words, regardless of where an object is really stored in the system, the interface used to access it should be consistent.
Need for Access Transparency
Access Transparency is part of Google's ongoing commitment to openness and user confidence. The steps Google employees take when accessing customer content are recorded in Access Transparency logs, and these logs tell you different things from Cloud Audit Logs.
When to Use Access Transparency?
Confirming that Google staff only access your content when doing so is necessary to address your support requests or fix an issue.
Confirming that Google employees made no mistakes while carrying out your instructions.
Confirming and monitoring adherence to legal or regulatory requirements.
Using a security information and event management (SIEM) tool to automatically gather and examine tracked access events.
Enable Access Transparency
You must enable Access Transparency for your Google Cloud organisation before any Access Transparency logs are produced.
The following documentation explains how to enable and disable Access Transparency for your organisation:
Your current security information and event management (SIEM) solutions can be connected with Access Transparency logs to automate your audits of Google employees who access your content. Along with your Cloud Audit Logs, Access Transparency logs are accessible in the Google Cloud console.
The following categories of information are included in Access Transparency log entries:
Resources and activity that were impacted.
Reasons behind the action (for example, the case number associated with a customer support request).
Information on the individuals acting on the content (such as the location of the Google employees).
Viewing Access Transparency Logs
After configuring Access Transparency for your Google Cloud organisation, you can restrict who may read the Access Transparency logs by granting the Private Logs Viewer role only to specific users or groups.
Use the following Google Cloud operations suite logging filter to view Access Transparency logs.
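The SIEM integration and the three categories of information described above (affected resources and activity, the reason for the access, and information about the people acting), together with the separation between Access Transparency logs and Cloud Audit Logs, can be exercised with the following added example. It is not code from the original article or from Google; the JSON field layout, the sample entries, the allowed-country policy and the reason type strings are all constructed for this example, and the log name suffix used to pick Access Transparency entries out of a mixed stream is an assumption that should be verified against the logging filter in the documentation for your organisation.

```python
import json
from collections import Counter
from typing import Dict, List

# Log-name suffix used to select Access Transparency entries out of a mixed
# log stream. Assumed for this example; verify it against the logging filter
# the documentation gives for your organisation.
AT_LOG_SUFFIX = "cloudaudit.googleapis.com%2Faccess_transparency"

# Countries from which you expect Google support staff to act (constructed policy).
ALLOWED_COUNTRIES = {"US", "IE"}

# Constructed sample log stream, one JSON entry per line. The field layout is a
# simplified shape invented for this example, not Google's real schema; it only
# mirrors the three information categories the article lists. The second line
# is a Cloud Audit Logs entry (your own principal acting under IAM), included to
# show that such access is not an Access Transparency event.
CONSTRUCTED_LOG = """\
{"timestamp": "2023-04-01T10:15:00Z", "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Faccess_transparency", "resource": "projects/demo-project/buckets/customer-data", "method": "storage.objects.get", "reason": {"type": "CUSTOMER_INITIATED_SUPPORT", "case": "12345678"}, "actor": {"office_country": "US"}}
{"timestamp": "2023-04-01T10:20:00Z", "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity", "resource": "projects/demo-project/buckets/customer-data", "method": "storage.objects.get", "principal": "alice@example.com"}
{"timestamp": "2023-04-01T11:02:00Z", "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Faccess_transparency", "resource": "projects/demo-project/instances/db-1", "method": "sql.instances.get", "reason": {"type": "GOOGLE_INITIATED_SERVICE", "case": null}, "actor": {"office_country": "IE"}}
{"timestamp": "2023-04-02T08:30:00Z", "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Faccess_transparency", "resource": "projects/demo-project/buckets/customer-data", "method": "storage.objects.list", "reason": {"type": "CUSTOMER_INITIATED_SUPPORT", "case": null}, "actor": {"office_country": "BR"}}
"""


def parse_log(raw: str) -> List[Dict]:
    """Parse a JSON-lines log stream, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def is_access_transparency(entry: Dict) -> bool:
    """True when the entry records Google staff access (Access Transparency log),
    as opposed to a Cloud Audit Logs entry produced by your own principals."""
    return entry.get("logName", "").endswith(AT_LOG_SUFFIX)


def audit_entry(entry: Dict, allowed_countries=ALLOWED_COUNTRIES) -> List[str]:
    """Return finding codes for one Access Transparency entry.

    The checks follow the article's use cases: every access must carry a reason,
    support-driven access must reference a support case, and the location of the
    accessing employee must be one you expect."""
    findings = []
    reason = entry.get("reason") or {}
    if not reason.get("type"):
        findings.append("no-reason")
    elif reason["type"] == "CUSTOMER_INITIATED_SUPPORT" and not reason.get("case"):
        findings.append("missing-case-number")
    country = (entry.get("actor") or {}).get("office_country")
    if country not in allowed_countries:
        findings.append("actor-outside-allowed-countries")
    return findings


def audit_log(raw: str) -> Dict[str, List[str]]:
    """Audit every Access Transparency entry in the stream, keyed by timestamp."""
    return {e["timestamp"]: audit_entry(e)
            for e in parse_log(raw) if is_access_transparency(e)}


def reason_summary(raw: str) -> Counter:
    """Count Access Transparency entries per stated reason type."""
    return Counter((e.get("reason") or {}).get("type", "UNKNOWN")
                   for e in parse_log(raw) if is_access_transparency(e))


def to_siem_line(entry: Dict) -> str:
    """Flatten one entry into key="value" pairs that most SIEM collectors ingest,
    including the audit findings so the SIEM can alert on them directly."""
    reason = entry.get("reason") or {}
    fields = {
        "ts": entry.get("timestamp", ""),
        "resource": entry.get("resource", ""),
        "method": entry.get("method", ""),
        "reason": reason.get("type", ""),
        "case": reason.get("case") or "-",
        "country": (entry.get("actor") or {}).get("office_country", ""),
        "findings": ",".join(audit_entry(entry)) or "-",
    }
    return " ".join(f'{k}="{v}"' for k, v in fields.items())


if __name__ == "__main__":
    for e in parse_log(CONSTRUCTED_LOG):
        if is_access_transparency(e):
            print(to_siem_line(e))
```

Run as a script, the example prints one SIEM line per Google-staff access and skips the Cloud Audit Logs entry; the third Access Transparency entry is flagged because it claims a customer-initiated support reason without a case number and originates from a country outside the constructed allow-list. In a real deployment the log stream would come from a Cloud Logging sink rather than an embedded string, and the allow-list and reason checks would be tuned to your own support arrangements.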
A log type marked GA is generally available for that service. A log type marked Preview is available but may change in backward-incompatible ways and is not covered by an SLA or deprecation policy.
The following services support Access Transparency in Google Cloud (service: availability):
Artifact Registry: GA
Anthos clusters on VMware: GA
App Engine: GA
BigQuery: GA
Binary Authorization: GA
Cloud Bigtable: GA
Cloud Composer: GA
Cloud Data Fusion: GA
Cloud Data Loss Prevention: GA
Cloud External Key Manager: GA
Cloud Healthcare API: GA
Cloud HSM: GA
Cloud Key Management Service (KMS): GA
Cloud Run: GA
Cloud Logging: GA
Cloud Spanner: GA
Cloud SQL: GA
Cloud Storage: GA
Cloud Vision: GA
Cloud VPN: GA
Compute Engine: GA
Contact Center AI Insights: GA
Container Registry: Preview
Dataflow: GA
Dataproc: GA
Dialogflow CX: GA
Document AI: GA
Google Kubernetes Engine: GA
Identity and Access Management: GA
Organization Policy Service: GA
Persistent Disk: GA
Pub/Sub: GA
Secret Manager: GA
Speaker ID: GA
Speech-to-Text: GA
Text-to-Speech: GA
Vertex AI: GA
Vertex AI Feature Store: GA
Vertex AI Workbench user-managed notebooks: GA
Access Transparency Exclusions
When Google employees access content that you've uploaded to a service that supports Access Transparency, Access Transparency logs are produced, except in the following circumstances:
Google is legally prohibited from notifying you of the access.
You have granted the Google employees access to your content through your own Identity and Access Management policy; their actions are then recorded in Cloud Audit Logs (when enabled), not in Access Transparency logs.
The access does not specifically target the content of one customer, for example a Google employee computing the average record size in a database that holds data from many Google Cloud customers.
The access comes from a routine workflow, such as a compression task run on the content or disk destruction after content deletion.
The item in question is a public resource identifier, for instance:
Names of Cloud Storage buckets
Names of Compute Engine VMs
Names of clusters in Google Kubernetes Engine
Names of BigQuery resources (including datasets, tables, and reservations)
Before creating Access Transparency logs, Google determines whether the access to customer content is targeted or untargeted. No Access Transparency log is produced if a specific customer cannot be identified from the content that was accessed.
Privileged Access
Privileged access refers to the right of Google employees to access your data for the purpose of performing a contracted service.
Your data in Google Cloud is typically accessed in the following ways:
You can see your own information.
You are utilising a service that accesses data on your behalf.
Google employees who are functioning in the capacity of privileged administrators may access your data upon request to provide a contracted service.
Principles of Privileged Access
What a single Google employee can view and do with your data is carefully constrained by Google Cloud's privileged access management method.
The following ideas form the foundation of the privileged access strategy at Google Cloud:
Least privilege: By default, no Google employee can view customer data. When access is granted, it is limited to the short period of time required to deliver the contracted service.
Limit singular access to data: No single Google employee should be able to access a customer's data alone, so individual access to data is restricted.
All access must be justified: By default, Google employees are not granted access to customer data. Only Google employees with a legitimate business reason may access your data.
Monitoring and alerting: Monitoring and response procedures are in place to detect, prioritise, and address violations of these rules.
Frequently Asked Questions
What does Google workspace access transparency mean?
As part of Google's ongoing commitment to security and transparency, you can use Access Transparency to examine logs of the actions taken by Google staff members when accessing user content.
Can we configure access transparency?
Yes, you can configure Access Transparency for your projects.
What is a log?
In the context of computers, a log is the automatically created and time-stamped record of occurrences pertinent to a specific system. Log files are generated by almost all software programmes and systems.
Does cloud VPN also support Access Transparency?
Yes, Cloud VPN also supports Access Transparency.
Why do Google employees need access to consumer content?
Google staff typically request access to your content in order to resolve a customer support case. If you submit a customer support request, a Google employee may need to ask for access to your content in order to address it.
Conclusion
In this article, we learned what Access Transparency is and how to view Access Transparency logs. We also learned about the various Google services that support Access Transparency.