Code360 powered by Coding Ninjas X Naukri.com
Table of contents
1. Introduction
1.1. Need of Access Transparency
1.2. When to Use Access Transparency?
2. Enable Access Transparency
3. Access Transparency Log
3.1. Viewing Access Transparency Logs
4. Supported Services
5. Access Transparency Exclusions
6. Privileged Access
6.1. Principles of Privileged Access
7. Frequently Asked Questions
7.1. What does Google workspace access transparency mean?
7.2. Can we configure access transparency?
7.3. What is a log?
7.4. Does cloud VPN also support Access Transparency?
7.5. Why do Google employees need access to consumer content?
8. Conclusion
Last Updated: Mar 27, 2024

Access Transparency

Introduction

Google bases the way it develops its products on security, openness, and data protection. Every Google Cloud customer owns their data and has total control over how it is utilised. 

Access Transparency is part of Google's ongoing commitment to openness and user trust. Access Transparency logs record the actions Google employees take when they access customer content.

Access Transparency logs tell you different things than Cloud Audit Logs do. Cloud Audit Logs record actions taken by members of your own Google Cloud organisation in your Google Cloud resources, while Access Transparency logs record actions taken by Google employees.

Note: Regardless of whether an object is local or remote, access transparency mandates that the same actions be used to access both types of objects. In other words, regardless of where an object is really stored in the system, the interface used to access it should be consistent.

Need of Access Transparency

Access Transparency is part of Google's ongoing commitment to openness and user confidence. Access Transparency logs record the actions Google employees take when they access customer content, which is information you cannot get from Cloud Audit Logs.

When to Use Access Transparency?

  • Confirming that Google staff only access your content when doing so is necessary to address your support requests or fix an issue.
  • Confirming that Google employees made no mistakes while carrying out your instructions.
  • Confirming and monitoring adherence to legal or regulatory requirements.
  • Using a security information and event management (SIEM) tool to automatically gather and examine tracked access events.

Enable Access Transparency

Access Transparency must be enabled for your Google Cloud organisation before any logs are produced.

The following documentation explains how to enable and disable Access Transparency:

configure access transparency

Access Transparency Log

Access Transparency logs can be integrated with your existing security information and event management (SIEM) tools to automate your audits of Google employees who access your content. Access Transparency logs are available in the Google Cloud console alongside your Cloud Audit Logs.

The following categories of information are included in Access Transparency log entries:

  • The resource that was affected and the action taken on it.
  • The reason for the action (for example, the case number associated with a customer support request).
  • Information about who acted on the content (such as the location of the Google employee).

Viewing Access Transparency Logs

After configuring Access Transparency for your Google Cloud organisation, you can control who has access to the Access Transparency logs by granting a user or group the Private Logs Viewer role.

Use the following Google Cloud operations suite logging filter to view Access Transparency logs. Replace PROJECT_ID with your own project ID.

logName="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Faccess_transparency"

For a more detailed description of the log fields, see this documentation link:

Log field descriptors
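
A sketch of the automated audit described above, added here as an example (it is not Google's or the original article's code). It selects entries with the same logName as the filter and reports every access that cannot be tied to a support case number your organisation opened. The jsonPayload field names, the reason type values and the "Case number:" detail format are assumptions to verify against the log field documentation; the entries are constructed sample data.

```python
import re

AXT = "cloudaudit.googleapis.com%2Faccess_transparency"
CASE_RE = re.compile(r"Case number:\s*(\S+)")

def entry(log_id, reason, detail, country, resource):
    """Build one constructed sample entry (assumed jsonPayload field names)."""
    return {"logName": "projects/PROJECT_ID/logs/" + log_id,
            "jsonPayload": {
                "location": {"principalPhysicalLocationCountry": country},
                "reason": [{"type": reason, "detail": detail}],
                "accesses": [{"methodName": "GoogleInternal.Read",
                              "resourceName": resource}]}}

# Constructed sample data, not real log entries.
SAMPLE = [
    entry(AXT, "CUSTOMER_INITIATED_SUPPORT", "Case number: 1001", "US", "bucket-a/obj1"),
    entry(AXT, "CUSTOMER_INITIATED_SUPPORT", "Case number: 9999", "IE", "bucket-a/obj2"),
    entry(AXT, "GOOGLE_INITIATED_SERVICE", "", "US", "bucket-b/obj3"),
    entry("cloudaudit.googleapis.com%2Factivity", "", "", "", "bucket-a/obj1"),
]

def triage(entries, known_cases):
    """Return one finding per Access Transparency entry that cannot be tied
    to a support case number in known_cases."""
    findings = []
    for e in entries:
        # Same selection as the logName filter shown above.
        if not e.get("logName", "").endswith("/logs/" + AXT):
            continue
        payload = e.get("jsonPayload", {})
        reasons = payload.get("reason") or [{}]
        cases = set()
        for r in reasons:
            m = CASE_RE.search(r.get("detail", ""))
            if m:
                cases.add(m.group(1))
        if cases & known_cases:
            continue  # justified by a case your organisation opened
        findings.append({
            "why": "unknown case number" if cases else "no support case",
            "reason_types": sorted({r.get("type", "REASON_UNSPECIFIED") for r in reasons}),
            "cases": sorted(cases),
            "country": payload.get("location", {}).get("principalPhysicalLocationCountry"),
            "resources": [a.get("resourceName") for a in payload.get("accesses", [])],
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE, known_cases={"1001"}):
        print(finding)
```

In a SIEM pipeline, known_cases would come from your own support ticket records, and each finding would be routed for review rather than printed.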

Supported Services

GA indicates that a log type is generally available for a service. Preview indicates that a log type is available but may change in backward-incompatible ways and is not covered by an SLA or deprecation policy.

The following services support Access Transparency in Google Cloud:

Service | Availability
Artifact Registry | GA
Anthos clusters on VMware | GA
App Engine | GA
BigQuery | GA
Binary Authorization | GA
Cloud Bigtable | GA
Cloud Composer | GA
Cloud Data Fusion | GA
Cloud Data Loss Prevention | GA
Cloud External Key Manager | GA
Cloud Healthcare API | GA
Cloud HSM | GA
Cloud Key Management Service (KMS) | GA
Cloud Run | GA
Cloud Logging | GA
Cloud Spanner | GA
Cloud SQL | GA
Cloud Storage | GA
Cloud Vision | GA
Cloud VPN | GA
Compute Engine | GA
Contact Center AI Insights | GA
Container Registry | Preview
Dataflow | GA
Dataproc | GA
Dialogflow CX | GA
Document AI | GA
Google Kubernetes Engine | GA
Identity and Access Management | GA
Organization Policy Service | GA
Persistent Disk | GA
Pub/Sub | GA
Secret Manager | GA
Speaker ID | GA
Speech-to-Text | GA
Text-to-Speech | GA
Vertex AI | GA
Vertex AI Feature Store | GA
Vertex AI Workbench user-managed notebooks | GA

Access Transparency Exclusions

Access Transparency logs are produced when Google employees access content that you've uploaded to a service that supports Access Transparency, except in the following circumstances:

  1. Google is legally prohibited from notifying you of the access.

  2. You've granted the Google employees access to your content through your Identity and Access Management policy; their actions are recorded in Cloud Audit Logs (when enabled), not Access Transparency logs.

  3. The access doesn't target the content of one particular user, as in the case of a Google employee querying the average record size in a database that holds data from many Google Cloud users.

  4. The access originates from a routine workflow, such as a compression task that runs on the content or disk destruction after content deletion.

  5. The content in question is a public resource identifier. For instance:
       • Names of Cloud Storage buckets
       • Names of Compute Engine VMs
       • Names of clusters in Google Kubernetes Engine
       • Names of BigQuery resources (including datasets, tables, and reservations)

Before creating Access Transparency logs, Google determines whether access to customer content is targeted or untargeted. An Access Transparency log is not produced if a customer cannot be identified from the content that was accessed.

Privileged Access

Privileged access refers to the right of Google employees to access your data for the purpose of performing a contracted service.

Your data in Google Cloud is typically accessed for one of the following reasons:

  • You access your own data.
  • You are using a service that accesses data on your behalf.
  • Google employees acting as privileged administrators access your data, upon request, to provide a contracted service.

Principles of Privileged Access

Google Cloud's privileged access management approach tightly constrains what a single Google employee can view and do with your data.

The following principles form the foundation of the privileged access strategy at Google Cloud:

  • Least privilege: All Google employees are by default prohibited from seeing customer data. When access is allowed, it is only given for the brief period of time required to deliver the contracted service.
  • Limit singular access to data: No Google employee should be able to access a customer's data alone.
  • All access must be justified: By default, Google employees are not granted access to customer data. Only Google employees who have a legitimate business reason to do so may access your data.
  • Monitoring and alerting: Monitoring and response procedures are in place to detect, prioritise, and address violations of these principles.

Frequently Asked Questions

What does Google workspace access transparency mean?

As part of Google's ongoing commitment to security and transparency, you can use Access Transparency to examine logs of the actions taken by Google staff members when accessing user content.

Can we configure access transparency?

Yes, you can configure Access Transparency for your projects.

What is a log?

In computing, a log is an automatically created, time-stamped record of events relevant to a specific system. Almost all software programs and systems generate log files.

Does cloud VPN also support Access Transparency?

Yes, Cloud VPN also supports Access Transparency.

Why do Google employees need access to consumer content?

Google staff typically request access to your content in order to address a customer support case. If you submit a customer support request, a Google employee may need to request access to your content.

Conclusion

In this article, we learned what Access Transparency is and how to view Access Transparency logs. We also learned about the various Google Cloud services that support Access Transparency.

For more cloud related information you can refer to the following articles:

Cloud APIs

Cloud DNS

Google Cloud Console

Cloud Domains
