Key Takeaways
- Eliminated 30,000+ static keys and reduced over-privileged access
- Automated key rotation and permission management across 1,000+ GCP projects
- Achieved full governance of non-human identities (NHIs) within weeks
Background
A major insurance provider operates over 1,000 projects in Google Cloud Platform (GCP). Over time, developers created thousands of service accounts for various purposes, leading to significant security risks.
For example, the company uses a cloud security platform to scan GCP instances for misconfigurations. To integrate with GCP, the platform requires a service account that can read GCP logs. This service account requires a key or static credential, created by the company’s DevOps team and stored in the security platform by its administrator.
Challenges with Service Account Governance
The company faced significant challenges due to the proliferation of service accounts (40,000+, growing at 5% monthly) and static keys (30,000+).
Security Risks
- No Ownership or Accountability – Many service accounts lacked assigned owners, making governance impossible.
- Lack of Visibility – Without clear insights into risk, usage, and ownership, security teams hesitated to take action.
- Inefficient Remediation – Addressing risks manually across 1,000+ projects required significant personnel effort and custom tooling.
Why Existing Solutions Fell Short
IGA Platforms (e.g., SailPoint)
- Could govern human identities but lacked capabilities for managing non-human identities like service accounts and static keys.
Native GCP Tools
- Workload Identity Federation – Recommended by Google, but impractical due to dependencies on static keys for third-party integrations.
- Policy Analyzer – Paywalled behind Google Security Command Center (SCC) Premium SKU, limiting accessibility.
- Lack of Centralized Visibility – Identifying unused accounts required manual effort across 1,000+ projects.
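As an illustration of the per-project manual check described above (finding user-managed keys that are stale or have no expiry), here is an added example; it is not P0's code and not part of the original case study. It assumes that a key inventory has already been collected per project in the shape returned by `gcloud iam service-accounts keys list --format=json` (the `name`, `keyType`, `validAfterTime` and `validBeforeTime` fields), and the sample inventory, the 90-day rotation threshold and the fixed audit time are constructed for the example.

```python
"""Flag user-managed GCP service account keys that are past a rotation
threshold or carry no expiry, across a multi-project inventory.

Added example, not P0's code. Records mimic the fields of
`gcloud iam service-accounts keys list --format=json`; all data is constructed.
"""
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90   # assumed rotation policy; adjust to your own standard
NO_EXPIRY_YEAR = 9999   # GCP represents "never expires" as 9999-12-31T23:59:59Z

# Fixed audit time so the run is deterministic; use datetime.now(timezone.utc) in practice.
AUDIT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample inventory: project id -> key records (fields trimmed).
SAMPLE_INVENTORY = {
    "proj-alpha": [
        {"name": "projects/proj-alpha/serviceAccounts/scanner-reader@proj-alpha.iam.gserviceaccount.com/keys/0a1b2c",
         "keyType": "USER_MANAGED",
         "validAfterTime": "2024-01-01T00:00:00Z",
         "validBeforeTime": "9999-12-31T23:59:59Z"},
        {"name": "projects/proj-alpha/serviceAccounts/scanner-reader@proj-alpha.iam.gserviceaccount.com/keys/ffee99",
         "keyType": "SYSTEM_MANAGED",          # Google-managed, rotated automatically
         "validAfterTime": "2024-05-20T00:00:00Z",
         "validBeforeTime": "2024-06-05T00:00:00Z"},
    ],
    "proj-beta": [
        {"name": "projects/proj-beta/serviceAccounts/deploy@proj-beta.iam.gserviceaccount.com/keys/77aa11",
         "keyType": "USER_MANAGED",
         "validAfterTime": "2024-05-01T00:00:00Z",
         "validBeforeTime": "2024-08-01T00:00:00Z"},
    ],
    "proj-gamma": [
        {"name": "projects/proj-gamma/serviceAccounts/ci-runner@proj-gamma.iam.gserviceaccount.com/keys/c0ffee",
         "keyType": "USER_MANAGED",
         "validAfterTime": "2023-11-01T00:00:00Z",
         "validBeforeTime": "2024-11-01T00:00:00Z"},
    ],
}


def parse_rfc3339(ts: str) -> datetime:
    """Parse the UTC timestamp format used by the IAM API (no fractional seconds)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def split_key_name(name: str):
    """Extract (service account email, key id) from
    projects/{project}/serviceAccounts/{email}/keys/{id}."""
    parts = name.split("/")
    return parts[3], parts[5]


def key_findings(record: dict, now: datetime = AUDIT_TIME,
                 max_age_days: int = MAX_KEY_AGE_DAYS) -> list:
    """Return the reasons a single key record is a governance finding (empty if clean)."""
    if record["keyType"] != "USER_MANAGED":
        return []  # only user-managed (static) keys are the rotation concern
    reasons = []
    age_days = (now - parse_rfc3339(record["validAfterTime"])).days
    if age_days > max_age_days:
        reasons.append(f"age {age_days}d exceeds {max_age_days}d")
    if parse_rfc3339(record["validBeforeTime"]).year >= NO_EXPIRY_YEAR:
        reasons.append("no expiry set")
    return reasons


def audit_inventory(inventory: dict, now: datetime = AUDIT_TIME,
                    max_age_days: int = MAX_KEY_AGE_DAYS) -> list:
    """Walk every project and return one finding dict per problematic key."""
    findings = []
    for project, records in inventory.items():
        for record in records:
            reasons = key_findings(record, now, max_age_days)
            if not reasons:
                continue
            email, key_id = split_key_name(record["name"])
            findings.append({"project": project, "service_account": email,
                             "key_id": key_id, "reasons": reasons})
    return findings


def findings_per_project(findings: list) -> dict:
    """Summarise findings as a per-project count for a triage report."""
    counts = {}
    for finding in findings:
        counts[finding["project"]] = counts.get(finding["project"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print(f'{finding["project"]}: {finding["service_account"]} '
              f'key {finding["key_id"]}: {"; ".join(finding["reasons"])}')
    print(findings_per_project(audit_inventory(SAMPLE_INVENTORY)))
```

Running this over the constructed inventory flags the scanner key in `proj-alpha` (stale and never expiring) and the CI key in `proj-gamma` (stale), while the recently created `proj-beta` key and the Google-managed key pass. Feeding it real inventory means running the `gcloud` listing once per project, which is the repetitive, 1,000-project effort the case study refers to.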
Cloud Security Posture Management (CSPM) Tools (e.g., Wiz)
- No Governance Workflows – Built for visibility but lacked automated remediation capabilities.
- Limited GCP Support – Most CSPMs prioritize AWS and Azure over GCP.
How P0 Helped
Comprehensive Inventory
- Identified all identities (users and service accounts), owners, and consumers.
Proactive Risk Posture Analysis
- Detected over-privileged accounts and unused service accounts.
- Assessed accessible resources for each identity.
- Categorized identities based on risk level.
Scalable Governance & Automation
- Enabled bulk remediation of over-provisioned and unused service accounts.
- Automated key rotation and permission management using P0-managed service accounts.
- Implemented just-in-time (JIT) permissions for human users.
Results & ROI
P0 was deployed in under an hour by connecting GCP APIs and onboarding all 1,000+ projects via a simple script. No additional infrastructure was required.
Immediate Impact:
- Full visibility into every GCP identity within minutes.
- Eliminated all static keys and reduced over-privileged access within weeks.
- Automated an ongoing governance program to ensure new service accounts are secure from the outset.
Without P0, this effort would have taken months and achieved only 70% risk reduction. Instead, the company now maintains a continuous, automated identity governance framework, securing its cloud environment at scale.
Want to identify and secure overprivileged service accounts and keys in your cloud? Book a demo with P0 today.