
From Sprawl to Control: How CNA Governs Service Accounts and NHIs in GCP

Shashwat Sehgal

Jan 7, 2025


Background: CNA Insurance has 1000+ projects in GCP. Over time, developers created thousands of service accounts in them for a variety of purposes. 

For example, CNA uses Palo Alto Networks’ Prisma Cloud to scan their GCP instances for misconfigurations. To integrate with GCP, Prisma Cloud needs a GCP service account that can read GCP logs. This service account requires a key or static credential, which is created in the GCP console by CNA’s DevOps team and stored in Prisma Cloud by the Prisma admin.

Problem: The sprawl of service accounts (40,000+, growing 5% monthly) and static keys (30,000+) presented a significant security risk for CNA. Per industry reports, credential leakage and over-privileged accounts were behind 75% of cloud breaches in 2022.

Governance of these service accounts created several operational challenges:

  • No inventory or ownership: Many service accounts did not have any documented owners. Without documented owners, the security team could not delegate governance.
  • Lack of visibility: Without full context into the risk, usage, and ownership, the security team was hesitant to take remedial action due to the risk of breaking a workload or service. 
  • Remediation at scale: Due to the huge number of accounts, taking remedial action on each of them in the GCP Console was cumbersome at scale and would take 1-2 FTEs, as well as investment into custom tools, scripts, and support. 

Shortcomings of Existing Solutions

Current IGA (Sailpoint): CNA used Sailpoint to govern access to their on-prem stack and, to a limited extent, for GCP. However, Sailpoint does not have capabilities for governing non-human identities, such as service accounts and static keys in GCP.

Native GCP tooling: As a best practice, Google recommends customers:

  • Disable unused service accounts
  • Remove static keys and authenticate active service accounts using GCP’s Workload Identity Federation service 
  • Remove excess permissions on each active account using GCP Policy Analyzer

These were impractical for a number of reasons: 

  • In the absence of a single pane of glass, it was not easy to find unused accounts across 1000+ projects without going through each project one by one. The security team was relying on brittle in-house scripts to generate this information.
  • CNA used several apps, such as Prisma Cloud and Informatica, for which the only way to integrate with GCP was via static keys stored in Google Secret Manager.
  • Google decided to paywall Policy Analyzer behind the SCC Premium SKU
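As an added illustration of the kind of inventory script the previous list refers to (example code, not CNA's or P0's own), the following filters the JSON that `gcloud iam service-accounts keys list --format=json` returns for live user-managed keys older than a cutoff. The project IDs, account names, key IDs and timestamps are constructed; a real run would loop the `gcloud` call over every project and every service account.

```python
"""Inventory stale user-managed GCP service account keys from gcloud JSON output."""
import json
from datetime import datetime, timedelta

# Constructed sample in the shape returned by
#   gcloud iam service-accounts keys list --iam-account=EMAIL --project=PROJECT --format=json
# Project IDs, account names, key IDs and timestamps below are made up for illustration.
SAMPLE_KEYS_JSON = """[
 {"name": "projects/sample-proj-a/serviceAccounts/prisma-reader@sample-proj-a.iam.gserviceaccount.com/keys/k1",
  "keyType": "USER_MANAGED", "validAfterTime": "2023-01-15T10:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
 {"name": "projects/sample-proj-a/serviceAccounts/prisma-reader@sample-proj-a.iam.gserviceaccount.com/keys/k2",
  "keyType": "SYSTEM_MANAGED", "validAfterTime": "2024-12-01T00:00:00Z", "validBeforeTime": "2025-01-15T00:00:00Z"},
 {"name": "projects/sample-proj-b/serviceAccounts/etl-runner@sample-proj-b.iam.gserviceaccount.com/keys/k3",
  "keyType": "USER_MANAGED", "validAfterTime": "2024-12-20T08:30:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
 {"name": "projects/sample-proj-b/serviceAccounts/etl-runner@sample-proj-b.iam.gserviceaccount.com/keys/k4",
  "keyType": "USER_MANAGED", "validAfterTime": "2022-06-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z",
  "disabled": true}
]"""

def load_keys(json_text):
    """Parse the list of key objects emitted by gcloud."""
    return json.loads(json_text)

def parse_key_name(name):
    """Split 'projects/P/serviceAccounts/EMAIL/keys/ID' into (project, email, key_id)."""
    parts = name.split("/")
    if len(parts) != 6 or parts[0::2] != ["projects", "serviceAccounts", "keys"]:
        raise ValueError(f"unexpected key resource name: {name}")
    return parts[1], parts[3], parts[5]

def _rfc3339(ts):
    # gcloud emits a trailing 'Z', which fromisoformat() only accepts from Python 3.11 on.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def stale_user_managed_keys(keys, now_rfc3339, max_age_days=90):
    """Return enabled USER_MANAGED keys older than max_age_days, oldest first.
    SYSTEM_MANAGED keys are rotated by Google and disabled keys are already
    neutralised, so neither is reported."""
    now, findings = _rfc3339(now_rfc3339), []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED" or key.get("disabled", False):
            continue
        age = now - _rfc3339(key["validAfterTime"])
        if age > timedelta(days=max_age_days):
            project, email, key_id = parse_key_name(key["name"])
            findings.append({"project": project, "account": email,
                             "key_id": key_id, "age_days": age.days})
    return sorted(findings, key=lambda f: -f["age_days"])

if __name__ == "__main__":
    for f in stale_user_managed_keys(load_keys(SAMPLE_KEYS_JSON), "2025-01-07T00:00:00Z"):
        print(f"{f['project']}  {f['account']}  key={f['key_id']}  age={f['age_days']}d")
```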

CSPMs (such as Wiz): These provide visibility into the risk posture of the service accounts but fall short in other areas:

  • No governance workflows: They do not provide operationally efficient risk remediation at scale, such as automatic key rotation and permissions removal. They were built for visibility and not governance and provisioning/deprovisioning. 
  • Limited visibility into GCP permissions and service account usage: Most CSPMs provide limited depth of GCP specific risks since they prioritize AWS and Azure.

How P0 Helped

Comprehensive Discovery

  • Inventoried all identities (users and service accounts), owners and consumers

Proactive Risk Posture Analysis

  • Identified overprivileged identities
  • Discovered unused service accounts and keys
  • Identified the resources the identity can access
  • Categorized over-privileged identities

Governance at scale

  • Operationally efficient workflows to remediate over-provisioned service accounts
  • Operationally efficient workflows to remediate unused service accounts and keys
  • Automate key rotation using P0 managed service accounts 
  • Automate removal of unused permissions using P0 managed service accounts
  • Just-in-time permission workflows for human users

Results/ROI 

P0’s deployment was straightforward and consisted of connecting CNA’s GCP APIs to P0 and adding all 1000+ projects via a script in P0’s web GUI. The process took less than an hour, and no additional infrastructure had to be deployed.

Out of the box, P0 started providing visibility into every GCP identity. Over a period of a few weeks, CNA’s security team began managing 40,000+ service accounts via P0, thereby eliminating all static keys and over-privileged access. This process would have ordinarily taken several months and likely would have resulted in only around 70% of risk reduction. More importantly, CNA can operationalize an ongoing governance program, ensuring that new service accounts are governed from the outset.
