Console
    Contact Us Start free

    Cloud Identity controls for generative AI use cases

    This document includes the best practices and guidelines for Cloud Build when running generative AI workloads on Google Cloud. Use Cloud Identity with Vertex AI to unify identity, access, application, and management for Google Cloud.

    Required Cloud Identity controls

    The following controls are strongly recommended when using Cloud Identity.

    Enable two-step verification for super admin accounts

    Google control ID
    CI-CO-6.1
    Category
    Required
    Description

    Google recommends Titan Security Keys for 2-step verification (2SV) for super admin accounts. However, for use cases where this isn't possible, we recommend using another security key as an alternative.

    Applicable products
    • Cloud Identity
    • Titan Security Keys
    Related NIST-800-53 controls
    • IA-2
    • IA-4
    • IA-5
    • IA-7
    Related CRI profile controls
    • PR.AC-1.1
    • PR.AC-1.2
    • PR.AC-1.3
    • PR.AC-6.1
    • PR.AC-7.1
    • PR.AC-7.2
    Related information

    Enforce two-step verification on the super admin organization unit

    Google control ID
    CI-CO-6.2
    Category
    Required
    Description

    Enforce 2-step verification (2SV) for a specific organization unit (OU) or the entire organization. We recommend that you create an OU for super admins and enforce 2SV on that OU.

    Applicable products
    • Cloud Identity
    Related NIST-800-53 controls
    • IA-2
    • IA-4
    • IA-5
    • IA-7
    Related CRI profile controls
    • PR.AC-1.1
    • PR.AC-1.2
    • PR.AC-1.3
    • PR.AC-6.1
    • PR.AC-7.1
    • PR.AC-7.2
    Related information

    Create an exclusive email address for the primary super admin

    Google control ID
    CI-CO-6.4
    Category
    Required
    Description
    Create an email address that's not specific to a particular user as the primary Cloud Identity super admin account.
    Applicable products
    • Cloud Identity
    Related NIST-800-53 controls
    • IA-2
    • IA-4
    • IA-5
    Related CRI profile controls
    • PR.AC-1.1
    • PR.AC-1.2
    • PR.AC-1.3
    • PR.AC-6.1
    • PR.AC-7.1
    • PR.AC-7.2
    Related information

    Send audit logs to Google Cloud

    Google control ID
    CI-CO-6.5
    Category
    Required
    Description

    You can share data from your Google Workspace, Cloud Identity, or Essentials account with services in Google Cloud. Google Workspace collects login logs, administrator logs, and group logs. Access the shared data through the Cloud Audit Logs.

    Applicable products
    • Google Workspace
    • Cloud Logging
    Related NIST-800-53 controls
    • AC-2
    • AC-3
    • AC-8
    • AC-9
    Related CRI profile controls
    • DM.ED-7.1
    • DM.ED-7.2
    • DM.ED-7.3
    • DM.ED-7.4
    Related information

    Create backup super admin accounts

    Google control ID
    CI-CO-6.7
    Category
    Required
    Description

    Create one or two backup super admin accounts. As a general rule, don't use super admin accounts for day-to-day management tasks. Have only two to three super admin accounts for your organization.

    Applicable products
    • Google Workspace
    Related NIST-800-53 controls
    • IA-2
    • IA-4
    • IA-5
    Related CRI profile controls
    • PR.AC-1.1
    • PR.AC-1.2
    • PR.AC-1.3
    • PR.AC-6.1
    • PR.AC-7.1
    • PR.AC-7.2

    Recommended cloud controls

    We recommend that you apply the following Cloud Identity controls to your Google Cloud environment, regardless of your specific use case.

    Block access to Cloud Shell for Cloud Identity managed user accounts

    Google control ID
    CI-CO-6.8
    Category
    Recommended
    Description

    To avoid granting excessive access to Google Cloud, block access to Cloud Shell for Cloud Identity managed user accounts.

    Applicable products
    • Cloud Identity
    • Cloud Shell
    Related NIST-800-53 controls
    • SC-7
    • SC-8
    Related CRI profile controls
    • PR.AC-5.1
    • PR.AC-5.2
    • PR.DS-2.1
    • PR.DS-2.2
    • PR.DS-5.1
    • PR.PT-4.1
    • DE.CM-1.1
    • DE.CM-1.2
    • DE.CM-1.3
    • DE.CM-1.4
    Related information

    Optional controls

    You can optionally implement the following Cloud Identity controls based on your organization's requirements.

    Google control ID
    CI-CO-6.3
    Category
    Optional
    Description
    An attacker could use the self-recovery process to reset super admin passwords. To mitigate the security risks associated with Signaling System 7 (SS7) attacks, SIM Swap attacks, or other phishing attacks, we recommend that you turn off this feature. To turn off the feature, go to the account recovery settings in the Google Admin console.
    Applicable products
    • Cloud Identity
    • Google Workspace
    Related NIST-800-53 controls
    • IA-2
    • IA-4
    • IA-5
    Related CRI profile controls
    • PR.AC-1.1
    • PR.AC-1.2
    • PR.AC-1.3
    • PR.AC-6.1
    • PR.AC-7.1
    • PR.AC-7.2
    Related information

    Turn off unused Google services

    Google control ID
    CI-CO-6.6
    Category
    Optional
    Description
    In general, we recommend turning off the services that you won't use.
    Applicable products
    • Cloud Identity
    Path
    http://admin.google.com > Apps > Additional Google Services
    Operator
    Setting
    Value
    • False
    Related NIST-800-53 controls
    • SC-7
    • SC-8
    Related CRI profile controls
    • PR.AC-5.1
    • PR.AC-5.2
    • PR.DS-2.1
    • PR.DS-2.2
    • PR.DS-5.1
    • PR.PT-4.1
    • DE.CM-1.1
    • DE.CM-1.2
    • DE.CM-1.3
    • DE.CM-1.4
    Related information

    What's next
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: