1.0 Introduction
This article describes the Google Cloud Platform (GCP) connection concepts and supported features in Fortanix Key Insight. Fortanix Key Insight enables you to apply uniform key lifecycle management policies and processes to cryptographic key management systems across multiple clouds.
2.0 Concepts
The following table summarizes the GCP connection concepts used in Fortanix Key Insight:
| CONCEPT | DESCRIPTION |
|---|---|
| GCP Organization | The highest-level resource in Google Cloud. It represents a company or enterprise and sits at the top of the Google Cloud resource hierarchy. A GCP organization contains all folders and projects, which are arranged in a hierarchical tree with the organization at the top. Policies applied at the organization level are inherited by all resources within the hierarchy. Fortanix Key Insight scans an entire GCP organization, including all folders and projects within it. |
| GCP Folders | Resources used to group related projects and sub-folders within a Google Cloud organization. They sit below the organization in the resource hierarchy and can be nested to represent departments, teams, or functional groupings. Any policy applied to a folder is automatically inherited by all resources inside it. Fortanix Key Insight scans a GCP folder along with all nested folders and projects under it. |
| GCP Projects | The fundamental resource that serves as the base-level organizing entity in Google Cloud. Projects exist under an organization or folder and are required for creating and using any Google Cloud service. Each project manages its own API settings, permissions, and other configurations. Fortanix Key Insight scans a GCP project and all resources associated with that project. |
| GCP Resources | The fundamental components of Google Cloud environments. They include compute, storage, networking, database, security, and key management services such as Compute Engine, Cloud Storage, BigQuery, Cloud SQL, Kubernetes, and Cloud Key Management Service (Cloud KMS). |
| GCP Role | GCP roles in Identity and Access Management (IAM) define sets of permissions that control access to Google Cloud resources. Roles are granted to users, service accounts, or groups through IAM policies. Fortanix Key Insight authenticates as a service account that has been granted the required IAM roles and uses those permissions to scan GCP resources. |
| GCP Cloud KMS | Google Cloud KMS allows you to create, manage, and use cryptographic keys for encryption, signing, and key protection across Google Cloud services. It provides centralized key lifecycle management and access control through IAM. Cloud KMS resources follow a structured hierarchy: a project contains key rings, each key ring contains keys, and each key contains one or more key versions. Fortanix Key Insight scans Cloud KMS key rings, keys, and key versions across an organization's folders and projects to evaluate compliance, lifecycle state, algorithms, and regional distribution. |
| GCP Key Rings | GCP key rings are logical groupings used to organize Cloud KMS keys within a project. Each key ring is created in a specific location (a region, a multi-region, or global), and the keys it contains share that location. Key rings help organize keys by team, environment, or application. Fortanix Key Insight scans all key rings and their associated keys as part of Cloud KMS analysis. |
| GCP Key Versions | GCP key versions represent individual instances of a Cloud KMS key. Each version contains the actual cryptographic material and has its own lifecycle state (enabled, disabled, destroyed, and so on). Fortanix Key Insight analyzes key versions to assess usage, rotation, and compliance status. |
| GCP Scan | The process of connecting to Google Cloud and retrieving information about Cloud KMS keys and other supported GCP services for analysis. Fortanix Key Insight performs periodic or on-demand scans to analyze cryptographic posture, compliance, algorithms, and lifecycle metadata across GCP resources. |
| GCP Service Accounts | GCP service accounts are special Google identities used by applications or services to authenticate to and access GCP APIs. They are commonly used for automated tasks such as scanning operations. |
3.0 Supported Features
The Fortanix Key Insight GCP connection supports the following features:
- Allows users to scan all GCP regions across all projects and folders within a GCP organization. For each region, it identifies cryptographic assets such as Cloud KMS keys, key rings, and key versions, together with the encryption configuration of GCP services.
- Generates reports on non-compliant GCP keys and services. The assessment report shows the following information:
  - The risk score
  - Service violations
  - Top security issues
  - Key violations by source
- Provides a dashboard view of the scanned cryptographic keys and services. The dashboard shows the following information:
  - Scanned GCP organizations, folders, projects, and regions
  - Key types
  - Keys by status
  - Top projects by key and status
  - Keys by source
  - Protected services
- For every GCP key in a region:
  - Provides a tabular view that shows key details such as identifier, key source, key state, key type, key ID, project ID, expiration date, creation date, and so on.
  - Displays a map of the key compliance status.
  - Detects keys that do not comply with the applied policies and raises vulnerability alerts based on NIST standards.
  - Provides essential information such as key properties, key owner(s), rotation details, service mappings, and related violations.
- For every GCP service in a region:
  - Displays a comprehensive overview that allows you to filter services by type, violations, account, and region. You can click on each service to view a detailed list of associated vulnerabilities, if applicable.
  - Offers a tabular view showing service name, service type, region, encryption status, GCP project ID, and other relevant details.
  - Provides detailed insights into service configurations and any violations associated with each service, helping you understand potential issues and compliance gaps.
- Allows users to export all scanned key and service data in comma-separated values (CSV) format and to track export activities.
- Optionally lets users select pre-configured Fortanix Data Security Manager (DSM) application credentials (on-premises or SaaS) during GCP connection onboarding for key correlation, so that Fortanix Key Insight can identify whether a scanned key originated from a Fortanix DSM SaaS or on-premises environment.
- Allows users to create and manage user-defined policies, duplicate and modify system-defined and Fortanix DSM-defined policies, and automatically retrieve cryptographic policies from Fortanix DSM to apply them to scanned GCP connections.
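The following Python script is an added example, not Fortanix Key Insight's code, that ties together the Cloud KMS hierarchy described in Section 2.0 and the policy-based non-compliant key detection described in Section 3.0. It parses Cloud KMS key resource names into their project, location, key ring, and key components and checks each key's metadata against a simple policy. The input shape is that of `gcloud kms keys list --format=json`; the three sample keys are constructed, and the policy thresholds (HSM required, 90-day rotation, an algorithm allowlist) are illustrative assumptions rather than any Key Insight system-defined policy.

```python
"""Evaluate Cloud KMS CryptoKey metadata against a simple key policy.

Added example; not Fortanix Key Insight code. Input follows the JSON
shape of `gcloud kms keys list --format=json`. The sample below is
constructed, and the policy thresholds are illustrative assumptions.
"""
import json
import re
from datetime import timedelta

# Cloud KMS CryptoKey resource name:
#   projects/P/locations/L/keyRings/R/cryptoKeys/K
KEY_NAME_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<key_ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)

# Illustrative policy (assumption, not a Key Insight system policy).
POLICY = {
    "max_rotation_days": 90,
    "require_hsm": True,
    "allowed_algorithms": {
        "GOOGLE_SYMMETRIC_ENCRYPTION",
        "RSA_SIGN_PSS_3072_SHA256",
        "RSA_SIGN_PSS_4096_SHA256",
        "EC_SIGN_P256_SHA256",
        "EC_SIGN_P384_SHA384",
    },
}

# Constructed sample: one compliant key and two non-compliant keys.
SAMPLE_KEYS_JSON = json.dumps([
    {
        "name": "projects/prod-payments/locations/us-central1/keyRings/app-ring/cryptoKeys/db-key",
        "purpose": "ENCRYPT_DECRYPT",
        "versionTemplate": {"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", "protectionLevel": "HSM"},
        "rotationPeriod": "7776000s",  # 90 days
        "primary": {"name": "projects/prod-payments/locations/us-central1/keyRings/app-ring/cryptoKeys/db-key/cryptoKeyVersions/3", "state": "ENABLED"},
    },
    {
        # Asymmetric keys have no primary version and no automatic rotation in Cloud KMS.
        "name": "projects/dev-sandbox/locations/global/keyRings/legacy/cryptoKeys/old-sign",
        "purpose": "ASYMMETRIC_SIGN",
        "versionTemplate": {"algorithm": "RSA_SIGN_PKCS1_2048_SHA256", "protectionLevel": "SOFTWARE"},
    },
    {
        "name": "projects/prod-payments/locations/europe-west1/keyRings/app-ring/cryptoKeys/backup-key",
        "purpose": "ENCRYPT_DECRYPT",
        "versionTemplate": {"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", "protectionLevel": "HSM"},
        "primary": {"name": "projects/prod-payments/locations/europe-west1/keyRings/app-ring/cryptoKeys/backup-key/cryptoKeyVersions/1", "state": "DISABLED"},
    },
])


def parse_key_name(name):
    """Split a CryptoKey resource name into its hierarchy components."""
    m = KEY_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a CryptoKey resource name: {name}")
    return m.groupdict()


def rotation_days(key):
    """Return the automatic rotation period in days, or None if unset."""
    period = key.get("rotationPeriod")  # e.g. "7776000s"
    if not period:
        return None
    return timedelta(seconds=float(period.rstrip("s"))).days


def check_key(key, policy=POLICY):
    """Return the list of policy violations for one CryptoKey."""
    violations = []
    tpl = key.get("versionTemplate", {})
    alg = tpl.get("algorithm")
    if alg not in policy["allowed_algorithms"]:
        violations.append(f"algorithm {alg} not in allowlist")
    if policy["require_hsm"] and tpl.get("protectionLevel") != "HSM":
        violations.append(f"protection level {tpl.get('protectionLevel')} is not HSM")
    # Rotation and primary-version checks only apply to symmetric keys:
    # Cloud KMS supports automatic rotation and a primary version only
    # for ENCRYPT_DECRYPT keys.
    if key.get("purpose") == "ENCRYPT_DECRYPT":
        days = rotation_days(key)
        if days is None:
            violations.append("no automatic rotation configured")
        elif days > policy["max_rotation_days"]:
            violations.append(f"rotation period {days}d exceeds {policy['max_rotation_days']}d")
        state = key.get("primary", {}).get("state")
        if state != "ENABLED":
            violations.append(f"primary version state is {state}")
    return violations


def scan(keys_json, policy=POLICY):
    """Map each non-compliant key name to its location and violations."""
    report = {}
    for key in json.loads(keys_json):
        where = parse_key_name(key["name"])
        violations = check_key(key, policy)
        if violations:
            report[key["name"]] = {
                "project": where["project"],
                "location": where["location"],
                "violations": violations,
            }
    return report


if __name__ == "__main__":
    for name, finding in scan(SAMPLE_KEYS_JSON).items():
        print(name, finding["project"], finding["location"])
        for v in finding["violations"]:
            print("  -", v)
```

Run the script with a real `gcloud kms keys list --location=LOCATION --keyring=RING --project=PROJECT --format=json` export in place of the constructed sample to see the same checks over live metadata. Note that listing keys requires iterating every key ring in every location of every project, which is why the hierarchy (organization, folder, project, location, key ring) matters for scan scope.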