Veza for Google Cloud

If Google Cloud is a cornerstone of your cloud infrastructure, excessive or misconfigured access permissions in Google Cloud IAM can be your single biggest vulnerability. Veza is the identity security platform enabling you to answer the question: Who can take what action on what services and data in Google Cloud?

Identity security challenges in Google Cloud


Identity access is highly configurable, with over 40 distinct permissions for cloud storage alone. Add in the challenge of resolving interactions between IAM policies and Access Control lists, and access outcomes become almost impossible to predict.


Security and governance teams are managing many more resources and identities in Google Cloud than in the on-prem world, especially when you account for machine identities. Traditional security and governance tools and processes are still catching up.

Siloed access data

Google knows the permissions assigned to local IAM roles and users. Your IdP knows which users and groups can assume a role. Neither can connect a federated identity to its specific permissions in Google Cloud.

How Veza can help

Veza is powered by its Authorization Graph, which gives organizations the ability to visualize authorization relationships between all identities and systems by connecting users, groups, roles, and permissions.

Key Benefits
  • Reduced Risk: Surface and prioritize identities with the highest privilege, risk, or policy issues across all enterprise systems, without having to master the complex access model of Google Cloud IAM.
  • Least Privilege: Reduce risks and simplify audits by continuously identifying and remediating identity misconfigurations, dormant permissions, and over-permissioned identities.
  • Team Efficiency: Reduce manual, repetitive tasks by leveraging automation to detect and remove dormant access. Use Veza to delegate access decisions to business managers who best understand specific systems.
Key Features
  • Effective permissions: translate Google Cloud IAM permissions into simple, human-readable language—”create, read, update, delete”—and resolve complex policy interactions to give actionable intelligence on who can do what in Google Cloud.
  • Automated monitoring: watch continuously for policy violations and new privileged accounts, so you can comply with internal controls and external regulations without burdening security and governance teams.
  • Agentless read-only connections to both Google Cloud and your identity providers, give a complete picture of the access granted to federated identities, revealing governance blindspots, like local users.

Bluecore gets complete visibility across Google Cloud with Veza

Bluecore is a cloud-native organization, hosted entirely in Google Cloud since day one. CISO Brent Lassi’s team sought a solution that could meet three primary criteria:

  1. Supportability — could it be supported entirely by Bluecore’s security and IT organization
  2. Extensibility — could it plug into other systems via APIs and automation?
  3. Observability — could it pivot and drill down data to an almost infinite depth?

Only Veza made the cut.

The most critical thing about data security is knowing what you have. You need to know where it is, how long you’ve had it, and how well it’s protected. Veza helps me do all of it. It was hard to find something that didn’t treat Google Cloud like a third-class citizen…I was reassured to see that Veza took Google very, very seriously from the get go.

Brent Lassi | CISO

Watch the video

Full coverage of Google Cloud services

Ready to learn more?

Take a self-guided tour of how Veza automates access reviews