Jump to Content
Security & Identity

Simplifying identity and access management of your employees, partners, and customers

April 10, 2019
Sampath Srinivas

Director, Product Management, Google Cloud

Karthik Lakshminarayanan

Director, Product Management, Google Cloud

Identity and access management (IAM) is a cornerstone of the modern enterprise, helping you manage and secure employee, customer, and other identities, and their access to apps and data, both in the cloud and on-premises. In the past few months, we helped you simplify access to traditional LDAP apps, control access to web apps and VMs without a VPN, and add identity management to your own apps and services.

Today, we’re announcing five new ways to help you adopt the BeyondCorp security model and improve IT, developer, and end-user efficiency:

  • Context-aware access enhancements, including the launch of BeyondCorp Alliance.
  • Security key built into your Android phone—one of the strongest defenses against phishing now available through the convenience of your phone.
  • Cloud Identity enhancements, including single sign-on to thousands of additional apps and integration with human resource management systems (HRMS).
  • General availability of Identity Platform, which you can use to add identity management functionality to your own apps and services.
  • Availability of Managed Service for Microsoft Active Directory for select customers.

Context-aware access: your path to BeyondCorp

As the number and amount of Internet-facing apps and infrastructure increases, it becomes harder to secure access to your data using traditional network-based approaches. In 2011, we introduced the BeyondCorp security model to protect our internal resources, and now you can adopt the same model with context-aware access.

Over the past few months, we added context-aware access capabilities in beta to Cloud Identity-Aware Proxy (IAP) and VPC Service Controls to help protect web apps, VMs, and Google Cloud Platform (GCP) APIs. Today, we are making these capabilities generally available in Cloud IAP, as well as extending them in beta to Cloud Identity, to help you protect access to G Suite apps.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Context-aware_access_high-level_architectu.max-1100x1100.png
Context-aware access high-level architecture

Context-aware access allows you to define and enforce granular access to apps and infrastructure based on a user’s identity and the context of their request. This can help increase your organization’s security posture while giving users an easy way to more securely access apps or infrastructure resources, from virtually any device, anywhere. With today’s general availability of context-aware access in Cloud IAP, you can now enforce access to cloud-based and on-premises web apps. Veolia, a global water, waste and energy management company, has expanded the use of Cloud IAP, leveraging context in access decisions for their apps:

"Veolia provides water, waste and energy services to industry, cities, and citizens around the world. To keep our data protected, we are using context-aware access capabilities in Cloud IAP to ensure that our support team members can access applications only from trusted locations and devices." —Antoine Castex, Product Manager & Cloud Developer, Veolia

We’re also launching context-aware access capabilities in Cloud Identity and G Suite in beta, to help you enforce access to G Suite apps, including Gmail, Drive, Docs, Sheets, Slides, Forms, Calendar, and Keep. Essence, a global data and measurement-driven media agency, has already been using this capability along with Endpoint Verification for desktop devices to help secure access to G Suite:

“Context-aware access is a natural expansion of the MDM we've had in place on Android and iOS devices since 2014. It allows us to place manageable controls on how client G Suite data is accessed, and it does so in a way that does not inhibit the end user while ensuring security compliance.” —Colin McCarthy, VP Global IT, Essence

https://storage.googleapis.com/gweb-cloudblog-publish/images/Cloud_Identity_admin_experience_to_create_.max-1900x1900.png
Cloud Identity admin experience to create a context-aware access policy

If you’re like a lot of organizations, you already have endpoint security solutions that help you assess the security posture of your devices. Today, we are excited to announce BeyondCorp Alliance, a group of endpoint security and management partners with whom we are working to feed device posture data to our context-aware access engine. Initially, we are working with Check Point, Lookout, Palo Alto Networks, Symantec, and VMware, and will make this capability available to joint customers in the coming months.

Using context-aware access to protect access to GCP workloads (web apps, VMs, APIs) is available at no additional charge with Cloud IAP, Cloud IAM, and VPC Service Controls. Context-aware access for G Suite apps is available in beta for customers using Cloud Identity Premium, G Suite Enterprise, and G Suite Enterprise for Education. To get started, sign up for a free trial of Cloud Identity, watch a webinar, and check out our website for how-to guides.

Security key: one of the strongest defenses against phishing, now built into your Android phone

Strong user security paves the way for context-aware access and safer online experiences. Attackers, however, are always looking for new ways to compromise user accounts and access sensitive data, using techniques such as stealing passwords, phishing, and pretexting. Google automatically blocks the overwhelming majority of malicious sign-in attempts (even if an attacker has your username or password)—but you can boost your security even more with two-factor authentication (2FA).

We consider security keys based on FIDO standards, such as Google’s Titan Security Key, to be the strongest, most phishing-resistant method of 2FA on the market today, and now, launching in beta, you have an additional choice to use a security key that is built into your Android phone.

https://storage.googleapis.com/gweb-cloudblog-publish/original_images/User_experience_on_Pixel_3_small_n2j8TZS.gif
User experience on Pixel 3

Security keys use a protocol based on standard public key cryptography and provide stronger phishing and account takeover protection in comparison to traditional 2FA methods such as SMS, code, or push notification, which sophisticated attacks can skirt around. Last year, we stated that we had no reported or confirmed account takeovers since implementing security keys for Google employees.

Now in beta, we are making security keys available built-in on phones running Android 7.0+ (Nougat) at no additional cost. This means you can use your existing phone as your primary 2FA method for your work (G Suite, Cloud Identity, and GCP) and personal Google accounts to sign in on a Bluetooth-enabled Chrome OS, macOS X, or Windows 10 devices with a Chrome browser. This gives you a stronger 2FA method with the convenience of a phone that’s always in your pocket, making it easier for you to implement phishing-resistant 2FA in your organization while keeping user training and overall costs to a minimum. Leading the effort to protect against cyber threats in New York City, NYC Cyber Command started to use this technology to further improve their defenses against phishing and other identity attacks. And for Deputy CISO at NYC Cyber Command, Colin Ahern, this capability means he's able to better protect New York City.

To try this out and protect your own Google Account, follow these simple steps to activate the security key on your phone today. Then, you can enforce the use of security keys for your users in G Suite, Cloud Identity, and GCP, letting them choose between using a physical FIDO security key, their Android phone, or both.

Cloud Identity: simplify identity, app, and device management

Cloud Identity can help unify identity, app, and device management for your employees and other users accessing company data, including enforcing the use of security keys. Last year, we made a number of enhancements in Cloud Identity, including the ability to manage access to traditional LDAP-based apps and infrastructure that are hosted on-premises or in the cloud.

Today, we're excited to announce the upcoming availability of single sign-on (SSO) to thousands of additional apps with password vaulting, an enhanced end-user portal, and integration with popular human resource management systems (HRMS) to simplify and automate user lifecycle management.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Cloud_Identity_admin_experience_to_enable_.max-2000x2000.png
Cloud Identity admin experience to enable SSO

While Cloud Identity supports a large catalog of SAML and OpenID Connect (OIDC) apps for SSO, you might prefer to use credential-based authentication for some apps. With the support of password vaulted apps, your employees can have one-click access to thousands of additional apps. With this capability, Cloud Identity will have one of the largest SSO app catalogs, giving you a single system to manage access for all your apps.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Dashboard_for_end-users.max-2000x2000.png
Dashboard for end-users

The upcoming password vaulting release also includes Dashboard, a unified hub where employees can see and access all of their apps with single sign-on. Dashboard will replace Apps User Hub to provide an improved user experience, so your employees can efficiently and quickly launch and log in to their work apps.

And finally, we’re tackling the challenge of user lifecycle management—automating user account and access management as employees join a company, change roles or move within the org, and eventually leave. To that end, we’re working with leading HRIS/HRMS providers such as ADP, BambooHR, Namely, and Ultimate Software, to integrate with Cloud Identity. This functionality will let you sync employee information directly from your HR system to Cloud Identity, automatically provisioning and deprovisioning user accounts and access throughout the employee lifecycle, resulting in enhanced productivity for both IT and end users and a greater ROI on existing investments.

Automated employee lifecycle management, password vaulting, and Dashboard will be generally available in the coming months. To get started with Cloud Identity today, sign up for a free trial, watch a webinar, and check out our documentation for how-to guides.

Identity Platform: identity management for your apps and services

Modern businesses also need to manage the identities of customers, partners, and Things (IoT). Last year, we launched the beta of Cloud Identity for Customers and Partners (CICP) to help you add Google-grade identity and access management functionality to your apps, protect user accounts, and scale with confidence. Our customers are already using the service to add authentication and identity management to apps for their customers, build a data intelligence platform, enhance a device management service, and issue tokens for Things. Today, we are making the service generally available and renaming it to Identity Platform.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Identity_Platform.max-1200x1200.png

We work hard to keep Identity Platform up-to-date with evolving authentication requirements, helping you keep identities more secure in the face of sophisticated threats and quickly scale when the demand for your app or service grows. Identity Platform provides a drop-in, customizable authentication service that manages the UI flows for user sign-up and sign-in, supports multiple authentication methods, client and server SDKs, and is integrated with Google’s intelligence and threat signals to help detect compromised user accounts.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Identity_Platform_admin_experience.max-1600x1600.png
Identity Platform admin experience

Lightspeed, a commerce solutions provider, is using Identity Platform to upgrade a home-grown authentication solution:

“Identity Platform offers solid features that allow us to build a great solution knowing that the foundations are trustworthy.” —Alexandre Vallières-Lagacé, Team Lead, API Platform, Lightspeed

To get started with Identity Platform, enable it in GCP Marketplace, watch a webinar, and check out the quickstart for how-to guides.

Managed Service for Microsoft Active Directory: simplify AD management

Identity-as-a-service (IDaaS) solutions such as Cloud Identity continue to grow in popularity, but many organizations still rely on Microsoft Active Directory (AD) to manage users and access to traditional applications. While you can deploy a fault-tolerant AD environment in GCP on your own, you are still responsible for its maintenance and security.

Today, we are announcing Managed Service for Microsoft Active Directory (AD), a highly available, hardened Google Cloud service running Microsoft AD, to help you manage cloud-based AD-dependent workloads, automate AD server maintenance and security configuration, and connect your on-premises AD domain to the managed service.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Managed_Service_for_Microsoft_AD_admin_exper.max-700x700.png
Managed Service for Microsoft AD admin experience

As more AD-dependent apps and servers move to the cloud, it becomes harder for IT and security teams to maintain latency and security requirements, on top of typical maintenance required to configure and secure AD domain controllers. Managed Service for Microsoft AD can help you address these issues by automating common tasks and allowing the IT and security teams to focus on higher-value projects.

Google Cloud partner itopia has already integrated their Cloud Automation Stack (CAS) solution with this new service:

“Our platform has supported hybrid AD environments and deep integration with Google Cloud APIs for years now. Since Managed Service for Microsoft AD runs real AD domain controllers, it was natural to add integration and offer even more value to our customers.” —Jonathan Lieberman, CEO, itopia.

Sign up to express interest in trying Managed Service for Microsoft AD early and to be notified when it becomes available in beta.

More to come

We have been hard at work building enterprise-ready IAM services for our customers and partners. We're excited to continue delivering innovative ways to enhance end-user experiences and protect user accounts to help you gain peace of mind. Check out our security announcements focused on increased control and visibility in the cloud, and visit our security and compliance webpage to learn more.

Posted in