Security & Identity

Simplifying identity and access management for more businesses

October 11, 2018
Karthik Lakshminarayanan

Director, Product Management, Google Workspace

Effective identity management underpins the modern enterprise, and Google has been hard at work to provide simple, secure solutions for administrators and developers. In March, we launched Cloud Identity to help customers manage users, devices and apps from a central console. In July, we announced context-aware access, an innovative approach to access management that implements many elements of Google’s BeyondCorp vision for apps and services on Google Cloud and beyond.

Today, we’re announcing three new ways we’re extending those identity and security capabilities.

Simplifying identity management in your own apps with Cloud Identity for Customers and Partners

Forward-looking organizations are striving to build modern web and mobile applications to attract customers and partners in order to grow their business. A fundamental component of virtually any app is identity and access management. Users expect simple and secure sign-up, sign-in, and self-service experiences on their favorite devices.

While app developers can build their own identity and access management functionality, this approach has challenges. Getting identity and access management right requires significant effort, expertise, and cost. This is due to the complexity of building and maintaining an identity system that stays up-to-date with the constantly evolving authentication requirements, keeping user accounts secure with threats only increasing in occurrence and sophistication, and scaling reliably when the demand for the app grows.

To address this, we’re announcing Cloud Identity for Customers and Partners (CICP), a customer identity and access management (CIAM) platform that can help developers add Google-grade identity and access management functionality to their apps, protect user accounts, and scale with confidence. CICP will be available in public beta in the coming weeks; stay tuned for more on that in a future blog post.

https://storage.googleapis.com/gweb-cloudblog-publish/images/CICP.max-1800x1800.png

By implementing CICP, developers can focus on building their app, while CICP delivers essential identity management capabilities:

  • Google-grade authentication. Based on the widely adopted Firebase and Google’s identity platforms, CICP provides a drop-in, customizable authentication service that manages the UI flows for user sign-up and sign-in. CICP also supports multiple authentication methods (anonymous, email/password, phone, social, SAML, OIDC, and more), client SDKs (web, iOS, and Android), and server SDKs (Node.js, Java, Python, and more).

  • Advanced user security. CICP is integrated with Google’s intelligence and threat signals to help detect compromised user accounts. We are also working to enable two-factor authentication (2FA) in CICP, when it becomes generally available, to help protect user accounts from phishing attacks.

  • Planet-scale infrastructure. Built on Google Cloud’s security, performance, network, and scale, CICP is designed to satisfy the needs of even the most demanding applications. When CICP reaches general availability, it will also include an enterprise-grade availability SLA and technical support to give organizations peace of mind for a foundational component of their app.

We have been working with select customers on implementing CICP in their apps. For example, Veolia is using CICP to build applications for its customers, such as those that monitor air and water quality to make sure issues are identified and addressed quickly.

“We deal with a lot of operational data and indicators available through digital applications, and our goal is to offer simple and secure sign-up and sign-in experiences to our ecosystem,” says Herve DUMAS, CTO, Veolia. “Cloud Identity for Customers and Partners makes this easy, so we can focus on building apps and delivering value to our customers.”

To learn more about CICP, visit our website and stay tuned for the beta launch announcement in the coming weeks.

Simplifying user access to traditional apps with secure LDAP in Cloud Identity

Although adoption of software-as-a-service (SaaS) apps, such as G Suite, continues to grow, many businesses still rely on certain traditional LDAP-based applications and IT infrastructure (e.g. VPN servers) to get their work done. Enabling users to access SaaS and traditional apps in a simple manner is challenging and typically requires IT teams to maintain two identity management systems.

Secure LDAP in Cloud Identity solves this challenge by allowing organizations to manage access to SaaS apps and to traditional LDAP-based apps and infrastructure, hosted on-premises or in the cloud, from a single identity and access management platform. This means that people can use the same Cloud Identity credentials they use to log into services like G Suite and other SaaS apps to log into traditional applications. Another benefit is that administrators can now manage it all in one place. For example, Doctor On Demand uses Cloud Identity to enable access to both cloud and traditional apps.

“Doctor On Demand uses a number of SAML and LDAP-based apps, including Jamf Pro, to improve the world's health through compassionate care and innovation,” says Wez Ireland, Information Security Analyst, Doctor On Demand. “With secure LDAP, we now use Cloud Identity as a single directory to enable our team members to access both types of apps, enabling Doctor On Demand to focus on putting the patient first and providing face-to-face healthcare to everyone in the United States, 24/7.”

https://storage.googleapis.com/gweb-cloudblog-publish/images/google_admin.max-1900x1900.png

With secure LDAP, Cloud Identity can now help to unify the management of cloud and on-prem identities as well as SaaS and traditional apps. This can help to decrease complexity and cost by simplifying day-to-day work for IT, reducing the dependency on legacy identity infrastructure such as Microsoft Active Directory, and improving security by having a single place for identity and app policies.

“For the first 18 years of our company, we were a business where 100% of our IT infrastructure remained on-prem,” says Chris Thompson, Head of IT Operations, Utility Warehouse. “However, at the rate we've been expanding, in numbers of both internal staff and customers, our IT infrastructure wasn't able to scale with us or take us on the growth journey we wished to be on. With the ongoing goal of moving everything to the cloud, secure LDAP in Cloud Identity will allow us to accelerate that shift and ensure that our LDAP applications, such as PaperCut, and other traditional applications will no longer have the same on-prem dependencies that could have significantly slowed us down during this transition.”

Select customers and partners have already been using secure LDAP for their apps and IT infrastructure, and we are excited to highlight a number of launch partners that we have been working with to ensure that their apps work with secure LDAP: Aruba Networks (HPE), Atlassian, itopia, Jamf, Jenkins (CloudBees), OpenVPN, PaperCut, pfSense (Netgate), Puppet, Sophos, Splunk, and Synology. Virtually any app that supports LDAP over SSL can work with secure LDAP, and we are actively working with partners to validate more apps.

Secure LDAP will be rolling out globally to Cloud Identity and G Suite customers in the coming weeks. To learn more, visit our website, check out the documentation, or start a free 14-day trial of Cloud Identity.

Simplifying access management for web apps through context-aware access capabilities in Cloud IAP

In July, we announced context-aware access to give organizations more flexibility and control over how they enforce access to their apps and data. Today, we’re announcing the beta availability of context-aware access capabilities for customers using Cloud Identity-Aware Proxy (IAP).

Context-aware access brings a new approach to access management that implements many elements of Google’s BeyondCorp vision. Context-aware access allows organizations to define and enforce granular access to cloud resources based on a user’s identity and the context of their request without using remote-access VPN gateways. This increases an organization’s security posture while decreasing complexity for users, giving them the ability to seamlessly log on to apps from anywhere and any device.

https://storage.googleapis.com/gweb-cloudblog-publish/images/access_context_manager.max-1600x1600.png

In this beta release, customers using Cloud IAP can now manage access to their web apps hosted on Google Cloud Platform based on context (location, device security status) in addition to their identity.

For example, a customer using Cloud IAP can specify that a web application intended for their employees and contractors can only be accessed from Windows, macOS or ChromeOS devices updated to a specific version or above. The customer can also require that the device used to access the web app has a screen lock enabled and that its disk is encrypted. Going further, the customer can restrict certain contractors so that they are granted access only when their device is on the company’s corporate network.
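As an added illustration of the policy described above (not part of the original post), the conditions below are written in the YAML that `gcloud access-context-manager levels create --basic-level-spec` accepts for a basic access level; the version numbers and the 203.0.113.0/24 range are constructed placeholders, and the file and level names are assumptions. Within one condition every attribute must hold, so the device requirements and the network requirement are ANDed.

```yaml
# contractor_onsite.yaml (assumed name): the stricter level for contractors
# who must be on the corporate network. The employee level is this same
# condition with the ipSubnetworks block removed.
#
# Create it with (POLICY_ID is a placeholder for your access policy):
#   gcloud access-context-manager levels create contractor_onsite \
#     --title "Contractor on-site, trusted device" \
#     --basic-level-spec contractor_onsite.yaml --policy POLICY_ID
- devicePolicy:
    # Device must have a screen lock enabled.
    requireScreenlock: true
    # Disk must report as encrypted; UNENCRYPTED and
    # ENCRYPTION_UNSUPPORTED devices are rejected.
    allowedEncryptionStatuses:
      - ENCRYPTED
    # The device must match at least one OS entry, at or above the
    # stated version. Versions below are constructed placeholders.
    osConstraints:
      - osType: DESKTOP_WINDOWS
        minimumVersion: "10.0.17134"
      - osType: DESKTOP_MAC
        minimumVersion: "10.13.6"
      - osType: DESKTOP_CHROME_OS
        minimumVersion: "69.0.3497.57"
  # Request must originate from the corporate egress range
  # (constructed placeholder; use your own public CIDRs).
  ipSubnetworks:
    - 203.0.113.0/24
```

Each level is then attached to the IAP-protected app for the principals it governs: the device-only level for employees and general contractors, this on-network level for the contractors who must be on site.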

It’s easy to get started with Cloud IAP. Navigate to the IAP console and check out the documentation for how-to guides. We are also working to enable context-aware access capabilities in Cloud IAM, VPC Service Controls, and Cloud Identity.

More to come

We have been hard at work to deliver expanded identity and security capabilities to our customers. We believe that keeping identity and access secure is critical for businesses to move forward, and we’ll continue to deliver innovative ways to help customers gain peace of mind. Check out our other security announcements focused on increased control and visibility in the cloud, and visit our security and compliance webpage to learn more.
