Google kicked off Next London, its annual conference centered on Google Cloud Platform (GCP), with a slew of feature announcements yesterday, including organization policy restrictions and the broad deployment of Alert Center for G Suite. On the heels of that news, the company today took the wraps off a new customer identity and access management (CIAM) platform, context-aware access for GCP, and secure Lightweight Directory Access Protocol (LDAP) support for traditional apps and IT infrastructure.
“Expectations have changed,” Google senior manager Karthik Jayachandran said during an early October press briefing. “Users expect agile, mobile work environments across multiple devices, and it’s reshaping how we think about security, access, and control. Admins want to give them this modern, forward-thinking experience, but they don’t want security to be compromised. The perimeter has disappeared.”
That’s where Cloud Identity for Customers and Partners (CICP) comes in. It’s a bit of a mouthful, but the concept is simple: an identity management platform that extends “Google-grade” security to apps, services, and websites.
“You might want to accept passwords or social media credentials,” Jayachandran said. “Cloud Identity allows app developers to focus on their apps by offering multiple ways to integrate authentication. We can protect apps with the cloud — their application becomes just as secure from an authentication and identity standpoint.”
Three components make up the core of CICP: an authentication service, automated threat detection, and a scalable infrastructure.
As Jayachandran explained, CICP's authentication, which is built on Google's in-house identity technology and the authentication service of its Firebase app development platform, offers a customizable framework that manages the sign-up and sign-in flows of an app. It supports basic email-and-password authentication, phone numbers, and social media accounts, as well as federated schemes such as Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). It ships with client-side software development kits (SDKs) for the web, iOS, and Android, and with server-side SDKs for Node.js, Java, and Python, which is where an app's backend verifies the token a successful sign-in produces before acting on it.
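As an added example, not code from this article or from Google's SDKs: the checks a backend has to make on the ID token that a Firebase- or CICP-style sign-in hands back before it treats the request as authenticated. The project ID, key ID, fixed clock, and sample claims are constructed for the demo, and an HMAC key stands in for signature verification; real tokens are RS256-signed, and the server verifies them against Google's published public keys selected by the token's `kid`. Everything else (pinned algorithm, issuer and audience bound to the project, timestamp and subject checks) is what the token format requires.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo. A real backend uses its own project ID and
# verifies RS256 signatures against Google's published keys (looked up by kid).
PROJECT_ID = "demo-project"
ISSUER = f"https://securetoken.google.com/{PROJECT_ID}"
STAND_IN_KEYS = {"kid-demo": b"not-a-real-key"}  # HMAC stand-in for the RS256 key set
NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def stand_in_verify_sig(kid: str, signing_input: bytes, sig: bytes) -> bool:
    """Stand-in for RS256 verification: unknown kid is a rejection, never a fallback."""
    key = STAND_IN_KEYS.get(kid)
    if key is None:
        return False
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def mint_token(claims: dict, kid: str = "kid-demo") -> str:
    """Test fixture: builds a token the way the demo signer would."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    key = STAND_IN_KEYS.get(kid, b"wrong-key")  # unknown kid -> unverifiable token
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_id_token(token: str, project_id: str, verify_sig=stand_in_verify_sig, now=None) -> dict:
    """Returns the claims if every check passes; raises ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token never gets to choose (alg=none / HS256 confusion).
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    kid = header.get("kid")
    if not isinstance(kid, str) or not kid:
        raise ValueError("missing kid")
    if not verify_sig(kid, f"{header_b64}.{payload_b64}".encode(), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # iss and aud bind the token to *this* project: a perfectly valid token
    # issued for another project on the same key set must still be rejected.
    if claims.get("iss") != f"https://securetoken.google.com/{project_id}":
        raise ValueError("wrong issuer")
    if claims.get("aud") != project_id:
        raise ValueError("wrong audience")
    for name in ("exp", "iat", "auth_time"):
        if not isinstance(claims.get(name), (int, float)):
            raise ValueError(f"missing or non-numeric {name}")
    if claims["exp"] <= now:
        raise ValueError("token expired")
    if claims["iat"] > now or claims["auth_time"] > now:
        raise ValueError("token timestamps in the future")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("missing sub")
    return claims


def demo_claims(sub: str = "uid-123", **overrides) -> dict:
    """Constructed claim set shaped like a password sign-in token."""
    claims = {"iss": ISSUER, "aud": PROJECT_ID, "sub": sub, "iat": NOW - 60,
              "auth_time": NOW - 60, "exp": NOW + 3600, "email": "user@example.com",
              "firebase": {"sign_in_provider": "password"}}
    claims.update(overrides)
    return claims


def check(token: str) -> str:
    """Returns 'ok' or the reason the token was rejected."""
    try:
        verify_id_token(token, PROJECT_ID, now=NOW)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(check(mint_token(demo_claims())))                     # ok
    print(check(mint_token(demo_claims(aud="other-project"))))  # wrong audience
    print(check(mint_token(demo_claims(exp=NOW - 1))))          # token expired
    print(check(mint_token(demo_claims(), kid="kid-unknown")))  # bad signature
```

The order matters: the signature is checked before any claim is read, so a tampered payload never reaches the issuer and audience logic, and the audience check is the one that stops a token from a different project on the same issuer key set from being accepted.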
Automated threat detection, CICP's second pillar, draws on Google's cloud intelligence to detect signs that an account might be compromised; two-factor authentication in CICP is planned for a later release. On the scalability side, Jayachandran said CICP will include "enterprise-grade availability" and technical support at launch.
“If an access request is coming in from a bad IP or a bad website, an admin doesn’t need to go in and block it manually,” he said. “We automatically take care of that.”
Cloud Identity was actually introduced in June 2017 in G Suite, but it launches this week as a standalone package. It’ll be available in public beta in the coming weeks.
In July, Google debuted context-aware access, a feature that gives customers using GCP's VPC Service Controls the ability to impose conditional policies on GCP APIs, resources, G Suite, and third-party applications. In practice, it lets admins allow or deny access based on the user's identity, location, device security status, and the context of the request, rather than on identity alone.
“We look at who the employee is and what they’re trying to access,” Jayachandran said. “We have eight services with more than a billion users … We’re good at crawling the web and finding bad websites. You don’t have to worry about getting hacked.”
As previously announced, Google is bringing those features to Cloud Identity-Aware Proxy (IAP) customers in beta. Starting today, eligible accounts can manage access to web apps hosted on GCP by context in addition to identity.
“For example,” Karthik Lakshminarayanan, director of product management at Google, wrote in a blog post, “IT and security teams can … restrict access to their apps only from specific countries in Europe.”
LDAP in Cloud Identity
For the uninitiated, Lightweight Directory Access Protocol (LDAP) is an open protocol that applications and network devices use to query a remote directory, typically to look up users and groups and to check credentials against it. A number of businesses rely on it, Lakshminarayanan notes, but often at the cost of integration with software-as-a-service (SaaS) apps.
“Enabling users to access SaaS and traditional apps in a simple manner is challenging and typically requires IT teams to maintain two identity management systems,” he said.
Google's answer is LDAP in Cloud Identity, which lets LDAP-based apps and servers authenticate against GCP's identity management platform regardless of whether they are deployed on-premises or in the cloud. Google claims that virtually any app that supports LDAP over SSL/TLS (LDAPS) can use secure LDAP, including apps that today bind to legacy identity infrastructure such as Microsoft Active Directory; plain unencrypted LDAP is not part of the offer.
“This means that people can use the same Cloud Identity credentials they use to log into services like G Suite and other SaaS apps to log into traditional applications,” Lakshminarayanan said. “Another benefit is that administrators can now manage it all in one place.”
Among Google’s LDAP in Cloud Identity launch partners are Aruba Networks (HPE), Itopia, JAMF, Jenkins (Cloudbees), OpenVPN, PaperCut, pfSense (Netgate), Puppet, Sophos, Splunk, and Doctor on Demand.
Google says it’ll start rolling out globally to Cloud Identity and G Suite customers in the weeks ahead.
“We have been hard at work to deliver expanded identity and security capabilities to our customers,” Lakshminarayanan said. “We believe that keeping identity and access secure is critical for businesses to move forward, and we’ll continue to deliver innovative ways to help customers gain peace of mind.”