Identity and access management (generally referred to as IAM) is the practice of granting the right individuals access to the right resources for the right reasons. This series explores the general practice of IAM and the individuals who are subject to it, including the following:
- Corporate identities: The identities that you manage for employees of your organization. These identities are used for signing in to workstations, accessing email, or using corporate applications. Corporate identities might also include non-employees such as contractors or partners that need access to corporate resources.
- Customer identities: The identities that you manage for users in order to interact with your website or customer-facing applications.
- Service identities: The identities that you manage in order to enable applications to interact with other applications or the underlying platform.
You might need to grant access to the following resources:
- Google services such as Google Cloud, Google Analytics, or Google Workspace
- Resources in Google Cloud, such as projects, Cloud Storage buckets, or virtual machines (VMs)
- Custom applications or resources managed by such applications
The guides in this series break down the discussion of IAM into the following parts:
- Managing corporate, customer, and service identities forms the foundation of IAM. These topics are boxes 4, 5, and 6 (in green).
- Relying on identity management as the foundation, boxes 2 and 3 (in blue) denote access management topics. These topics include managing access to Google services, to Google Cloud resources, and to your custom workloads and applications.
- Box 1 (in yellow) indicates access management topics that are beyond the scope of these guides. To learn about access management for Google Workspace, Google Marketing Platform, and other services, see the individual product documentation.
Identity management focuses on the following processes:
- Provisioning, managing, migrating, and deprovisioning identities, users, and groups.
- Enabling secure authentication to Google services and to your custom workloads.
The processes and technologies differ depending on whether you are dealing with corporate identities, application identities, or customer identities.
Managing corporate identities
Corporate identities are the identities that you manage for your organization's employees. Employees use these identities for signing in to workstations, accessing email, or using corporate applications.
In the context of managing corporate identities, the following are typical requirements:
- Maintaining a single place to manage identities across your organization.
- Enabling employees to use a single identity and single sign-on across multiple applications in a hybrid computing environment.
- Enforcing policies such as multi-factor authentication or password complexity for all employees.
- Meeting compliance criteria that might apply to your business.
If you use Google services in a hybrid or multi-cloud context, addressing these requirements might require that you integrate Google's IAM capabilities with external identity management solutions or identity providers such as Active Directory. The Reference architectures document explains how Google Workspace or Cloud Identity let you realize such an integration.
Some of your employees might rely on Gmail accounts or other consumer user accounts to access corporate resources. Using these types of user accounts might not comply with your individual requirements or policies, however, so you can migrate these users to Google Workspace or Cloud Identity. For more details, see Assessing your existing user accounts and Assessing onboarding plans.
To help you adopt Google Workspace or Cloud Identity, see our assessment and planning guides for guidance on how to assess your requirements and how to approach the adoption process.
Managing application identities
Application identities are the identities that you manage in order to let applications interact with other applications or with the underlying platform.
In the context of managing application identities, the following are typical requirements:
- Integrating with third-party APIs and authentication solutions.
- Enabling authentication across environments in a hybrid or multi-cloud scenario.
- Preventing leakage of credentials.
Google Cloud lets you manage application identities, and address these requirements, by using Google Cloud service accounts and Kubernetes service accounts. For more information about service accounts and best practices for using them, see Understanding service accounts.
Managing customer identities
Customer identities are the identities that you manage for users to let them interact with your website or customer-facing applications. Managing customer identities and their access is also referred to as customer identity and access management (CIAM).
In the context of managing customer identities, the following are typical requirements:
- Letting customers sign up for a new account but guarding against abuse, which might include detecting and blocking the creation of bot accounts.
- Supporting social sign-on and integrating with third-party identity providers.
- Supporting multi-factor authentication and enforcing password complexity requirements.
Google's Identity Platform lets you manage customer identities and address these requirements. For more details on the feature set and how to integrate Identity Platform with your custom applications, see the Identity Platform documentation.
Access management focuses on the following processes:
- Granting or revoking access to specific resources for identities.
- Managing roles and permissions.
- Delegating administrative capabilities to trusted individuals.
- Enforcing access control.
- Auditing accesses that are performed by identities.
Managing access to Google services
Your organization might rely on a combination of Google services. For example, you might use Google Workspace for collaboration, Google Cloud for deploying custom workloads, and Google Analytics for measuring advertising success metrics.
Google Workspace or Cloud Identity lets you centrally control which corporate identities can use which Google services. By restricting access to certain services, you establish a base level of access control. You can then use the access management capabilities of the individual services to configure finer-grained access control.
For more details, read about how to control who can access Google Workspace and Google services.
Managing access to Google Cloud
In Google Cloud, you can use IAM to grant corporate identities granular access to specific resources. By using IAM, you can implement the security principle of least privilege, where you grant these identities permissions to access only the resources that you specify.
For more information, see the IAM documentation.
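As an added example (not code from the Google Cloud documentation), the script below audits a project IAM policy for the common ways least privilege is violated: public principals such as allUsers, and broad basic roles granted directly to individual users or service accounts. The policy is constructed sample data in the real IAM policy JSON shape; the audit rules are this example's own heuristics.

```python
"""Audit a Google Cloud IAM policy for least-privilege violations.

Added example, not part of the Google Cloud documentation. The policy below is
constructed sample data in the IAM policy JSON shape (bindings of a role to a
list of members); the audit rules are this example's own heuristics.
"""
import json

# Basic roles grant broad permissions across a whole project; least privilege
# prefers predefined or custom roles scoped to what the identity needs.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Special principals that make a resource reachable by anyone on the internet
# or by any Google account holder.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy in the shape returned by
# `gcloud projects get-iam-policy PROJECT_ID --format=json` (etag is a placeholder).
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwXyZ-placeholder",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com", "group:admins@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:build@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/logging.viewer", "members": ["group:sre@example.com"]},
    ],
})


def audit_policy(policy_json: str) -> list:
    """Return one finding (dict) per member/role pair that breaks a rule."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                issue = "public principal"
            elif role in BASIC_ROLES and member.startswith("serviceAccount:"):
                issue = "basic role on service account"
            elif role in BASIC_ROLES and member.startswith("user:"):
                issue = "basic role on individual user"
            else:
                continue  # groups with scoped roles are the intended pattern
            findings.append({"member": member, "role": role, "issue": issue})
    return findings


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"{f['issue']}: {f['member']} has {f['role']}")
```

Run it against the output of `gcloud projects get-iam-policy` to get a quick list of bindings worth reviewing; group bindings with predefined roles pass, which is the pattern the guides recommend.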
Managing access to your workloads and applications
Your custom workloads and applications might differ based on the audience they are intended for:
- Some workloads might cater to corporate users—for example, internal line-of-business applications, dashboards, or content management systems.
- Other applications might cater to your customers—for example, your website, a customer self-service portal, or backends for mobile applications.
The right way to manage access, enforce access control, and audit access depends on the audience and the way you deploy the application.
To learn more about how to protect applications and other workloads that cater to corporate users, see the IAP documentation. You can also directly integrate with Google Sign-In by using standard protocols such as OAuth 2.0 or OpenID Connect.
- Understand the concepts and capabilities of identity management by reading the Concepts section.
- Learn about prescriptive guidance to consider in your architecture or design by reading the Best practices section.
- Learn how to assess your requirements and identify a suitable design by reading the Assess and plan section.