
What's new and next with Cloud Identity

May 15, 2019
Vidya Nagarajan

Group Product Manager, G Suite and Cloud Identity

Over the past year, we’ve seen tremendous growth of Cloud Identity, Google Cloud’s unified identity, access, and device management solution, available to both our G Suite and Google Cloud Platform (GCP) customers. We released a number of exciting features, saw significant growth in the number of users and devices managed, and partnered with many customers on their digital transformation journeys, including Air Asia, Essence, Airbnb, and Health Channels. We were also recognized as a 2018 Gartner Peer Insights Customers’ Choice for Enterprise Mobility Management Suites (EMMs).

Today, we’ll highlight a number of new and upcoming features in Cloud Identity and share how you can get started.

Enhancing group policy management functionality
Many of our customers rely on group policy to grant access to G Suite. A few months ago, we added the ability to use Google Groups to control access to G Suite apps and services within your organization outside of the organizational unit (OU) level. This makes it possible to control G Suite access based on department, job function, project team, seniority, location, and more. We’ll soon launch group-based policy support for Drive, Docs, Chat, App Maker and YouTube, which will give IT additional flexibility when managing G Suite policies.

[Image: Enhancing group policy management functionality (https://storage.googleapis.com/gweb-cloudblog-publish/original_images/Enhancing_group_policy_management_functionality.gif)]

Frequently, we see customers utilize Google Groups to control access to GCP projects and resources. In an effort to streamline security and access monitoring, they’ve told us they needed a way to view changes to groups using the same tools they use for other GCP audit logs. To address this, we are excited to announce the general availability of group audit logs in Google Cloud Audit Logs, allowing customers to manage all GCP-related activities in a single place, without the need to integrate with multiple APIs to get a complete audit inventory.

Enabling BeyondCorp in your organization

Many attendees at Google Cloud Next ‘19 expressed interest in adopting Google’s BeyondCorp (zero trust) security model. At the event, we announced context-aware access for G Suite, which is a key component of BeyondCorp and allows IT to define and enforce granular access to apps and infrastructure based on a user’s identity, device state, and context of their request. This is an extension of the context-aware access capabilities we’ve previously built to protect GCP web apps and virtual machines (VMs). Context-aware access for G Suite can help increase your organization’s security posture while giving users an easy way to more securely access apps from virtually any device, anywhere.

Essence, a global data and measurement-driven media agency, has already been using this capability to help secure access to G Suite:

“Context-aware access is a natural expansion of the mobile device management (MDM) we've had in place on Android and iOS devices since 2014. It allows us to place manageable controls on how client G Suite data is accessed, and it does so in a way that does not inhibit the end user while ensuring security compliance.” - Colin McCarthy, VP Global IT, Essence

Multi-factor authentication (MFA) or 2-factor authentication (2FA) is a critical building block for BeyondCorp, and we consider security keys based on FIDO standards, such as Google’s Titan Security Key, to be the strongest, most phishing-resistant MFA method on the market today. At Google I/O, we announced that you can now use the security key that is built into your Android phone for MFA, so you can add this extra layer of protection for even more of your users. We also recently gave our customers the ability to block the use of SMS as an MFA method, giving IT additional control and strengthening user security.

If you’re like a lot of organizations, you may already have security solutions that help you assess the security posture of your endpoints. In an effort to integrate with your existing solutions and meet you where you are, we recently announced BeyondCorp Alliance, a group of endpoint security and management partners with whom we are working to feed device posture data to our context-aware access engine. Initially, we are working with Check Point, Lookout, Palo Alto Networks, Symantec, and VMware, and we will make this capability available to joint customers in the coming months.

Strengthening our device management capabilities
One of the key inputs into our context-aware access rule engine is device trust. Google manages over 55 million 30-day-active devices across mobile and desktop platforms (including Cloud Identity and Chrome Enterprise), and we’re constantly working to enhance this functionality. To that end, we’re giving admins more control over their corporate data by integrating Cloud Identity with Drive File Stream, our service that streams data directly from the cloud to your Mac or PC. This will ensure users can securely access the files they need, whether they’re online or offline. The integration protects corporate data by controlling which devices can be used to access Drive File Stream, and with the ability to block or wipe the Drive cache with a few clicks, admins have more control over remediation activities.

In addition, we have extended our agentless management capabilities, allowing administrators to manage and distribute Android apps without installing a device policy controller. This gives IT an additional layer of security on their endpoints without negatively impacting the end-user experience.

Improving the single sign-on (SSO) and end-user experience
While we already support a large catalog of SAML and OpenID Connect (OIDC) apps for single sign-on (SSO), you may still need to use credential-based authentication for some apps. To address this, we’ll be adding support for password-vaulted apps in the coming months. With this capability, Cloud Identity will support thousands of additional apps and have one of the largest SSO app catalogs, giving your employees one-click access to all the apps they need to be productive. As part of this work, we’ll also be releasing a new, unified hub where employees can see and access all of their SSO apps. The dashboard will provide a user-friendly and efficient experience, allowing your employees to quickly launch and access all of their apps.

[Image: SSO app dashboard (https://storage.googleapis.com/gweb-cloudblog-publish/images/dashboard.max-2800x2800.max-2200x2200.jpg)]

Partnering with HR providers for automated user lifecycle management
We’ve also recently partnered with leading HRIS/HRMS providers such as ADP, BambooHR, Namely, and Ultimate Software, enabling you to sync employee information directly from your HR system with Cloud Identity and automatically provision and deprovision user accounts and access throughout the employee lifecycle.

Try it yourself
We’ve made great progress with Cloud Identity for our G Suite and GCP customers over the past year, and we’re excited to continue working hard to deliver new features and functionality in the coming months. If you’re interested in learning more, please take a look at our solution pages for single sign-on, multi-factor authentication, and device management, and consider signing up for a free trial to test out the solution yourself.
