By Rajat Bhargava Posted January 2, 2015
Google Compute Engine (GCE) has emerged as a major platform in the Infrastructure-as-a-Service (IaaS) space. Though Amazon Web Services (AWS) is arguably the leader in the space, GCE is a serious contender and is starting to have a significant impact on the market. One of the key competitive benefits of Google’s compute services is the ability to run and operate Linux-based servers, including CentOS, Debian, Red Hat, and SUSE, as well as Windows servers (2008 R2). Of course, one of the primary challenges IT admins face in managing these platforms is controlling access to the server instances.
How Organizations Manage Users on Google Compute Engine
Organizations manage GCE users in one of a few different ways. The first option is manual user management. Sys admins and developers simply log in and create, edit, or terminate user access, as well as set permissions. While this system effectively manages users, it’s often a time-consuming process prone to human error.
The second option for managing cloud server users is Chef, Puppet, or a similar configuration automation solution. This option is popular among organizations that already use these tools and seek to extend their usefulness. The problem with this approach, however, is that developers and ops personnel are writing more code to effectively “re-create” directory capabilities. There’s a good chance users aren’t being terminated from all devices, thereby putting organizations at risk of employee-based security breaches.
The third approach companies take to manage their GCE users is implementing Microsoft Active Directory® or OpenLDAP on GCE. By tying AD or OpenLDAP to GCE, organizations get full directory service capabilities, such as device management, authorization, and authentication. However, IT admins can find this approach challenging due to the time and effort required to create and manage a second directory service.
All three approaches detailed above are effective options for centralized user management on GCE servers. However, each of the options has significant drawbacks, and none rectifies the entirety of the identity management problem.
A Couple of Approaches to Modern User Management
A new option has emerged for GCE user management, namely Directory-as-a-Service® solutions like JumpCloud®. JumpCloud provides IT organizations with two options to tightly manage their GCE cloud server users.
Bridging Existing Directories to GCE
First, organizations can bridge an existing directory, like AD, directly to GCE. This is done by placing a small agent on the AD server. Users who need access to GCE are mirrored into JumpCloud. From there, another small agent is placed on each GCE server instance, which connects back to the cloud-based directory service. As a result, JumpCloud has full control over creating, terminating, and managing users, and the core AD or LDAP instances are automatically replicated out to the cloud servers via JumpCloud’s cloud directory service. This ensures consistency and security. It also gives organizations a single place to manage users without manual effort or writing code.
A Fully Managed Directory Service
Directory-as-a-Service can also work with GCE to provide a fully managed cloud-based directory. In this instance, IT admins don’t need to manually implement AD or LDAP at GCE. Instead, they can leverage a cloud-based directory “as a service” solution. This approach requires far less effort from both IT admins and businesses, and it reduces overhead. Further, IT organizations get full directory services capabilities, including authentication, authorization, and management of cloud servers at GCE. Meanwhile, sys admins don’t have to manage the antiquated software or hardware of the directory service. Similar to other SaaS-based approaches, this allows IT organizations to leverage the directory services solution without requiring exorbitant costs, resources, or staff.
If you are a Google Compute Engine customer and are thinking about moving to better, more secure ways to manage your server users, take a look at Directory-as-a-Service. Your first 10 users are free! Sign up for JumpCloud today. If you would like to learn more, please drop us a note. We would be happy to discuss any questions you have.