By Cassa Niedringhaus Posted February 12, 2020
Is it possible to migrate to Google Cloud™ Identity from on-prem identity providers? This is a common question as organizations leverage G Suite™ and Google Cloud™ services and look to shift away from on-prem solutions such as Microsoft® Active Directory® (AD) and OpenLDAP™.
We’ve outlined five modern and cloud-forward requirements organizations should consider as they assess their individual needs and decide whether to migrate to a new identity provider.
Google Cloud Identity Migration Requirements
1. Authentication to a Wide Range of IT Resources
A cloud identity management solution should enable authentication to a wide range of IT resources, regardless of vendor or platform. This includes systems (Windows®, Mac®, Linux®), applications, networks, and other resources.
Although Google Cloud Identity enables authentication to Google Cloud resources and web applications via SSO, it’s not designed for authentication to systems, servers, networks, or other IT resources that aren’t housed within Google. Ideally, a cloud identity provider would enable authentication to all resources, rather than acting as only one of a collection of solutions to enable users to log in with their core credentials.
2. System Management Across All Major Platforms
A cloud identity management solution should also extend GPO-like functions to Mac and Linux systems, in addition to Windows systems. The result is centralized cross-platform system management with the ability to enforce GPO-like policies at scale.
This capability is critical for admins to centralize system management in one solution (rather than, for example, managing Windows from AD and Mac and Linux from third-party add-ons in addition to AD). Although Google manages Android™ and Apple® iOS® devices and has other mobile device management capabilities, it struggles with broad system management capabilities akin to Windows GPOs (and, by extension, across platforms).
3. Increase Security to Combat Identity Compromises
In addition to systems management, a cloud identity solution should offer group- and role-based access controls and enforce multi-factor authentication (MFA) where possible. Onboarded users should be automatically provisioned to (or prohibited from accessing) company resources depending on what they need to get their jobs done.
They should also be prompted to use a form of MFA when accessing resources such as systems, applications, and servers. MFA significantly reduces the chance that compromised credentials negatively affect data or infrastructure because, as NIST notes, a bad actor would need to steal (and unlock) your phone in addition to your credentials to be able to do anything with them.
4. API-Based Control and Management
APIs allow admins to automate functions in a cloud identity solution. They save time when admins perform key tasks like onboarding and offboarding. In fast-growing organizations, the time saved can be considerable.
5. Cloud Delivery and Scalable Costs
The next generation of identity management solutions will be delivered via the cloud, rather than on-prem AD, which requires significantly more work to configure and maintain and which generally has higher licensing costs. With cloud delivery, you only pay for what you need — another benefit of Software-as-a-Service platforms.
Assessing Your Organization’s Needs
IT organizations likely have additional requirements specific to their environments, which should be added to the list above. For some, migrating to Google Cloud Identity will be the right choice. And, for most others, a more comprehensive next-generation cloud directory service will be the right choice.
One such solution, called Directory-as-a-Service®, tightly integrates with Google Cloud Identity so admins can gain the benefits not only of integrating and controlling Google Cloud services but also of enabling access control over a wide variety of other IT resources.
If you’d like to learn more, check out this guide to centralizing IT management again amid the proliferation of disparate IT resources.