Simple Technology Solutions

GCP Identity and Access Management


Description

Configuring & Synchronizing G-Suite Groups and Users Within a Government Agency Active Directory for Secure Single Sign-on.

Categories

Cloud Security
Cloud Enterprise Architecture
DevSecOps
Multi-CSP / Hybrid-Cloud
Cloud Governance & Compliance


BACKGROUND

A large U.S. Government organization already running two cloud platforms (Amazon Web Services and Microsoft Azure) adopted a third, Google Cloud Platform (GCP). Their goal was to implement an enterprise architecture in which G-Suite users and groups are configured and kept synchronized with the enterprise LDAP server.

ANALYSIS

The Government Agency had implemented a customer identity authentication service to manage its existing single sign-on needs. Any new solution would need to integrate with that authoritative identity authentication service, while GCP would manage groups and users through G-Suite. Any solution would also require low-latency replication of the existing enterprise identity data. Simple Technology Solutions (STS) conducted an assessment and determined that the most effective way of adding groups and users was to synchronize G-Suite with the customer's LDAP server.

SOLUTION

Google provides the Google Cloud Directory Sync (GCDS) tool for cross-platform replication. However, STS determined that GCDS on its own would not support the customer's defined naming standard for role-based access control. STS engineers synchronized G-Suite groups and users with the canonical groups and users in the enterprise LDAP server using GCDS. For each GCP project, STS engineers then developed a script-based framework to add the groups defined by the enterprise with the appropriate access control permissions.
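The per-project, script-based step described above can be illustrated with a small bash framework. This is an added example, not STS's code or the agency's configuration: it assumes a hypothetical group naming standard of `gcp-<project>-<function>@example.gov`, a constructed list of project/group/role bindings, and a dry-run default so the gcloud commands are shown rather than executed. The only external tool it would invoke is the real `gcloud projects add-iam-policy-binding` command, and only when `DRY_RUN=0`.

```shell
#!/usr/bin/env bash
# Added example: bind LDAP-synchronized Google groups to IAM roles on each
# GCP project, enforcing a naming standard before any binding is granted.
# Assumptions (not from the case study):
#   - groups follow the pattern gcp-<project>-<function>@example.gov
#   - DRY_RUN=1 (default) prints the gcloud commands instead of running them

DRY_RUN="${DRY_RUN:-1}"
DOMAIN="example.gov"   # assumed enterprise domain

# Return 0 when a group address follows the assumed naming standard, else 1.
# Groups that do not follow it are never granted a role, which keeps ad-hoc
# or legacy groups from quietly acquiring project permissions.
valid_group() {
  case "$1" in
    gcp-*-*@"$DOMAIN") return 0 ;;
    *) return 1 ;;
  esac
}

# Print (do not run) the gcloud command that grants ROLE to GROUP on PROJECT.
binding_cmd() {
  printf 'gcloud projects add-iam-policy-binding %s --member=group:%s --role=%s\n' \
    "$1" "$2" "$3"
}

# Apply one binding. Returns 1 (and touches nothing) for a non-conforming group.
apply_binding() {
  project="$1"; group="$2"; role="$3"
  if ! valid_group "$group"; then
    printf 'SKIP: %s does not match naming standard\n' "$group" >&2
    return 1
  fi
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$(binding_cmd "$project" "$group" "$role")"
  else
    gcloud projects add-iam-policy-binding "$project" \
      --member="group:$group" --role="$role"
  fi
}

# Constructed sample input: project,group,role (one binding per line).
# The third line deliberately violates the naming standard.
BINDINGS='proj-alpha,gcp-proj-alpha-viewer@example.gov,roles/viewer
proj-alpha,gcp-proj-alpha-editor@example.gov,roles/editor
proj-beta,legacy-admins@example.gov,roles/owner'

# Process every binding and print a one-line summary last.
# A here-document (not a pipe) keeps the counters in the current shell.
run_all() {
  applied=0; rejected=0
  while IFS=, read -r project group role; do
    [ -n "$project" ] || continue
    if apply_binding "$project" "$group" "$role"; then
      applied=$((applied + 1))
    else
      rejected=$((rejected + 1))
    fi
  done <<EOF
$BINDINGS
EOF
  printf 'applied=%d rejected=%d\n' "$applied" "$rejected"
}

run_all
```

Running the block as-is prints two `DRY-RUN:` lines, one `SKIP:` line on stderr, and `applied=2 rejected=1`; setting `DRY_RUN=0` would execute the two conforming bindings with gcloud. Keeping validation separate from execution is what lets the framework be reviewed and tested without touching a live project.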

BENEFIT

By leveraging GCDS to sync groups and users into GCP Identity from Active Directory, STS reduced the duplication of work processes and the risk of human error. Using GCDS in GCP, STS did not need to create the groups and users a second time. GCDS is a one-way synchronization tool, so the source Active Directory or LDAP directory is only read, never modified. In addition, rules can be configured to exclude any groups and users created in Google Identity prior to synchronization, so they are not removed or overwritten by the sync.

SOLUTION ARCHITECTURE DIAGRAM
