GCP Identity and Access Management
A large U.S. Government organization already running two cloud platforms (Amazon Web Services and Microsoft Azure) added a third, Google Cloud Platform (GCP). Their goal was an enterprise architecture in which users and groups are configured in G-Suite and kept synchronized with the enterprise LDAP server.
The Government Agency had implemented a customer identity authentication service to manage its existing single sign-on needs. Any new solution would need to integrate with that authoritative identity service, with GCP managing groups and users through G-Suite, and would require low-latency replication of the existing enterprise identity data. Simple Technology Solutions (STS) conducted an assessment and determined that the most effective way of adding groups and users was to synchronize G-Suite with the customer's LDAP server.
Google provides the Google Cloud Directory Sync (GCDS) tool for cross-platform replication. However, STS determined that GCDS on its own would not support the customer's defined naming standard for role-based access control. STS engineers used GCDS to synchronize G-Suite groups and users with the canonical groups and users in the enterprise LDAP server. For each project in GCP, STS engineers then developed a script-based framework that adds the enterprise-defined groups to the project with the appropriate access control permissions.
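The per-project step above is essentially a read-modify-write of each project's IAM policy: fetch the policy, add a binding for every enterprise group the naming standard says the project should carry, and write it back without disturbing members that are already there. The following is an added example, not STS's framework or Google's code. It assumes a hypothetical naming standard of `gcp-<project>-<role>@example.gov` (the page does not state the customer's actual standard) and models the IAM policy as the plain `bindings`/`etag` structure the Resource Manager API returns, so it runs offline as a dry-run planner rather than calling the API. It also reports members that are not groups, which is the drift a group-based RBAC model wants to catch.

```python
"""Dry-run planner for per-project IAM group bindings (added example).

Assumptions (not from the page): a group naming standard of
gcp-<project>-<role>@example.gov, a fixed suffix-to-IAM-role mapping, and an
IAM policy represented as the dict shape getIamPolicy returns.
"""
import copy

DOMAIN = "example.gov"  # constructed placeholder domain

# Hypothetical mapping from the role suffix in a group name to the IAM role it grants.
ROLE_SUFFIXES = {
    "viewer": "roles/viewer",
    "editor": "roles/editor",
    "admin": "roles/resourcemanager.projectIamAdmin",
}


def group_for(project_id, suffix):
    """Group address the (assumed) naming standard prescribes for a project/role pair."""
    return f"gcp-{project_id}-{suffix}@{DOMAIN}"


def desired_bindings(project_id):
    """IAM role -> group member string that every project should carry."""
    return {role: f"group:{group_for(project_id, suffix)}"
            for suffix, role in ROLE_SUFFIXES.items()}


def merge_policy(policy, project_id):
    """Read-modify-write merge: returns (new_policy, changes).

    Keeps the etag (so a concurrent edit would be rejected on write), never
    removes existing members, and is idempotent: a second run yields no changes.
    """
    new = copy.deepcopy(policy)
    changes = []
    bindings = new.setdefault("bindings", [])
    by_role = {b["role"]: b for b in bindings}
    for role, member in desired_bindings(project_id).items():
        binding = by_role.get(role)
        if binding is None:
            binding = {"role": role, "members": []}
            bindings.append(binding)
            by_role[role] = binding
        if member not in binding["members"]:
            binding["members"].append(member)
            changes.append((role, member))
    return new, changes


def audit_non_group_members(policy):
    """List (role, member) pairs granted to principals other than groups.

    In a group-driven RBAC model these are the bindings that bypass the
    directory sync and deserve review.
    """
    return [(b["role"], m) for b in policy.get("bindings", [])
            for m in b["members"] if not m.startswith("group:")]


def gcloud_commands(project_id, changes):
    """Equivalent gcloud invocations for the planned additions (dry run only)."""
    return [f"gcloud projects add-iam-policy-binding {project_id} "
            f"--member={member} --role={role}" for role, member in changes]


# Constructed sample policy, in the shape getIamPolicy returns for one project.
SAMPLE_POLICY = {
    "etag": "etag-constructed",
    "bindings": [
        {"role": "roles/viewer", "members": ["user:alice@example.gov"]},
    ],
}

if __name__ == "__main__":
    planned, changes = merge_policy(SAMPLE_POLICY, "proj-a")
    for cmd in gcloud_commands("proj-a", changes):
        print(cmd)
    for role, member in audit_non_group_members(planned):
        print(f"non-group member {member} holds {role}")
```

Run against a real project, the same merge would be fed the policy from `gcloud projects get-iam-policy` and written back with `set-iam-policy`, so the preserved `etag` protects against overwriting a concurrent change; the dry-run command list lets the changes be reviewed before anything is applied.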
By leveraging GCDS to sync groups and users between Active Directory and GCP Identity, STS reduced duplicated work and the risk of human error: with GCDS in place, STS did not need to recreate the groups and users in GCP. GCDS is a one-way synchronization tool, so the information in the Active Directory or LDAP server is never written to or otherwise modified. In addition, rules can be configured to exclude any groups and users created in Google Identity prior to synchronization.