The Top 3 Identity Management Considerations When Implementing Google Apps for the Enterprise

Transcription

1

2 The Top 3 Identity Management Considerations When Implementing Google Apps for the Enterprise Google Apps for Work (formerly known as Google Apps) is quickly becoming one of the most popular cloud-based solutions on the market today. It continues to lack, however, basic features and functionality that enable IT to operate effectively in enterprise environments and ensure the security of information accessed through the Apps. To populate user identities into Google Apps, Google Apps for Work requires integration into the enterprise identity repository via Google Apps Directory Services (GADS). GADS is used to replicate the existing Active Directory or LDAP compliant user identities, and access permissions to the Google Apps domain. IT organizations attempting to secure Google Apps with GADS are often challenged by its limited scalability, delayed on and off-boarding, and lack of desktop Single Sign-On (SSO). This paper details these three significant GADS limitations and their potential impact.

3 Limited Enterprise Scalability In order to enable Google Apps for business users, additional technology must be deployed in order to meet basic operational requirements of the enterprise. Specifically, this includes: Google Apps Directory Services (GADS); to replicate identities and permissions to the Google Apps domain (GADS) and, Google Apps Password Sync (GAPS); a tool required for passwords to work across both AD and Google Apps. GADS performs directory synchronization by comparing any changes in the local Active Directory or LDAP compliant server to the Google Apps domain. It then updates the changes on a periodic basis using Windows Task Scheduler or a cron job. For something as mission critical as directory synchronization, an external application such as Windows Task Scheduler is required for constant monitoring to ensure the synchronization is actually taking place. Unfortunately, GADS has a number of limitations for larger organizations using multiple AD domains, as GADS can only support one Active Directory domain and a single forest by default. Multiple AD domains can be synchronized with GADS, but the process is very complex and requires extensive knowledge of LDAP query scripting. The more domains added, the greater the complexity incurred and potential errors during the synchronization process.

4 Directory Synchronization is Network Intensive and Not Real-Time One of the most significant limitations when considering GADS for directory synchronization is delayed on- and off-boarding. Scheduled processing of any changes between an organization s directory services and Google Apps for Work does not happen in real-time, leaving users and access permissions in limbo until updates from the identity repository to the application infrastructure are fully propagated. In addition, passwords between Active Directory and Google Apps are not automatically synchronized, as the native Active Directory and Lotus Domino password formats are not supported. Therefore, a secondary application - Google Apps Password Sync (GAPS) - is required for passwords to work across both AD and Google Apps, with all required password changes performed in Active Directory. This requirement for password synchronization adds an additional application for IT to manage and a potential point of failure, further increasing the burden on IT and their workload overall.

5 Desktop Single Sign On Requirements for Windows Environments? Originally developed a number of years ago, GADS appears to receive an update only once a year and has not received any new features or updates since July An inconsistent development cycle with limited project resources has left GADS lacking a number of critical enterprise features and bugfix responses that are required in critical enterprise deployments. For example, GADS does not support Kerberos-based authentication. This is a baseline requirement in many Windows-centric enterprise environments moving towards SSO. Kerberos-based authentication allows a user already authenticated into a Windows network to seamlessly authenticate to other application resources via Active Directory - without submitting their login credentials twice.

6 IS THERE SUCH A THING AS SECURE GOOGLE APPS AT WORK? ONELOGIN IS THE ANSWER. OneLogin is an Enterprise Identity Management Solution for Google Apps for Work Unlike GADS, Onelogin handles complex directory structures, delivers instant user on and off-boarding, is lightweight on your network and provides desktop SSO. In addition, OneLogin provides SSO for all your apps, mobile identity, cloud directory, strong authentication, user provisioning, compliance reporting and is free forever for up to 3 applications, including Google Apps for Work.

7 OneLogin Handles Complex Directory Structures OneLogin can virtually consolidate multiple disparate identity repositories and present them as a single unified directory to thousands of different cloud applications in real time. This real-time directory integration means that all directories are updated whenever user modifications are made - with changes propagating through to connected services like Google Apps within seconds.

8 OneLogin Delivers Instant Off-Boarding With OneLogin, you can also instantly enable or disable application access and the automatic synchronization between Workday, AD and other cloud apps providing enterprises with an effective kill switch for off-boarding. This capability is critical when eliminating backdoor access to Google Apps through protocols like IMAP and POP3 to eliminate unauthorized access.

9 OneLogin Delivers Desktop Single Sign On For employees on a OneLogin-enabled corporate network, there s no longer the need for additional usernames and passwords to access cloudbased applications. Users can use their Windows credentials via Desktop SSO from either a PC or Mac to seamlessly access Google Apps and other SaaS applications by delegating authentication via Windows Active Directory.

10 CONCLUSION The limitations of Google Apps Directory Services (GADS) when deployed in an enterprise environment are clear. The lack of basic features and functionality required for Google Apps for Work to operate effectively with your existing identity infrastructure and ensure the security of information can challenge even the most experienced IT department. OneLogin offers a compelling alternative without the limitations of GADS, offering full enterprise Identity and Access Management (IAM) and Desktop SSO for Google Apps for Work deployments in multidomain AD environments.

11 ABOUT ONELOGIN OneLogin is the innovator in enterprise identity management and provides the industry s fastest, easiest and most secure solution for managing internal and external users across all devices and applications. The only Challenger in Gartner s IDaaS MQ, considered a Major Player in IAM by IDC, and Ranked #1 in Network World Magazine s review of SSO tools, OneLogin s cloud identity management platform provides secure single sign-on, multi-factor authentication, integration with common directory infrastructures such as Active Directory and LDAP, user provisioning and more. OneLogin is SAML-enabled and pre-integrated with thousands of applications commonly used by today s enterprises, including Microsoft Office 365, Asure Software, BMC Remedyforce, Coupa, Box, Clarizen, DocuSign, Dropbox, Egnyte, EMC Syncplicity, EchoSign, Google Apps, Innotas, LotusLive, NetSuite, Oracle CRM On-Demand, Parature, Salesforce.com, SuccessFactors, WebEx, Workday, Yammer, ServiceNow, Zscaler and Zendesk. OneLogin, Inc. is backed by CRV and The Social+Capital Partnership.

12 ABOUT ONELOGIN OneLogin is the innovator in enterprise identity management and provides the industry s fastest, easiest and most secure solution for managing internal and external users across all devices and applications. The only Challenger in Gartner s IDaaS MQ, considered a Major Player in IAM by IDC, and Ranked #1 in Network World Magazine s review of SSO tools, OneLogin s cloud identity management platform provides secure single sign-on, multi-factor authentication, integration with common directory infrastructures such as Active Directory and LDAP, user provisioning and more. OneLogin is SAMLenabled and pre-integrated with thousands of applications commonly used by today s enterprises, including Microsoft Office 365, Asure Software, BMC Remedyforce, Coupa, Box, Clarizen, DocuSign, Dropbox, Egnyte, EMC Syncplicity, EchoSign, Google Apps, Jive, Innotas, LotusLive, NetSuite, Oracle CRM On-Demand, Parature, Salesforce.com, SuccessFactors, WebEx, Workday, Yammer, ServiceNow, Zscaler and Zendesk. OneLogin, Inc. is backed by CRV and The Social+Capital Partnership.