An update on Google Cloud Identity, Google’s IDaaS and EMM platform

The company that spawned BeyondCorp can now sell you all the pieces you need to make it happen, and is now leaning on partners to help keep endpoints in line.

Google Cloud, the enterprise software-oriented arm of Google, had their conference last week, and there were plenty of EUC announcements. Today, we’re going to take a closer look at updates in Google Cloud Identity, their IDaaS and EMM offering.

The basics of Google Cloud Identity

In case you’re not familiar, Google Cloud Identity is the IDaaS offering that’s built into G Suite and the Google Cloud Platform (GCP). Last year, it became available as a free-standing SKU, independent of G Suite. It has some basic endpoint management capabilities, and inherits many features from the consumer Google account system (so you know it can work at scale). For more, see our coverage from Google Cloud Next 2018 and the 2018 London show.

Google Cloud Identity announcements

Here’s what’s new for Cloud Identity, via the Google Cloud blog. We covered some of these last week, but now we have a lot more context, thanks to interviews with Karthik Lakshminarayanan and Sam Srinivas, as well as demos from the expo hall.

Overall, context-aware access is coming to more Google Cloud services. This is the whole idea that we’ve been talking about a lot recently, i.e., access policies that are based on the app, user, authentication technique, device, client, and other risk signals.

Specifically, context-aware access is now generally available for the Google Cloud Identity Aware Proxy; it was announced (in beta) for Cloud Identity and G Suite; and it remains in beta (as previously announced) for VPC Service Controls (which apply to GCP web apps, APIs, and VMs).

In a demo, I noticed that Google Cloud’s context-aware access does not currently have any self-service remediation options. (An example of this would be if a user was blocked because their device wasn’t enrolled in MDM, they could be redirected to an enrollment page.) So, this is something that I’ll watch out for.

One of the things that Karthik and I talked about last year at Next was their roadmap for expanding device management. At the time, Karthik mentioned the possibility of doing MDM for macOS and Windows. The announcements now are a little bit different, but ultimately, I think they’re more pragmatic.

First, Google Cloud Identity will be able to verify macOS and Windows devices via a Chrome browser extension. It’ll verify the device ID (you can upload a list of your corporate devices to check against) and report basic hygiene attributes (like encryption, screen lock, OS version, and so on). Then, it can put an anonymous certificate on the device, so that Google Cloud Identity recognizes it when it sees it again. With these extensions in place, you’ll be able to build policies that distinguish corporate devices, BYOD devices, and devices that you’ve never seen before, and set rules for device health. (This is somewhat similar to the mobile device attestation concept we wrote about a few weeks ago.)
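To make the policy model above concrete, here is an added toy policy evaluator (not Google’s code) that classifies a device as corporate, BYOD or unknown from a reported device ID and a previously issued certificate, checks the hygiene attributes mentioned above, and returns a reason that could drive the self-service remediation the demo lacked. The device IDs, certificate fingerprint, OS baselines and the DeviceReport shape are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data (hypothetical values, not from any real deployment).
CORPORATE_DEVICE_IDS = {"CORP-0001", "CORP-0002"}        # uploaded corporate inventory
KNOWN_CERT_FINGERPRINTS = {"sha256:aa11"}                 # certs issued on earlier visits
MIN_OS_VERSION = {"macOS": (10, 14), "Windows": (10, 0)}  # assumed minimum OS baselines


@dataclass
class DeviceReport:
    """Attributes a browser-extension-style agent might report (constructed shape)."""
    device_id: Optional[str]         # hardware/serial ID, if reported
    cert_fingerprint: Optional[str]  # device certificate seen on an earlier visit, if any
    os_name: str
    os_version: Tuple[int, int]
    disk_encrypted: bool
    screen_lock: bool

def classify(report: DeviceReport) -> str:
    """corporate: ID in inventory; byod: recognized by its certificate; else unknown."""
    if report.device_id in CORPORATE_DEVICE_IDS:
        return "corporate"
    if report.cert_fingerprint in KNOWN_CERT_FINGERPRINTS:
        return "byod"
    return "unknown"

def health_failures(report: DeviceReport) -> List[str]:
    """Return the hygiene checks the device fails (empty list means healthy)."""
    failures = []
    if not report.disk_encrypted:
        failures.append("disk not encrypted")
    if not report.screen_lock:
        failures.append("no screen lock")
    if report.os_version < MIN_OS_VERSION.get(report.os_name, (0, 0)):
        failures.append("OS version below baseline")
    return failures

def decide(report: DeviceReport, app_sensitivity: str) -> Tuple[str, str]:
    """Return (decision, reason); the reason doubles as a remediation hint."""
    device_class = classify(report)
    if device_class == "unknown":
        return "deny", "unrecognized device: enroll it before access"
    failures = health_failures(report)
    if failures:
        return "deny", "device health: " + ", ".join(failures)
    if app_sensitivity == "high" and device_class != "corporate":
        return "deny", "high-sensitivity app requires a corporate device"
    return "allow", device_class
```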

Next, also on the device side, Google Cloud Identity is creating a new partner integration program called the BeyondCorp Alliance. The initial members are Check Point, Lookout, Palo Alto Networks, Symantec, and VMware. This is similar to other efforts in the industry—the partners will feed device data back into the context-aware policy engine, and Google doesn't have to reinvent the wheel or try to compete with all these folks. Everybody wins.

Moving on to other areas, Google Cloud Identity announced new password vaulting and stuffing features. The bottom line is that enterprises still have hundreds or thousands of apps that don’t support federation standards like SAML or OIDC. Like I wrote earlier this week, if your apps are completely disconnected from your IDaaS, then you have a big hole. Password vaulting lets you bring them into the fold for contextual access.

In other odds and ends, Google Cloud Identity announced some integration with HR software providers, so that they can automatically provision and deprovision users. This is a space to watch—someday, we could have a lot more EUC “workspace” lifecycle tasks driven from HR and service desk platforms.

At the show, we also talked about FIDO and Android phones as security keys (Sam Srinivas also happens to be president of the FIDO Alliance), as well as new managed Active Directory offerings in GCP. Both are exciting, but we’ll save them for another conversation.


Google has been working on the BeyondCorp concept since 2011 (for more, see this 2014 publication). Sam was instrumental in bringing it to market, so he’s pleased that it’s getting wide attention these days. He also emphasized that Google Cloud Identity now has all of the components needed to implement it, and that they do it consistently across all of their services, i.e., G Suite, the identity-aware proxy, and infrastructure in GCP.

Now that Cloud Identity has this complete stack and all the other new bits, how does this change the potential market?

As we’ve always known, the first and best-served customers of Google Cloud Identity are G Suite and other Google Cloud offerings. Now that the freestanding version of Google Cloud Identity has been around for a year or so, Karthik said that the customers for this SKU are mostly companies that already have G Suite for some of their users, but also have a population of users that just need identity management (and not all of G Suite).

As we know, the features—especially on the EMM side—are oriented towards the needs of classic G Suite customers. For example, they support Android Enterprise work profiles and full device management, but stop short of dedicated device (e.g., kiosks or ruggedized handhelds) management.

This is where the BeyondCorp Alliance gets interesting. For example, you could manage ruggedized devices with Workspace ONE UEM, but still do your context-aware policies, federation, and other identity tasks with Google Cloud Identity. This is the approach we’ve seen other IDaaS providers take (Okta, for example): concentrate on identity and policies, instead of trying to compete in a bunch of different security and management areas.

Next up, I’ll be watching to see if other endpoint management and security vendors join the BeyondCorp Alliance. (Mac management, anyone?) (Also, don’t forget that Google Cloud has full-featured Chrome OS and browser management built in.)

But overall, this looks like a good strategy for their next stage of growth.
