In on-premises environments, Microsoft Active Directory is one of the most deployed technologies, providing authentication and access to enterprise resources.
When organizations move to the cloud and attempt some form of hybrid deployment, Active Directory is also often a requirement, which is why Google has been developing a Managed Service for Microsoft Active Directory. The Google Cloud service, which was announced at the Google Next conference in April, became available as a public beta on Aug. 29.
"We launched Managed Service for Microsoft AD in April in alpha and have been working with select customers, including Dunnhumby and Citrix, over the last months to improve the service based on customer feedback," Siddharth Bhai, product manager with Google Cloud, told ITPro Today. "We’re excited to bring the service today in beta to additional enterprise organizations for wider evaluation and feedback."
How Managed AD Works
Managed Service for Microsoft Active Directory can be used as a stand-alone AD domain and can also connect with existing on-premises AD deployments, according to Bhai. When connected to on-premises AD domains, the service relies on AD trust relationships. In that mode, authentication of server, computer and service accounts for machines joined to the managed AD domain, as well as the application of any server or application policies such as Group Policy, are serviced entirely by the managed AD domain.
"Leveraging the AD trust, users can still authenticate from an on-premises AD and thereby have any existing user authentication password policies still apply, even as users access the apps and servers in the cloud," Bhai said. "This works without a need to sync or replicate any user policies to the cloud."
For organizations that want to duplicate any existing AD policies in the cloud, Bhai said they can create a stand-alone AD domain with Managed Service for Microsoft AD and re-create the policies in that new domain. Microsoft has its own cloud AD service known as Microsoft Azure Active Directory, which can also be connected to the Google service. Bhai said Google's service can be configured to work alongside existing Active Directory domains using Active Directory trust relationships.
"As long as underlying network connectivity is available and AD trust has been established, the other AD could be running on-premises or on other cloud providers," he said.
Not a CASB
One of the ways that some organizations have chosen to enable access and authorization in the cloud is with a Cloud Access Security Broker (CASB) technology. Bhai noted that the Google Managed Service for Microsoft Active Directory is not a CASB replacement. Rather, it is a service that runs real Microsoft AD Domain Controllers and can help customers manage AD-dependent workloads that run in the cloud, automate AD server maintenance and security configuration, and connect their on-premises AD domain to the cloud, he said.
"Google Cloud has a product called Cloud Identity, which is an IDaaS [identity as a service] that includes some of the CASB functionality, including single sign-on, app access control, device management, MFA [multifactor authentication] and more," Bhai said.