All too often, we have had conversations like this one:
Does your organisation use Google Cloud Platform or other Google services?
We don’t use Google. We tend to use competing platforms.
This is a common situation in companies that have not deployed Google services systematically. It leads to a belief that the organisation does not use any Google services at all. However, the situation is often quite different: Google services are almost always being used outside the scope of centralised IT management.
Services such as Google Analytics, Google Ads, Google Maps API, Google Play Store, and Google Datastudio are good examples. In these cases, the services are managed using Google accounts tied to an individual employee’s email address or even a personal @gmail.com account.
The situation described above gives rise to substantial information security and business risks:
The increasing tendency for remote work poses distinct challenges for account security, as services are used in different locations and, potentially, on different devices. However, it is easy to take control of the security of Google accounts at a low cost.
When the basics of Google accounts are under control, it is a good idea to systematically invest in the further development of security. If you use a lot of Google API services for developers, plan the management of user-managed keys in a secure way.
If necessary, user management can be integrated entirely into a different, centralised user management service (over LDAP and, if desired, with password synchronisation), and authentication could harness the company’s SAML single sign-on service (such as Azure AD or Okta). In addition, information security can be further developed using Google Cloud Identity Premium accounts.
We strongly urge you to transfer all Google accounts and services to the centralised management before it is too late.