Centralize access to your organization’s websites with Identity Aware Proxy (IAP)

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
MARTIN: Today we will talk about a large enterprise called Big Corp, Limited. They want to centralize access control to their web apps, both internal and external. Charlie, how could they do that with Google Cloud platform? CHARLIE: Well, right now there are a lot of different groups of admins and developers controlling websites at Big Corp, Limited, and they use a lot of different frameworks and languages. We're going to see how Google Cloud platform can help them control access to all those sites without having to change them. It will all be centralized control instead. [MUSIC PLAYING] MARTIN: Let me introduce you to Marissa. She's a systems administrator at Big Corp, Limited, and her team has to manage access to all these different web systems. She has to solve all of these problems that Charlie told us about a minute ago. Marissa and her team has outlined four different use cases. First, Big Corp's public website, of course, needs to be accessible by anybody out there on the internet, anonymous users. Second, their support area of their website needs to be accessible by anybody as well, but we have to know who it is. Users have to log in so they only see their own support tickets. Third, employees at the company, and contractors, and occasional other people who are on the inside of the company, will need to be able to see the intranet and their internal web applications. And fourth, some employees in certain teams, like support team, they'll really get to see customer PII, Personally Identifiable Data. But only if they are on secured machines. So Charlie, can Google Cloud Platform help Marissa with these four access levels? CHARLIE: Yes it can. I've been in Marissa's situation in a previous job and also created new website services that require user authentication and access control. So I know this can be a very challenging technological management and configuration issue. The Google Cloud platform has a tool that can help enormously. It's called Identity-Aware Proxy. It's a great fit for Marissa and her developers, and it's a service that controls access to those websites for them. The nice thing is it can do this without changing those web servers in any way. MARTIN: That sounds great. Just the ticket for Marissa. How would this actually work in practice? CHARLIE: Well, let's take a look at an example. Here, we've got an internet-facing website that needs to control access. And it's got three potential users on this picture. The general public, somebody that doesn't authenticate themselves at all, a real authorized user, and then somebody that can authenticate, they've got credentials, but they're not one of the people the site wants to talk to. So right now, all of their requests hit this server. And it's the web server's responsibility to decide which ones to respond to and which ones to ignore. Identity-Aware Proxy is a service that sits right here, between the server and the internet. All the requests coming from the internet to the web server now go through Identity-Aware Proxy. Identity-Aware Proxy prompts users to log in. And after they log in, it uses their identity and Marissa's configuration to decide who to let through. And only requests coming specifically from the authorized users ever actually hit the web server at all. Now, in order to do this, the users do have to log in. And they use Google's Identity Service, which handles Gmail and G Suite, basically all of those different possible addresses. MARTIN: OK. That sounds pretty good. But how about if Big Corp isn't using a Google identity? I know, for example, my last employer before Google, they use Active Directory instead. CHARLIE: That's certainly pretty common. And Google solves that with IAP as well. Marissa's corp can synchronize their Active Directory with the Google Identity Service, and then all the users in their Active Directory can be verified by Google and used to configure IAP. Once IAP knows who each user is, it can simply block the users that should not come through the website. They can't see it at all. And the web server doesn't need to worry about is that somebody we should respond to or not, because it never even gets a request in the first place. MARTIN: Nice. Yeah, anybody who's had a web server on the public internet knows that you get a lot of weird traffic that you probably don't want to see. CHARLIE: Absolutely MARTIN: So, Charlie, this looks good, and we can keep the unauthorized users out. But what if that web server over there on the left actually needs to know who is accessing? CHARLIE: Well, this picture shows IAP controlling who can come through and have the request come to the web server. But IAP has another trick up its sleeve that I really love. When it sends a request through it, it adds a header. In fact, it has three headers. And those headers include the identity of the user that authenticated IAP. So now if the web server does want to know who that user is, it could just check a header. It's hard to have something easier than that in any kind of a web server framework. So it could find the email address. It can find a persistent ID. There's a lot of information that's available in those headers. MARTIN: OK, cool. You mentioned different frameworks and platforms. And, of course, Marissa's company, they have lots of different frameworks and platforms. Which of these does IAP work with? CHARLIE: As you'd expect, IAP can protect services running on a lot of Google Cloud platform infrastructure, such as App Engine, Compute Engine, and pretty much anything that could be behind a Cloud Load Balancer. But it also can protect stuff on the company's own premises using something called IAP connector. That's going to require some extra network configuration to route the requests from IAP back on to the company's own premises. But once it's set up, then it's configured for access, just like any of the other things behind IAP. All this is straightforward MARTIN: OK. It looks pretty straightforward here in slide four. How would Marissa actually go in and set this up, in real, practical terms? CHARLIE: All right, well, I've set up a demo project on Google Cloud platform with five sample websites. Let's take a look at that on the console. Here we see the console control page for App Engine, and there are five websites set up here for App Engine. One of them is the public one at just plain bigcorpltd.com. There's one for customers to send in support requests, one for the customer support staff to respond to them, and a couple of internal websites for different purposes. One that's open to all employees, one that's more restricted. IAP can configure all of these situations. Now right now, all five of these websites are wide open because we haven't enabled IAP, and we're going to fix that. MARTIN: Right. Yeah, that doesn't seem very safe. Is there some way Marissa can not expose the company internal stuff, not even for a minute, not even for a second? CHARLIE: Well, it turns out that in order to turn on IAP to protect something, something needs to be there already. So what I would do is I would just deploy a simple hello, world website so I could enable IAP. And then when I put more websites out in the same project, they would be protected by default. And I could then configure them to whatever way I wanted them to be so it could all be a little bit different. OK, so let's get started. Here we have our App Engine project with a lot of websites to protect, so we've got to turn IAP, or Identity-Aware Proxy, on for it using the card console. The Cloud Console menu has the different commands organized in groups, and IAP is under the security group. Identity-Aware Proxy. So here we see all the different HTTPS, that is web servers, that are protectable by IAP. All those App Engine ones are. To protect them, all I got to do is flip this toggle. That's it-- MARTIN: That was easy. CHARLIE: --they're protected. Now, if this were-- MARTIN: Yeah. CHARLIE: --the first time I ever turned on IAP in this project, I would be prompted to fill in a form for what we call the consent screen. And that basically is describing who's asking the user to log in. So when Google puts the launch screen up, it can say this is for bigcorpltd.com, that's who you're logging in to. MARTIN: All right. So now this is set up here. And what happens if you hit the public website now? CHARLIE: Well, it takes a few minutes for changes to IAP to propagate, because it's a worldwide service. But once that's done, we'll open a fresh incognito browser, so there's no logged-in user already cached, and try to connect to the corporate website. And I'm immediately asked to sign in. Well, I can sign in with my bigcorpltd.com account. MARTIN: Oh, you work at Big Corp, Charlie. I didn't know. CHARLIE: Just temporarily. And-- MARTIN: Temporarily. CHARLIE: --now I see that IAP is blocking me. MARTIN: Uh oh. But that is a little weird, because I did not see you turn off access for anybody, Charlie. CHARLIE: I did not tell IAP to deny anybody access. But I turned on IAP, and I didn't tell it to let anybody in, either. And that's the way it works IAP doesn't say who to keep out, it says who to let in. So we're going to need to go in to tell IAP to let users in to this public site. Let's go ahead and configure the public site. Remember the use cases we were looking at. The first one is everybody in the world should be able to get to it. This is just a regular public commercial website. MARTIN: Yeah so this seems a little odd, I think, for IAP, because it worked, it was public for everybody a minute ago. We now turned it off with IAP. Do we even need IAP for this use case? CHARLIE: Well, yes. This is kind of an odd use case because we had a site that was already open to the public. We turned on IAP, nobody's allowed in. And now we're going to configure IAP to let everybody in again. The reason for this is that IAP is global across this project. So the public website is in the same Google Cloud project as the other ones, so when I turn on IAP, it affects it as well. Luckily, I can tell IAP, pretend you're not there. Let the public through. Let's go ahead and do that right now. Take a look at how we configure it. Here we see the public website, which is the default one. When we select it, we have an info panel that shows who's got various access to the site. And what we want to do is add a member to the site, this is how we let somebody through, and we just need to put, say, their email addresses. So we can put everybody's email address in the world here. But that's not really what we want to do. MARTIN: That's a lot of typing. CHARLIE: So there's actually a special case that I need to type. All users is a special IAP user. To give anybody access, I need to give them an IAP secure web app user. Save that. Yes, I want to allow public access. And remember, it'll take a couple minutes. But now, after that's propagated, when somebody goes to that website, they won't even see IAP at all. They won't be prompted to log in, they'll just be sent directly to the site. OK. We've waited a couple of minutes, so the changes should be propagated. Let's open a fresh incognito web browser. So nobody's been logged into anything through it yet. MARTIN: Mm-hmm. CHARLIE: And it'll take a second to go through. Didn't prompt me to log in. Anybody in the world was allowed to connect. Just as if we didn't have IAP at all. There are probably easier-- MARTIN: All right. CHARLIE: --ways to write that than turning on IAP and then configuring it. But we're going to see more valuable uses of IAP in a few minutes, MARTIN: I see that Big Corp like minimalist web design. CHARLIE: It was very minimalist web design, yes. MARTIN: Yes. All right, so, cool. That was public access. Perhaps the simplest use case, and maybe the least interesting one. Let's move on to the second one. I think this is a lot more interesting. So users-- anybody can log in, but they must be authenticated. How does IAP do this? CHARLIE: From the IP management point of view, this is almost identical. We want IAP to let everybody through. However, we're saying, before you let them through, authenticate them, and pass through headers telling us who you authenticated them as. So if we go back to the console, instead of default, we go to the support site the general public will use. And again, we add a member. And the only difference here is, instead of adding all users, you add the special use case, all authenticated users. Again, we grant them the role of an IAP-secured web app user. Save it. And warns that we're making it available to the public, but only authenticated members of the public. And after it propagates and we connect to it, we'll see that the site knows who we are. OK. So let's go in a fresh incognito browser, and go to that customer support site, support.bigcorpltd.com. And we told this to let everybody through, but we said authenticate them before you let them through. I'm going to use the same dummy email account, but it really doesn't matter which one I use. It could be anybody that Google can authenticate. Oops. And it can only authenticate me if I type the password in, right? Now I'll pass you through to the account. Take a second for the website to spin up to respond. And notice that it says welcome, engelke@bigcorpltd.com. The website knows my email address. MARTIN: That's your email. CHARLIE: I didn't have to do anything. MARTIN: Yeah. CHARLIE: I didn't have to log in to the website. IAP told the website who it was. MARTIN: So how does IAP do that? How does this work? CHARLIE: Well, the way it knows that-- let's go look at the picture we had earlier. Of all your tests coming in and being intercepted and adding headers, these are the headers that it adds. Three headers, one called X-Goog-Authenticated-User-Email, then X-Goog-Authenticated-User-Id, and X-Goog-Iap-Jwt-Assertion. Here are some examples of the values. The authenticated user email one is my email address that IAP verifies, it stands behind it saying I really checked. That's who this really is. The user ID is kind of an opaque identifier that Google uses, so that every time I go to the website, I'll have the same identifier, but the website won't necessarily know my email address. That way it could store that if it wanted to. Only give me my response back, but without storing something potentially sensitive, like an email address. The final one's a little bit more complicated. It's the JWT header. MARTIN: What is the JWT header? CHARLIE: Well, that's showing-- MARTIN: I see base64. CHARLIE: --it all because this goes on and on and on. It's a very long basic ensure encoded string that represents a digitally-signed record that has a user ID and email in it, which from the other headers anyway. But the fact is, depending on how the company servers are configured, particularly if you're on your own data center, you may have the path from the internet to your website server that has to go through IAP. And you may have other paths from other machines inside your data center network that can send requests to IAP. And if you're concerned that those other machines in your data center could be compromised, they could send fake requests to that web server, and they could add a header that says this is by email address, even though it really isn't. The digitally-signed JWT can't be spoofed, because it's digitally signed by Google with Google's private key. So the website can simply verify it and decode it, and make sure that it didn't get spoofed. So in the description below this video, we've got a link that points to the documentation on things like JWT in general. And there's a codelab specifically on how to decode that for the Flask Python program that's being protected by IPSec. MARTIN: OK. So what I'm hearing is, for many developers, it'll be enough to just look at the email or user ID header. But if you want additional security within your project or data center, then you may want to verify the JWT header. CHARLIE: Yes, the more control of networking options that are in use, the more paths there might be to the server on the back end that don't go through the front door. And then you'd be concerned about it. But in a case like this with App Engine, there aren't any such paths, for our example. So we can do it the simple way. MARTIN: Oh, OK. Oh, excellent. All right, cool. So we talked about the first two use cases. They're about public access to the website. Now what about the third use case? So remember, this was the one where only Big Corp employees should be able to hit their internal web apps. CHARLIE: Yeah, that everybody needs to do. And when people first started doing these internet sites, they would just take an unprotected web server, but put it on the internal company network. So anybody else that's on the internal company network can get to it, people who aren't can't get to it. Great. But it-- MARTIN: Yeah. CHARLIE: --opened a lot of other problems. MARTIN: What's wrong with that? CHARLIE: That website trusted everybody on the internal company network, every device that was there, which might not be a good idea. And an even bigger problem-- MARTIN: Oh. CHARLIE: --that occurred over time is employees are less and less likely to be in the main office and connected to that internal network. They'd be on the road. So the solution to that was let's set up a virtual private network so they can connect to the internal network through the internet as if they were on the internal network. That gave them the access, but it opened up again a whole new set of problems. It was hard to configure and support, and it meant that this outside machine now had access to everything, not just the employee's website. IAP gives us another solution. So remember the picture of how IAP protected access. All other requests had to go through it and it only let a request through if it was one of the users you wanted. So Marissa can simply configure IAP and say, only let through people who really are employees, who can prove they're employees. So the web requests that come through IAP will just be this kind of request that might have come in your internal network for employees. You're protected from all the rest of the internet. And the end user doesn't need to have a VPN client or anything else. They can just connect with any web browser. So long as they can authenticate themselves. Now, configuring this is very similar to what we've seen before. So let's go back to that console. And let's go to the employee website. And we need to add a member that represents all the employees. Well, Marissa's company synchronizes their Active Directory for all email addresses at bigcorpltd.com to Google. So all they need to do is say bigcorpltd.com, and every one of those email addresses is now allowed and no others are. Typically, they may have other people that want to treat as employees for the intranet, but who they don't want to give email addresses to. Maybe they're temps or they're contractors. So they can set up a group with all those email addresses, and they can add the group as well. They don't have to enter each individual address. And then HR can manage that group as new temps come in and new contractors go out. While enabling it is the same thing we've seen twice before. Give them the IAP secured web app user role. And now, in a few minutes-- we're not going to wait and show it, 'cause it's the same kind of thing we've seen before. But anybody that tries to go this employee site will be intercepted by IAP. And only if they're an employee or one of these people in that group of temps and contractors will they get through. Let's look at the customer support site that the customer support staff uses. They're going to log in, and they're going to see the requests from users, and they're going to see those users' email addresses, which we don't want the public in any case, ever, to be able to get to. So we want to make sure that not only are the people connecting a member of the customer support staff, but if they're using, say, a personal laptop, that they don't use something that doesn't have a screen lock, and they leave it logged in, they walk away for a minute, and somebody steals it, they're still logged into the site and see this data. You want to make sure that we can't have that happen. So Marissa's company said, we want the support staff to be able to connect when they're remote. That's very, very common. And we want to restrict it to only those staff. We want to go further. We only want them to connect if they're using a machine that has a screen lock enabled and has the hard drive encrypted. So if the device is lost it doesn't give the person who takes it access to that site. MARTIN: Oh. Can IAP do that? Does it know when machines have been stolen? CHARLIE: Yes it can. This is one last little trick IAP has for the moment. Configuring it to do that looks a lot like the other use cases with a little bit of a twist at the end. Let's go ahead and take a look and do that. So here we see the IAP page and the customer support website. We're going to add members of the customer support group. And we're going to give them IAP-secured Web App User. But before we say go ahead and save this, we're going to add a restriction. Only let them do it if they're connecting from a machine that meets the needs of a safer client. Now, when somebody from the customer support group logs in, even if they properly authenticate, they won't be let through if they're on a machine that doesn't have a screen lock or doesn't have an encrypted hard drive. Now, that's all configured in Access Context Manager. Here's that safer client policy. You can see it says devices have to have a device screen lock and they have to have encryption turned on. Enable. Just for a quick look, there are a lot of other things that can be put in as well if they were appropriate. For example, they can restrict access to specific IP network ranges. They can also restrict access to certain regions. Perhaps they want to only allow people to access it from the US and Canada, or only from European Union countries. They can select those countries, and only those people will come through. The device policy we are using can be made more restrictive. The machine not only might have to have a screen lock and encrypted storage, but maybe it also has to be a machine that's been specifically approved, or even a machine that the company owns. And it can also restrict which operating systems and operating system versions are allowed. I'm not going to add any of those conditions, because this is strong enough for what Marissa's company needs. Now, in order to do that, IAP needs to know some stuff about the end user's machine, like the screen lock and the encryption level, that a browser normally won't tell a web server, normally wouldn't tell IAP that. So the users are going to have to have a work profile on their phone or Chrome extension in their browser that tells them that. That's available for anybody, if they are using G Suite and are connected to a corporate profile, it'll do that automatically. And that basically says, when you're connected to IAP for our company, let it know this information about your machine, so it can decide what level of access to provide. And that's it. IAP can handle all these four use cases, which are pretty universal. There's a lot of different ways you configure and fine tune it. But the nice thing about it is, Marissa can do that, and the app servers that are out there don't have to change at all. MARTIN: Oh, nice. I think Big Corp will eventually be able to delete a lot of their authentication code they've sprinkled all over the web apps. CHARLIE: I think so, too. MARTIN: Thank you for showing us this, Charlie, and thank you all for tuning in. If you have questions about how IAP works or any security questions on GCP and serverless, please post them in comments below. Or if you have questions about, or requests for, other videos we should create around serverless, please let us know. Thank you for this time. See you next time. CHARLIE: Bye. [MUSIC PLAYING]
Info
Channel: Google Cloud Tech
Views: 24,033
Rating: undefined out of 5
Keywords: GDS: Yes, what is IAP, what is Identity Aware Proxy, how to authenticate users with IAP, how to authenticate users for websites, how to configure IAP, how to authenticate users, securing App Engine with IAP, identity and access management, identity management, access management, centralize access to websites, website access management, identity aware proxy, website security, cybersecurity, IAP, Serverless Expeditions, Martin Omander, Charlie Engelke
Id: xM9-FSU5MoY
Channel Id: undefined
Length: 26min 18sec (1578 seconds)
Published: Thu Oct 22 2020
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.