Overview of identity and access management
Identity and access management (generally referred to as IAM) is the practice of granting the right individuals access to the right resources for the right reasons. This series explores the general practice of IAM and the individuals who are subject to it, including the following:
- Corporate identities: The identities that you manage for employees of your organization. These identities are used for signing in to workstations, accessing email, or using corporate applications. Corporate identities might also include non-employees such as contractors or partners that need access to corporate resources.
- Customer identities: The identities that you manage for users in order to interact with your website or customer-facing applications.
- Service identities: The identities that you manage in order to enable applications to interact with other applications or the underlying platform.
You might need to grant access to the following resources:
- Google services such as Google Cloud, Google Analytics, or Google Workspace
- Resources in Google Cloud, such as projects, Cloud Storage buckets, or virtual machines (VMs)
- Custom applications or resources managed by such applications
The guides in this series break down the discussion of IAM into the following parts:
- Managing corporate, customer, and service identities forms the foundation of IAM. These topics are boxes 4, 5, and 6 (in green).
- Relying on identity management as the foundation, boxes 2 and 3 (in blue) denote access management topics. These topics include managing access to Google services, to Google Cloud resources, and to your custom workloads and applications.
- Box 1 (in yellow) indicates access management topics that are beyond the scope of these guides. To learn about access management for Google Workspace, Google Marketing Platform, and other services, see the individual product documentation.
Identity management
Identity management focuses on the following processes:
- Provisioning, managing, migrating, and deprovisioning identities, users, and groups.
- Enabling secure authentication to Google services and to your custom workloads.
The processes and technologies differ depending on whether you are dealing with corporate identities, application identities, or customer identities.
Manage corporate identities
Corporate identities are the identities that you manage for your organization's employees. Employees use these identities for signing in to workstations, accessing email, or using corporate applications.
In the context of managing corporate identities, the following are typical requirements:
- Maintaining a single place to manage identities across your organization.
- Enabling employees to use a single identity and single sign-on across multiple applications in a hybrid computing environment.
- Enforcing policies such as multi-factor authentication or password complexity for all employees.
- Meeting compliance criteria that might apply to your business.
Google Workspace and Cloud Identity are Google's products that let you address these requirements and centrally manage identities and policies.
If you use Google services in a hybrid or multi-cloud context, addressing these requirements might require that you integrate Google's IAM capabilities with external identity management solutions or identity providers such as Active Directory. The Reference architectures document explains how Google Workspace or Cloud Identity let you realize such an integration.
Some of your employees might rely on Gmail accounts or other consumer user accounts to access corporate resources. Using these types of user accounts might not comply with your individual requirements or policies, however, so you can migrate these users to Google Workspace or Cloud Identity. For more details, see Assessing your existing user accounts and Assessing onboarding plans.
To help you adopt Google Workspace or Cloud Identity, see our assessment and planning guides for guidance on how to assess your requirements and how to approach the adoption process.
Manage application identities
Application identities are the identities that you manage in order to let applications interact with other applications or with the underlying platform.
In the context of managing application identities, the following are typical requirements:
- Integrating with third-party APIs and authentication solutions.
- Enabling authentication across environments in a hybrid or multi-cloud scenario.
- Preventing leakage of credentials.
Google Cloud lets you manage application identities, and address these requirements, by using Google Cloud service accounts and Kubernetes service accounts. For more information about service accounts and best practices for using them, see Understanding service accounts.
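The most common way application credentials leak is a downloaded service account key file committed to a repository or pasted into a config file. The following scanner is an added example written for this page, not code from Google or from the guides referenced above. It relies only on the documented shape of a service account key file (a flat JSON object with `"type": "service_account"`, `project_id`, `private_key_id`, `private_key`, and `client_email`); the file paths and key contents in `SAMPLE_FILES` are constructed and are not real credentials.

```python
import json
import re
from dataclasses import dataclass

# Every key file that `gcloud iam service-accounts keys create` writes carries
# these fields; a blob missing any of them is not a usable key.
REQUIRED_KEY_FIELDS = {"type", "project_id", "private_key_id", "private_key", "client_email"}

# Matches flat JSON objects declaring "type": "service_account", so keys pasted
# into .env files, YAML, or source code are caught as well as stand-alone files.
_CANDIDATE_RE = re.compile(r'\{[^{}]*"type"\s*:\s*"service_account"[^{}]*\}')


@dataclass(frozen=True)
class LeakedKey:
    source: str          # file the key was found in
    client_email: str    # service account the key authenticates as
    private_key_id: str  # what you pass to `gcloud iam service-accounts keys delete`
    project_id: str


def find_service_account_keys(source: str, text: str) -> list[LeakedKey]:
    """Return one LeakedKey per real key in `text`; the private key material is never copied out."""
    found: list[LeakedKey] = []
    for match in _CANDIDATE_RE.finditer(text):
        try:
            obj = json.loads(match.group(0))
        except json.JSONDecodeError:
            continue  # mentions service_account but is not a JSON object
        if not REQUIRED_KEY_FIELDS.issubset(obj):
            continue
        if not str(obj["private_key"]).startswith("-----BEGIN"):
            continue  # placeholder such as "REDACTED": no key material leaked
        found.append(LeakedKey(source, obj["client_email"], obj["private_key_id"], obj["project_id"]))
    return found


def scan_files(files: dict[str, str]) -> list[LeakedKey]:
    """Scan a mapping of path -> contents (for example, a repository checkout)."""
    results: list[LeakedKey] = []
    for path, text in files.items():
        results.extend(find_service_account_keys(path, text))
    return results


# Constructed sample inputs (not real credentials): one leaked key, one redacted
# placeholder, and one file with nothing of interest.
SAMPLE_FILES = {
    "deploy/config.json": json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "0123456789abcdef0123456789abcdef01234567",
        "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASC\n-----END PRIVATE KEY-----\n",
        "client_email": "deployer@example-project.iam.gserviceaccount.com",
        "client_id": "123456789012345678901",
        "token_uri": "https://oauth2.googleapis.com/token",
    }),
    ".env": 'GOOGLE_CREDENTIALS={"type": "service_account", "project_id": "p", '
            '"private_key_id": "1", "private_key": "REDACTED", "client_email": "x@p.iam.gserviceaccount.com"}',
    "README.md": "Prefer an attached service account or a Kubernetes service account over downloaded key files.",
}

if __name__ == "__main__":
    for leak in scan_files(SAMPLE_FILES):
        print(f"{leak.source}: key {leak.private_key_id} for {leak.client_email} ({leak.project_id})")
```

Run against `SAMPLE_FILES`, only `deploy/config.json` is reported; the `.env` entry is skipped because its `private_key` is a placeholder, which is the false positive a scanner keyed on the `type` field alone would raise. On a real hit, treat the key as compromised: delete it with `gcloud iam service-accounts keys delete KEY_ID --iam-account=EMAIL`, then check the audit logs for use of that key before the deletion.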
Manage customer identities
Customer identities are the identities that you manage for users to let them interact with your website or customer-facing applications. Managing customer identities and their access is also referred to as customer identity and access management (CIAM).
In the context of managing customer identities, the following are typical requirements:
- Letting customers sign up for a new account but guarding against abuse, which might include detecting and blocking the creation of bot accounts.
- Supporting social sign-on and integrating with third-party identity providers.
- Supporting multi-factor authentication and enforcing password complexity requirements.
Google's Identity Platform lets you manage customer identities and address these requirements. For more details on the feature set and how to integrate Identity Platform with your custom applications, see the Identity Platform documentation.
Access management
Access management focuses on the following processes:
- Granting or revoking access to specific resources for identities.
- Managing roles and permissions.
- Delegating administrative capabilities to trusted individuals.
- Enforcing access control.
- Auditing accesses that are performed by identities.
Manage access to Google services
Your organization might rely on a combination of Google services. For example, you might use Google Workspace for collaboration, Google Cloud for deploying custom workloads, and Google Analytics for measuring advertising success metrics.
Google Workspace or Cloud Identity lets you centrally control which corporate identities can use which Google services. By restricting access to certain services, you establish a base level of access control. You can then use the access management capabilities of the individual services to configure finer-grained access control.
For more details, read about how to control who can access Google Workspace and Google services.
Manage access to Google Cloud
In Google Cloud, you can use IAM to grant corporate identities granular access to specific resources. By using IAM, you can implement the security principle of least privilege, where you grant these identities permissions to access only the resources that you specify.
For more information, see the IAM documentation.
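Whether a policy actually follows least privilege is something you can check mechanically. The audit below is an added example for this page, not code from Google or from the IAM documentation. It assumes only the documented JSON shape of an IAM policy (`version`, `etag`, and a list of `bindings`, each with a `role`, `members`, and an optional `condition`), such as `gcloud projects get-iam-policy PROJECT --format=json` returns; `SAMPLE_POLICY` and every principal in it are constructed. It flags the three findings a reviewer looks for first: public principals, basic roles, and grants made directly to individual users rather than to groups, plus the version-3 requirement that conditional bindings carry.

```python
from dataclasses import dataclass

# Basic (formerly "primitive") roles grant broad permissions across a whole
# project; predefined or custom roles scope access to what the principal needs.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Principals that make a resource reachable by anyone on the internet
# (allUsers) or by anyone with a Google account (allAuthenticatedUsers).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "low"
    role: str
    member: str
    issue: str


def audit_policy(policy: dict) -> list[Finding]:
    """Check an IAM policy (the shape returned by getIamPolicy) for common
    least-privilege violations. Returns an empty list for a clean policy."""
    findings: list[Finding] = []
    version = policy.get("version", 1)
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if "condition" in binding and version < 3:
            # Conditions require policy version 3; setIamPolicy rejects the policy otherwise.
            findings.append(Finding("high", role, "*",
                                    "binding has a condition but policy version is not 3"))
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(Finding("high", role, member, "public principal"))
            if role in BASIC_ROLES:
                findings.append(Finding("high", role, member, "basic role instead of a scoped role"))
            if member.startswith("user:"):
                findings.append(Finding("low", role, member, "direct user grant; prefer a group"))
    return findings


def passes_least_privilege(policy: dict) -> bool:
    """True when the policy has no high-severity findings."""
    return not any(f.severity == "high" for f in audit_policy(policy))


# Constructed sample policy (hypothetical project, principals, and etag).
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwWsampleEtag=",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
        {"role": "roles/storage.objectViewer",
         "members": ["group:data-readers@example.com"],
         "condition": {
             "title": "expires_2025",
             "expression": 'request.time < timestamp("2025-01-01T00:00:00Z")'}},
        {"role": "roles/compute.instanceAdmin.v1",
         "members": ["serviceAccount:deployer@example-project.iam.gserviceaccount.com"]},
    ],
}

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"[{f.severity}] {f.role} -> {f.member}: {f.issue}")
    print("least privilege:", passes_least_privilege(SAMPLE_POLICY))
```

On `SAMPLE_POLICY` the group binding with an expiry condition and the scoped service account binding pass, while `user:alice@example.com` holding `roles/owner` and `allUsers` on the bucket viewer role are reported as high. Pipe the JSON output of `gcloud projects get-iam-policy` into `audit_policy` to run it against a real project; the `user:` check is deliberately low severity because some break-glass grants are legitimately individual.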
Manage access to your workloads and applications
Your custom workloads and applications might differ based on the audience they are intended for:
- Some workloads might cater to corporate users—for example, internal line-of-business applications, dashboards, or content management systems.
- Other applications might cater to your customers—for example, your website, a customer self-service portal, or backends for mobile applications.
The right way to manage access, enforce access control, and audit access depends on the audience and the way you deploy the application.
To learn more about how to protect applications and other workloads that cater to corporate users, see the IAP documentation.
You can also directly integrate Sign-In With Google or use standard protocols such as OAuth 2.0 or OpenID Connect.
You can find out how to enforce access to APIs in the Istio and Cloud Endpoints documentation. You can use both products whether your applications cater to corporate users or to end users.
What's next
- Understand the concepts and capabilities of identity management by reading the Concepts section.
- Learn about prescriptive guidance to consider in your architecture or design by reading the Best practices section.
- Learn how to assess your requirements and identify a suitable design by reading the Assess and plan section.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-07-11 UTC.