2
votes

I was learning about IAP in GCP, which is used for authentication and authorization for GCP-hosted apps.

Thoughts

Even before IAP was introduced in GCP, users could be authenticated and authorized using login credentials and Google IAM policies.

Okay, IAP replaces the VPN; users can work from untrusted networks.

Query

Please correct me if I am thinking wrong.

But if my app/resource is hosted in GCP, then it is accessible publicly with proper authentication and authorization, so there is obviously no need for a VPN. In this scenario, what is the significance of IAP?

What is the new thing in IAP, as IAP also does the same thing for authentication and authorization?

1
Sure would be nice to see a Google person come in and say something about this.
Randy L

1 Answer

4
votes

You wouldn't technically need IAP if you've already got an app which is secured with proper authentication and authorization, though it still may be desirable. One reason is that IAP gives you the ability to configure individual access outside of your application, rather than needing to control ACLs internally in your app's code. The App Engine IAP quickstart has a good overview of how IAP config works for securing an app.

You can think of IAP as filling the role of a VPN while also giving you the flexibility of OAuth. It is mainly targeted towards perimeter security which is traditionally accomplished by using firewalls and VPNs to secure privileged network resources like intranets which are hosted on premises. IAP allows you to set up a cloud-hosted intranet in much the same way as you'd do on-premises, with access control handled at the perimeter by IAP. This is explained very well in the Google research paper "BeyondCorp - A New Approach to Enterprise Security".