Exam Professional Cloud Architect topic 1 question 11 discussion

The correct answer is B. GCDS tool only copies the usernames, not the passwords. And more over strict security requirements for the passwords. Not allowed to copy them onto Google, I think. Federation technique help resolve this issue. Please correct me if I am wrong.

"A" will syncronise passwords between on pre-mise and the GCP, this duplicates the existing strategy plus Google's "built-in" encryption of all the data. "B" does not support the moving to GCP. "C" The directory sync tool copies the filesystem settings between servers, UNIX filesystems have permission settings built in and passwords to log into the permission groups, syncing these would set GCP up the same way their on-premises is, plus Google's "built-in" encryption. "D" disrupts the users, so this is not correct. The debate should be between "A" and "C", "C" includes "A" according to (https://cloud.google.com/solutions/migrating-consumer-accounts-to-cloud-identity-or-g-suite-best-practices-federation) so choose "C"

A&C: would also copy password in GCP, so will certainly not satisfy security requirement B : Recommended, no service interruption, no change for users, quick to set up https://cloud.google.com/architecture/identity/best-practices-for-federating D : Just kidding solution

1. Minimal User Disruption: Federated authentication allows users to use their existing corporate credentials to access the application in Google Cloud. This eliminates the need for them to create and remember new passwords, minimizing disruption and improving user experience. 2. Strict Security Requirements: SAML 2.0 is a widely used, secure standard for authentication and authorization. It allows the existing identity provider (IdP) to handle password management and security policies, ensuring compliance with the security team's requirements. 3. Centralized Identity Management: Federation keeps identity management centralized within the existing corporate infrastructure. This simplifies user management and reduces the overhead of managing identities in multiple places.

cross-domain SSO can be achieved by SAML

I think B is correct

Minimal user disruption: By federating authentication via SAML 2.0, users can continue using their existing corporate credentials without having to manage or remember new passwords. Security requirements: SAML 2.0 federation allows your organization to maintain control over user authentication and password management within the existing Identity Provider (IdP). Passwords do not need to be stored in Google’s systems, which aligns with strict security requirements.

B is right one . Because C While Google Cloud Directory Syc (GCDS) helps sync users between an on-premises directory and Google, it does not address the password management aspect. Users may still face disruptions as this method might not handle existing passwords securely.

Choose B

the most convenient way is B, but the principle of this kind of exam is use cloud provider's native tools, so the C is correct.. this principle is also used on aws

B. Federate authentication via SAML 2.0 to the existing Identity Provider. Here's why: Security: SAML 2.0 allows for secure single sign-on (SSO) without storing passwords on Google's side. It ensures that authentication happens against the corporate Identity Provider (IdP), which maintains control over the user credentials. Minimal Disruption: Users can continue to use their existing corporate credentials to access the application on GCP without having to remember a new set of credentials or go through a password change process. Compliance: It satisfies the security team's requirements for password storage by ensuring that passwords remain within the corporate boundary. Integration: SAML is widely supported and can be integrated with many IdPs, allowing for a seamless transition to cloud-based resources while leveraging existing identity management infrastructure.

The correct answer is C. Google Cloud Directory Sync will provide federated authentications. B is wrong because SAML is used for Single sign-on. It also doesn't mention how the cloud can be authenticated to the existing Identity Provider. SAML by itself is not enough to do the job.

Federating authentication aligns with strict security team requirements for password storage, as it avoids the need to store or sync passwords outside the corporate environment.

Minimal User Disruption: Users continue using their existing corporate credentials for both on-premises and GCP applications, avoiding password resets or new account creations. Security Team Requirements: GCP doesn't store or manage corporate passwords; authentication relies on the existing Identity Provider (IdP), meeting strict password storage requirements.

B is a preferred solution nowadays, that's why: https://cloud.google.com/architecture/framework/security/identity-access#use_a_single_identity_provider

GCDS is better as it is a corporate application. The requirements for storing password can be met by GCP. As GCP has many security features For SAML, the corporate needs to have Identity provider service such as the one provided by Google, Facebook

main reason for B are strict storage requirements.