[cobookman]

Lets you have a whitelist of accounts per serivce. for example your HR payroll site can have IAP sitting in front of the site. IAP can only allow managers & hr access where-as the underlying system might not have this identity protection.

You can then have different whitelists per service.

Also IAP doesn't require the use of a VPN client. All one needs is a web browser with an internet connection. Giving your workers freedom to access corp assets just about anywhere.

[nunez]

VPNs are also much more expensive to maintain (good VPN hardware isn't cheap), introduce much more network latency and are another thing for help desk personnel to have to support (read: spend money supporting).

BeyondCorp/UberProxy is just a really complicated whitelist. That's it. Super simple.