by CSDude 1154 days ago
You want to enforce some more controls when you access critical things, such as AWS; you can't with Google. It has no granular controls. Otherwise it's much easier. We use JumpCloud though; it's a mix between and more comprehensible.

When talking about controls are you referring to provisioning? What are some examples for missing controls?
Pretty sure he means audit compliance, proper RBAC, etc
Hmm audit compliance? Google gives you a log of who logged in where, doesn't it? And with "proper RBAC" you mean that you can put somebody into the "Developer" role, hence he gets AWS, GCP, Datadog, right?
I don't know how extensive Google's logging is - heck, didn't even know they offered Enterprise SSO until a few days ago (every organization I know uses either Okta or M365/AD) :)

Proper RBAC is as granular as necessary, but no more

Proper RBAC also links everything needed by a certain role together

Merely knowing who logged-in where and when, though, is not enough - you also need to know what they did while there (and that they did not do anything they were not supposed to be able to do (which links back to proper RBAC'ing))

CIS, HIPAA, FISMA, SOX, STIG and all the other alphabet soup compliance rules, frameworks, etc are a lot more extensive than just "who logged in where" :)

--------

See NIST's page on RBAC for some of this: https://csrc.nist.gov/Projects/Role-Based-Access-Control
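Added example, not code from any commenter in this thread and not NIST's own reference implementation: a minimal Core RBAC model in the NIST sense (users are assigned roles, roles bundle permissions, a user's effective permissions are the union over their roles), plus the two reviews the comment above is asking for over an audit log: flag events where the actor did something their roles do not grant, and list permissions a user holds but never exercised, which are candidates for trimming a role down to "as granular as necessary, but no more". The role names, object identifiers and log events are constructed sample data.

```python
"""Core RBAC (users -> roles -> permissions) plus an audit-trail review.

Added illustration for this thread; not code from any commenter or from
NIST. Role names, object names and log events are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]  # (operation, object), e.g. ("read", "aws:dev-logs")


@dataclass
class Rbac:
    # role -> the permissions that role bundles together (PA relation)
    role_perms: Dict[str, Set[Permission]] = field(default_factory=dict)
    # user -> roles assigned to that user (UA relation)
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)

    def define_role(self, role: str, perms: List[Permission]) -> None:
        """A role carries everything its holders need for the job, and nothing else."""
        self.role_perms[role] = set(perms)

    def assign(self, user: str, role: str) -> None:
        """Assign a user to an existing role; unknown roles are rejected."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def permissions_of(self, user: str) -> Set[Permission]:
        """Effective permissions: union over all roles the user holds."""
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_perms[r] for r in roles))

    def check_access(self, user: str, op: str, obj: str) -> bool:
        """Core RBAC access decision: is (op, obj) granted by any of the user's roles?"""
        return (op, obj) in self.permissions_of(user)


@dataclass
class AuditEvent:
    """One 'who did what to which object' record, as a log would supply it."""
    user: str
    op: str
    obj: str


def review_audit(rbac: Rbac, events: List[AuditEvent]) -> List[AuditEvent]:
    """Events where the actor did something their current roles do not permit.

    Knowing who logged in is not enough; this checks what they did against
    what they were supposed to be able to do.
    """
    return [e for e in events if not rbac.check_access(e.user, e.op, e.obj)]


def unused_permissions(rbac: Rbac, events: List[AuditEvent]) -> Dict[str, Set[Permission]]:
    """Per user: permissions granted by their roles but never seen in the log.

    A large set here suggests the role is broader than the job requires.
    """
    used: Dict[str, Set[Permission]] = {}
    for e in events:
        used.setdefault(e.user, set()).add((e.op, e.obj))
    return {u: rbac.permissions_of(u) - used.get(u, set()) for u in rbac.user_roles}


def build_sample() -> Tuple[Rbac, List[AuditEvent]]:
    """Constructed sample: two roles, two users, four log events (hypothetical names)."""
    rbac = Rbac()
    rbac.define_role("developer", [("read", "aws:dev-logs"),
                                   ("deploy", "aws:dev-lambda"),
                                   ("read", "datadog:dashboards")])
    rbac.define_role("sre", [("read", "aws:prod-logs"),
                             ("deploy", "aws:prod-lambda"),
                             ("write", "datadog:monitors")])
    rbac.assign("alice", "developer")
    rbac.assign("bob", "developer")
    rbac.assign("bob", "sre")
    events = [
        AuditEvent("alice", "read", "aws:dev-logs"),
        AuditEvent("alice", "deploy", "aws:prod-lambda"),  # not granted by "developer"
        AuditEvent("bob", "deploy", "aws:prod-lambda"),
        AuditEvent("bob", "read", "aws:dev-logs"),
    ]
    return rbac, events


if __name__ == "__main__":
    rbac, events = build_sample()
    for e in review_audit(rbac, events):
        print(f"VIOLATION: {e.user} did {e.op} on {e.obj} without a granting role")
    for user, perms in unused_permissions(rbac, events).items():
        print(f"{user}: {len(perms)} granted-but-unused permission(s): {sorted(perms)}")
```

The two review functions are the practical point of the comment: `review_audit` needs the log to carry the operation and the object, not just the login, and `unused_permissions` is only meaningful once roles are defined tightly enough that "unused" says something about the role rather than about a quiet week.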