Welcome to module three. Now that you have set up your user accounts and Cloud Identity domain, let's talk about how to protect their accounts and your organization's data by establishing basic security protocols and policies. Following the same format as the last module, you'll have a chance to practice applying security settings in your own Cloud Identity domain. By the end of this module, you'll be able to explain admin security policies and best practices for establishing security policies like two-step verification. You'll be able to set up a single sign-on policy for your entire domain. You'll be able to apply access control policies. You'll be able to explain API security, and you'll be able to set up anti-phishing policies. Google takes security and privacy seriously, and offers tools that help organizations protect their user accounts with a robust combination of technologies that balance security and end-user convenience. As an admin, you can view and manage the security settings for your users in the Admin console to reinforce and monitor the security of your Google Accounts in several ways. Let's discuss some security best practices that will help you keep your organization's data safe and secure. These best practices are viewing users' security settings, examining users' password strength and ensuring that they have two-step verification set up, also known as multi-factor authentication, and viewing your users' behavior reports. As an administrator, you can view and manage individual users' security settings in the Admin console. Here, you can enforce two-step verification and ensure password strength. Also, if a user loses a device, you can revoke any application-specific passwords to ensure that no one can access their account information from that device. Another option is disabling client logins. As an admin, you'll be able to turn off access to those less secure applications, further securing your domain.
As part of security best practices, two-step verification should always be enabled and turned on for all user accounts in your domain. If you choose to enforce two-step verification for your entire domain or a specific organizational unit, you will have options for how to deploy this policy. You can immediately turn on two-step verification, or you can turn it on by a specific date and time for your organization. This will give your organization's end users time before the policy goes into effect. By taking advantage of two-step verification, you'll reinforce your domain's password security by requiring your users to enter an additional code which only the user can obtain via their own mobile device, or via an encrypted signature contained on a security key. This can greatly reduce the risk of unauthorized access if a user's password is compromised. Even if a user's password is cracked, compromised, or otherwise stolen, an attacker cannot sign in without access to the user's additional verification. Another security best practice we'd recommend is for you to check your users' account activity report page. Here you can view your users' account status and activity. This page gives you access to all the data, from user account and admin statuses to two-step verification enrollment reports. Along with being able to view your users' activity, you'll be able to see which applications are getting access to your organization's business data. You as an admin can literally see which users have given access to specific third-party cloud applications. This is a cool feature that further secures your data. Now let's discuss single sign-on, also known as SSO. With SSO, your users can access many applications without having to enter usernames and passwords in each of them. How does this work? It works by using Security Assertion Markup Language, or SAML for short. SAML allows secure web domains to exchange user authentication.
For example, an online service provider like Slack or Salesforce can contact an online identity provider like Google, or another identity service provider, to authenticate users who are trying to access secure content. Using SAML, users can use their Cloud Identity credentials to sign in to a pre-integrated list of SSO applications, and also custom web applications. Cloud Identity is able to work with any application that supports the SAML standard. If your organization already has an identity provider, you can use Cloud Identity as your cloud-based single sign-on solution while keeping your original identity provider. Cloud Identity will also allow your existing set of users to use SSO to access other cloud-based applications. After ensuring that your users' passwords and sign-in are protected, you'll next want to consider securing your entire organization's data by establishing access control policies. You can monitor your organization and control who has access to your users, apps, and devices. Remember the organizational units that you set up in the last module? You can now apply specific security policies and settings to your different organizational units. This additional layer allows you to apply special security policies to a select subset of users by turning services on or off for that organizational unit. As an administrator, you'll have further control of how applications interact with your organization's services. In order to understand this, let's define an integral concept. APIs are application program interfaces. An API is a set of protocols and tools in an application that allows it to directly interface, or connect, to another application. Think of it like a software intermediary that allows two applications to talk to each other. As an administrator, you want to ensure that your organization is protected against potentially malicious behavior from many applications. These applications could be attempting to communicate with your services through APIs.
In order to ensure your organization's security, you as an administrator can block and disable access to specific less secure applications. We have a feature in security tools that allows you to block sign-in attempts at the domain or organizational unit level from some applications or devices that do not use modern security standards. You will be able to block these APIs that are attempting to communicate with your domain by simply disabling their access at the organization level. Lastly, you can monitor and control who has access to your organization's mobile devices by using password settings to protect your organization's data. You can define a password type and strength, and determine a length of time before it expires. You can set an elapsed time limit before locking the device screen, and you can wipe a device if it's compromised by too many failed attempts. You'll learn more about these in the mobile management module that follows. And finally, let's talk about how to prevent phishing attacks on your users. A phishing attack is an attempt to obtain personal information like usernames, passwords, and credit card details by sending emails, text messages, or other forms of electronic communication that are pretending to be from a reputable resource. As an administrator, you can help your users avoid phishing attacks by implementing the Password Alert extension for the users in your domain. Password Alert is a Chrome extension that helps your users avoid phishing attacks by detecting when they enter their Google password into any website other than Google's sign-in page. All right. Now that we've gone through how to establish basic security protocols and policies within Cloud Identity, let's practice applying some of these security settings in your Cloud Identity domain through the Admin console. There are many advanced security features that we're not covering in this introductory course.
We'll ensure that you have linked resources to explore these features at the end of the course. In the following exercises, you've been tasked with helping your organization become aware of all of the different security tools that Cloud Identity offers. You're also responsible for implementing some of the basic security best practices. Good luck. Happy learning.