Ever set up what you thought was a bulletproof Google Cloud Organization, only to discover mysterious projects appearing like uninvited guests at a dinner party? You're not alone. Our recent NET+ GCP strategy call with Google's Jeff Nessen dove into the messy reality of how Google's various services can wreak havoc on your carefully managed cloud organization.
The Hierarchy That Rules Them All
Jeff started with a crucial reminder: Google Workspace sits at the top of the entire Google ecosystem hierarchy. Your Workspace super admin can essentially override anything happening in your GCP environment. While this gives them ultimate control, it also means that when that super admin retires (as Jeff has seen countless times), you're potentially locked out of critical billing and administrative functions. The solution involves opening support cases and getting letters from C-level executives – not exactly the streamlined process anyone wants.
The Usual Suspects
The conversation revealed the sources of several common expected surprises for GCP administrators:
Apps Script turned out to be particularly sneaky. As one participant discovered, a computer science class assignment using Apps Script automatically created dozens of GCP projects, completely bypassing the project creation restrictions they thought they had in place.
Google Analytics and Google Ads can suddenly start appearing in your GCP billing when users enable BigQuery integration features. The challenge? Figuring out which department in marketing set this up and should be paying for it.
Terra.bio and NIH's All of Us create projects that bill back to your organization, often requiring detective work to trace costs back to the right researcher or grant.
The Billing Maze
One of the most practical insights was about billing account management. Jeff emphasized that being a GCP org admin doesn't automatically make you a billing administrator – these are separate permission sets. For NET+ subscribers using resellers like Burwood, this actually works in your favor, at least for the billing IDs on contract. Your reseller can help clean up orphaned billing accounts when people leave, since through them the distributor Carahsoft ultimately holds the billing super admin rights.
Real-World Solutions
Craig from Yale shared a practical approach: they work one-on-one with users to grant temporary access for linking billing accounts, then remove those permissions to prevent unauthorized project creation. Jon from University of Washington praised Burwood's help in tracking down "surprising" services that appear on bills.
The Organizational Reality
An interesting sidebar emerged: at most institutions, Google Workspace (collaboration/productivity) and GCP (cloud) are managed by completely separate teams. In Google’s worldview, all you would use is Google, and so there is no conflict. In reality, at most institutions, the cloud team is trying to support and develop strategies around multiple cloud platforms and the collaboration team is doing the same in their space. We are organized by function, not by vendor. If there is good communication and collaboration, this is a non-issue operationally, but this can create its own compliance challenges, considering that the Workspace team has ultimate override capabilities over the Cloud team's carefully constructed security policies.
The bottom line? Managing a Google Cloud organization isn't just about GCP policies and permissions. It's about understanding the interconnected web of Google services and planning for the inevitable exceptions that will test your governance model.
What unexpected Google services have surprised you in your GCP environment? The community would love to hear your war stories.
In case you missed it, here are the latest updates from the NET+ Google Workspace for Education (GWE) program, along with the new Gemini features.
NET+ GWE Program Updates
- 2025 Renewals
If your institution is up for renewal this year, we've streamlined the process—universities only need to sign the Reseller Service Order (RSO) form with the 2025 pricing exhibit. Reach out to your Reseller to request the 2025 renewal paperwork. If you have any questions, check out the 2025 Frequently Asked Questions, or reach out to us at netplus@internet2.edu.
- How to report misuse of Google tools?
As part of a joint effort between the NET+ GWE Service Advisory Board, Internet2, and REN-ISAC, a dedicated intake channel is now available to report compromised Google products, including Google Forms, Gmail, Google Drive, Docs, Sites, Drawings, Sheets, and Slides. As announced on March 4, REN-ISAC has enrolled in the Google Workspace Priority Flagger Program.
To report a compromised Google product, simply send the link to soc@ren-isac.net. This program is open to all universities, and your campus does not need to be a paid Google Workspace customer to participate. If your institution is a member of REN-ISAC, your point of contact for REN-ISAC should have received an informational message on March 4 titled “Report Google form phishing to REN-ISAC”.
Upcoming Events
- Strengthen Your Defenses: Essential Cybersecurity Tools within Google Workspace for Education (virtual webinar)
- Date: April 2 at 3pm ET
- Topic: This session will cover key security features, such as user access controls, data encryption, and real-time monitoring, to help educational institutions safeguard sensitive data. Learn practical strategies to improve cybersecurity and ensure a safe digital environment for students, faculty, and staff.
- Audience: CISOs, security professionals, directors, managers, and workspace administrators
- Registration URL: https://internet2.zoom.us/webinar/register/WN_z0HC1f6cQzapapU4Dq5bQg
- The Internet2 Community Exchange Conference brings together research and education leaders to explore cutting-edge technology, collaboration, and infrastructure. This year, the Google team will be in attendance, sharing insights on their latest innovations and partnerships. Sessions will include:
- AI on Campus: Balancing Innovation and Data Security
§ Date: Tuesday, April 29 at 4:00pm
- AI - Powered Partnerships: How we are revolutionizing student success and campus operations
- Date: Thursday, May 5 at 8:40am
Google Updates
New Gemini app features - Available at no cost!
All Gemini app users (18+) will have access to the following features free of charge:
- Gems
Gems are customized versions of Gemini that you can personalize to be experts on any topic. You can get started with a Gem that is premade by Google, like Learning coach or Brainstormer, or create your own custom Gem with the option to ground it in your own sources to provide even more helpful responses — no coding required. You can learn more about how education institutions are using Gems here.
- Deep Research
Deep Research in the Gemini app can save you hours of time as your personal AI research assistant, searching and analyzing information from across and synthesizing it into comprehensive reports with citations in just minutes. Education institutions are using Deep Research to quickly get up to speed on various topics, get help with grant writing and lesson planning, and so much more. You can learn more about Deep Research in this video.
Gemini users 18+ can try Deep Research free of charge with five reports per 30 day period, and users with a Gemini Education license get full usage to save even more time on their most complex projects.
Gemini LTI™ is now live! Gemini LTI™ enhances the educational experience for both educators and students by providing AI-driven tools and features powered by Gemini, directly within their LMS environment. Gemini LTI™ integrates seamlessly with Canvas by Instructure and Powerschool Schoology Learning, empowering users to access advanced AI tools in their everyday learning and teaching.
To stay up to date on the latest Gemini updates, visit: https://blog.google/products/gemini/
We appreciate your continued engagement with the NET+ Google Workspace for Education program. If you have any questions, feel free to reach out to netplus@internet2.edu. We look forward to seeing you at our upcoming events!
You know what I love about our NET+ GCP community calls? We dive straight into the weeds. This week's conversation was a perfect example – equal parts practical problem-solving and "wait, how does that actually work?"
The Skills Boost Reality Check
Google's Cloud Skills Boost program came up again, and it's clear some organizations are getting real value from it. Charles from NYGC shared how they're using it seamlessly through their reseller, while Ezequiel talked about incorporating it into their onboarding process for new projects. But here's the thing that caught my attention: the confusion between Skills Boost courses that also exist on Coursera. Because apparently having multiple learning platforms isn't complicated enough already.
The big news? Google announced at Next 2024 that each public sector institution gets free licenses. Chris hinted there's another announcement coming soon on this front, so stay tuned.
Marketplace Madness
Ethan from Carnegie Mellon dropped a question that made everyone lean in: "Has anybody successfully used a Carahsoft billing account with a marketplace product like Databricks?" Doug from Burwood's response was basically "it's complicated" – which is consultant-speak for "buckle up." The Google Cloud Marketplace doesn't play nicely with a reseller in the mix, which creates all sorts of fun billing gymnastics.
This is exactly the kind of real-world friction that doesn't show up in vendor presentations but absolutely matters when you're trying to implement these solutions.
The Teaching Credits Conundrum
Kelly from UW-Madison brought up something that's been bugging a lot of us: the current hold on Google Cloud Faculty teaching credits. Nobody seems clear on how long this pause will last, which makes planning for classes and workshops a bit like shooting in the dark. Meanwhile, she's planning to demo GCP Cloud Lab with automatic budget shutdowns – because nothing says "responsible cloud usage" like hard stops when you hit your spending limit.
The Google Influence Elephant
We spent some time discussing Google's broader influence on GCP, touching on Firebase, Google Ads, Maps API, and AppScript. The "no users under 18" policy came up again, along with some cryptic recaptcha changes that Kelly's still waiting to hear more about. It's a reminder that when you're in the Google ecosystem, you're not just dealing with cloud infrastructure – you're navigating an entire constellation of interconnected services.
The real question hanging over everything? How many institutions have NotebookLM turned on, and what's the feedback been? Sounds like the topic for our next deep dive.
Chris's Dream (And Ours)
Google’s Chris Daugherty shared his vision of leveraging CloudLab to create a seamless Colab Enterprise experience. Currently, the billing works fine, but connecting the free Colab interface with paid VMs is still clunky. It's the kind of integration challenge that sounds simple until you try to actually build it.
Got your own implementation war stories? I'm always curious about the gap between vendor promises and campus reality.
Estimated reading time: 4 minutes
If you missed our March NET+ AWS Tech Jam, you missed a thought-provoking conversation about how leading institutions are completely rethinking their approach to cloud provisioning. Penn State University's journey from manual processes to cloud automation sparked insights that could reshape how your institution empowers researchers and students while maintaining financial control.
Beyond the "Build It and They Will Come" Fallacy
The discussion quickly moved past outdated cloud provisioning philosophies to reveal a fundamental truth: successful cloud environments start with understanding what users actually need, not what IT thinks they might want.
Shane Heivly from Penn State University described their eye-opening shift from what he called "2018-style manual provisioning" to a more sophisticated user-centric approach. This isn't just about technical workflows—it's about transforming how institutions conceptualize their relationship with cloud resources.
"The backwards approach is critical," noted one participant. "When you understand what researchers and graduate students truly need to accomplish, you design systems that actually get used rather than bypassed."
Solving the Higher Ed "Snowflake" Challenge
What makes the academic environment so challenging for cloud administrators is the extraordinary diversity of use cases. From high-performance computing clusters processing climate models to AI workloads analyzing literary texts, every research group presents unique requirements.
Rather than attempting to build one-size-fits-none solutions, forward-thinking institutions are creating flexible provisioning frameworks that:
- Recognize different levels of cloud maturity among users
- Provide appropriate guardrails without stifling innovation
- Integrate with familiar campus systems like ServiceNow
- Scale to accommodate growing demands
The Financial Control Breakthrough
Perhaps the most compelling part of the discussion centered on how automated provisioning is revolutionizing financial control—without creating administrative bottlenecks.
Early adopters have implemented sophisticated tagging strategies that enable granular cost attribution while empowering users with real-time visibility into their spending. Rather than discovering runaway costs at month's end, institutions now deploy automated monitoring tools that can alert users or even shut down idle resources based on predefined policies.
One participant described how their institution reduced unexpected cloud expenses by 73% in just four months using this approach—while actually increasing cloud adoption rates.
From Theoretical to Practical: Implementation Insights
What separated this Tech Jam from typical cloud discussions was the practical implementation roadmap that emerged. Participants shared specific tactics for overcoming common obstacles:
The "vending machine" concept emerged as a particularly compelling model, where users can self-service their cloud needs within appropriate boundaries. Rather than attempting to build comprehensive solutions immediately, participants advocated for starting with minimal viable products focused on common use cases, then expanding based on actual usage patterns.
Identity and access management strategies proved to be a critical foundation, balancing user autonomy with institutional security requirements through thoughtfully designed permission structures.
Building the Community Knowledge Base
The most valuable aspect of the Tech Jam was the rich exchange of real-world experiences that transcended vendor talking points. Participants shared struggles, successes, and everything in between—creating a knowledge base far more valuable than any white paper.
Multiple institutions shared how they've adapted their existing IT service management platforms to support cloud provisioning, allowing them to leverage familiar workflows rather than creating entirely new processes.
Making It Real on Your Campus
Ready to transform your cloud provisioning? The community highlighted several practical next steps:
- Arrange a consultation with your AWS Solutions Architect to evaluate your current provisioning approach
- Join the upcoming hands-on workshop series focused specifically on implementation strategies
- Connect with peer institutions through the Internet2 NET+ AWS community forums
- Access the shared resource repository containing sample workflows, policies, and lessons learned
The March Tech Jam reinforced that cloud provisioning isn't just a technical challenge—it's fundamentally about enabling research and education while maintaining appropriate controls. By focusing on user needs first and building iteratively, institutions are creating cloud environments that truly meet the unique demands of higher education. Here is the recording for you to view on-demand (unfortunately, due to user error, the recording started half way through).
Don't miss next month's NET+ AWS event. Take a look at our calendar for upcoming events that you might be interested in. These monthly sessions continue to bring together innovative thinkers in higher education cloud computing to solve real-world challenges.
Be sure to check out the other blog posts we've written. As always, feel free to send any feedback to tmanik[at]internet2[dot]edu.