sounds counter-intuitive, but it is what Google is doing internally, according to the WSJ:
“With this approach, trust is moved from the network level to the device level. Employees can only access corporate applications with a device that is procured and actively managed by the company. In this setup, Google requires a device inventory database that keeps track of computers and mobile devices issued to employees as well as changes made to those devices.
After the device is authenticated, the next step involves securely identifying the user. Google tracks and manages all employees in a user database and a group database that is tied into the company’s human resources processes. These databases are updated as employees join the company, change responsibilities or leave the company. There’s also a single sign-on system, a user authentication portal that validates employee use against the user database and group database, generating short-lived authorization for access to specific resources.”
See the presentation by Google at USENIX.
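The access flow described in the quote, as an added sketch that is not Google's code: a device inventory check, then a user and group lookup, then a short-lived authorization bound to one resource. All names, the sample records, the HMAC token format and the 5-minute lifetime are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data; every name and field here is an assumption.
DEVICE_INVENTORY = {"laptop-001": {"managed": True}, "laptop-002": {"managed": False}}
USERS = {"alice": {"active": True}, "bob": {"active": True}, "carol": {"active": False}}
GROUPS = {"payroll-app": {"alice"}, "wiki": {"alice", "bob", "carol"}}
SIGNING_KEY = b"constructed-demo-key"  # a real deployment would use a managed secret
TTL_SECONDS = 300                      # "short-lived" is assumed to mean 5 minutes


def _sign(body: str) -> str:
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def authorize(device_id, user, resource, now=None):
    """Return a short-lived token for one resource, or None if any check fails."""
    now = time.time() if now is None else now
    device = DEVICE_INVENTORY.get(device_id)
    if device is None or not device["managed"]:
        return None  # device is not company-issued and actively managed
    if not USERS.get(user, {}).get("active"):
        return None  # user unknown or has left the company
    if user not in GROUPS.get(resource, set()):
        return None  # user's groups do not grant this resource
    claims = {"dev": device_id, "sub": user, "res": resource, "exp": int(now) + TTL_SECONDS}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + _sign(body)


def verify(token, resource, now=None):
    """Check signature, resource binding and expiry; no network location is consulted."""
    now = time.time() if now is None else now
    try:
        body, sig = token.rsplit(".", 1)
    except ValueError:
        return False
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return False
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims["res"] == resource and now < claims["exp"]
```

Nothing in either function looks at a source IP or network segment: the decision rests only on the device record, the user and group records, and the token's expiry.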