Abstract
IBM Cloud Identity is a powerful SaaS platform that provides Identity-as-a-Service (IDaaS) solutions across the IAM domain, solutions that today are typically delivered through on-prem products.
A comprehensive and detailed description of the Cloud Platform is available here: https://www.ibm.com/us-en/marketplace/cloud-identity/resources.
Capabilities like single sign-on (SSO) and multi-factor authentication (MFA), as well as complete management of identities, are easy to achieve with this Cloud offering. What we want to show in this blog is how the platform is also capable of offering advanced end-to-end governance scenarios, enabling enterprises to implement governance in the cloud, reducing the total cost of ownership and avoiding the need to install, configure and maintain on-prem solutions that have proved to be over-complex.
The goal of this blog is therefore to review an initial set of scenarios that the Cloud Identity platform can enable for governance, and possibly to start a discussion about what needs to be included for governance in the Cloud.
A sample initial governance scenario
A simple but meaningful scenario that demonstrates the power of CI in the governance space is the ability to easily implement a governance access request scenario, with the related provisioning of an account to a SaaS application target.
We will walk through a scenario that shows the following capabilities inside CI:
- As a tenant administrator, how to manage identities and groups to shape an RBAC-based governance approach
- As an application owner, how to onboard and configure a SaaS application into CI, for enabling governance scenarios
- As an employee, how to request access to an application and access it.
How to manage identities and groups
Cloud Identity makes it easy to define groups and users. These groups can then be used to model roles for an RBAC approach. The creation of users is a basic function of Cloud Identity; in the context of planning a governance scenario, additional attention must be paid to creating groups that represent roles.
As you can see above, we can start by thinking of some roles represented by CI groups, namely "IT dept" and "marketing". These groups are the starting point for building our roles.
We can easily add our existing users to these groups.
How to onboard and configure a SaaS application into CI
CI makes it easy to bring in application instances, either by leveraging specific adapters from the catalog or by creating a brand new custom application.
While she waits for her manager, John, to approve that request.
Summarizing
This brief article is intended only as an initial pointer to the governance capabilities already available on Cloud Identity.
Cloud Identity is a continuously evolving platform, so in the future we may expect increased capabilities to be delivered in the governance space, regarding fine-grained permissions management, re-certification, role mining and separation of duties (SoD). While appreciating the evolution of Cloud Identity in the governance space, this blog also intends to start a discussion about the optimal sequence of features to integrate and leverage in order to implement governance scenarios in the Cloud.