IBM Security Verify


How to implement a simple Governance scenario using IBM Cloud Identity

By Leonardo Rosati posted Tue October 15, 2019 11:34 AM

  

Abstract

IBM Cloud Identity is a powerful SaaS platform that delivers Identity-as-a-Service (IDaaS) capabilities across the IAM domain, capabilities that today are typically obtained through on-prem products.
A comprehensive and detailed description of the platform is available here: https://www.ibm.com/us-en/marketplace/cloud-identity/resources.
Capabilities such as single sign-on (SSO) and multi-factor authentication (MFA), as well as complete management of identities, are easy to achieve with this cloud offering. What we want to show in this blog is that the platform is also capable of offering advanced end-to-end (E2E) governance scenarios, enabling enterprises to implement governance in the cloud, reducing the total cost of ownership and avoiding the installation, configuration and maintenance of on-prem solutions that have proved to be over-complex.
The goal of this blog is therefore to review an initial set of governance scenarios that the Cloud Identity platform can enable, and possibly to start a discussion about what governance in the cloud needs to include.

 

A sample initial governance scenario

A simple but meaningful scenario that demonstrates the potential of CI in the governance space is how easily it implements a governance access request, with the related provisioning of an account on a SaaS application target.

We will walk through a scenario that shows the following capabilities of CI:

  • As a tenant administrator, how to manage identities and groups to shape an RBAC-based governance approach
  • As an application owner, how to onboard and configure a SaaS application in CI in order to enable governance scenarios
  • As an employee, how to request access to an application and then access it.

 

 

How to manage identities and groups

 

Cloud Identity makes it easy to define groups and users. These groups can then be used to model roles for an RBAC approach. Creating users is a basic function of Cloud Identity; when planning a governance scenario, additional attention must be paid to creating groups that represent roles.


As shown above, we can start by thinking of some roles represented by CI groups, namely “IT dept” and “marketing”. These groups are the starting point for building our roles.

We can easily add our existing users to these groups.

How to onboard and configure a SaaS application into CI

CI makes it easy to bring in application instances, either by leveraging specific adapters from the catalog or by creating a brand new custom application.




The great advantage of using Cloud Identity is that you no longer need to configure any adapter to connect your application before onboarding one of its instances. Here we use the case of ZenDesk.


Note that CI also offers useful in-context help for configuring advanced settings.


Attention must be paid to the ‘Account lifecycle’ tab, which allows you to set provisioning policies. Cloud Identity allows you to define how an account is provisioned and deprovisioned. It also offers a grace period in case an account must be deleted or suspended.



The most interesting panel, from a governance perspective, is the ‘Entitlement’ tab.


Here you can define many policies governing which identities can access ZenDesk:

  • You can add users and groups and define, for groups, whether the users belonging to them have automatic (birthright) access to the application
  • You can define the workflow for a user to obtain access to the application: whether the user’s manager, the application owner or both have to explicitly approve the access

 

How to request access to an application and access it

Once the system has been set up, Cloud Identity allows employees to take advantage of it by requesting access and then accessing the application in the same context.

 

Mary Jones, a member of the IT dept group, can request access to ZenDesk because ZenDesk is visible to IT dept.

She can also track the status of her request from CI while she waits for her manager, John, to approve the request.


Once the request is approved, the provisioning policies create the account on ZenDesk and Mary can access it from her Cloud Identity page.
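To make the decision logic behind the walkthrough concrete, here is an added toy model (written for this post; it is not IBM Cloud Identity code and does not use its API) that ties together the three pieces described above: groups used as roles, the ‘Entitlement’ settings (visibility, birthright access, approval by manager and/or application owner) and the ‘Account lifecycle’ grace period. All class names, the group and approver names, and the 7-day grace period are assumptions constructed for the example.

```python
"""Constructed toy model of a group-based entitlement with an approval workflow
and an account lifecycle with a grace period. Not IBM Cloud Identity code."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, Optional, Set


class Approval(Enum):
    NONE = "none"        # no human approval needed
    MANAGER = "manager"
    OWNER = "owner"
    BOTH = "both"


@dataclass
class User:
    name: str
    manager: Optional[str]
    groups: Set[str]     # groups act as roles (RBAC)


@dataclass
class Entitlement:
    """Policy for one application: who may see/request it and who approves."""
    application: str
    owner: str                                          # application owner
    visible_to: Set[str]                                # groups allowed to request
    birthright: Set[str] = field(default_factory=set)   # groups granted automatically
    approval: Approval = Approval.BOTH
    grace_days: int = 7                                 # suspension before deletion (assumed)


@dataclass
class Request:
    user: str
    application: str
    required: Set[str]                                  # every approver who must sign
    approved_by: Set[str] = field(default_factory=set)
    status: str = "pending"

    def approve(self, approver: str) -> str:
        """Record one approval; the request completes when all required approvers signed."""
        if approver not in self.required:
            raise PermissionError(f"{approver} is not an approver for this request")
        self.approved_by.add(approver)
        if self.approved_by == self.required:
            self.status = "approved"
        return self.status


def visible(user: User, ent: Entitlement) -> bool:
    """The application is visible if any of the user's groups is entitled to it."""
    return bool(user.groups & (ent.visible_to | ent.birthright))


def required_approvers(user: User, ent: Entitlement) -> Set[str]:
    """Translate the entitlement's approval setting into concrete approvers."""
    approvers: Set[str] = set()
    if ent.approval in (Approval.MANAGER, Approval.BOTH):
        if user.manager is None:
            raise ValueError(f"{user.name} has no manager to approve the request")
        approvers.add(user.manager)
    if ent.approval in (Approval.OWNER, Approval.BOTH):
        approvers.add(ent.owner)
    return approvers


def request_access(user: User, ent: Entitlement) -> Request:
    """Refused if not visible, auto-approved for birthright groups, else pending."""
    if not visible(user, ent):
        raise PermissionError(f"{ent.application} is not visible to {user.name}")
    if user.groups & ent.birthright:
        return Request(user.name, ent.application, set(), status="approved")
    req = Request(user.name, ent.application, required_approvers(user, ent))
    if not req.required:            # Approval.NONE
        req.status = "approved"
    return req


def provision(req: Request) -> Dict[str, object]:
    """Create the target account only once the request is fully approved."""
    if req.status != "approved":
        raise PermissionError("request is not approved; nothing is provisioned")
    return {"user": req.user, "application": req.application, "status": "active"}


def deprovision(account: Dict[str, object], ent: Entitlement, today: date) -> Dict[str, object]:
    """Suspend first; the account is deleted only after the grace period elapses."""
    account["status"] = "suspended"
    account["delete_on"] = today + timedelta(days=ent.grace_days)
    return account


def purge(account: Dict[str, object], today: date) -> str:
    """Delete a suspended account once its grace period has passed."""
    if account.get("status") == "suspended" and today >= account["delete_on"]:
        account["status"] = "deleted"
    return str(account["status"])


if __name__ == "__main__":
    mary = User("Mary Jones", manager="John", groups={"IT dept"})
    zendesk = Entitlement("ZenDesk", owner="zendesk-owner", visible_to={"IT dept"},
                          approval=Approval.MANAGER)
    req = request_access(mary, zendesk)          # pending John's approval
    req.approve("John")
    print(provision(req))                        # account is active on ZenDesk
```

The point worth noticing is the ordering: the account does not exist until the request is fully approved, and removal goes through a suspended state whose length is set by the entitlement, which is the same sequence the ‘Entitlement’ and ‘Account lifecycle’ tabs configure.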

Summarizing

This brief article is intended only as an initial pointer to the governance capabilities already available in Cloud Identity.
Cloud Identity is a continuously evolving platform, so in the future we can expect increased capabilities to be delivered in the governance space: fine-grained permission management, re-certification, role mining and SoD. While appreciating the evolution of Cloud Identity in the governance space, this blog also intends to start a discussion about the optimal sequence of features to integrate and leverage in order to implement governance scenarios in the cloud.
