Managing identity within the modern workplace
In the first of my blogs about identity I wrote about governance. In my second blog I’m going to talk about managing identities within the modern workplace.
What is the modern workplace?
The modern workplace is an environment without physical or logical boundaries and can provide users with flexible working along with the ability to access and interact with corporate content from wherever is most convenient. This may include access from the convenience of home, from a public location, using public facilities such as an airport lounge, a commercial aircraft, or from anywhere else via mobile devices. Because content is stored and accessed from the internet, it is always available and accessible.
In addition, from a business perspective, this way of working creates many benefits, such as business agility.
Why is it important to adopt an access strategy for security?
When adopting a Cloud strategy as part of an overarching IT transformation programme, or as an enabler of ‘digital business’ objectives, the fundamental ‘access control’ shifts from a traditional firewalling-of-assets approach to one of identity management. The shift is so pronounced that the term ‘perimeter’ essentially no longer applies and is broadly replaced by the phrase ‘identity is the perimeter’. Moreover, the security controls and tools that were once used for perimeter defence are no longer sufficient to control access in modern IT solutions.
Currently, the strategic option for any business which has this dilemma is to look to adopt an identity and access management (IAM) strategy, which will allow a new perimeter around corporate access to be created, by strictly controlling identity access along with identity lifecycle.
As with traditional on-premises access strategies, this is especially important when it comes to controlling access for former employees and ensuring that these unauthorised users are not allowed continued access to corporate data within Cloud services after leaving the business. In principle, the only way to govern this area is to utilise a solution which stores and maintains access control through a centralised identity service, and one which fully provides lifecycle management.
In a scenario where Azure AD is used as a business’s main Cloud identity store, and is likely already governed by an on-premises AD via synchronisation, this only deals with half of the issue. The other half is how to control on-going access to Cloud services whilst ensuring that security controls are in place to revoke it easily and quickly if necessary, in addition to bridging technical boundaries such as inter-forest connectivity or inter-platform diversity.
Why do I need to plan my source of identity management for the future?
When adopting a Cloud strategy, it is important to review the current sources of truth for identity within your business, as this will provide an understanding of how the business controls, and will control, access to systems and data. In most cases this is managed via a Human Resources (HR) process, either automated or manual; the former provides the most value both in terms of security and efficiency.
Another key consideration is that the current on-premises HR system may not be on-premises in the future and may instead be a best-of-breed SaaS application (such as Workday, UltiPro or another). Moreover, as the adoption of line-of-business applications shifts towards a Cloud-first strategy, the underlying identity and access management model should be adjusted in alignment with this.
Whilst designing an IAM solution, it may also be useful or necessary to converge or blend user information from multiple data sources. For example, user data may not be contained within Active Directory alone and may instead be spread across a phone system, HR and Active Directory. In this scenario, it is useful to determine which data is relevant for which application and then to use this data meaningfully within Cloud applications and the Cloud identity lifecycle. This is something which would ultimately be assessed during the selection criteria and design of such a solution.
All in all, the objectives or requirements within a business will dictate its long-term strategy, be that by providing more collaboration with partner organisations or by automating the user lifecycle. However, with an ever-evolving Cloud landscape, one thing is certain: a business’s identities must be managed now more than ever.
Identity. How can Silversands help me with this?
At Silversands, we understand the importance of selecting the correct long-term IT strategy within a business, especially in relation to the shift of architecture from that of on-premises to that of the Cloud. Additionally, Silversands has been working with identity systems for many years and understands the nuances and importance of this element within the overall foundations of IT solutions.
With the adoption of ‘Cloud-first’ strategies, or even for customers who are caught up by the challenges of unifying their disparate directory infrastructures in readiness for a Cloud strategy, these are all areas where Silversands has the expertise and solutions to assist, be that domain reconstruction because of a merger or divestiture, or a full identity management platform design or approach.
In line with this, Silversands has selected best of breed solutions to ensure that its customers can adopt an appropriate Cloud strategy, whilst ensuring that its architecture is optimised for security and aligned for maximum business agility.
Silversands has two product offerings which are suitable in this regard, Azure AD and Okta.
Azure AD, as most customers are already aware, is the backbone directory used by Microsoft for Office 365 and other Azure workloads. This is typically aligned with an on-premises directory using a synchronisation service known as Azure AD Connect or, in some instances, cloud provisioning. Typically, customers will achieve single sign-on (SSO) using either ADFS or pass-through authentication and will sign in to Azure to access these workloads. With this configuration in place, Azure AD essentially acts as an identity provider (IdP), with ADFS as a chained IdP.
In this configuration, Azure AD is also capable of providing some identity management capabilities, in addition to access management/governance, attestation, provisioning and deprovisioning – all available with the Azure AD Premium P2 licence SKU.
Azure AD also offers just-in-time (JIT) provisioning for first- and third-party SaaS applications. Microsoft provides a list of pre-packaged applications which can be selected within the Azure AD gallery and configured for provisioning, assuming that each supports SCIM (System for Cross-domain Identity Management). In this scenario, Azure AD acts as the SCIM client and expects the integrated application to provide the SCIM server component. If the application does not, the pre-built SCIM provisioning methods are not viable.
Microsoft does not have the most up-to-date catalogue in this regard, and typically this is where Silversands is engaged to provide assistance, in addition to designing the access and identity platform correctly.
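To make the SCIM client/server split concrete, the following is an added example (not code from the post, Microsoft or Silversands) of the minimal server side a SaaS application must expose so that Azure AD’s SCIM client can look up, create, deactivate and delete users. It is an in-memory model with no network layer; the bearer token and the sample payloads are constructed for the example, and the `active` handling accepts both the boolean and the string form of the value.

```python
"""Minimal in-memory SCIM 2.0 /Users endpoint (added example, not the post's code)."""
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
# Placeholder secret for the example; a real app loads this from a vault, never source code.
EXPECTED_TOKEN = "example-only-bearer-token"


class ScimServer:
    def __init__(self):
        self.users = {}  # id -> SCIM user resource

    def handle(self, method, path, headers, body=None, query=None):
        """Dispatch one SCIM request and return (status, json-able body)."""
        if headers.get("Authorization") != f"Bearer {EXPECTED_TOKEN}":
            return 401, {"detail": "missing or invalid bearer token"}
        m = re.fullmatch(r"/Users/([0-9a-f-]+)", path)
        if method == "GET" and path == "/Users":
            return self._list(query or {})
        if method == "POST" and path == "/Users":
            return self._create(body or {})
        if m and m.group(1) in self.users:
            if method == "PATCH":
                return self._patch(self.users[m.group(1)], body or {})
            if method == "DELETE":  # hard delete: the IdP no longer knows this user at all
                del self.users[m.group(1)]
                return 204, None
        return 404, {"detail": "not found"}

    def _list(self, query):
        # The Azure AD client checks for an existing user with: filter=userName eq "x"
        m = re.fullmatch(r'userName eq "([^"]+)"', query.get("filter", ""))
        hits = [u for u in self.users.values()
                if m and u["userName"].lower() == m.group(1).lower()]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(hits), "Resources": hits}

    def _create(self, body):
        if not body.get("userName"):
            return 400, {"detail": "userName is required"}
        if any(u["userName"].lower() == body["userName"].lower() for u in self.users.values()):
            return 409, {"detail": "userName must be unique"}
        user = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()),
                "userName": body["userName"], "active": bool(body.get("active", True))}
        self.users[user["id"]] = user
        return 201, user

    def _patch(self, user, body):
        # Deprovisioning arrives as a PATCH that replaces `active` with false (or "False").
        for op in body.get("Operations", []):
            if op.get("op", "").lower() == "replace" and op.get("path") == "active":
                user["active"] = str(op.get("value")).lower() == "true"
                # A real app should also revoke the user's live sessions and tokens here.
        return 200, user
```

The deactivation PATCH is the step that closes the “former employee” gap described earlier: if the application ignores it, the identity store has revoked access but the application has not.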
Okta is a Cloud (SaaS) solution which has been developed specifically for Cloud architecture from the ground up, making it uniquely positioned within the market. It provides the most fully featured Cloud identity solution, offering single sign-on, multi-factor authentication and flexible lifecycle management. Its main selling point is its ability to act as an abstraction layer which connects disparate directories together whilst translating between each. This abstraction layer allows Okta to integrate with any directory, be that Active Directory, LDAP/Linux, CSV, or via a hosted LDAP interface. This enables flexibility, accepting identities from any existing solution and culminating in the ability to consolidate many different directory identities, even where the directories are not connected to each other.
Okta is also able to integrate with best-of-breed security SaaS products, be that CASB vendors, IGA vendors, SIEM vendors, and so on (M&A).
What scenarios could these platforms help me with?
If a customer is planning to adopt Office 365 or has already done so, the architecture which enables a customer to leverage the abilities of Azure Active Directory already exists and can therefore be used to deliver a Cloud access platform, assuming that an Azure AD Premium P2 licence will be procured or is already in place.
The next step within this journey will be to review the requirements for ‘Cloud Access’ within the business which, in Silversands’ experience, will include the following:
• How will access to applications be secured (MFA, Conditional Access)?
• Do the selected application vendors support modern SSO protocols (OAuth, SAML) and do they also support provisioning and deprovisioning (SCIM)?
• How will applications be managed (By role)?
• How will application access be attested?
• How will Guest access be controlled?
• How will Groups be controlled?
Imagine the scenario below, wherein multiple infrastructures are in place within a business. These may exist due to acquisition or to financial or geographic operational business models, but regardless of the cause they are difficult to manage. Each of these business divisions has its own directory representing its identities (users), along with independent systems and access controls to provide governance.
As you can imagine, this situation presents many challenges in terms of providing a holistic collaborative solution across the entire business, in addition to the adoption of centralised applications or Cloud technologies.
This situation is far from unique in Silversands’ experience and is one which has many variations and nuances.
To help resolve this scenario, and at a basic level, one possible solution is shown below and depicts the creation of a new identity layer which sits above each of the business divisions.
On the diagram, this has been labelled as an ‘identity abstraction layer’, and essentially provides a ‘virtual glue’ allowing centralised services in the cloud or on-premises to be delivered and managed securely from one place, with one identity and with single sign-on capabilities.
By providing this layer, cross-business collaboration is possible, in addition to providing a single directory of information for an entire business.
Additionally, the information contained within this abstraction layer can then be utilised to control or populate data within Cloud applications, which in turn will unify governance and compliance.
Conversely, if we turn this diagram on its head, the identity abstraction layer may instead be populated by a cloud identity source, such as a SaaS HR solution, which in turn provisions users and services within each required system, be that Cloud or on-premises.
In my third and final blog in this series I will be writing about specific governance around identities with a focus on synthetics (Bots, APIs, Machines).
For more information on Azure AD identity or Okta Cloud identity management or for technical expertise relating to mergers and acquisitions, please contact Silversands who will organise a follow-up activity with one of its Consultants.
Silversands is a Microsoft Gold Partner of over 30 years’ standing, which specialises in Microsoft 365 delivered across cloud (Azure) and hybrid IT infrastructures. We provide consultancy, support and user adoption services. We are running a series of webinars this quarter and our experts produce frequent blogs, so do follow us.