Silversands and Okta
With the number of businesses adopting a cloud-first strategy, it is important to consider the long-term management of identity and access management; specifically, how identities and access will be governed within the cloud so that security is maintained.
Since identities will exist within many identity stores (such as Active Directory, other non-Microsoft systems and cloud vendors), securing each store separately is fragmented and hence cumbersome to manage. Left in this native form, identity management could become a business's weakest link in terms of securing digital identities. To avoid this situation, a cloud identity platform can be used to provide an abstraction layer that aggregates these identities and adds access management capabilities.
To resolve this, Silversands has selected Okta, a best-of-breed Identity and Access Management (IAM) platform. Okta has been selected because it provides a holistic IAM solution and is the market leader. In addition, it is vendor neutral, allowing Silversands to position this solution as an agnostic platform for customers who are multi-cloud adopters.
The Okta platform provides the following features:
Single Sign-On
The Okta Universal Directory provides single sign-on to applications federated with the Okta platform or to applications on-premises. This is another very important feature, as it ensures that users only need to remember a single password, regardless of the extent of the application sprawl both on-premises and, more importantly, within the cloud.
Adaptive Multi-factor Authentication
It is important to consider how access to services will be protected from password breaches, where users have weak passwords across multiple systems or reuse the same password in several places.
The Okta Universal Directory platform assists in this area by including an optional module for enabling Multi-Factor Authentication (MFA) support. This capability provides out-of-the-box MFA functions to protect cloud or on-premises assets. It also provides the ability to integrate with an existing MFA solution, such as RSA, YubiKey and others, where relevant.
Okta provides an intuitive approach to MFA, ensuring protection is applied where necessary whilst not obstructing adoption by making the solution too invasive for the user.
The Okta MFA solution dynamically adapts security and authentication policies based on user and device context, although for device context to be available the Okta mobile device management option will be required.
One of the key benefits of using Okta as an identity platform is that it provides a single, vendor-agnostic solution, which allows identities to be managed in a standard way regardless of the originating directory. For example, user data may be stored within multiple systems, such as HR, telephony or a workforce management system. In this case, Okta can transform the data from these different systems, extract the relevant information and inject it into a common directory, thereafter populating it within a new global application or system.
This data transformation is seamless to the user and is handled by the Universal Directory.
Okta provides this functionality by utilising its own transformation engine within the Universal Directory. This engine uses an Okta-created expression language to determine how this data is merged, manipulated or injected into the different systems.
This solution can also provide a strategic approach for any customer by providing an 'abstraction-layer directory', which can be configured to consolidate and govern access to central cloud or on-premises applications, to ensure that users are assigned access quickly as part of employee onboarding, and to ensure that access is revoked as part of a termination or leaver process.
The Universal Directory component within the Okta cloud service provides a centralised directory for businesses which have perhaps grown by acquisition and thus have fragmented management across multiple Active Directory forests or multiple LDAP stores. It is predominantly used to provide single sign-on to cloud services, but can also be used for provisioning as part of an identity lifecycle management programme. In addition, it can be used to govern group access to a business's shared services, and can provision groups and users from the cloud to on-premises services if desired.
The Directory itself is very flexible and can accept inputs from directories such as Active Directory, OpenLDAP or from other applications which manage identity workflows, such as a Human Resources (HR) system.