In an ideal identity lifecycle management world, applications and infrastructure would pull from a single source of identities, and organizations would then centrally manage the lifecycle within the directory. However, many cloud applications do not support
this.
In this piece, we look at additional ways to reflect changes in the central identity directory for cloud applications and infrastructure, the protocols required, and the associated benefits and challenges of each.
Challenges of User Management at Scale
When dealing with only a few applications, administrators or application owners can create or delete user accounts manually. With a few employees or with low employee turnover, manual efforts don’t take too long and don’t expose the organization
to too much risk. When the number of employees and applications multiply, however, the time and risk multiply as well. This could result in:
- Lost productivity, due to time delays and errors when provisioning accounts.
- Access management audit and compliance findings, since manual processes may lead to mistakes.
- Monitoring challenges due to low visibility into applications, accounts and permissions.
- Risk from insider threat and terminated employees using ghost accounts (i.e., accounts that remain active after the employee’s primary access has been ended).
- The solution is to configure applications to use a single source of truth for user accounts, either directly or through workflows that automate the manual creation/modification/deletion efforts.
Provisioning and Deprovisioning in the Cloud
There are four broad strategies for managing user accounts in web applications hosted in cloud IaaS:
- Manual. User management is often performed manually, at least initially, using the web apps’ user management control panel. In some cases, due to the web app being limited or outdated, manual user management is the only option.
- Pros: The positive of this approach is that it is nearly universal and does not require additional setup or integration.
- Cons: Manual provisioning takes time, so newly hired people have to wait on access, and manual deprovisioning takes time, so terminated people may continue to have access after they leave the organization.
- Integration. Most web apps offer a user management API that mirrors the functionality in the user management control panel. This API may be implemented with a representational state transfer (REST) pattern or comparable API architecture. To integrate
with the identity provider (IDP), organizations configure their IAM platform to monitor for changes in the IDP and make API calls to reflect those changes in the web application.
- Pros: The benefits here are quicker provisioning/deprovisioning without manual effort.
- Cons: The challenges include limited API support (some web apps expose only limited functionality), complex initial configuration, the need to monitor to ensure the integration is still running, and maintaining the integration through upgrades
of the IDP, IAM and web app.
- Synchronization. To address the challenges of integration, the Internet Engineering Task Force (IETF) maintains the System for Cross-domain Identity Management (SCIM) standard under RFCs 7643 and 7644. SCIM is a JSON-based and REST protocol that enables
identities in the IDP and in the web app to be synchronized. Microsoft Azure AD enabled this functionality and actively encourages application partners to implement SCIM.
- Pros: The benefits include a standard means of user management, which simplifies support and upgrade, and a fuller set of user properties available for synchronization.
- Cons: The disadvantages include limited SCIM support in the industry, complex initial configuration, and the need to monitor to ensure the integration is still running.
- Federation. The above three strategies result in duplicate user accounts in both the IDP and the web app’s identity database. An alternative is to configure the web app to rely on the user account in the directory using federated identity management
(FIM). When a web app is configured for FIM, the app relies on Open ID Connect (OIDC, built upon OAuth 2.0) or the Security Assertion Markup Language (SAML) for authentication.
- Pros: Because the user account exists only in the IDP, the benefit is simplicity without the need for manual or automated user management.
- Cons: The challenge is that various web apps implement SAML and OIDC in non-standard ways, which may lead to configuration and support issues.
All the above strategies apply to the cloud IaaS infrastructure itself as well.
Balance Lifecycle Management & Overhead
In order to try and get the best lifecycle management with the least amount of overhead, organizations should consider:
- Evaluating the web app user management interfaces. Determine the level to which they support API user management, SCIM or federation through SAML or OIDC.
- Using the highest level of protocol supported by the IDP, the web app and the IAM tool.
- Being aware of protocol and integration issues. These protocols are not implemented consistently and internet connectivity issues are common. Be sure to allocate time to monitor and support any integrations.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.