Enhancing IAM Automation: Why Proper Architecture and Backup Solutions are Critical

When building IAM automation for onboarding, and even more crucially for offboarding, it's essential to recognize a key oversight in many systems. Consider a typical flow such as Hibob -> Okta, where Okta in turn links to numerous company services, including production environments like GitLab, AWS, GCP, and others. It's unclear why Hibob lacks backup or rollback capabilities, but the current scenario presents a significant risk: HR, responsible for filling in employee attribute fields, often makes mistakes, and a single incorrect team or department name can strip an employee of all system access.

To mitigate this, disable the mass import from Excel in Hibob. Excel doesn't enforce the mandatory fields that Okta needs to recognize the user and allocate authorizations correctly. Moreover, some mandatory fields in Hibob might even be deprecated, which is a common scenario in high-tech industries.

To address these challenges, I started using HYCU as an intermediary layer. HYCU captures an image of all attributes in Okta. If a mishap occurs, the first step is to set Okta to block attribute imports from Hibob, and the second is to restore the entire system quickly. The settings are highly flexible, allowing partial restoration of a single sector and tracking of knock-on effects in complex IAM systems like AWS through a permissions map.
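The same idea can be applied before the damage happens: snapshot the current profiles as a rollback point and hold back any HR change that would silently strip access. The following is an added illustration, not Hibob, Okta or HYCU code; the department-to-group mapping, the profiles and the `guard_import` function are all constructed for the example.

```python
"""Pre-import guard for an HR -> identity-provider attribute sync (added example).

Before applying an HR feed, keep a snapshot of the current profiles (the
rollback point) and diff the group assignments each profile would produce.
A user who would lose every group, or whose department is not a known value,
is held for review instead of being pushed. All data below is constructed.
"""
import copy

# Constructed mapping, standing in for the IdP's attribute-based group rules.
DEPT_GROUPS = {
    "Engineering": {"gitlab-developers", "aws-dev", "gcp-dev"},
    "Finance": {"erp-users"},
}


def groups_for(profile):
    """Groups a profile would receive under DEPT_GROUPS; unknown department -> none."""
    return DEPT_GROUPS.get(profile.get("department", ""), set())


def guard_import(current, incoming):
    """Return (snapshot, applied, held) for an HR feed.

    current/incoming map user id -> profile dict.
    snapshot: deep copy of `current`, retained as the rollback point.
    applied:  profiles that only add or keep access and are safe to push.
    held:     {user_id: reason} for changes a human must confirm first.
    """
    snapshot = copy.deepcopy(current)
    applied, held = {}, {}
    for uid, new_profile in incoming.items():
        old_groups = groups_for(current.get(uid, {}))
        new_groups = groups_for(new_profile)
        dept = new_profile.get("department")
        if dept not in DEPT_GROUPS:
            # The classic HR typo: an unknown department maps to zero groups.
            held[uid] = f"unknown department {dept!r}"
        elif old_groups - new_groups:
            held[uid] = f"would lose groups {sorted(old_groups - new_groups)}"
        else:
            applied[uid] = new_profile
    return snapshot, applied, held


# Constructed sample feed: one typo, one unchanged user, one new hire.
CURRENT = {"alice": {"department": "Engineering"}, "dana": {"department": "Finance"}}
INCOMING = {
    "alice": {"department": "Enginering"},  # typo: would strip all of alice's access
    "dana": {"department": "Finance"},
    "erin": {"department": "Engineering"},  # new hire, gains access only
}
```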

Further proactive automation to prevent such issues is crucial. I'm currently testing GitLab CI, which I'll discuss more in upcoming posts. Yes, it's a separate pipeline for all authentication and authorization, but DevOps principles might be particularly applicable here. As we focus on product development, it's easy to overlook that the "version" of the entire company's authorization landscape changes daily. With hundreds of services involved, introducing a dedicated DevOps role to maintain the IAM system is essential.

#IAM #Automation #DevOps #CyberSecurity #Hibob #Okta #AWS #GCP #GitLab #HYCU #TechInnovation
