Optimizing Identity Governance and Administration (IGA) with Okta Identity Governance


Speaking at Oktane 2023 was an unforgettable moment for me. It was on my bucket list, and I feel honored to have been a speaker. I want to share my ideas and the details behind them.

Identity Governance and Administration (IGA) is fundamental to security and remains crucial, no matter how advanced Cloud Native Security becomes.

Pamela Armstead simplified IGA in her earlier article, so please look at it if you need clarification on any of the essentials.

It's hard to find IGA success stories, as I've seen many cases where either a separate team had to be built after deployment or productivity dropped significantly.

Recently, my team successfully deployed OIG (Okta Identity Governance) for IGA across more than 60 applications that support neither SAML nor SCIM.

Let's talk about the story!

What solutions did CHEQUER have before I implemented Okta?

Before OIG (Okta Identity Governance), CHEQUER used an electronic approval system together with Okta Group Rules for automated application assignment.

The funny thing is that CHEQUER employees believed the application request process was fully automated; they didn't know my team was manually assigning apps behind the scenes. It was as if a security team member were inside a vending machine.


Why did I pick Okta Identity Governance?

The answer to why CHEQUER picked OIG (Okta Identity Governance) is that Okta is the gateway to the CHEQUER Zero Trust Framework, which makes it a cost-effective and efficient unified management system. It eliminates the extra costs of managing, integrating, and automating separate solutions.

Where are we in our deployment currently?

Lastly, here is how CHEQUER currently covers IGA.

CHEQUER developed the 7:3 principle: Okta Group Rules handle 70% of assignments during onboarding, and the remaining 30% are automated through OIG (Okta Identity Governance) for on-demand provisioning. This approach has been widely adopted as a leading practice among innovative Korean firms.

Additionally, based on one and a half years of experience, we've developed our best practice for managing apps that don't support SAML or SCIM, which you may have considered a hurdle to adopting OIG (Okta Identity Governance).

Where is Identity Governance and Administration going in the longer term?

IGA's longer-term future!

IGA will transform with SaaSPM (SaaS Security Posture Management). Okta is a critical Zero Trust component that can connect all applications, specifically SaaS applications. Given Zero Trust fundamentals, Okta can verify SaaS apps' security configurations and identify vulnerabilities. The market is heading in this direction. If Okta did not pursue SaaSPM, CHEQUER would integrate it with our QueryPie CDPP solution (Cloud Data Protection Platform) ourselves.

Future plans for CHEQUER with IGA?

Regarding our future plans with IGA, I expect our organization to proceed smoothly.

Firstly, I want to use Okta's native features to avoid extra integration, which will reduce the burden on my team. CHEQUER has already placed all applications within the OIG (Okta Identity Governance) boundary, using additional Okta Workflows to automate apps that do not support SAML and SCIM. As Okta's native features grow, that custom automation should gradually shrink.

Secondly, we currently generate PII compliance reports manually; if Okta provides this natively in the future, it will reduce our automation costs.

Finally, a dashboard correlating IGA with third-party security systems will surface comprehensive security insights and let us quickly assess high-priority risks.

What is "the 7:3 principle"?

We figured out how to apply OIG (Okta Identity Governance) effectively with our brainchild, the 7:3 principle.

This principle means that Okta Group Rules initially cover about 70% of application assignments automatically, with the remaining 30% handled on demand through Okta Access Requests.

Okta Group Rules are the meat and potatoes; OIG (Okta Identity Governance) is the side dish.

One key point I want to emphasize is improving the visibility of policies set in multiple places. Policies come from:

  • Okta Group Rules during onboarding
  • OIG itself (Access Requests)
  • Okta Workflows automation for non-SCIM apps
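To make that visibility concrete, here is an added example (not CHEQUER's tooling and not an Okta feature) that merges the three policy sources into one per-app view and flags the gaps a reviewer cares about, in particular apps that a Group Rule assigns but that have neither SCIM nor a Workflow behind them, so nobody is deprovisioned automatically. The app, rule and workflow names and the inventories are constructed; in practice you would export them from the Okta Admin API.

```python
"""Consolidate IGA policy from its three homes (Okta Group Rules, OIG Access Requests,
Okta Workflows) into one per-app view and report the gaps.

Added example, not CHEQUER's tooling and not an Okta feature. The inventories are
constructed stand-ins for exports from the Okta Admin API; all names are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# --- constructed inputs ------------------------------------------------------
# app -> lifecycle protocol the app itself supports ("scim" or "none")
APPS: Dict[str, str] = {
    "slack": "scim", "gdrive": "scim", "figma": "scim",
    "crowdstrike": "none", "splunk": "none", "contractor-portal": "none",
}
# Okta Group Rule -> apps assigned via the groups that rule populates (the 70%)
GROUP_RULES: Dict[str, List[str]] = {
    "rule-all-employees": ["slack", "gdrive"],
    "rule-engineering": ["crowdstrike", "splunk"],
}
# apps published in the OIG Access Request catalog (the on-demand 30%)
ACCESS_REQUEST_APPS: Set[str] = {"figma", "crowdstrike"}
# Okta Workflow -> non-SCIM app whose create/delete calls it automates
WORKFLOWS: Dict[str, str] = {"wf-crowdstrike-lifecycle": "crowdstrike"}


@dataclass
class AppPolicyView:
    app: str
    group_rules: List[str] = field(default_factory=list)
    access_request: bool = False
    workflows: List[str] = field(default_factory=list)
    lifecycle: str = "none"  # "scim", "workflow" or "none"

    @property
    def assigned(self) -> bool:
        """Is there any automated path that grants this app?"""
        return bool(self.group_rules) or self.access_request


def build_policy_view(apps: Dict[str, str], group_rules: Dict[str, List[str]],
                      access_request_apps: Set[str], workflows: Dict[str, str]
                      ) -> Dict[str, AppPolicyView]:
    """One record per app answering: where is the policy for this app defined?"""
    view = {app: AppPolicyView(app=app) for app in apps}
    for rule, rule_apps in group_rules.items():
        for app in rule_apps:
            view.setdefault(app, AppPolicyView(app=app)).group_rules.append(rule)
    for app in access_request_apps:
        view.setdefault(app, AppPolicyView(app=app)).access_request = True
    for wf, app in workflows.items():
        view.setdefault(app, AppPolicyView(app=app)).workflows.append(wf)
    for v in view.values():
        if apps.get(v.app) == "scim":
            v.lifecycle = "scim"
        elif v.workflows:
            v.lifecycle = "workflow"
    return view


def find_gaps(view: Dict[str, AppPolicyView]) -> List[Tuple[str, str]]:
    """Findings to clear before an access certification campaign."""
    gaps: List[Tuple[str, str]] = []
    for app, v in sorted(view.items()):
        if not v.assigned:
            gaps.append((app, "no assignment path: neither a Group Rule nor Access Requests"))
        elif v.lifecycle == "none":
            # People get in via a rule or request, but nothing removes them at offboarding.
            gaps.append((app, "assigned but no SCIM and no Workflow: deprovisioning is manual"))
        if v.group_rules and v.access_request:
            gaps.append((app, "granted by both Group Rules and Access Requests: review the overlap"))
    return gaps


def coverage_ratio(view: Dict[str, AppPolicyView]) -> Tuple[float, float]:
    """Share of assigned apps reached by Group Rules vs. only by Access Requests (the 7:3 split)."""
    assigned = [v for v in view.values() if v.assigned]
    if not assigned:
        return 0.0, 0.0
    by_rule = sum(1 for v in assigned if v.group_rules)
    return by_rule / len(assigned), (len(assigned) - by_rule) / len(assigned)


if __name__ == "__main__":
    view = build_policy_view(APPS, GROUP_RULES, ACCESS_REQUEST_APPS, WORKFLOWS)
    for app, issue in find_gaps(view):
        print(f"{app:18} {issue}")
    rules, requests = coverage_ratio(view)
    print(f"Group Rules {rules:.0%} / Access Requests {requests:.0%}")
```

With the constructed inventory the report shows `splunk` as the dangerous case (a Group Rule grants it, but with no SCIM and no Workflow nothing revokes it), `contractor-portal` as unmanaged, and `crowdstrike` as reachable by two paths; the computed split here is 80/20 rather than 7:3 simply because of the sample data.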

CHEQUER Zero Trust Framework V3


As you can see in the diagram, Okta is the gateway to our Zero Trust Framework.

SCIM is therefore fundamental, as it is responsible for provisioning and deprovisioning identities. Unfortunately, many apps still don't provide SCIM; however, these pieces come together like a puzzle with Okta Workflows.

Today, I'd like to share our know-how, and I would be honored to show you the demo video of a No-SCIM app integration with Okta Workflows.

Today's example is CrowdStrike, a well-known EDR solution that CHEQUER has integrated with Okta, Splunk, and many other critical systems. Currently, CrowdStrike supports SAML but not SCIM. Most vendors expose CreateUser and DeleteUser APIs by default, so implementing provisioning in Okta Workflows with the CrowdStrike API is relatively simple.
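The reconciliation logic behind such an integration, as an added example that is not the workflow from the repository, not Okta Workflows code and not the CrowdStrike API: `AppClient` is a hypothetical create/list/delete interface and `InMemoryAppClient` a constructed stand-in so it runs offline. What it adds to the paragraph above is idempotency and a safety rail: re-running the job changes nothing, only accounts the job itself created are ever deleted, and break-glass accounts are never touched.

```python
"""Reconcile Okta app assignments with an application that has no SCIM endpoint
but does expose create / list / delete user calls.

Added example: not CHEQUER's workflow, not Okta Workflows, not the CrowdStrike API.
`AppClient` is a hypothetical interface; `InMemoryAppClient` is a constructed
stand-in so the example runs offline. Emails and records below are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Protocol, Set, Tuple

MANAGED_TAG = "okta-managed"  # hypothetical marker stamped on accounts this job creates


class AppClient(Protocol):
    def list_users(self) -> Dict[str, dict]: ...      # email -> account record
    def create_user(self, email: str, attrs: dict) -> None: ...
    def delete_user(self, email: str) -> None: ...


@dataclass
class InMemoryAppClient:
    """Stand-in for a vendor's user API."""
    users: Dict[str, dict] = field(default_factory=dict)

    def list_users(self) -> Dict[str, dict]:
        return dict(self.users)

    def create_user(self, email: str, attrs: dict) -> None:
        if email in self.users:  # most vendor APIs reject duplicates; planning avoids this
            raise ValueError(f"user exists: {email}")
        self.users[email] = dict(attrs)

    def delete_user(self, email: str) -> None:
        self.users.pop(email, None)


@dataclass(frozen=True)
class Plan:
    create: Tuple[str, ...]
    delete: Tuple[str, ...]
    skipped: Tuple[str, ...]  # in the app, not assigned in Okta, but not ours to remove


# --- constructed inputs ------------------------------------------------------
# export of the app's Okta assignments (email plus the Okta user status)
OKTA_ASSIGNMENTS: List[dict] = [
    {"email": "alice@example.com", "status": "ACTIVE"},          # new hire, not in the app yet
    {"email": "bob@example.com", "status": "ACTIVE"},            # already provisioned
    {"email": "carol@example.com", "status": "DEPROVISIONED"},   # left the company, still assigned
]
# accounts currently in the target app
APP_USERS: Dict[str, dict] = {
    "bob@example.com": {"source": MANAGED_TAG},
    "carol@example.com": {"source": MANAGED_TAG},
    "dave@example.com": {"source": MANAGED_TAG},        # unassigned in Okta: orphan
    "breakglass@example.com": {"source": "local"},      # created by hand, never in Okta
}
PROTECTED: Set[str] = {"breakglass@example.com"}  # explicit allow-list, never auto-deleted


def active_assignees(assignments: List[dict]) -> Set[str]:
    """Only ACTIVE Okta users keep access; suspended or deprovisioned ones are removed."""
    return {a["email"].lower() for a in assignments if a["status"] == "ACTIVE"}


def plan_reconciliation(assigned: Set[str], existing: Dict[str, dict],
                        protected: Set[str]) -> Plan:
    """Compute the minimal create/delete set; running it twice yields an empty plan."""
    existing = {email.lower(): acct for email, acct in existing.items()}
    create = sorted(assigned - set(existing))
    delete, skipped = [], []
    for email, acct in existing.items():
        if email in assigned:
            continue
        # Safety rail: delete only accounts this job created, and never a protected one.
        if email in protected or acct.get("source") != MANAGED_TAG:
            skipped.append(email)
        else:
            delete.append(email)
    return Plan(tuple(create), tuple(sorted(delete)), tuple(sorted(skipped)))


def reconcile(assignments: List[dict], client: AppClient, protected: Set[str],
              dry_run: bool = True) -> Plan:
    """Plan, and unless dry_run, apply. Returns the plan so callers can log or review it."""
    plan = plan_reconciliation(active_assignees(assignments), client.list_users(), protected)
    if not dry_run:
        for email in plan.create:
            client.create_user(email, {"source": MANAGED_TAG})
        for email in plan.delete:
            client.delete_user(email)
    return plan


if __name__ == "__main__":
    client = InMemoryAppClient(users=dict(APP_USERS))
    print("dry run:   ", reconcile(OKTA_ASSIGNMENTS, client, PROTECTED))
    print("applied:   ", reconcile(OKTA_ASSIGNMENTS, client, PROTECTED, dry_run=False))
    print("second run:", reconcile(OKTA_ASSIGNMENTS, client, PROTECTED, dry_run=False))
    print("app users now:", sorted(client.list_users()))
```

Run it dry first and log the plan; a workflow that deletes every account it does not recognise will eventually remove the vendor's break-glass admin or an integration service account, which is why deletion is gated on both the `MANAGED_TAG` marker and the explicit `PROTECTED` list.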

I'm sure you will come up with many different ideas. You can download the workflow file from the GitHub link below and try it yourself.

https://github.com/chequer-io/workflows
