Correlated Identities from IDN within CAM
Authored by Doug Fierro
A fundamental question we have been helping customers with for years is also a very basic one: who has access to what? This includes access to environments, applications, systems, and repositories across the IT landscape. This was not a simple task before the accelerated growth of cloud adoption, and the complexity of how cloud access is granted across multiple disparate platforms does not make the job any easier now.
Even if you had a way to magically discover all the cloud access that exists across your different cloud infrastructure platforms – the “what” and “how” parts – it still does not answer the “who” part of our fundamental question. That is because, to determine someone’s identity in the cloud effectively, you need to correlate that cloud user, service account, or principal to a trusted system of record.
It so happens that SailPoint has been successfully correlating all types of electronic identities for many years now. As a result, our identity security offerings can connect to hundreds of target systems and application environments, including CSP platforms, and figure out how all those different access definitions map to a single identity. That makes it easy, for purposes of visibility, administration, policy, governance, and compliance, to quickly discover, for example, that user “pragan” in the payroll system, the user “Patrick” in Box, the administrator user “FinAdmin,” and the AWS cloud user “test1” are all the same identity in your organization.
Leveraging our platform’s market-leading identity correlation engine, Cloud Access Management will soon display correlated identities for cloud users. There are several benefits to this integration that we will build upon over time:
- Bringing identity-level visibility to Cloud Access Management. Example use cases include being able to view someone’s entire “cloud footprint” across multiple CSPs. And on the topic of greater visibility, wouldn’t it be nice to select that identity link in Cloud Access Management and view some identity attributes of interest as needed? That integration use case is also planned.
- This feature will also extend our existing capabilities for governing cloud access by spotting cloud users in Cloud Access Management that do not have corresponding identities registered in IdentityNow. If native cloud access is being granted outside established processes and procedures, you want to know about it ASAP.
Future plans include the ability to create guardrails to monitor scenarios like this. Another planned governance feature, which leverages correlated identity information from IdentityNow, is spotting users with cloud access who are no longer active employees, based on their current identity lifecycle state.
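A toy version of the correlation and governance checks described above, as an added example that is not SailPoint's correlation engine or any IdentityNow or Cloud Access Management API: identities from a system of record, constructed cloud accounts from three CSPs, and functions that report an identity's cloud footprint, accounts with no correlated identity, and accounts held by identities that are no longer active. All names, attributes and matching rules are assumptions.

```python
# Added example (not SailPoint's own engine): map cloud accounts from several
# CSPs to identities in a system of record, then flag governance exceptions.
from dataclasses import dataclass

@dataclass
class Identity:
    identity_id: str
    email: str
    employee_id: str
    lifecycle_state: str  # e.g. "active" or "terminated"

@dataclass
class CloudAccount:
    csp: str
    account_name: str
    attrs: dict  # constructed correlation hints such as email or owner_id

# Constructed sample data: the system of record and accounts from three CSPs.
IDENTITIES = [
    Identity("id-1001", "pragan@example.com", "E100", "active"),
    Identity("id-1002", "jdoe@example.com", "E200", "terminated"),
]
CLOUD_ACCOUNTS = [
    CloudAccount("aws", "test1", {"email": "PRagan@example.com"}),
    CloudAccount("azure", "patrick.ragan", {"owner_id": "E100"}),
    CloudAccount("gcp", "jdoe-svc", {"owner_id": "E200"}),
    CloudAccount("aws", "FinAdmin", {}),  # nothing to correlate on
]

def correlate(identities, accounts):
    """Pair each account with an identity or None: email first, then employee id."""
    by_email = {i.email.lower(): i for i in identities}
    by_emp = {i.employee_id: i for i in identities}
    pairs = []
    for acct in accounts:
        ident = by_email.get(acct.attrs.get("email", "").lower())
        if ident is None:
            ident = by_emp.get(acct.attrs.get("owner_id"))
        pairs.append((acct, ident))
    return pairs

def cloud_footprint(pairs, identity_id):
    """Every cloud account correlated to one identity, across CSPs."""
    return sorted((a.csp, a.account_name) for a, i in pairs if i is not None and i.identity_id == identity_id)

def uncorrelated(pairs):
    """Cloud accounts with no identity in the system of record."""
    return sorted((a.csp, a.account_name) for a, i in pairs if i is None)

def inactive_with_access(pairs):
    """Accounts whose correlated identity is not in the active lifecycle state."""
    return sorted((a.csp, a.account_name, i.lifecycle_state) for a, i in pairs if i is not None and i.lifecycle_state != "active")
```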
As an identity-first company, we have always believed that effective management and governance of any access when it comes to technology must consider identity to be successful. This is even more true within the cloud today, as identity becomes the new perimeter for securing access to cloud services and resources. But not to worry, SailPoint is still here to help you provide the answer to that same fundamental question that has always been challenging throughout the history of identity security: who has access to what and why.