“By 2025, 80% of enterprises will have shut down their traditional data center, versus 10% today.”
Except for a few critical processes that will remain on-premises, much of an enterprise's workloads and data will be spread across a multi-cloud environment, with users accessing applications from multiple devices and locations, making it more difficult to secure, control, track and manage access to those applications and services. Without a comprehensive IAM plan, an organization is more vulnerable to attacks and data breaches.
– – –
The challenge of managing identities on multiple SaaS platforms
When a new employee joins a company, the organization often provides the employee with access to their corporate network, file servers, email accounts, and other assets. Since many SaaS applications are managed at a department level (Sales Operations managing Salesforce.com, Accounting Department managing QuickBooks, Marketing Department managing Marketo, etc.), access to these applications is often granted separately by the specific application’s administrator, rather than by a single person.
An employee termination is an even bigger concern. Organizations can centrally revoke access to email and corporate networks, but they have to rely on the administrators of each SaaS-based application to revoke the terminated employee's access individually. This leaves the company exposed: critical business applications and data may remain accessible to potentially disgruntled former employees.
A real cloud identity and access management service should be able to automate the provisioning of new SaaS applications as a natural extension of the existing onboarding process. When a user is added to the core directory service (such as Active Directory), their membership in particular security groups should ensure that they are automatically provisioned with the appropriate applications and given the access permissions they need.
– – –
The Concept of Federated Identity
Federated Identity Management provides a solution to this problem by separating account management from the service itself. Identity Providers (IdPs) such as Okta, Salesforce, and OpenAM act as the source of identity and account information for a user. That information can then be reused across all services, so that a user only has to remember one account name and password and the service providers no longer need to spend time on account management.
– – –
Managing User Identity
How MuleSoft Anypoint Platform can help map the different technologies and protocols to create a seamless login experience for the user
Anypoint Platform comes with its own identity provider (IdP). When users sign up with Anypoint Platform, they are creating an Anypoint identity, which allows them to access the platform, call APIs, and register client applications through an API portal. In addition to its own IdP, Anypoint Platform supports customers that are already using identity management systems such as Okta or Salesforce. In such cases, customers can either use an Anypoint identity or delegate the authentication to external identity providers to sign users into Anypoint Platform.
When it comes to external IdPs, MuleSoft’s methodology is to support the integration via standard protocols such as SAML, OpenID Connect, and OAuth 2.0. IdPs that support one of these protocols can be easily plugged into Anypoint Platform and used for user authentication.
Source: MuleSoft Technical Blog
– – –
How does it work?
Here is a typical workflow of a User Identity Management through the Anypoint Platform using third party IdPs.
Source: MuleSoft Technical Blog
– – –
How MuleSoft Anypoint Platform can help identify and authenticate devices through API Policy Management
Similar to authenticating users, device identity is authenticated through software, e.g., when one service invokes another service's API.
Anypoint Platform includes Anypoint API Manager, which allows organizations to easily design, secure, publish and manage their APIs. Using the API Manager with its library of pre-built policies that can be layered on top of an API implementation, customers can modify the levels of security, compliance support, and quality of service to their needs.
– – –
Access management is the process of granting authorized users the right to use a service, while preventing access to non-authorized users. It has also been referred to as rights management or identity management in different organizations.
The purpose of access management is to grant users the right to use a service or group of services.
Typically, an employee’s role in an organization determines the permissions that an individual is given within the system. This helps ensure that unauthorized employees can’t access sensitive information or perform high-level tasks such as altering production applications or APIs.
If we consider the above use cases, there are three different models:
- Role-based Access Control (RBAC)
- Attribute-based Access Control (ABAC)
- Adaptive access frameworks that combine machine learning and advanced analytics.
Anypoint Platform delivers access management functionality using a multi-tenant iPaaS environment. To support a variety of customer needs, Anypoint Platform provides its own authorization service, which understands who the user is and what roles the user is entitled to. It employs an attribute-enhanced RBAC model in which roles are created by grouping policies that dictate permissions. Organization administrators can create their own roles by changing attributes such as Environment, Business Groups, and versions of applications or APIs. These roles can then be assigned to users.
Anypoint Platform supports external or anonymous users that are not required to authenticate in order to interact with the Anypoint Platform. It enables users to expose external API portals for their organization, thus making their APIs visible to everybody on the web. Administrators can then enforce further access controls through the identity verification process described in the above section on Identity Management via the Anypoint Platform.
Administrators need to track all user actions within enterprise software applications in order to troubleshoot issues, understand user behavior, identify incorrect usage patterns, and detect security breaches or suspicious activity. Anypoint Platform captures key facts about what is happening via logs and provides log analysis in the Audit Log. Administrators can access the history of all timestamped actions performed by users who have interacted with objects within their organization.
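To make the attribute-enhanced RBAC model and the audit trail concrete, here is an added illustration (constructed for this page, not Anypoint Platform's own code or API): roles are built by grouping policies, each policy grants one permission optionally constrained to attribute values such as environment or business group, and every authorization decision is appended to a timestamped audit log. The role, policy and permission names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed model: a policy grants one permission, optionally restricted
# to specific attribute values (None means "any value").
@dataclass(frozen=True)
class Policy:
    permission: str                          # e.g. "api:deploy" (assumed name)
    environment: Optional[str] = None
    business_group: Optional[str] = None
    api_version: Optional[str] = None

    def matches(self, permission: str, attrs: Dict[str, str]) -> bool:
        if permission != self.permission:
            return False
        for name in ("environment", "business_group", "api_version"):
            required = getattr(self, name)
            if required is not None and attrs.get(name) != required:
                return False
        return True

@dataclass
class Role:
    name: str
    policies: Tuple[Policy, ...]   # a role is just a grouping of policies

@dataclass
class Authorizer:
    roles: Dict[str, Role]
    assignments: Dict[str, Set[str]]        # user -> assigned role names
    audit_log: List[dict] = field(default_factory=list)

    def is_allowed(self, user: str, permission: str, attrs: Dict[str, str]) -> bool:
        # Allowed if any policy of any assigned role matches the request.
        allowed = any(p.matches(permission, attrs)
                      for r in self.assignments.get(user, set())
                      for p in self.roles[r].policies)
        # Every decision (grant or deny) is recorded with a UTC timestamp.
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "user": user, "permission": permission,
                               "attributes": dict(attrs), "allowed": allowed})
        return allowed

# Constructed sample: "alice" may deploy only to the sandbox environment of the
# Sales business group, but may view APIs anywhere.
def build_sample() -> Authorizer:
    deployer = Role("sandbox-deployer", (
        Policy("api:deploy", environment="sandbox", business_group="Sales"),
        Policy("api:view"),
    ))
    return Authorizer({deployer.name: deployer}, {"alice": {deployer.name}})
```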
– – –
To address the increasing number and complexity of use cases and needs around IAM, solutions built using the Anypoint Platform have the capability to support the entire IAM workflow:
1. User Identity
2. Client Identity
3. Access Control
Ensure a future-ready IAM framework with MuleSoft Anypoint Platform, which supports industry-wide standards that enable you to meet current, upcoming and evolving business needs.