Enterprise Sandbox: Test to Prevent IAM Rabbit Holes

January 11th, 2021 | product & technology

Let’s imagine for a moment that it’s Friday afternoon, and you need to make a small change to a user’s access. “Maybe I can just make this small change,” you think to yourself. Even though your company has a strict no-deployment rule on Fridays, you think, “This is the IAM system, it’s different from code. This won’t affect anyone and the user will stop bugging me about it. It will be fine!”

Next thing you know, you’re working through the weekend because a stray mapping triggered changes to three other departments.

Unfortunately, this scenario happens all too often, especially in complex organizations with many automations, rules and mappings set up. The things that usually reduce your workload can be weaponized against you when the effects of your changes aren’t tested against real data. Testing out changes to your Identity and Access Management (IAM) solution can save that headache, time and money.

Many times, simply asking the question, “How do you test?” is enough to make one realize the inherent risk in deploying untested changes to the IAM system. Over the last year of developing the Enterprise Sandbox, we’ve learned that the vast majority of companies are making changes without testing!

Often the conversation goes like this:

Us: “How do you test?”

Customer: “We currently don’t test before deploying… can I set up a free test account to do the testing?”

Us: “Absolutely, we have a free developer account you can start up for testing purposes, but it’s limited to a small number of features and apps, and you won’t really get a true test, especially if you have extra features, mappings or automations enabled.”

Customer: “Oh…. then how do you make a copied test environment?”

How the Enterprise Sandbox Works

If you want a testing environment that is the closest to production that you can get, then what you want is the Enterprise Sandbox. But how close is it, exactly, and why is it not exact? This leads to another frequently asked question: how does the Enterprise Sandbox actually work?

The Enterprise Sandbox is a script that runs on your production environment piece by piece and copies it over to a brand new environment, disconnecting anything that poses a security risk along the way. First, it copies over your subscription and each of the unique features that you have enabled (like SmartFactor, for example). Then, it copies all policies, roles, connectors, etc., keeping all of the data intact, but without copying certificates or Active Directory connections (things that would potentially affect your production environment if there were a duplicate). When it gets to users, it copies all of their attributes, settings and mappings, but WITHOUT copying over their MFA device information, for security.

In a nutshell, it copies data, without compromising security.

When you add the Enterprise Sandbox into your plan, a new area of the admin console unlocks. From the UI, you can initiate a new clone with the click of a button, which will give you a fresh copy of the data from production every time. You can also see the history of past clones, and directly access the sandbox to add your development team as active sandbox users, and start testing as a team.

After you’ve tested your changes in the Enterprise Sandbox and confirmed everything is working as it should be, you can confidently deploy those same changes to production. If you want to be really advanced, you could use our API to create the set of changes in your sandbox, confirm, then apply that exact set of changes to production.

Learn more about the Enterprise Sandbox

The Enterprise Sandbox has been a lifesaver for many of our customers - some have even said they have surpassed their boss’s expectations by implementing a continuous testing model. How will you increase your quality, security and user experience this year? Ask your account manager what the Enterprise Sandbox can do for you.

OneLogin blog author
About the Author

Kayla is a product manager at OneLogin with a passion for balancing user experience and strong security practices. With 10+ years of experience in Silicon Valley, ranging from small startups to corporate giants like Walmart.com, Kayla loves to champion data, customer feedback, and advocacy.

View all posts by Kayla Gesek
