
3 Requirements to Automate Cloud Provisioning

Cloud Provisioning: 3 Requirements to Automate Cloud Application Provisioning & User Account Management


Provisioning & User Account Management

Organizations are bringing more and more cloud applications into service, requiring them to onboard their users to tens if not hundreds of SaaS providers. Provisioning and managing these user accounts manually across all domains is a labor-intensive task prone to errors, and in many cases unmanageable. This is further exacerbated by the sophistication of today’s enterprise cloud applications, straining IT administrators who don’t have the time to become experts on every cloud application. Adding, changing, or removing users via each cloud app’s administrative console is not only time consuming, but impractical. Resolving who has access to what applications, and who is authorized for different entitlements within any particular application, is a complex process to manage and govern. Automating these cloud provisioning activities across all user accounts requires the following:

Federate User Identity

Aggregate user identity and authentication data to streamline access processes

Digital business has become more distributed, sharing cloud infrastructures and applications through numerous multi-tenant service providers. And with the growing number of applications available, the task of managing identity and access controls across these points of service becomes more complex because each cloud application has its own unique user identity store and associated data structures.

For organizations to successfully manage their user accounts across all these applications, they need to begin by federating numerous user directories and cloud app user stores, and reconciling them against a chosen directory of record or single source of truth. A cloud identity-as-a-service (IDaaS) provider is tasked with federating identity and access policies, and applying rules to resolve conflicts between them. From this, the organization gains complete visibility into its users, roles, applications, and behaviors.

Historically, IT has used Active Directory (AD) as its repository for employee-related data and policies; however, many organizations are also adopting cloud-based HR systems such as Workday. Sharing or replicating information across these disparate systems, each with unique data structures and user roles, requires attribute mapping and real-time synchronization.

OneLogin serves as an independent user identity store incorporating a powerful mapping engine that accommodates the complexities of each separate cloud application schema, and serves as a gateway or point of federation between the single on-premises directory and the hundreds of unique cloud applications placed into service on behalf of the organization’s users.

Support Open Standards

Remove complexities and costs associated with proprietary APIs

In the absence of standards, proprietary APIs have served as a means to extend identity and access management (IAM) services to individual cloud apps. However, this has forced IAM teams to track dependencies between connectors and application versions to ensure that connectivity to their cloud applications is not broken. The lack of standardized access and provisioning APIs means vendors and customers alike incur unnecessary cost and project risk.

Open standards promote greater vendor interoperability and drive industry innovation. By removing the cost of implementing proprietary integrations, customers benefit from the savings associated with vendors’ ability to code once to a standard, and the reduced project risk resulting from accelerated deployment cycles.

SAML (Security Assertion Markup Language) provides a federated identity standard that applies secure tokens to authenticate users without repeatedly prompting for each application password, thus enabling secure SSO and thwarting brute-force attacks on per-application passwords. SCIM (System for Cross-domain Identity Management) offers a standardized API for user management, including account provisioning.
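The attribute mapping and SCIM provisioning described above, as an added example that is not OneLogin's code: a hypothetical attribute map turns a directory-of-record record into a SCIM 2.0 User, and a reconciliation pass plans which accounts to create, update, or deactivate (the revocation path for disabled or orphaned users). The source attribute names, sample users, and app user list are all constructed for the example.

```python
# Added example (not OneLogin's code): SCIM 2.0 provisioning helpers that map a
# directory-of-record user to a SCIM User and reconcile a cloud app against it.
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# Hypothetical attribute map, AD-style source attributes -> SCIM core attributes
ATTRIBUTE_MAP = {"sAMAccountName": "userName", "givenName": "name.givenName",
                 "sn": "name.familyName", "mail": "emails", "title": "title"}
def to_scim_user(record):
    """Build a SCIM User resource from one source-of-truth record."""
    user = {"schemas": [SCIM_USER], "active": bool(record.get("enabled", True))}
    for src, dst in ATTRIBUTE_MAP.items():
        if src not in record:
            continue
        if dst == "emails":  # multi-valued attribute in SCIM
            user["emails"] = [{"value": record[src], "primary": True}]
        elif "." in dst:     # complex attribute such as name.givenName
            parent, child = dst.split(".", 1)
            user.setdefault(parent, {})[child] = record[src]
        else:
            user[dst] = record[src]
    return user

def deactivate_patch():
    """PatchOp that revokes access while retaining the account and its data."""
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}

def reconcile(source, app_users):
    """Plan the creates, updates and revocations that make the app match the source."""
    desired = {u["userName"]: u for u in map(to_scim_user, source)}
    existing = {u["userName"]: u for u in app_users}
    plan = {"create": [], "update": [], "deactivate": []}
    for name, want in desired.items():
        have = existing.get(name)
        if have is None and want["active"]:
            plan["create"].append(name)
        elif have is not None and not want["active"] and have.get("active", True):
            plan["deactivate"].append(name)  # disabled at the source: revoke access
        elif have is not None and want["active"] and {k: have.get(k) for k in want} != want:
            plan["update"].append(name)  # attribute drift, e.g. a changed title
    for name, have in existing.items():
        if name not in desired and have.get("active", True):
            plan["deactivate"].append(name)  # orphan unknown to the source of truth
    return plan
# Constructed sample data: a directory-of-record export and the app's current SCIM users
SOURCE = [{"sAMAccountName": "asmith", "givenName": "Ann", "sn": "Smith",
           "mail": "asmith@example.com", "title": "Engineer", "enabled": True},
          {"sAMAccountName": "bjones", "givenName": "Bob", "sn": "Jones",
           "mail": "bjones@example.com", "title": "Analyst", "enabled": False}]
APP_USERS = [{"id": "7", "userName": "bjones", "active": True},
             {"id": "9", "userName": "cdoe", "active": True}]
```

Running `reconcile(SOURCE, APP_USERS)` yields a create for asmith and deactivations for bjones (disabled at the source) and cdoe (present in the app but unknown to the directory of record); `deactivate_patch()` is the body an IDaaS connector would PATCH to each deactivated user.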

OneLogin has a history of industry innovation and support for open standards, being the first to offer real-time synchronization to Active Directory and free SAML toolkits in 2011, as well as SCIM support in 2013.

Centralize Account Management

Provide a single point for managing user accounts across hundreds of cloud apps

Centralized management provides the organization a single console from which to manage user accounts and application policies, as well as report on users and application access. As a service that bridges on-premises directories like AD and every cloud application, IDaaS providers streamline IT workflows by automating user account provisioning to these targeted cloud applications and generating actionable reports. These reports can leverage the aggregated data collected, including information about applications accessed, failed login attempts, and so on, which can drive business optimizations and security analytics. From an IT governance perspective, IT can now provide answers to questions like “who has access to what?” and “who has accessed what?”

With centralized management and automation come additional security benefits, including the ability to establish specific roles and policies that define user entitlements to certain areas and functions within a cloud app. This process restricts sensitive data to only those users permitted to access these services. Other provisioning capabilities include the ability to push changes to a user’s role or status, which immediately revise or revoke their access privileges.

OneLogin centralizes user account management, and provides the ability to automate application provisioning based on user role, authorize application entitlements based on user or application policies, and revoke user access when necessary from a single OneLogin console.

The case could be made that cloud services are only as good as the provisioning practices supporting them. If IT has no centralized way to grant and revoke employee access to hundreds of cloud applications, managing users can be labor-intensive and introduce added risk. OneLogin supports the ability to create, manage, and govern access to a growing number of cloud applications, as well as retain, suspend, or delete user data based on policy. By automating user onboarding and offboarding processes, organizations can streamline access control based on role, department, location, title, and other attributes, reduce IT involvement while improving security, and accelerate time to productivity.