The integration of One Identity's primary IAM tools, Identity Manager and OneLogin, enables you to reduce risk and remove unnecessary standing access based on utilization intelligence.
Consider most of the applications in your enterprise. To create a robust role-based, policy-driven access model, Identity Manager performs the provisioning needed for all of the applications and system accounts that your employees might need.
Using system roles, Identity Manager can collect many access objects into one governable container. So, for example, this Zoom application on the user's OneLogin dashboard represents more than one thing, as do all applications. Not only does the user need a OneLogin account and the correct entitlement to create this application on their dashboard, but they also need a Zoom account and entitlements on that account as well.
Identity Manager uses system roles to put all of these access items into one container that you can govern as a unit. Here is a "super risky" application, just to make an extreme example. This application includes accounts across several systems as well as a number of permissions and entitlements that are also high-risk. Identity Manager will provision all of these for any user who acquires this application, such as by access request or through a role assignment.
However, from the end user's perspective, this is just one item. And, in fact, if you take the SSO platform by itself, the user logging into the app really is all of the detail and control that is available. So when the user clicks on this tile to log in to the super risky application, the SSO tool by itself doesn't know that in the background there are several accounts with high-risk entitlements or permissions available.
What it does know, however, is exactly when the user has logged into this app. That data is stored in an event log for every user and every app in OneLogin.
With deep integration between OneLogin and Identity Manager, this event data can be used to guide governance decisions and reduce standing risk. Imagine a user has requested this hypothetical super risky application but never uses it. Do they really need it? Without integration between SSO and IGA tools, the best you could do would be to remove the app from their SSO dashboard. But that would leave all of those accounts with high-risk entitlements just sitting there, waiting for an attacker to compromise.
But with Identity Manager and OneLogin working together, this intelligence that the application has not been used can be used to inform the IT or compliance team that there is unnecessary access that may represent a vulnerability.
Here a compliance policy is used to trigger a compliance violation if any user has not used an application in the past 90 days. One user has not used the Zoom application in the past 90 days. The exception approver can approve or deny an exception to this policy. The same policy, applications unused in 90 days, can drive an access review on a timed or ad hoc basis. This access review runs automatically every month and allows the reviewer to certify access. Critically, if the reviewer denies this access, the downstream accounts and entitlements will be revoked in addition to the app itself being removed from the user's OneLogin dashboard.
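The following is an added example, not code from the video or from One Identity's products, showing the shape of the "unused in 90 days" policy described above: it reduces constructed SSO app-login events to a last-login date per user and app, flags every assignment with no app login inside the window (including users who never logged in at all), honors approved exceptions, and expands a flagged app into the SSO tile plus the downstream accounts and entitlements that its system role would revoke. The event field names, the system-role contents and the user names are all assumptions made for the example and are not OneLogin's or Identity Manager's real schema.

```python
"""Unused-application policy over SSO login events (added example, hypothetical data)."""
from datetime import datetime, timedelta, timezone

UNUSED_DAYS = 90

# Constructed SSO events. Field names are an assumption for this example, not
# OneLogin's real event schema. Only "app_login" events count as app usage;
# a plain portal login ("user_login") says nothing about a specific app.
SAMPLE_EVENTS = [
    {"user": "alice", "app": "Zoom", "event": "app_login", "at": "2024-05-30T09:12:00Z"},
    {"user": "alice", "app": "Super Risky App", "event": "app_login", "at": "2024-01-15T14:03:00Z"},
    {"user": "bob", "app": "Zoom", "event": "app_login", "at": "2024-02-20T08:00:00Z"},
    {"user": "bob", "app": None, "event": "user_login", "at": "2024-05-29T10:00:00Z"},
]

# Constructed system roles: the SSO tile plus the downstream accounts and
# entitlements that are provisioned with it (hypothetical target systems).
SYSTEM_ROLES = {
    "Super Risky App": {
        "sso_tile": "Super Risky App",
        "downstream": [
            ("Active Directory", "superrisky-admins"),
            ("Oracle DB", "DBA_ROLE"),
            ("AWS", "AdministratorAccess"),
        ],
    },
    "Zoom": {"sso_tile": "Zoom", "downstream": [("Zoom", "licensed-user")]},
}

# Constructed current assignments: which apps each user holds today.
ASSIGNMENTS = {
    "alice": ["Zoom", "Super Risky App"],
    "bob": ["Zoom", "Super Risky App"],
    "carol": ["Super Risky App"],  # assigned, never logged in anywhere
}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" so the example is deterministic


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_app_logins(events):
    """Return {(user, app): latest app_login timestamp} from raw events."""
    last = {}
    for event in events:
        if event["event"] != "app_login" or event["app"] is None:
            continue
        key = (event["user"], event["app"])
        ts = parse_ts(event["at"])
        if key not in last or ts > last[key]:
            last[key] = ts
    return last


def find_unused(assignments, events, now=NOW, unused_days=UNUSED_DAYS, exceptions=frozenset()):
    """Policy check: every (user, app) assignment with no app login since the cutoff.

    An assignment with no login event at all is a violation too; that is the case
    the SSO dashboard alone would never surface. Approved exceptions are skipped.
    """
    cutoff = now - timedelta(days=unused_days)
    last = last_app_logins(events)
    violations = []
    for user, apps in assignments.items():
        for app in apps:
            if (user, app) in exceptions:
                continue
            last_login = last.get((user, app))
            if last_login is None or last_login < cutoff:
                violations.append({"user": user, "app": app, "last_login": last_login})
    return violations


def revocation_plan(app, system_roles=SYSTEM_ROLES):
    """Everything a denied review must remove: the SSO tile and the downstream access."""
    role = system_roles[app]
    return [("SSO", role["sso_tile"])] + list(role["downstream"])


if __name__ == "__main__":
    for v in find_unused(ASSIGNMENTS, SAMPLE_EVENTS):
        print(f"{v['user']} has not used {v['app']} since {v['last_login']}")
        for system, entitlement in revocation_plan(v["app"]):
            print(f"  revoke {system}: {entitlement}")
```

The point of `revocation_plan` is the one the narration makes: removing the tile alone leaves every downstream account in place, so the review outcome has to be applied to the whole system role, not just the SSO entry.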
By revoking the target system access, this persistent exposure is removed, which reduces your organization's risk profile. It is not enough to govern the app on the SSO launchpad alone. The risky part is the system account and the privileges or entitlements associated with it. Only through deep integration between SSO and IGA tools, like we have at One Identity, can you be sure that the risky access is removed in response to behavior intelligence.