On April 24, 2024 FuseLogic organized an informative event on Identity Governance at the speed of business. Location: the offices of our partner AWS in Amsterdam. The location was well chosen, since we had recently activated this partnership and could announce that the first Okta/FuseLogic transaction for one of our clients had been processed through the AWS Marketplace.
The advantages of Okta in the AWS marketplace
After welcoming our visitors, FuseLogic’s managing director Leon Oud explained the advantages our partnership with AWS brings to our customers. Besides the fast and easy acquisition process through the AWS Marketplace, companies benefit from very competitive pricing and, on top of that, earn credits that can be used for other AWS services.
The speed of business
Next, Leon talked about how we turned our 17 years’ experience into a proven methodology that helps businesses accelerate identity management and identity governance by leveraging their existing data.
As an example he mentioned a nationwide chain of 300 DIY shops run by around 40 franchisees, with the result that their thousands of employees are managed in 40 different HR systems. Initially, the agreed project scope was to connect each and every HR system to Okta, with an estimated overall lead time of a year. When we dug a bit deeper into the IT systems of the DIY chain we found a central planning system that was used for all employees at all stores. Using this system as the ‘source of truth’ instead of the 40 HR systems shortened the project from a year to no more than one month. The result of our pragmatic approach: a significantly shorter time to value and a truly happy customer. After this initial quick go-live, all HR systems were connected over time without any disruption.
Leon highlighted another good example of our ‘speed of business’ approach at one of the leading fashion houses in the Netherlands. Their US-based headquarters needed extensive reports on ‘who’ was entitled to ‘which’ applications in order to review and certify correct usage. Where an Identity Governance project like this typically takes a year or longer, we achieved this within 4 weeks thanks to the combination of FuseLogic’s expertise and Okta’s products.
What is Identity Governance and Administration?
Roland Kokx is one of our consultants, with over 13 years’ experience in Identity Management, of which 10+ at FuseLogic. In his presentation he explained how he has witnessed the role of IAM shift over the years from ‘access of employees to apps’ to ‘being in control’. He explained that Identity Governance is about controlling people’s access to apps, data and cloud services. That always comes with a modelling exercise: businesses have to develop some frame of reference against which they can judge whether particular access is right or wrong. It also requires the ability to report on all granted access. As Roland said: ‘there’s not much value in being compliant if you can’t prove it’. And the central question for the customer is always: how do I do this?
Which approach?
After this introduction, he talked about the different ways organizations can approach Identity Governance. The classical top-down modelling approach often becomes very complex, slowing down both the implementation and the ongoing management of IGA. Roland: ‘It’s easy to be in control and, by doing so, slow down your business. But being able to follow the speed of business is a key success factor for a successful IGA implementation.’ Role Based Access Control (RBAC) can work well, but only if the HR application and the apps in use are prepared to support it with the right data sets and technology. This may sound easy enough, but more often than not RBAC proves to be a poor fit for an organization.
Reasons for Access
Because of the limitations of the classical models, FuseLogic has developed its own ‘reasons for access’ approach, which is integrated, data driven and automated. It is fully integrated because we link the process of modelling access directly to the Okta toolbox, which drives speed and flexibility. It is purely data driven: we don’t try to answer abstract questions about ‘who should have access’. We use existing data in existing applications, aggregate that data and use it for statements on ‘right and wrong’. Importantly, we use the data ‘as is’ instead of trying to improve it upfront, which delivers tangible results quickly. We automate this process as much as possible, where the level of automation depends on the quality of the data.
Full automation of all access rights is practically impossible, but the data always shows some relationship between a user and that user’s application access rights. We use that to streamline the request and approval process. The objective is always to limit the number of requestable items based on data, which improves speed, efficiency and user experience. For example, we make access rights requestable only for the specific users the data supports, and don’t show users what they are not entitled to. That is a frequent quick win when we implement reasons for access.
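To make the data-driven idea concrete, here is an added illustration. It is not FuseLogic’s or Okta’s code and does not describe the internals of their method; it only shows the general technique the paragraphs above describe. From constructed HR attributes and a constructed export of current entitlements it computes, per department, how common each entitlement is, and turns that into a policy per group/app pair: near-universal entitlements are assigned automatically, minority ones become requestable with approval, and the rest are not offered at all. Users who already hold a ‘hidden’ entitlement are the shortlist for review, and users whose source data lacks the attribute fall back to the general catalogue of everything requestable. The thresholds, the ‘department’ attribute and all user and application names are assumptions.

```python
from collections import defaultdict

# Constructed sample data (not real customer data): HR-style attributes per
# user, and current application entitlements as exported from the apps.
USERS = {
    "u01": {"department": "Sales"},
    "u02": {"department": "Sales"},
    "u03": {"department": "Sales"},
    "u04": {"department": "Sales"},
    "u05": {"department": "IT"},
    "u06": {"department": "IT"},
    "u07": {"department": "IT"},
    "u08": {"department": "IT"},
    "u09": {},  # department missing in the source data
}
ENTITLEMENTS = {
    "u01": {"salesforce", "hubspot"},
    "u02": {"salesforce", "hubspot", "topdesk"},
    "u03": {"salesforce", "hubspot"},
    "u04": {"salesforce"},
    "u05": {"topdesk", "okta-admin"},
    "u06": {"topdesk"},
    "u07": {"topdesk", "okta-admin"},
    "u08": {"topdesk", "salesforce"},
    "u09": {"topdesk"},
}

# Assumed thresholds; a real rollout would tune these per application.
AUTO_THRESHOLD = 0.9     # nearly everyone in the group has it: assign automatically
REQUEST_THRESHOLD = 0.3  # a meaningful minority has it: requestable, with approval
                         # below that: not offered; existing holders are reviewed


def coverage_by_attribute(users, entitlements, attribute):
    """For every value of `attribute`, the fraction of its users holding each app.

    The data is used 'as is': users without the attribute contribute no evidence.
    """
    group_size = defaultdict(int)
    holders = defaultdict(lambda: defaultdict(int))
    for uid, attrs in users.items():
        value = attrs.get(attribute)
        if value is None:
            continue
        group_size[value] += 1
        for app in entitlements.get(uid, set()):
            holders[value][app] += 1
    return {
        value: {app: count / group_size[value] for app, count in apps.items()}
        for value, apps in holders.items()
    }


def classify(fraction, auto=AUTO_THRESHOLD, request=REQUEST_THRESHOLD):
    """Turn a coverage fraction into the access policy for a group/app pair."""
    if fraction >= auto:
        return "auto"
    if fraction >= request:
        return "request"
    return "hidden"


def access_plan(users, entitlements, attribute, uid):
    """What the data supports for one user: gaps to auto-assign, items to show
    in that user's request catalogue, and held entitlements that need review."""
    held = entitlements.get(uid, set())
    value = users[uid].get(attribute)
    all_apps = set().union(*entitlements.values())
    if value is None:
        # No evidence for this user: fall back to the general catalogue,
        # everything not yet held is requestable (with approval).
        return {"auto_assign": set(), "requestable": all_apps - held, "review": set()}
    group = coverage_by_attribute(users, entitlements, attribute).get(value, {})
    policies = {app: classify(f) for app, f in group.items()}
    return {
        "auto_assign": {a for a, p in policies.items() if p == "auto"} - held,
        "requestable": {a for a, p in policies.items() if p == "request"} - held,
        "review": {a for a in held if policies.get(a, "hidden") == "hidden"},
    }


def outliers(users, entitlements, attribute):
    """(user, app) pairs where the user holds something almost nobody in the
    same group holds: the shortlist for an access certification campaign."""
    coverage = coverage_by_attribute(users, entitlements, attribute)
    found = []
    for uid, attrs in users.items():
        value = attrs.get(attribute)
        if value is None:
            continue
        for app in entitlements.get(uid, set()):
            if classify(coverage.get(value, {}).get(app, 0.0)) == "hidden":
                found.append((uid, app))
    return sorted(found)


if __name__ == "__main__":
    for uid in ("u04", "u02", "u09"):
        print(uid, access_plan(USERS, ENTITLEMENTS, "department", uid))
    print("review candidates:", outliers(USERS, ENTITLEMENTS, "department"))
```

With this constructed data, a Sales user who lacks HubSpot sees only HubSpot in the catalogue, the one Sales user holding TOPdesk lands on the review list rather than being blocked, and the user without a department gets the full fallback catalogue; this is how the level of automation follows the quality of the data rather than being decided upfront.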
Identity Governance and Administration in practice
Joost Koiter, Okta practice lead at FuseLogic, showed in a demo how this all works in practice. He showed how easy it is to configure approval flows, depending on the specific needs of the organization. Access requests can be approved or rejected via email, or directly in Slack or Teams. Every step and action is captured and stored in order to prove that you are ‘in control’.
Next, Joost showed how to improve the configuration in Okta step by step in order to refine a company’s application access policies. The examples he gave were an IT manager changing the access policy for TOPdesk, and a sales manager changing who is allowed access to Salesforce CRM. Application owners can also specify how access to their applications must be granted: automatically, or via a request, with or without approval. He also showed how to introduce so-called ‘business roles’, where a person with a certain role (e.g. Sales) gets access to a combination of Salesforce and HubSpot.
Finally, Joost showed how the access certification process works, in order to get proof that you are in control. Access certification campaigns are an integrated function of Okta IGA that allows application owners to build and run certification campaigns at the application level. All data is captured and stored centrally for easy access in case of audits, with improved efficiency and data quality because manual work and Excel sheets are no longer needed.
Joost concluded the session with some final advice: start with existing data, even if its quality is relatively poor. When you start with a general catalogue of everything requestable, application owners will soon see the value of adding data to streamline that process. It’s a very pragmatic start to drive value. And it is continuous improvement, where the organization itself decides where additional value can be added by further utilizing any source data.