It's fair to say that the identity and access management (IAM) market is mature. Most large organizations now have an IAM environment that manages onboarding and offboarding of staff, provides an authentication facility to control access to protected resources, and supports a level of governance over the use and management of identity data.
But with the increasing complexity of IT environments and the burgeoning adoption of APIs, standard IAM suite solutions have sometimes been found wanting. What was once a simple “is the requesting user in the appropriate AD group?” is now “is the user a staff member, is he an approved developer, has he passed the Python proficiency test, and is 2FA required?”
The maturing market is also widening; IAM is increasingly recognized as being essential to cyber-security and organizational efficiency. Companies increasingly want to exploit the benefits that a properly deployed IAM environment can afford. They want the efficiency of an approval workflow engine that delivers better security and lower costs, they want the access control of an authorization service based on real-time identity attributes and context variables, and they want the governance that can be achieved via a proficient identity management solution.
What they don’t want is a rigid product offering that either provides much more functionality than they really need, or a solution that doesn’t fit their current operation and requires them to change their business processes. And they don’t want an IAM solution that’s too expensive.
The key requirement these days is agility. Customers might need a basic identity manager solution to onboard staff, initially without an approval workflow, but they need to be able to add one in the future. For authentication their initial requirement might be coarse-grained access control, with a future aspiration for role-based, or even attribute-based, access control. Governance may not be specified as an initial requirement, but support for a reporting and audit function is highly desirable.
Tremolo Security have an ideal product offering for this diverse and changing marketplace. It has the ability to satisfy a single and complex requirement, or to provide all the major functionality of a complete IAM solution.
2 Product Description
Building on the extensive experience of its founders, Tremolo Security have taken a different approach to identity and access management. They are not constrained by cookie cutter definitions of identity management, nor are they restricted to the traditional solutions that we have come to accept as “standard”; they provide functionality that can be shaped into a solution to fit a diverse range of requirements. And it’s attractively priced.
OpenUnison is a flexible IAM product suite that can support a single IAM function or provide a complete IAM solution. It can be interfaced to an organization’s existing identity stores to provide a virtual directory service, it can provide onboarding services with approval workflow, it can authenticate users to relying applications, and it can report on IAM workload. It can be deployed as a discrete solution or integrated into an existing IAM environment to satisfy a specific component of the IAM task.
OpenUnison is provided under an open-source license but clients can engage with Tremolo for management and support services.
The OpenUnison product provides both identity management and authentication services, but it is not an identity manager in the common understanding of the term. It maintains no identity repository; it relies on a client’s existing directory or database infrastructure. If an organization has an AD deployment, OpenUnison will connect to it as a source or sink of identity data. Identity queries and access control requests are therefore actioned on real-time data.
As an authentication service OpenUnison supports a wide range of interface protocols, from LDAP lookups to SAML assertions. A single OpenUnison instance can support single sign-on to its relying applications. Adding an OpenUnison solution to an existing IAM environment can simplify a business process by providing access to identity data.
OpenUnison provides four main IAM components:
- Identity Manager
- Reverse Proxy
- Virtual Directory
- Audit Logs
This can be graphically depicted as follows:
These equate to four main IAM functions:
Provisioning: Typically a new user accesses the on-line service request page and requests access to the applications required to perform their job. The new hire’s manager is asked to authorize the granting of the requested entitlements. OpenUnison writes the appropriate entries to the corporate directory or database, or directly to an application identity repository (Application B in the diagram above).
Authentication: When a user requests access to an application, a redirect to the authentication proxy service generates a look-up on the directory service to retrieve the requisite data from the appropriate identity repositories. A response to the relying application provides the appropriate access token and/or the requisite data. For legacy applications that maintain their own data repository, the access token is typically returned in an HTTP header.
Identity query: OpenUnison normalizes identity data access via a service that exposes a single protocol, such as LDAP, for identity reads and writes, but connects natively to each connected data source. This means that the Identity Manager and the Authorization Service only need to maintain a single protocol service.
Governance: OpenUnison provides a full logging facility that can be accessed by a log aggregation service, or dashboard application, to report on and depict provisioning load and authentication events at any point in time.
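The authentication model above hands a legacy application its caller's identity in an HTTP header. The risk a practitioner should check for is an application that trusts that header from any source, so that a client reaching it directly (bypassing the proxy) can choose its own identity. The following added example, which is not OpenUnison code and assumes its own header names and a shared-secret HMAC scheme, shows the naive pattern beside a hardened one that only accepts a header the proxy has signed and that is not stale:

```python
import hmac
import hashlib

# Constructed example: a legacy application receiving the authenticated user
# in an HTTP header from an identity-aware reverse proxy. Header names, the
# shared secret and the HMAC scheme are assumptions for this example, not
# OpenUnison's actual configuration.
PROXY_SECRET = b"constructed-shared-secret-rotate-me"
MAX_SKEW_SECONDS = 300  # reject headers older (or newer) than five minutes


def sign_identity(user: str, issued_at: int, secret: bytes = PROXY_SECRET) -> str:
    """Signature the proxy attaches: HMAC-SHA256 over user name and timestamp."""
    msg = f"{user}|{issued_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def naive_user_from_headers(headers: dict):
    """The unsafe pattern: trusting the identity header unconditionally."""
    return headers.get("X-Remote-User")


def user_from_headers(headers: dict, now: int, secret: bytes = PROXY_SECRET):
    """Return the user name only if the identity header was produced by the proxy.

    Returns None if the header is missing, unsigned, stale or altered, so a
    client that reaches the application directly cannot spoof X-Remote-User.
    """
    user = headers.get("X-Remote-User")
    issued = headers.get("X-Remote-User-Issued")
    sig = headers.get("X-Remote-User-Signature")
    if not (user and issued and sig):
        return None
    try:
        issued_at = int(issued)
    except ValueError:
        return None
    if abs(now - issued_at) > MAX_SKEW_SECONDS:
        return None  # replayed or clock-skewed header
    expected = sign_identity(user, issued_at, secret)
    if not hmac.compare_digest(expected, sig):
        return None  # forged or tampered header
    return user
```

Network-level restriction (only the proxy can reach the application) is the usual companion control; the signature check above defends the case where that restriction fails or is misconfigured.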
A variety of deployment models are supported. For cloud deployments a Kubernetes installation is typical. For an on-premise or hybrid cloud deployment VM packages are often used. In many cases multiple deployments will exist, each fulfilling a specific physical or logical requirement. One instance might provide approval workflow for provisioning to an on-premise identity data store, another deployment might provide access control to relying applications in the cloud. If multiple OpenUnison instances are deployed, each providing authentication to their connected applications, a session management facility will be required to support SSO across instances.
The features OpenUnison provides include:
- A customized access screen for each user can be deployed displaying the applications to which they have been granted access.
- A self-service function is provided allowing users to request access to applications they need for their job. Each access request will be forwarded to the appropriate approver.
- Integration with existing identity data repositories is facilitated via the virtual directory service facility that supports popular protocols such as LDAP and JDBC.
- A password reset feature is provided that supports multiple validation mechanisms such as challenge-response questions.
- API management and security is facilitated with extensive authentication token support.
OpenUnison is offered under two licensing models:
- OpenUnison open source
Fully open source software. This allows organizations to establish an OpenUnison instance on a trial or pilot basis in order to test the product’s capabilities and to understand the level of competence required to effectively exploit it.
There is no direct cost for this option.
- OpenUnison with support
Open source code but with support services. Under this option Tremolo Security support is available to assist in the deployment of the product and integrating OpenUnison into the organization’s IAM environment.
The license cost for this option is based on the number of users.
To best exploit the capabilities of OpenUnison a DevOps competence is valuable. The product documentation provides step-by-step instructions for the installation and configuration of the product, but a technical understanding of the environment and a proficiency in scripting is beneficial. Building familiarity with the OpenUnison product and deploying trial instances to test the product’s capability is facilitated by the open-source availability of the software.
Tremolo have coined the phrase “just in time” to define their approach to IAM. The solution does not rely on data updates or batch processes. In fact the code is modularized and stateless and relies on message queues for communication. It is comprised of atomic components that perform their functions when invoked. This means that an OpenUnison deployment is highly scalable. Each deployed function performs a single task, maintains no state information and communicates via asynchronous message queues. OpenUnison can therefore be deployed to meet the modest performance requirements typical of a workforce identity management environment, or it can be scaled up to meet the more demanding performance requirements of a consumer identity and access management (CIAM) environment.
An OpenUnison deployment will challenge a traditional approach to IDM. For instance, is a feed from the HR system with information on new hires really required? Why not let each new hire request the system access they need for their jobs and rely on the approval workflow to collect the required approvals for access entitlements?
For deprovisioning: why require a manager to wade through attestation reports to re-certify staff access? Why not rely on an automated “inactive account” procedure to disable accounts after an appropriate period of time?
OpenUnison invites customers to configure their IAM infrastructure to suit their unique requirements; it is highly scalable and able to accommodate multiple deployment patterns.
3 Strengths and Challenges
The OpenUnison IAM solution is built on the company founder’s long experience working in the identity and access management sector. It recognizes that every organization is unique, that it is unrealistic to assume any one solution will fit all requirements, and that requiring a customer to modify their operations to suit a particular IAM solution is often difficult and sometimes impossible.
OpenUnison is a modular and flexible offering that imposes no architectural constraints. Tools within the product each perform a specific function, servicing other components in the IT environment, e.g. writing identity attributes to the enterprise directory or retrieving a record from a database to respond to an LDAP request.
To properly leverage an OpenUnison implementation a DevOps capability is required. To “go it alone” (option 1 above), developers will be needed to build the functionality that integrates the software into the corporate infrastructure. Under the OpenUnison with support option, DevOps staff will still be required to integrate the solution into the corporate infrastructure.