KuppingerCole Report
Executive View
By Graham Williamson

Tremolo Security - A Different Approach

It’s time to consider a different way to manage and use identity information. We tend to deploy identity management suites and change our processes to suit. But this can constrain us and restrict our agility in deploying identity management services. Tremolo Security breaks the mold and asks us to focus on the task to be performed, and then to deploy an optimal solution.
By Graham Williamson
gw@kuppingercole.com

List of Figures

  1. Figure 1 OpenUnison Environment

1 Introduction

It's fair to say that the identity and access management (IAM) market is mature. Most large organizations now have an IAM environment that manages onboarding and offboarding of staff, provides an authentication facility to control access to protected resources, and supports a level of governance over the use and management of identity data.

But with the increasing complexity of IT environments and the burgeoning adoption of APIs, standard IAM suite solutions have sometimes been found wanting. What was once a simple “is the requesting user in the appropriate AD group?” is now “is the user a staff member, are they an approved developer, have they passed the Python proficiency test, and is 2FA required?”

The maturing market is also widening: IAM is increasingly recognized as essential to cyber-security and organizational efficiency. Companies increasingly want to exploit the benefits that a properly deployed IAM environment can afford. They want the efficiency of an approval workflow engine that delivers better security and lower costs, they want the access control of an authorization service based on real-time identity attributes and context variables, and they want the governance that a proficient identity management solution can achieve.

What they don’t want is a rigid product offering that either provides much more functionality than they really need, or doesn’t fit their current operation and requires them to change their business processes. And they don’t want an IAM solution that’s too expensive.

The key requirement these days is agility. Customers might need a basic identity manager to onboard staff without an approval workflow initially, but they need to be able to add one in the future. For authentication their initial requirement might be coarse-grained access control, with a future aspiration for role-based or even attribute-based access control. Governance may not be specified as an initial requirement, but support for a reporting and audit function is highly desirable.

Tremolo Security have an ideal product offering for this diverse and changing marketplace. It can satisfy a single, complex requirement, or provide all the major functionality of a complete IAM solution.

2 Product Description

Building on the extensive experience of its founders, Tremolo Security have taken a different approach to identity and access management. They are not constrained by cookie cutter definitions of identity management, nor are they restricted to the traditional solutions that we have come to accept as “standard”; they provide functionality that can be shaped into a solution to fit a diverse range of requirements. And it’s attractively priced.

OpenUnison is a flexible IAM product suite that can support a single IAM function or provide a complete IAM solution. It can be interfaced to an organization’s existing identity stores to provide a virtual directory service, it can provide onboarding services with approval workflow, it can authenticate users to relying applications and it can report on IAM workload. It can be deployed as a discrete solution or it can be integrated into an existing IAM environment to satisfy a specific component of the IAM task.

OpenUnison is provided under an open-source license but clients can engage with Tremolo for management and support services.

The OpenUnison product provides both identity management and authentication services, but it is not an identity manager in the common understanding of the term. It maintains no identity repository of its own; it relies on the client’s existing directory or database infrastructure. If an organization has an AD deployment, OpenUnison connects to it as a source or sink of identity data. Identity queries and access control requests are therefore actioned on real-time data.

As an authentication service OpenUnison supports a wide range of interface protocols, from LDAP lookups to SAML assertions. A single OpenUnison instance can provide single sign-on to its relying applications. Adding OpenUnison to an existing IAM environment can simplify a business process by providing access to identity data.

Functional Components

OpenUnison provides four main IAM components:

  • Identity Manager
  • Reverse Proxy
  • Virtual Directory
  • Audit Logs

This can be graphically depicted as follows:

Figure 1: OpenUnison Environment

These equate to four main IAM functions:

  • Provisioning: Typically a new user accesses the on-line service request page and requests access to the applications required for them to perform their job. The new hire’s manager is asked to authorize the granting of the requested entitlements. OpenUnison writes the appropriate entries to the corporate directory or database, or directly to an application identity repository (Application B in the diagram above).

  • Authentication: When a user requests access to an application, the request is redirected to the authentication proxy service, which looks up the requisite data via the directory service from the appropriate identity repositories. The response to the relying application provides the appropriate access token and/or the requisite data. For legacy applications that maintain their own data repository the access token is typically returned in an HTTP header.

  • Identity query: OpenUnison normalizes identity data access via a service that exposes a single protocol, such as LDAP, for identity reads and writes but connects natively to each connected data source. This means that the Identity Manager and the Authorization Service only need to maintain a single protocol service.

  • Governance: OpenUnison provides a full logging facility that can be accessed by a log aggregation service or dashboard application to report on and depict provisioning load and authentication events at any point in time.
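The HTTP-header hand-off described under Authentication is the point a reviewer will probe first: if a legacy application trusts a header, anything that can reach the application with that header set can impersonate a user. The following added example (illustrative Python, not OpenUnison code; the header names, shared secret and session store are assumptions constructed for the example) shows the two checks that make the pattern safe: the proxy strips any client-supplied copy of the identity header before forwarding, and the backend verifies an HMAC and a freshness window before trusting the value.

```python
import base64
import hashlib
import hmac
import json

# Assumed names and secret, constructed for this example. In a real deployment
# the secret comes from a secret store and the proxy-to-backend link is also
# restricted by network policy or mTLS so only the proxy can reach the app.
IDENTITY_HEADER = "X-Remote-User"
SIGNATURE_HEADER = "X-Remote-User-Sig"
PROXY_SECRET = b"constructed-demo-secret-do-not-reuse"
MAX_AGE_SECONDS = 60

# Constructed session store: session cookie value -> session record.
SESSIONS = {
    "c0ffee": {"expires": 2_000_000_000, "identity": {"uid": "jdoe", "groups": ["developers"]}},
    "stale":  {"expires": 1,             "identity": {"uid": "old",  "groups": []}},
}


def authenticate(cookie_value, now):
    """Resolve the browser's session cookie to a verified identity, or None."""
    sess = SESSIONS.get(cookie_value)
    if sess is None or sess["expires"] <= now:
        return None
    return sess["identity"]


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _sign(value: str) -> str:
    return _b64(hmac.new(PROXY_SECRET, value.encode(), hashlib.sha256).digest())


def proxy_forward_headers(client_headers, identity, now):
    """Headers the proxy sends upstream. Any client-supplied copy of the identity
    headers is dropped (case-insensitively) so a caller cannot impersonate another
    user; then the verified identity is added with an HMAC the backend can check."""
    blocked = {IDENTITY_HEADER.lower(), SIGNATURE_HEADER.lower()}
    forwarded = {k: v for k, v in client_headers.items() if k.lower() not in blocked}
    claims = json.dumps({"sub": identity["uid"], "groups": identity["groups"], "iat": now},
                        sort_keys=True, separators=(",", ":"))
    encoded = _b64(claims.encode())
    forwarded[IDENTITY_HEADER] = encoded
    forwarded[SIGNATURE_HEADER] = _sign(encoded)
    return forwarded


def backend_identity(headers, now):
    """What the legacy application does on receipt: check the HMAC in constant
    time and reject stale values before trusting the user name."""
    encoded = headers.get(IDENTITY_HEADER)
    sig = headers.get(SIGNATURE_HEADER)
    if not encoded or not sig or not hmac.compare_digest(sig, _sign(encoded)):
        return None
    claims = json.loads(base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4)))
    if now - claims["iat"] > MAX_AGE_SECONDS:
        return None
    return claims


def handle_request(cookie_value, client_headers, now):
    """End to end: authenticate at the proxy, forward, and return what the
    backend accepts (None if the request is rejected at either hop)."""
    identity = authenticate(cookie_value, now)
    if identity is None:
        return None
    return backend_identity(proxy_forward_headers(client_headers, identity, now), now)
```

The HMAC covers a spoofed header arriving at the backend by a route other than the proxy; it does not cover a compromised proxy, so restricting which hosts may reach the legacy application at all is still required.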

Deployment Models

A variety of deployment models are supported. For cloud deployments a Kubernetes installation is typical. For an on-premise or hybrid cloud deployment VM packages are often used. In many cases multiple deployments will exist, each fulfilling a specific physical or logical requirement. One instance might provide approval workflow for provisioning to an on-premise identity data store, another deployment might provide access control to relying applications in the cloud. If multiple OpenUnison instances are deployed, each providing authentication to their connected applications, a session management facility will be required to support SSO across instances.

The features OpenUnison provides include:

  • A customized access screen for each user can be deployed displaying the applications to which they have been granted access.
  • A self-service function is provided allowing users to request access to applications they need for their job. Each access request will be forwarded to the appropriate approver.
  • Integration with existing identity data repositories is facilitated via the virtual directory service facility that supports popular protocols such as LDAP and JDBC.
  • A password reset feature is provided that supports multiple validation mechanisms such as challenge-response questions.
  • API management and security is facilitated with extensive authentication token support.
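The single-protocol front end described under Identity query, and the virtual directory feature above that supports LDAP and JDBC, mean one component translates the caller's query into each backend's native query; that component is also where injection into either backend has to be prevented. The added example below (Python with the standard-library sqlite3 module standing in for a JDBC store and an in-memory dict for the directory; not OpenUnison code, and all names and data constructed) builds an RFC 4515-escaped LDAP filter, binds the SQL parameter rather than interpolating it, merges both results into one normalized entry, and answers the Introduction's compound question (staff member, approved developer, passed the Python test) against that entry.

```python
import sqlite3

# Two constructed backends standing in for an AD-style directory (LDAP) and an
# application database reached over JDBC. Neither holds real data and none of
# this is OpenUnison code.
DIRECTORY = {   # keyed by sAMAccountName
    "jdoe":    {"displayName": "Jane Doe",      "mail": "jdoe@example.com",    "memberOf": ["developers", "staff"]},
    "mallory": {"displayName": "M. Contractor", "mail": "mallory@example.com", "memberOf": ["contractors"]},
}


def make_app_db():
    """In-memory stand-in for the application's own user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE app_users (username TEXT PRIMARY KEY, role TEXT, python_certified INTEGER)")
    db.executemany("INSERT INTO app_users VALUES (?, ?, ?)",
                   [("jdoe", "approved-developer", 1), ("mallory", "contractor", 0)])
    return db


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter. Without
    it a caller-controlled uid such as "*" or "jdoe)(objectClass=*" would change
    the meaning of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(uid: str) -> str:
    return f"(&(objectClass=person)(sAMAccountName={ldap_escape(uid)}))"


def lookup_directory(uid: str):
    # Stand-in for an LDAP search using build_filter(uid); a keyed lookup here.
    return DIRECTORY.get(uid)


def lookup_app_db(db, uid: str):
    # The uid is bound as a parameter, never interpolated into the SQL text.
    row = db.execute("SELECT role, python_certified FROM app_users WHERE username = ?", (uid,)).fetchone()
    return None if row is None else {"role": row[0], "python_certified": bool(row[1])}


def virtual_entry(db, uid: str):
    """One normalized entry assembled from both sources, the way a virtual
    directory presents a single view over several stores."""
    d, a = lookup_directory(uid), lookup_app_db(db, uid)
    if d is None and a is None:
        return None
    entry = {"uid": uid}
    if d:
        entry.update(cn=d["displayName"], mail=d["mail"], groups=list(d["memberOf"]))
    if a:
        entry.update(a)
    return entry


def may_use_dev_api(entry) -> bool:
    """The question from the Introduction, answered against the merged entry:
    staff member, approved developer, and passed the Python test."""
    if entry is None:
        return False
    return ("staff" in entry.get("groups", [])
            and entry.get("role") == "approved-developer"
            and entry.get("python_certified", False))
```

Because every backend query passes through `virtual_entry`, the escaping and parameter binding live in one place; relying applications only ever see the normalized entry and never compose backend queries themselves.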

License Options

OpenUnison is offered under two licensing models:

  1. OpenUnison
    Fully open source software. This allows organizations to establish an OpenUnison instance on a trial or pilot basis in order to test the product’s capabilities and to understand the level of competence required to effectively exploit it.
    There is no direct cost for this option.
  2. OpenUnison with support
    Open source code but with support services. Under this option Tremolo Security support is available to assist in deploying the product and integrating OpenUnison into the organization’s IAM environment.
    The license cost for this option is based on the number of users.

To best exploit the capabilities of OpenUnison a DevOps competence is valuable. The product documentation provides step-by-step instruction for the installation and configuration of the product but a technical understanding of the environment and a proficiency in scripting is beneficial. Building familiarity with the OpenUnison product and deploying trial instances to test the product’s capability is facilitated via the open-source availability of the software.

Differentiation points

Tremolo have coined the phrase “just in time” to describe their approach to IAM. The solution does not rely on data updates or batch processes. The code is modularized and stateless and relies on message queues for communication. It is comprised of atomic components that perform their functions when invoked, which makes an OpenUnison deployment highly scalable. Each deployed function provides a single task, maintains no state information and communicates via asynchronous message queues. OpenUnison can therefore be deployed for the modest performance requirements typical of a workforce identity management environment, or scaled up to meet the more demanding performance requirements of a consumer identity and access management (CIAM) environment.

An OpenUnison deployment will challenge a traditional approach to IDM. For instance, is a feed from the HR system with information on new hires really required? Why not let each new hire request the system access they need for their jobs and rely on the approval workflow to collect the required approvals for access entitlements?

For deprovisioning: why require a manager to wade through attestation reports to re-certify staff access? Why not rely on an automated “inactive account” procedure to disable accounts after an appropriate period of time?

OpenUnison invites customers to configure their IAM infrastructure to suit their unique requirements; it is highly scalable and able to accommodate multiple deployment patterns.

3 Strengths and Challenges

The OpenUnison IAM solution is built on the company founders’ long experience in the identity and access management sector. It recognizes that every organization is unique, that it is unrealistic to assume any one solution will fit all requirements, and that requiring a customer to modify their operations to suit a particular IAM solution is often difficult and sometimes impossible.

OpenUnison is a modular and flexible offering that imposes no architectural constraints. Tools within the product each perform a specific function, servicing other components in the IT environment, e.g. writing identity attributes to the enterprise directory or retrieving a record from a database to respond to an LDAP request.

To properly leverage an OpenUnison implementation a DevOps capability is required. To “go it alone” (option 1 above), developers will be needed to integrate the software into the corporate infrastructure. Under the OpenUnison with support option, DevOps staff will still be required to integrate the solution into the corporate infrastructure.

Strengths

  • Open-source code with the option to purchase support
  • Highly flexible deployment options due to stateless functions
  • Encourages trial of OpenUnison functionality via the provision of open-source code
  • Support for all mainstream data access protocols
  • Extensively documented with step-by-step procedures for configuration and deployment

Challenges

  • Educating customers in the opportunities the open-source approach affords
  • Ensuring sufficient dev/ops capability in the client-base
  • Keeping current with rapidly changing development environments

Copyright

©2020 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole´s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarksTM or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded back in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.
