Opal and Okta work better together to provide a supercharged IAM solution
Opal and Okta work better together to deliver a comprehensive identity and access management solution. Opal integrates with Okta for central integration, but extends its functionality with workflow orchestration. In a future blog post, Opal will deep dive into the actionable insights use case.
At Opal, we focus on working with security leaders, from high growth startups to the Fortune 500. As the bedrock of most security programs, identity and access management (IAM) is a journey and can be broken down into major maturity phases:
Our customers have been using Opal and Okta together to implement a holistic IAM strategy in their security journey. With over 7,000 integrations, Okta is the leading provider for how users authenticate into applications using SSO and MFA. By integrating with Okta, Opal imports users, groups, and Okta applications. Opal supercharges the integration experience with its own connectors in order to integrate with granular application resources and access levels for complex systems such as AWS, GCP, Salesforce, and more. Resources are the individual components within applications, such as RDS databases for the AWS application. Access levels are the specific permissions, such as Read Only for the Github application. Overall, Opal and Okta provide employees with a catalog of granular permissions, and admins can configure context-based access policies.
Identity providers, such as Okta, connect with applications and Human Resources Information Systems (HRIS). Okta grants access to a core set of applications based on organizational information, such as department, team, and cost center. This is known as birthright access.
While this is useful to ensure that employees have day-one access, this type of access is static. With identity providers, removing access is often manual and rarely performed. At many companies, employee access only accumulates over time - increasing the risk for insider threats. In 2021, 51% of Twitter employees had privileged access to production systems and data. The fast changing nature of enterprises means that mapping access based on static attributes isn’t sufficient for complex needs.
Instead, companies need to complement central integration with workflow orchestration to grant dynamic and just-in-time access - in other words, access that is granted and revoked on an as-needed basis.
Using Okta and Opal, companies can tackle complicated process challenges:
In order to orchestrate access, companies need varying granularity, from applications down to individual permissions. With Opal and Okta, employees can browse not only Okta apps and Okta groups, but also native permissions using Opal’s connectors, such as Read Only on an RDS database in AWS or the Sales Engineering Role in Salesforce. Ultimately, this offers transparency, flexibility, and security, as employees can request exactly what they need - nothing more and nothing less.
Rather than granting static access all of the time, Opal limits the amount of access given by leveraging context-based access. The most obvious form of context is through access requests. Opal makes just-in-time access frictionless. Approvals are delegated to system owners and admins with the most context. Provisioning is automated with Slack.
Opal can also automate regular occurrences of context-based access. One of the most common workflows is to automate on-call access. Rather than granting long-standing privileged access to a large group of engineers or manually revoking access with calendar reminders, Opal can integrate with on-call providers like PagerDuty and OpsGenie. With this integration, you can automatically grant privileged access to engineers who are on-call and revoke access when they are off-call!
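The on-call workflow above, as an added example that is not Opal's, Okta's or PagerDuty's code: a small reconciler that computes which users must be added to or removed from a privileged group so that membership equals the current on-call roster, leaves admin-pinned break-glass accounts alone, and reports when the next shift boundary falls so the scheduler knows when to run again. The shifts, user names and group are constructed; a real deployment would fetch them from the on-call provider and the identity provider.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Shift:
    user: str          # identity-provider login (e.g. an Okta username), constructed
    start: datetime    # inclusive, timezone-aware
    end: datetime      # exclusive, timezone-aware, so handovers have no overlap gap

def on_call_now(shifts, now):
    """Users whose shift covers `now`."""
    return {s.user for s in shifts if s.start <= now < s.end}

def reconcile(current_members, shifts, now, pinned=frozenset()):
    """Return (grants, revokes) that make group membership equal the on-call set.
    `pinned` members (break-glass accounts an admin manages by hand) are never revoked."""
    desired = on_call_now(shifts, now)
    grants = sorted(desired - set(current_members))
    revokes = sorted(set(current_members) - desired - set(pinned))
    return grants, revokes

def next_change(shifts, now):
    """Earliest future shift boundary: the time the reconciler should run again."""
    boundaries = [t for s in shifts for t in (s.start, s.end) if t > now]
    return min(boundaries) if boundaries else None

# Constructed sample data: two handover shifts and a privileged group with stale members.
UTC = timezone.utc
SHIFTS = [
    Shift("alice", datetime(2024, 3, 4, 9, tzinfo=UTC), datetime(2024, 3, 4, 17, tzinfo=UTC)),
    Shift("bob", datetime(2024, 3, 4, 17, tzinfo=UTC), datetime(2024, 3, 5, 1, tzinfo=UTC)),
]
PROD_ADMINS = {"alice", "carol", "breakglass"}   # current members of the privileged group
PINNED = frozenset({"breakglass"})                # admin-managed, excluded from automation

def plan_at(iso_now):
    """Run the reconciler over the sample data at an ISO-8601 timestamp."""
    now = datetime.fromisoformat(iso_now)
    grants, revokes = reconcile(PROD_ADMINS, SHIFTS, now, PINNED)
    nxt = next_change(SHIFTS, now)
    return grants, revokes, (nxt.isoformat() if nxt else None)

if __name__ == "__main__":
    grants, revokes, nxt = plan_at("2024-03-04T17:30:00+00:00")
    print("grant:", grants, "revoke:", revokes, "next run:", nxt)
```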
Once granular AWS permissions are bound to Okta groups, Opal extends its native integrations to unlock powerful privileged access management workflows.
Leveraging the power of self-service and delegated management, Opal enables organizations to set up powerful governance policies. For Okta groups and apps, Opal allows admins to configure guardrails such as:
Best of all, enterprises can configure policies at scale using Opal's APIs.
Designed from the ground up for compliance teams, Opal enables organizations to kick off self-service access reviews from a compliance dashboard. Reviewers are dynamically assigned based on admin or manager and are notified via Slack. Once they are in the platform, reviewers follow a guided journey to accept or modify access. All changes are automatically propagated via Opal and are captured in an auditor-friendly report.
Opal is the centralized authorization platform for IT and Infrastructure teams. Deeply integrated with developer infrastructure, SaaS applications, and custom internal tools, Opal enables companies to implement scalable access management.
Want to see it yourself? Contact firstname.lastname@example.org or book a meeting here for a personalized demo.