Identity and Access Management - IAM
Description
Cloud platforms like TrustNest are more exposed to internet than on-premises environments. Zero Trust architecture is often used to mitigate this by-design vulnerability. Identity and Access Management is a pillar in this architecture; making sure users and applications are well authenticated at any time.
TrustNest Identity and access Management supports the following use cases:
- Use Case A: Management of Thales employees and contractors developing directly on TrustNest (deployment of cloud resources as developer and devops)
- Use Case B: Management of Thales employees and contractors accessing to Function SaaS Services (Software Factory, PostIT, O365 thalesdigital.io tenant)
- Use Case C: Management of Thales employees, contractors and partners accesses to SaaS services (product developed on TrustNest)
- Use Case D: Management of any external accesses to SaaS services (product developed on TrustNest)
Release Note
Reading the Release Note is a good way to measure the reactivity and the velocity of a team. It shows also the main concerns of the engineering team behind the scene.
Please, before moving forward, make sure you have properly identified your use case. Any demand or exception will be rejected by default. A writen CISO validation with a full architecture case is required
Use Case A: user management for Cloud Resources deployment
The deployment of cloud resources into TrustNest are currently reserved to Thales employees and contractors only.
The identity is managed by an internal Azure Active Directory (thalesdigital.io).
Users allowed:
- thalesdigital.io
- thalesgroup.com (+country identity)
Technical accounts:
- Service principal (to get a cloud identity)
Use Case B: user management for Function SaaS services access
The identity is managed by an internal Azure Active Directory (thalesdigital.io).
Users allowed:
- thalesdigital.io
- thalesgroup.com (+country identity)
Technical accounts:
- Service account (to get an identity like a user but limited to specific IP - mostly used by CI/CD pipeline)
Note: It’s completely forbidden to use a technical account per a user. Audit are and will be performed! Nominative accounts with MFA must be used to be protected against secret thefts.
Use Case C: Thales and Partner management to SaaS services (except: function)
The identity is managed by an external Azure Active Directory (ID/Name confidential)
Users allowed:
- thalesdigital.io
- thalesgroup.com (+country identity)
- identity under partner domain name (contract, onboarding & offboarding required)
Technical accounts:
- forbidden
Use Case D: External Access Only
The identity is managed by a dedicated Azure Active Directory B2C (per project).
Users allowed:
- any
Note: For security reason, the federation with thales identity is not allowed. This means any thales employees need to use a personal identity to access to this service.
Next Steps
Request a thalesdigital.io account
Ask for a service account creation
Warning: only available for use case B
Ask for a service principal creation
Warning: only available for use case A