
Identity and Access Management - IAM

Description

Cloud platforms like TrustNest are more exposed to the internet than on-premises environments. A Zero Trust architecture is commonly used to mitigate this by-design exposure. Identity and Access Management is a pillar of this architecture: it makes sure that users and applications are properly authenticated at all times.

TrustNest Identity and Access Management supports the following use cases:

  • Use Case A: Management of Thales employees and contractors developing directly on TrustNest (deployment of cloud resources as developer and DevOps)
  • Use Case B: Management of Thales employees and contractors accessing Function SaaS services (Software Factory, PostIT, O365 thalesdigital.io tenant)
  • Use Case C: Management of Thales employee, contractor and partner access to SaaS services (products developed on TrustNest)
  • Use Case D: Management of any external access to SaaS services (products developed on TrustNest)

Release Note

Reading the Release Note is a good way to measure the reactivity and velocity of a team. It also shows the main concerns of the engineering team behind the scenes.

Detailed Release Note Page

Please, before moving forward, make sure you have properly identified your use case. Any demand or exception will be rejected by default. A written CISO validation with a full architecture case is required.

Use Case A: user management for Cloud Resources deployment

The deployment of cloud resources into TrustNest is currently reserved to Thales employees and contractors only.

The identity is managed by an internal Azure Active Directory (thalesdigital.io).

Users allowed:

  • thalesdigital.io
  • thalesgroup.com (+country identity)

Technical accounts:

  • Service principal (to get a cloud identity)

Use Case B: user management for Function SaaS services access

The identity is managed by an internal Azure Active Directory (thalesdigital.io).

Users allowed:

  • thalesdigital.io
  • thalesgroup.com (+country identity)

Technical accounts:

  • Service account (to get an identity like a user, but restricted to specific source IP addresses; mostly used by CI/CD pipelines)

Note: It is strictly forbidden to use a technical account as a personal user account. Audits are and will be performed! Nominative accounts with MFA must be used to protect against secret theft.

Use Case C: Thales and partner user management for SaaS services (except Function)

The identity is managed by an external Azure Active Directory (ID/Name confidential).

Users allowed:

  • thalesdigital.io
  • thalesgroup.com (+country identity)
  • identity under a partner domain name (contract, onboarding & offboarding required)

Technical accounts:

  • forbidden

Use Case D: External Access Only

The identity is managed by a dedicated Azure Active Directory B2C (per project).

Users allowed:

  • any

Note: For security reasons, federation with the Thales identity is not allowed. This means any Thales employee needs to use a personal identity to access this service.

Next Steps

Request a thalesdigital.io account

Use postIT dedicated form

Ask for a service account creation

Warning: only available for use case B

Use postIT dedicated form

Ask for a service principal creation

Warning: only available for use case A

Use postIT dedicated form

Subscribe to an environment!

Start using one of the MCS services by subscribing to a managed Kubernetes cluster, an APIM subscription key or a landing zone…

Subscribe