Combining Just-In-Time Access with Change Management

February 11, 2025
written by
Mike Tierney
Technical Product

Better Ways We IGA Episode 2

Mike Tierney  
I'm here with TJ, who wears a lot of hats here at Clear Skye. Among them, he's our CTO and he's going to talk about something you work with and talk to customers about all the time. Tell us what we're talking about today?


TJ Gryziec  

Yeah, absolutely. Often one of the business objectives related to identity governance and administration is reducing the amount of standing privileges that an end user has. We implement things like access reviews and access requests and approval processes to hopefully mitigate who has access to what at any given time. If your account's ever compromised, the amount of damage an individual can do with that compromised account is limited by the amount of access that you have within that account.


So oftentimes, when an individual is going to need additional access, it’s around the change process which is happening within ServiceNow.
So you may be requesting access to perform a certain change. You need access during the time of that change window, and then you would of course want to have that access revoked later on once the change is completed.

I really wanted to cover sort of walking you through what that looks like leveraging Clear Skye IGA and ServiceNow's operation dashboard workspace within ServiceNow itself.


Mike Tierney  

Let's do it.


TJ Gryziec  

Awesome. Let's go ahead and jump right in. Starting off where many IT folks live is within the service operations workspace. From here you're tracking things like incidents and problems. If you want to perform a change and you're working for an infrastructure team, you may come to this dashboard to start the process or kick off that change request.
We’re going to go through that same process here. I'm going to go ahead and click on the plus over the top left of my workspace and from here I have an option to create a new change request. Let's go ahead and do this from the new change request. We can pick what type of change this is. In this case, it'll just be a normal change. That means it's going to go through a series of approval processes for the different individuals within the system and we'll go ahead and scope the details of this change now. With Clear Skye, a change that we often do as we move our deployment into the production environments is setting up the infrastructure to support that deployment. Mid servers within ServiceNow are leveraged to communicate with systems on-prem.

What we'll do here is we're going to go to fill out a basic change and configure it, get it approved as it relates to setting those assets up within your organization.

First off for short description, I'm just going to go ahead and outline that we're going to be installing a new mid server for Clear Skye IGA. The description of this would be production deployment requires additional mid servers. We'll just say production deployment and I can almost use the same exact description.

Hopefully you folks at home are providing more detail within your change request, but this will get us through the demo. So at this point I can go ahead and save. That gives me some basic details about my change and then we have a few other screens that we'll need to fill out as we start to set this up and scope out the impact and assignment of it. The first thing that we're going to do is define what's involved in this change. I’ll go ahead and click on add scope.

And the first thing that's going to be involved, of course, is Clear Skye as a business application within your environment. We'll go ahead and specify IT services as the selection for service. We can do other things like service offerings and categories etcetera.

This is going to help in reporting and risk assessment of the change itself, and I'm going to go ahead and hit save, which should then assign that initial configuration item to the affected CIs.


Now Clear Skye’s not the only thing involved in this change. We need to go ahead and specify the server the mid server's going to run on. We need to specify ServiceNow itself because we may need administrative privileges there to perform this change. I'm going to hit the add button over on the right side and we'll start off by adding the server that we're going to be installing this on. I'll just type Linux and these are available. You may be using Discovery or other components of ServiceNow to pull these in and so we'll add that one. And then lastly, I'll also add the ServiceNow service itself. Now I have my three affected CIs in the system.


This is usually where the story ends for most customers of ServiceNow.  When it comes to getting access to those resources, you may have to go to an external system or if you're doing it within ServiceNow, you may still need to go to the portal and request that access.


When it comes to Clear Skye, because we're native to the platform, we can actually just kick the process off directly from here. Let's say that when setting up a mid server, I'll definitely need local admin access to the server that it's going to be deployed to, and I'll probably even need admin access to the ServiceNow instance to be able to set this up and configure the mid server for load balancing. And from here I can just click request.


Mike Tierney  

So before you click that, TJ, we like to talk about that our UI is ServiceNow's UI and if Clear Skye IGA is installed, you won't necessarily know it's there. But this is an instance where you can see our presence is so tightly embedded. That request access button - that's Clear Skye, right?


TJ Gryziec

That's exactly right. As we click this button, it's leveraging the data within the Clear Skye application that exists within the ServiceNow platform. As part of an identity governance implementation, the first step you'll do is connect systems, you know, directories and applications, databases that may be sitting within your organization's network, and then things also in the cloud. We're going to aggregate all those security data points and we're going to correlate them to data within the ServiceNow platform. In this case, we've associated our privileged items within the CMDB to the security groups and permissions that exist within Clear Skye IGA to support this seamless integration, so that the person filling out the change doesn't have to worry about any of those things. They'll select the items they need access to, they'll hit request access, and you'll notice over here that we've now updated the required access related to the change that we're currently working on.

In this case, you'll notice that I need an Active Directory security group.
I can look at the risk of those different types of entitlements. For example, if this was domain admins, there would be a critical risk associated with it, and that may influence the decision that's made of who we're assigning this change to or even whether it gets approved or not within the change window that we're working on. We can also influence the risk assessments of a change request itself, so if you have critical access that has a lot of risk, that could be reflected within the risk assessment of a change request.


Mike Tierney  

And that's all pulling from what we call the identity warehouse, right?
Purpose-built tables within a customer's ServiceNow instance that come with the Clear Skye IGA product that allow us to do things like this.


TJ Gryziec  

That's exactly right, yeah. And when I'm talking to ServiceNow folks, I often say the identity warehouse is the CMDB of access data. The who, what, when, where, who has access to what across all of your applications will now live on the platform with these other processes that we're seeing here.

From here I can see my different entitlements, what this user is going to receive access to, all within the ticket itself. Now that we're done with that, we're going to move just into the assignment. I'm going to go ahead and assign this request. We're going to go ahead and assign it to the ITSM engineers. We're going to go ahead and assign it specifically to Able Tutor, who received the access at the time of approval.
Let's go ahead and calculate some risk here.
We do see a low risk related to this change.
It's all additive in this case, so you're not changing any production systems.
So that I think reflects correctly in the type of change that we'll be performing today.
We can also specify a schedule related to this change, so let's go ahead and say that we'll do this tomorrow around the same time as a start date, and then we'll also specify the end date for this as tomorrow. And let's give ourselves 4 hours to complete the change.
It doesn't mean that it's going to take four hours. Usually this takes anywhere between 5 and 20 minutes. But we're just not sure where we'll fall into that window.

You'll see as we can go ahead and time box the access that we have for that change so that they only have it for the time that it starts until the time it ends and then it gets revoked right away through the Clear Skye IGA application.

Now that we've set our schedule, I'll go back to my change request.
We can see all of our details. We know the affected CIs impacted by the required access now available to us based on Clear Skye data and now we can go ahead and submit for approval. If I go to view activity we should start to see more data appear here. I know who my approvers are going to be in this case.
So let's switch over to Luke and we'll just refresh his list of approvals. Now they'll often receive an e-mail that they may reply to. They may be monitoring this through the portal, but I'll just open up this change here for this instance.
When I open up the change, I do have the availability to mark as approved, but I can also scroll down and look at all of those details, including the required access. As a change approver, I can assess whether we want to give this person admin access to ServiceNow or whether this is a good idea all within the change itself and have that influence the decision.

I'll approve.

We move into that scheduling state and I can shift back over to my original change form. If I refresh this, we should see those updates come through. I can see the details now in that scheduled state.
I was able to select what type of access I needed based on the impact and the scope of my change. I was able to see that as an approver and what the risk of those different points of access would be to that individual.
Once it gets scheduled, if we go over to the related records, you'll also notice that some IGA requests got generated that are associated to the change itself. And if I were to click in you can see that we're going to grant access to Able Tutor.
There's a ton of intelligence within Clear Skye that's going to go ahead and determine whether Able Tutor has an account. Does one need to be created?
What type of account, based off the type of access?
All of those details can be configured within Clear Skye.
But the thing I want to draw attention to is that we've actually mimicked the schedule of the access that the individual has, that they're only going to receive it when that change window opens.
And then it will be taken away as soon as that change window is closed. If they have to re-request access, they may have to extend their change window etc.
But we're making sure that they only have the access for the time that they need and no longer than that within the system. And then we also keep track that someone requested this, and the scope and impact.
This was the approved state based on that access and now once it comes time where the rubber meets the road, we can also go ahead and highlight what requests and what's been done from an access provisioning perspective. So if later on down the line you wanted to understand who had access to ServiceNow Admin, you'll have a full list of every single change that needed that type of access for every single deployment.
And we didn't slow down the change process at all.
I didn't have to go to another portal.
I didn't have to go anywhere.
It's all embedded directly into your ServiceNow instance, into those processes you're already working in, and it's seamless to the individuals who work on these things day in and day out.


Mike Tierney

That is very impressive.
That's, I think, a really good view into the way having an architecture like you see up here on the screen, where your IGA solution is embedded into your workflow platform, into ServiceNow, enables things that are top of mind for a lot of people, like combining just-in-time provisioning and proper change management.
