Feb 11, 2022
Product Update: SSO, Cluster level authorization, OAuth 2.0 and more security features
2022 brings a significant revamp of the authentication and authorization capabilities of Imply Cloud. In response to our customers demanding finer-grained access control, better integration with third-party identity providers, more secure API access and more self-service capabilities, we are introducing Imply Identity. With this new service, dozens of new security features, such as Single-Sign-On support, OAuth2 integration, cluster-level authorization, unified accounts across regions, multi-factor authentication, and password strength and expiration requirements, are now available. In this post we will discuss them in detail.
Until today, Imply Cloud users had to create an account using an Imply username and password to access Imply Cloud. IT admins had to use Imply’s interface to add and remove users and manage access control. This created risk and overhead for IT teams, who are used to managing users and permissions with identity providers such as Okta or Google Account SSO. Using Single-Sign-On (SSO) with Imply Identity, customers can now integrate any OIDC- or SAML-based Identity Provider (IdP) with Imply Cloud. Once an identity provider is configured, every Imply Cloud user can authenticate with one click using the configured identity provider, thereby eliminating the need to store and remember usernames and passwords. IT admins can create groups with the desired permissions in the IdP and map these to Imply Cloud roles. Adding or removing users is as simple as assigning them to or removing them from the Imply app in the identity provider’s management console. The latter is a huge improvement for small data platform teams that want to enable everyone in the organization either to access business insights in Imply or to create their own clusters and build analytical apps.
To learn more about enabling Single-Sign-On for your Imply Cloud deployment, check here.
Single account for all of Imply Cloud
Most Imply customers have more than one Imply Cloud account, either because they have a multi-region deployment or because they have development, test and production environments. To access each account, these customers were required to have a different username per account. With the latest update, each Imply customer is assigned an organization, and all the Imply Cloud accounts now appear as environments in the organization in Imply Identity. A user can use the same username to access any environment. Furthermore, a user with administrator privileges can easily assign the same or different permissions to a user across deployments.
OAuth 2.0 support
In the past, developers building custom applications on Druid used a single token for all users of their custom application because managing access was difficult. The custom application itself would control user access. Other applications that integrate with Druid would each have to do this as well, leading to a proliferation of access policies across multiple applications. Using the OAuth 2.0 integration, you can now create API clients in the Imply Auth Console and define access policies centrally within Imply. Any application integrating with Imply will have the same policies applied without any additional effort. This leads to a significant reduction in the amount of custom development needed to build on top of Imply, as well as a large step up in security, since policies are defined in a single location.
To get started with securing your APIs with OAuth 2.0, check our documentation.
Many of our customers are small teams within large organizations. These teams are tasked with providing a central data platform for the rest of the organization. They want to enable other teams to use Imply, start and administer their own clusters and manage data without compromising security for their own deployments. As a result, they need the ability to set policies that restrict access to a cluster. Using cluster-level permissions, Imply admins can set access control policies at the cluster level. They can configure a policy whereby any new team creating a cluster has access only to its own cluster and not to other clusters. Alternatively, the team can have administrative permissions on its own cluster and read-only permissions on the cluster of a third team.
To get started with cluster-level permissions, check our documentation.
Multi-factor authentication, password policies and more
Even though we added support for SSO for Imply Cloud using Imply Identity, we understand that many of our current and prospective customers will continue to use Imply usernames and passwords to access Imply. Therefore, in this product update, we added many capabilities to harden the security of this authentication mechanism. Specifically, Imply admins can force users to use multi-factor authentication to access Imply. They can also set policies regarding password length and complexity. They can require users to change their password at a specific cadence, lock users out after a certain number of failed login attempts or log them out after a period of inactivity. Finally, Imply admins can see a list of all currently active users accessing Imply and choose to log anyone out.
All of these capabilities are available today. If they have not yet been enabled for your organization, please contact your Account Executive.