To ensure the security of Single Sign-on (SSO) data, an effective security strategy must encompass crucial SSO management functions like backup and restore, change detection, and sandbox seeding, despite the inherent benefits and streamlining provided by SSO as a security tool.
Single Sign-on (SSO) is a great security tool that significantly reduces your attack surface while providing a consistent, streamlined sign-on process for your company and customers. But even great tools need safeguards. To adequately secure your SSO data, your security strategy needs to address SSO management functions such as backup and restore, change detection, and sandbox seeding.
Platforms like Okta and Microsoft Azure offer widely-adopted products with powerful SSO capabilities. But while SSO has become the most critical application to almost every organization’s operations, there are few mechanisms in place to protect it from internal and external disruption. And when disaster hits, your organization needs to move as swiftly as possible to help you return to business as usual. To help protect mission-critical SSO access and functionality, we developed the MightyID Resilience Platform, enabling targeted backup, restore, migration, and failover capabilities.
In working with large or complex Identity Access Management (IAM) environments, we have found that a crucial requirement for any SSO solution is the ability to conduct precision-targeted restores of SSO data. In this blog post, we’ll explain why this capability is so important, and how MightyID enables you to meet this requirement with a level of granularity, automation, and ease of use that is unique in the industry.
Don’t Use a Sledgehammer for a Thumbtack: The Need for Targeted Restores
In the event of a disruption in service in your IAM environment, your urgent priority is to get your business running with as little downtime as possible. The question becomes: How do you restore your problem SSO data quickly and effectively without rolling back every change since the backup?
In a few scenarios, organizations will need to restore all SSO data as it existed at some prior point in time (e.g., two weeks ago). This need might arise in situations where:
- Your entire SSO data environment has been corrupted or inadvertently deleted, e.g., deletion of tenant.
- You realize that substantial errors have been made in updating SSO data for a significant percentage of your SSO environment such that a full restore is best.
While the ability to restore a full historical snapshot of your SSO data is valuable and important, it can be cumbersome, manually intensive, time-consuming, and damaging to operations to re-create all the legitimate SSO data changes that have been made since the date of the backup that is being restored.
To restore 10 users, you don’t want to rollback a whole day of changes for everyone!
In most cases, you only need to do a partial restore of one or more specific SSO data elements or applications. For example:
- You realize that recent changes to one user’s account have been inadvertently deleted or corrupted, and you just want to restore that user’s SSO data.
- A group was accidentally deleted, and you want to recover that group and all associations to it.
- A script changed one or more values for many applications, but you know which apps were affected.
In these cases, performing a full restore of your SSO data is overkill and would involve an excessive amount of work to re-enter all changes made since the date of the backup being restored. To address these partial-restore scenarios, you need a surgical tool to restore only those SSO data elements you want to recover and nothing else.
MightyID Partial Restore Feature
The good news is that MightyID lets you perform precision-targeted partial restores of SSO data for specific users, groups, applications, or settings, such as policies, rules, templates, etc. Our easy-to-use, automated tool allows you to designate one or more SSO data elements from any of these data types and restore them with one convenient request, even down to specific attributes of users. With this laser-focused approach, you avoid the substantial amount of work that would have been required to recreate your current SSO environment after a full restore.
Below is an example of the MightyID “Restore a backup” screen being used to configure and run a partial restore. In this screen, the requestor has designated:
- Which backup from which tenant to restore.
- The destination tenant to restore onto, to support sandbox environments for testing or controlled changes to production.
- How to resolve duplicate objects, in this case choosing to merge attributes of duplicate objects, preferring the source (backup) data when. E.g., both have different phone numbers for the same user, so use the backup’s phone number.
- The specific SSO data they would like to restore, in this case 3 users, 3 groups, and 3 apps, with all their associations.
Restore a Backup Screen Example for Partial Restore
MightyID Full Restore Feature
While MightyID’s precision-targeted partial restore capability is one of the important features that sets it apart from other available tools, it is also capable of performing full, automated restores when the need arises. Full restores are executed using the same, easy-to-use screen that is used for partial restores. Here’s an example of copying the production tenant to a sandbox environment, so you want to first remove any existing users in the tenant and then mask user personal data to remove risk and compliance concerns:
Restore a Backup Screen Example for Full Restore
Other Benefits During Recovery
In addition to only restoring what you want, MightyID alsoonly restores what has changed, providing much faster recovery. If an intendeduser wasn’t modified, we don’t try to change it.
This tool also allows you to verify your scope estimate by reporting on what changes were made. You can see if your estimation of impact was correct, by checking how many objects were added, how many were changed, and details of the changes.
The Bottom Line
Sometimes, less is more. MightyID’s flexible, automated solution lets you recover only the SSO data you need, which allows your team to spend less time restoring SSO data and more time on other important initiatives.
We Can Help
If you have questions about MightyID’s granular restore capabilities, or would like help implementing it in your organization, just give us a call at (949) 387-6148 or email u sat email@example.com.