We often want it all, and we want it now. Lost in this mindset are the time and the activities required to reach fruition. I see the same thing in identity management: customers evaluating vendors in the early stages want it all, and they assume they should have it all on day one.
Specifically, I am referring to user provisioning automation. In successful identity management implementations, automated user provisioning goes through four phases.
User Provisioning Automation Deconstructed
The first phase of user provisioning automation has nothing to do with technology. It homes in on an organization's hierarchy and human resources infrastructure. Before you can automate manual tasks, you must know your users: everyone's role and the privileges associated with it.
To reduce security risk, users must be able to access only the information they need (least privilege). Automated user provisioning therefore requires an inventory of your enterprise systems and of the access privileges each one exposes. By defining your systems, roles and access up front, you can control the activities of the employees, vendors and contractors who reach your networks.
The time required to deconstruct user roles and privileges is frequently undervalued, and that results in delayed ROI and utilization. Once your roles and privileges are mapped, you're ready to automate new-hire onboarding.
User Provisioning Approval Workflow
After establishing role-based user provisioning, automating approvals marks the second stage. Automated approval workflow improves an organization's operational efficiency by off-loading manual tasks that take managers away from priority business operations. It also lets IT focus on more critical security risks.
Automated approval workflow enforces control based on preset permissions and reduces human error. When incorrect access is granted, the workflow records who requested and who approved it, which enforces accountability. For the right access control, a solution must be flexible: organizations must be able to modify individual and group approvals at a granular level. When new accounts are created automatically, approvals are streamlined and their fulfillment becomes timely and cost effective even in complex enterprise environments. Without approval automation, simple routine operations remain an unnecessary recurring cost.
Leverage User Provisioning Audit Logs
Establishing governance leads organizations into the third stage: audit logs. Audit logs are generated for the full lifecycle of a privilege, entitlement or role, starting with the initial request and continuing through each step of the approval workflow to the granting of the request. Each record contains the event's time-stamp, the event type, an error code, the user's identity, and the resource accessed. That data is used for data mining, error checking, and analysis.
In the third stage, audit logs capture all user provisioning activities. Putting this information to use, however, may take several months. Tracking user access alone is not governance: beyond reporting access, an organization must enforce governance over its operations. A log records what administrators did; it does not prove that every required action was taken. This applies in particular to de-provisioning, and it may take time before you're fully engaged with it.
Automate De-provisioning to Remove Security Risks
Automated user provisioning gives control over all accounts tied to a user's identity, and de-provisioning those accounts is pivotal to information security. In stage four, a terminated user's access is automatically removed from all systems. Terminated accounts and the enterprise data behind them must not be left exposed to unauthorized access, so access to on-premises and cloud applications should be de-provisioned immediately.
The de-provisioning process remains a weak point for many organizations. Automatic de-provisioning prevents terminated users from accessing your network, systems, and groups. This should apply equally to employees, consultants and suppliers. In many organizations, consultant information is not stored with employee HR data, so an automated user provisioning solution must support multiple de-provisioning feeds. The same multi-feed coverage is needed for access attestation (certification) audits.
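The two checks the third and fourth stages call for, reconciling the audit log against the approval workflow and reconciling every identity feed (HR and a separate contractor feed) against the accounts still enabled on each system, can be written as a short reconciliation script. The example below is added here; it is not code from the original article or from any vendor product, and all feeds, account inventories, audit records and field names are constructed for illustration.

```python
"""Reconcile provisioning audit logs and identity feeds against live accounts.

Added example with constructed data; field names (user, status, end, enabled,
event, req, resource, code) are assumptions, not any product's schema.
"""
from datetime import date

# Constructed HR feed: employees. A terminated employee carries a termination date.
HR_FEED = [
    {"user": "asmith", "type": "employee", "status": "active", "end": None},
    {"user": "bjones", "type": "employee", "status": "terminated", "end": "2024-03-01"},
    {"user": "cwong", "type": "employee", "status": "terminated", "end": "2024-03-10"},
]

# Constructed contractor feed, kept apart from HR data as the text describes.
# Contractors are not "terminated"; their contract simply has an end date.
CONTRACTOR_FEED = [
    {"user": "dlee", "type": "contractor", "status": "active", "end": "2024-02-28"},
    {"user": "epatel", "type": "contractor", "status": "active", "end": "2024-12-31"},
]

# Constructed account inventory pulled from an on-premises directory and a SaaS app.
ACCOUNTS = [
    {"system": "ad", "user": "asmith", "enabled": True},
    {"system": "ad", "user": "bjones", "enabled": False},      # AD handled, but...
    {"system": "saas-crm", "user": "bjones", "enabled": True},  # ...cloud app missed
    {"system": "ad", "user": "cwong", "enabled": True},
    {"system": "saas-crm", "user": "dlee", "enabled": True},
    {"system": "ad", "user": "epatel", "enabled": True},
]

# Constructed audit log: one record per lifecycle step of an entitlement request,
# with the fields the text lists (time-stamp, event type, error code, user, resource).
AUDIT_LOG = [
    {"ts": "2024-03-05T09:00:00", "event": "request", "req": "R1", "user": "asmith", "resource": "finance-ro", "code": 0},
    {"ts": "2024-03-05T10:00:00", "event": "approve", "req": "R1", "user": "mgr1", "resource": "finance-ro", "code": 0},
    {"ts": "2024-03-05T10:01:00", "event": "grant", "req": "R1", "user": "asmith", "resource": "finance-ro", "code": 0},
    {"ts": "2024-03-06T11:00:00", "event": "request", "req": "R2", "user": "epatel", "resource": "prod-admin", "code": 0},
    {"ts": "2024-03-06T11:02:00", "event": "grant", "req": "R2", "user": "epatel", "resource": "prod-admin", "code": 0},
]


def users_to_deprovision(as_of, *feeds):
    """Merge every identity feed and return users whose access should be gone by as_of."""
    gone = set()
    for feed in feeds:
        for rec in feed:
            ended = rec["end"] is not None and date.fromisoformat(rec["end"]) <= as_of
            if rec["status"] == "terminated" or ended:
                gone.add(rec["user"])
    return gone


def orphaned_accounts(as_of, accounts, *feeds):
    """(system, user) pairs still enabled for users who should already be de-provisioned."""
    gone = users_to_deprovision(as_of, *feeds)
    return sorted((a["system"], a["user"]) for a in accounts
                  if a["enabled"] and a["user"] in gone)


def grants_without_approval(log):
    """Grant events whose request had no approval recorded before the grant."""
    approved = set()
    findings = []
    for e in sorted(log, key=lambda e: e["ts"]):
        if e["event"] == "approve":
            approved.add(e["req"])
        elif e["event"] == "grant" and e["req"] not in approved:
            findings.append((e["req"], e["user"], e["resource"]))
    return findings


if __name__ == "__main__":
    today = date(2024, 3, 15)
    for system, user in orphaned_accounts(today, ACCOUNTS, HR_FEED, CONTRACTOR_FEED):
        print(f"still enabled after termination: {user} on {system}")
    for req, user, resource in grants_without_approval(AUDIT_LOG):
        print(f"granted without approval: {req} {user} -> {resource}")
```

Two points the data is built to show: bjones was disabled in the directory but not in the cloud application, which is exactly the "log says it was handled" gap described above, and dlee would never surface if only the HR feed were consulted, because contractor end dates live in a separate feed. The approval check treats any grant with no earlier approval record for the same request as a finding; in a real deployment the request identifier would come from the workflow engine rather than being constructed here.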
Automated user provisioning gives strong information security control over access. It reduces access risk and enables operational efficiencies. Yet organizations often want too much too soon. When deploying an identity management system, many factors influence the outcome, and organizations must honestly assess their resources, their alignment and their existing state.
Before expecting to leap-frog the stages, ask the following. Are your enterprise roles, privileges and groups already defined? Have HR, IT and the business units signed off on the access maps? Are resources allocated to take your organization through the deployment stages? If so, how many, and for how long?
Think through automated user provisioning in stages. Apply a security focus when working through role and privilege needs. When you have no automated processes, start with the functionality that is easiest to implement. With a holistic approach, you'll get what you want sooner, and cheaper too.
Get the Top 10 User Provisioning Best Practices Workbook
The workbook supports rapid planning, strategic decision-making, and technology selection for user provisioning software. Jump-start your user provisioning and identity management initiative, learn from IT security experts, and address the challenges that derail projects.