- Application and organisation onboarding processes for balanced IAM growth
- Provisioning for joiner processes
Streamlining identity and access management is essential to getting the most out of your organisation’s assets and your employees’ productivity.
Individual business stakeholders and departments have widely different understandings of how identity and access management (IAM) processes function in the organisation. Each has (or thinks it has) its own IAM processes. For example, the HR team may have user onboarding processes for basic infrastructure applications which differ from the helpdesk team’s. Implementing a huge array of overlapping or redundant IAM processes is not only expensive but leads to confusion among users. Often there are disputes around who owns, or should own, which area.
Implementing existing convoluted and legacy business processes is never a good idea. It leads to brittle customisations that may not provide the necessary performance and flexibility. They are also difficult to maintain and upgrade. However, making sure that only the employee’s manager and the application owner are required to review and approve access requests greatly simplifies the access request approval and onboarding processes. Taking time to step back, simplify and streamline IAM processes can significantly reduce costs.
Some enterprises treat IAM as back-office processes that don’t deserve priority or attention. The result is a terrible user experience that leaves employees frustrated. Organisations regularly relate episodes where users have needed to wait two or three weeks before they have all the necessary access to be productive.
Too often enterprises underestimate the importance of providing users (especially business users) with smooth, seamless IAM processes that they can see the value of and use easily. For example, adding self-service or improved identity management – such as provisioning or attestation – to access management projects, compensates users for any behaviour changes or perceived inconveniences related to the new access management system.
When you interview business stakeholders about their business pain and frustration around IAM, you hear the same complaints over and again: too many passwords; too much time spent waiting for the right access to applications and data; and too slow a process for onboarding a business partner. The inability to access applications in a timely fashion will affect your company’s ability to serve your customers well.
Application onboarding into the IAM process means creating the necessary connectors for an IAM system to automate the creation, deletion and modification of the user in the application’s user repository, in accordance with changes in the IAM centralised provisioning system.
Organisation onboarding means extending the IAM system’s automated delegated administration, attestation, automated self-service, access request and approval services to cover a particular organisation, such as a procurement department. As the scope of your IAM system increases, you need a way to prioritise applications and organisations. In addition, defining the metrics you need to track at the time you onboard the application, organisation or resource will help to communicate the success or failure of the process as well as communicate business value.
For example, good metrics focus on cycle time spent on working with (requesting, reviewing or changing) entitlements in applications before and after the implementation of the automated IAM process.
Organisations should identify applications that store toxic data. You should onboard into the IAM ecosystem first applications that contain toxic data such as personally identifiable information (PII), financial data, company intellectual property (IP) or applications that fall under Sarbanes-Oxley or other compliance mandates.
Now, identify task-oriented workers or those with lots of sensitive access. Many organisations report success when they target departments with simple, task-oriented jobs for initial IAM onboarding. The employees in these departments include call centre workers, factory floor workers, field workers and others where the job is task-oriented and requires access to only a handful of applications.
The next stage is to create an inventory of unstructured data, portals and file shares that contain toxic data. While some enterprises allow individual departments or groups to govern access to file shares, network drives – and today, cloud-based storage and collaboration systems – without any control, this is quickly becoming the exception, not the rule.
Unstructured content such as documents, spreadsheets, presentations, videos and photos contain toxic data. You must gather an inventory and classify this information so you can control and prioritise which data assets, portals and cloud storage mechanisms you onboard into the IAM environment. Limiting and enforcing access control is critical to stemming the tide of data breaches.
Joiner processes allow for the appropriate provisioning of users with the necessary application access rights and data they will need to perform their jobs. Not only is the first employee or business partner experience important, but having solid processes for user onboarding helps with IT identity administration efficiency, compliance and security.
Organisations should pay attention to careful background checks and vetting. Your company is only as good as the people who work for it. Sloppy background checks and identity verification processes will undermine the credibility of an otherwise robust IAM set of processes. Be sure to onboard only those users whose backgrounds your team or HR has thoroughly vetted and make an HR employee responsible for each background check.
We are all familiar with the “create my new employee’s access just the same as John Doe’s access” edict often issued by managers. Companies most successful with this policy define enterprise job roles or job description-related access and at least attempt to ensure that joiners get access based on uniform job roles. Cloning users leads to too many unnecessary and inconsistent privileges that pose a security threat. If a manager does not know what his or her user needs to access according to the joiner’s job description and title, the company has much bigger problems than identity management. You should not allow users to gain access to any business application without the explicit approval of the manager (the application owner will want to approve, of course).
Managers need to know what their employees are doing. Even if you don’t have an automated process for user account provisioning, you can have a user ID-naming convention in place. This will help avoid stale and uncorrelated application accounts, and you can implement it easily when you do implement an IAM system. Common conventions include: 1) first initial plus last initial plus employee number; 2) an “E” or “C” prefix based on whether the user is an employee or a contractor, plus a unique employee number; and 3) re-use of a mainframe user ID-naming convention or some other existing naming convention. The user ID should not contain any non-English or special characters; you should limit it to eight characters because of legacy systems; and it should be immutable, so that it can serve as a primary key for correlating users.
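The following script is an added illustration, not part of the Forrester report, of the two first naming conventions above together with the constraints the paragraph lists (ASCII only, at most eight characters, immutable) and of the correlation check they make possible: matching application accounts back to HR records so that stale or orphaned accounts stand out. The HR records and application account lists are constructed sample data, and the eight-character regex and the accent-folding rule for initials are assumptions about how an organisation might encode the convention.

```python
import re
import unicodedata

# Rules from the conventions above: ASCII letters/digits only, at most 8 characters (assumed encoding).
USER_ID_RE = re.compile(r"[A-Z0-9]{1,8}")

def ascii_initial(name: str) -> str:
    """First letter of a name folded to ASCII ('É' -> 'E'); refuse letters with no fold ('Ø')."""
    first = name.strip()[0]
    folded = unicodedata.normalize("NFKD", first).encode("ascii", "ignore").decode()
    if len(folded) != 1 or not folded.isalpha():
        raise ValueError(f"initial {first!r} has no single ASCII equivalent; assign manually")
    return folded.upper()

def validate(user_id: str) -> str:
    # Reject IDs that legacy systems cannot store or that would not work as a correlation key.
    if not USER_ID_RE.fullmatch(user_id):
        raise ValueError(f"{user_id!r} breaks the convention (A-Z/0-9, max 8 chars)")
    return user_id

def initials_id(first_name: str, last_name: str, employee_number: int) -> str:
    """Convention 1: first initial + last initial + employee number."""
    return validate(f"{ascii_initial(first_name)}{ascii_initial(last_name)}{employee_number}")

def prefixed_id(employee_number: int, contractor: bool = False) -> str:
    """Convention 2: 'E' (employee) or 'C' (contractor) prefix + unique employee number."""
    return validate(f"{'C' if contractor else 'E'}{employee_number}")

# Constructed sample data: HR records keyed by immutable user ID, and accounts exported from two apps.
HR_RECORDS = {
    "E100200": {"name": "Jane Doe", "status": "active"},
    "C100201": {"name": "Ola Nordmann", "status": "active"},
    "E100202": {"name": "Li Wei", "status": "terminated"},
}
APP_ACCOUNTS = {
    "payroll": ["E100200", "E100202", "jdoe"],
    "crm": ["C100201", "E100200", "E100999"],
}

def find_uncorrelated(hr: dict, apps: dict) -> list:
    """List application accounts that cannot be tied to an active HR record."""
    findings = []
    for app, accounts in apps.items():
        for acct in accounts:
            rec = hr.get(acct)
            if rec is None:
                findings.append((app, acct, "no HR record: orphaned or non-conforming ID"))
            elif rec["status"] != "active":
                findings.append((app, acct, "HR record not active: stale account"))
    return findings
```

Because convention 1 bakes the initials in at join time, the ID must be stored as issued rather than recomputed after a name change, or it stops being immutable.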
This is an extract of the Forrester report, Simplify Identity And Access Management Processes To Reduce Costs, Increase Business Efficiency and Make Users Happy, by Andras Cser. Andras is a principal analyst at Forrester and will be speaking at Forrester’s upcoming Security & Risk Forum EMEA 2013 in London (June 10-11).