Growth in the number and size of account repositories in the enterprise drives much of the business case for Identity and Access Management (IAM) tools today.
Analysts estimate that by 2020, the number of discrete account repositories that require administration will have increased by 60% since 2015. While Enterprise IT may have IAM tools deployed, simply automating manual processes for account management does little to reduce risk, because the discontinuities in those processes will still allow the same issues to occur.
In this post, we will explore 4 key practices to ensure effective application of automation to account management without replicating the same issues caused by manual processes.
Identity and Access Management Is Rooted In Relationships
Establishing key controls that address account management issues and reduce risk starts with the user. An identity is the representation of a person who is known to an organization. Repositories require representations of every person who is authorized to interact with an organization’s environment. Creating an identity is usually the starting point of an identity life cycle. In most organizations, Enterprise IT will need to support multiple ways of creating an identity, so there will be multiple identity life cycles. From here, our recommendation is to model each identity’s organizational relationships as roles tied to specific identity life cycles.
The identity life cycle controls how and when the associated relationship role is assigned to and removed from an identity. For example, an employee’s identity life cycle would be tied to the external employment process through an HR system, so that the employee role would be added to the proper identity when the employee starts and removed on the employee’s termination. A contractor’s identity life cycle may be initiated by a manager making a request via an input form, and that life cycle may then rely on an expiration date for removing the contractor’s relationship role.
Don’t Take Design Lightly
Poorly designed identity life cycle processes increase risk and defeat the purpose of automating account management with identity and access management products or services. Problems with identity life cycles can be difficult to detect, leaving Enterprise IT unaware of them until they are uncovered by auditors. One specific example is improper role removal: a relationship role is stripped from an identity whose relationship with the organization is still active. This could happen in a variety of ways; perhaps an HR feed was truncated by a processing error, causing employee roles to be removed from identities even though the people remain active employees. Another side effect of poor identity life cycle process design is the Zombie Role. This is a relationship role that is still associated with an identity long after the person’s relationship with the company ended. A common example is a contractor that was never tagged with an expiration date.
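The two life cycles described above (an HR-fed employee role and a sponsored contractor role with an expiration date) and the two failure modes just named (a truncated HR feed stripping roles, and contractor roles that never expire) can be modelled in a few dozen lines. The following is an added example written for this post, not code from the original article or from any IAM product; the identity store, the uids, the dates and the 10% drop threshold are all constructed assumptions. It shows a preventive control on the employee life cycle (hold removals when a feed would drop an implausible share of active employees) and a detective control on the contractor life cycle (report sponsored roles with no expiration date or with a date that has passed).

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class RelationshipRole:
    name: str                    # e.g. "employee" or "contractor"
    lifecycle: str               # the life cycle that owns this role: "hr_feed" or "sponsored"
    expires: date | None = None  # sponsored roles are expected to carry an expiration date


@dataclass
class Identity:
    uid: str
    roles: dict[str, RelationshipRole] = field(default_factory=dict)


class IdentityStore:
    """Constructed in-memory repository of identities and their relationship roles."""

    def __init__(self) -> None:
        self.identities: dict[str, Identity] = {}

    def get_or_create(self, uid: str) -> Identity:
        return self.identities.setdefault(uid, Identity(uid))

    def holders(self, role_name: str) -> set[str]:
        return {i.uid for i in self.identities.values() if role_name in i.roles}


def apply_hr_feed(store: IdentityStore, feed_uids: set[str], max_drop_ratio: float = 0.10) -> dict:
    """Employee life cycle: the HR feed is the only source that adds or removes the
    'employee' role. Removals are held back (not applied) when the feed would drop
    more than max_drop_ratio of current employees, the signature of a truncated feed."""
    current = store.holders("employee")
    to_add = feed_uids - current
    to_remove = current - feed_uids
    held = bool(current) and len(to_remove) > max_drop_ratio * len(current)
    for uid in to_add:
        store.get_or_create(uid).roles["employee"] = RelationshipRole("employee", "hr_feed")
    if not held:
        for uid in to_remove:
            del store.identities[uid].roles["employee"]
    return {"added": sorted(to_add), "removed": [] if held else sorted(to_remove), "held": held}


def sponsor_contractor(store: IdentityStore, uid: str, expires: date | None) -> RelationshipRole:
    """Contractor life cycle: a sponsor's request creates the role, and the
    expiration date is mandatory so the role cannot outlive the engagement."""
    if expires is None:
        raise ValueError(f"contractor role for {uid} requires an expiration date")
    role = RelationshipRole("contractor", "sponsored", expires)
    store.get_or_create(uid).roles["contractor"] = role
    return role


def expire_contractors(store: IdentityStore, today: date) -> list[str]:
    """Scheduled step of the contractor life cycle: remove roles whose date has arrived."""
    expired = []
    for uid in store.holders("contractor"):
        role = store.identities[uid].roles["contractor"]
        if role.expires is not None and role.expires <= today:
            expired.append(uid)
    for uid in expired:
        del store.identities[uid].roles["contractor"]
    return sorted(expired)


def zombie_roles(store: IdentityStore, today: date) -> list[tuple[str, str]]:
    """Detective control: a sponsored role with no expiration date, or with a
    date that has passed and is still present, is a zombie role to be reported."""
    found = []
    for ident in store.identities.values():
        for role in ident.roles.values():
            if role.lifecycle == "sponsored" and (role.expires is None or role.expires < today):
                found.append((ident.uid, role.name))
    return sorted(found)


def demo() -> dict:
    """Walk both life cycles through the scenarios from the post with constructed data."""
    today = date(2024, 1, 15)  # constructed date
    store = IdentityStore()
    full_feed = {f"emp{i:02d}" for i in range(10)}             # constructed employee uids
    first = apply_hr_feed(store, full_feed)                     # initial load of ten employees
    truncated = apply_hr_feed(store, {"emp00", "emp01", "emp02"})  # processing error: feed cut to three
    normal = apply_hr_feed(store, full_feed - {"emp09"})        # one genuine termination
    sponsor_contractor(store, "ctr01", today + timedelta(days=30))  # properly sponsored contractor
    # Legacy records loaded outside the sponsor path: one with no date, one long past its date.
    store.get_or_create("ctr02").roles["contractor"] = RelationshipRole("contractor", "sponsored", None)
    store.get_or_create("ctr03").roles["contractor"] = RelationshipRole("contractor", "sponsored", date(2023, 6, 30))
    expired = expire_contractors(store, today)
    zombies = zombie_roles(store, today)
    return {"first": first, "truncated": truncated, "normal": normal,
            "employees": len(store.holders("employee")),
            "expired": expired, "zombies": zombies}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the walk-through, the truncated feed is held rather than applied (seven of ten employees would otherwise lose their role), the single genuine termination goes through, the contractor with a past date is removed by the scheduled step, and the contractor record that never received an expiration date surfaces in the zombie report. The hold threshold is a policy choice; what matters is that a feed anomaly produces an alert for a human rather than silent role removal.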