Provisioning access for new employees can be a time-consuming exercise without the proper processes and tools in place. Even more challenging and important is de-provisioning user access when roles change, or people leave the organization. In the last IAM Best Practices blog, Tom Malta discussed the value in establishing and maintaining unique identities and its importance in establishing proper access controls and visibility throughout a user’s entire lifecycle. This blog will focus on helping organizations decide where to start on their journey to automating the provisioning process and more importantly de-provisioning of those unique identities and how to align with business priorities and risk goals.
Your business priorities and business goals can help determine where to start with automating provisioning and de-provisioning. What is your goal?
- ROI – Reduce manual time spent creating accounts and granting access
- User Experience – Onboard faster and shorten a new user’s time to access
- Risk – Address audit findings, comply with regulations, protect most sensitive data
If your main focus is ROI and/or user experience, then your focus will be on provisioning of access. Start by identifying your personas across the organization, and then identify, for each persona, which applications are needed, what level of access is required, which teams are responsible and the processes to add, remove and modify access. Obviously, your baseline persona is going to be general population roles and the applications that all of your employees will access, for example, company portal, company store, incentive apps, benefits apps. Every organization is different, but the next level of focus on applications, roles and access could relate to regions, divisions, functional areas, job level, full-time, contract, seasonal, etc.
However, in most organizations, the main driver for automating provisioning/de-provisioning should be risk reduction and improved security, given that the overwhelming majority of data breaches are traced back to compromised credentials. Going one step further, automating the de-provisioning process should be the primary focus for risk reduction. Inappropriate access, such as access to sensitive data that remains after a user has transferred roles or an employee has been terminated, can result in significant reputational or financial damage.
In addition to the focus on de-provisioning (vs provisioning), focusing on risk changes how you approach the implementation. Instead of starting with your users, start with the most sensitive data and applications – what applications are considered mission critical or subject to SOX controls? What data is considered sensitive to your organization, perhaps your intellectual property, or what data is considered personally identifiable information (PII)?
So, where should you start? While it is all about aligning to your business priorities, given the environment we live in today – we will collectively spend $123 Billion on cybersecurity, only to lose $6 Trillion in damages – it is important for every organization to view automated provisioning, and more specifically de-provisioning, as an exercise in risk reduction. To be successful in this effort, your starting point regardless of priorities should be to 1) centralize the teams who will be focusing on the people, process and technology of implementing provisioning/de-provisioning, 2) identify a single source of truth for identities, roles and access and 3) make your identities unique for long term traceability and visibility, as discussed in the previous blog.
It’s the basics that matter, but behavioral analytics and AI are emerging trends in this space, as well, enabling dynamic provisioning/de-provisioning of access based on user behavior. For example, if an employee has transferred and has not accessed an application in a prescribed period of time, access for the application will be removed automatically.
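As an added illustration of the inactivity rule above (example code written for this post, not an Optiv or product implementation), the script below joins three inputs an organization would already have once it has a single source of truth: HR status, an application inventory tagged by sensitivity (SOX, PII, general), and last-access timestamps from application logs. All names, user IDs, tiers and timestamps are constructed sample data; the inactivity period and the ordering rules are assumptions to be tuned to your own risk goals.

```python
from datetime import datetime, timedelta

# Constructed sample inputs (hypothetical, not from the post): the HR system as
# the single source of truth for status, an application inventory with
# sensitivity tiers, current entitlements, and last-access times from app logs.
NOW = datetime(2024, 6, 1)
HR_STATUS = {"u1001": "active", "u1002": "transferred",
             "u1003": "terminated", "u1004": "active"}
APP_TIER = {"erp-ledger": "sox", "hr-records": "pii", "company-portal": "general"}
ENTITLEMENTS = [
    ("u1001", "erp-ledger"),
    ("u1002", "erp-ledger"),      # transferred out, still holds SOX-scoped access
    ("u1002", "company-portal"),  # general-population app, still used daily
    ("u1003", "hr-records"),      # terminated, PII access never removed
    ("u1004", "hr-records"),
]
LAST_ACCESS = {
    ("u1001", "erp-ledger"): NOW - timedelta(days=2),
    ("u1002", "erp-ledger"): NOW - timedelta(days=75),
    ("u1002", "company-portal"): NOW - timedelta(days=1),
    ("u1003", "hr-records"): NOW - timedelta(days=40),
    ("u1004", "hr-records"): NOW - timedelta(days=3),
}
TIER_RANK = {"sox": 0, "pii": 1, "general": 2}


def deprovisioning_actions(inactivity_days=60, now=NOW):
    """Return (rank, user, app, reason) tuples, most urgent first.

    Rule 1: a terminated user loses every entitlement immediately.
    Rule 2: a transferred user loses access to a sensitive (non-general) app
            once it has been idle for the prescribed period; a never-used
            entitlement counts as idle for the full period.
    Ordering: terminations first, then by app sensitivity tier.
    """
    actions = []
    for user, app in ENTITLEMENTS:
        status, tier = HR_STATUS[user], APP_TIER[app]
        last = LAST_ACCESS.get((user, app))
        idle = (now - last).days if last else inactivity_days
        if status == "terminated":
            rank, reason = 0, "terminated: revoke all access"
        elif status == "transferred" and tier != "general" and idle >= inactivity_days:
            rank, reason = 1 + TIER_RANK[tier], f"transferred, {idle}d idle on {tier} app"
        else:
            continue  # active user, or transferred user still using a general app
        actions.append((rank, user, app, reason))
    return sorted(actions)


if __name__ == "__main__":
    for rank, user, app, reason in deprovisioning_actions():
        print(f"[{rank}] remove {user} from {app}: {reason}")
```

In practice the returned actions would feed a ticket or an automated connector rather than a print, and the last-access feed needs to cover every application in the sensitive tiers or the idle rule silently never fires for them.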
While automated provisioning and de-provisioning can improve user satisfaction through easier access to applications and faster on-boarding, and can improve ROI by reducing the resources required to manage access across user populations, the biggest driver in our world today is the risk of a breach.
About the Author: Julie Talbot-Hubbard, General Manager, Global Vice President of Digital Identity and Data Services at Optiv, has held key transformative CISO and Data Leadership positions where she established and aligned global security and data strategies while leading the implementation of Security and Data capabilities to reduce each organization’s cyber risk exposure while enabling them to maximize their data to grow revenue, product evolution and consumer delight. Julie is a member of the IDSA Executive Advisory Board.