Automating Identity Lifecycle Management

241 VIEWS

· ·

The identification of every user making a request to a given system is vital to ensuring that action is only taken by, and information only returned to, those who need it. This happens in two steps: first, the requester is identified (authenticated), and then that identity is used to determine which parts of the application they are allowed to access. These identities can include systems that need access in order to perform background processing, or they can be assigned to a person like an employee or a client.

Now that we know why identities matter, it’s essential to realize that people are not always customers for life, new employees will be hired, and other employees will decide to leave. All of these activities require that identities have a lifecycle wherein they are created, modified, and eventually retired. This can be done manually across the few systems that exist in small organizations, but as organizations expand, identity lifecycle management becomes a much more daunting task.

Identity Management Use Cases for Automation

There are a nearly infinite number of scenarios in which automation can be used within an organization’s identity lifecycle management practice. Below is a list of some of the higher value and easier-to-showcase use cases which quickly prove that the ultimate value of automation is well worth the initial time investment that it takes to fully automate your organization’s processes.

New Employees

You’ve probably started a new job and had to wait days or even weeks to get all of the access that you need in order to do the work you were hired to do. Automation will help streamline this process so that companies have everything ready on the new employee’s first day of work.

When new employees are brought into an organization, there are many things that need to be done, and requests are not always made in a timely manner so that things are ready when needed. These tasks include adding new employees to the corporate directory and the payroll system, granting them access to business applications, assigning them desks, and ordering and delivering their laptops, uniforms, phones, and more. All of these tasks can be individually automated and then combined into workflows that can be run on-demand or scheduled to run at a specific time prior to the employee’s start date.

Outgoing Employees

When employees leave an organization, they no longer need access to the company’s systems or other property, and it’s a best practice to remove their access as soon as possible. Automation enables organizations to identify and suspend such accounts with a nice clean record of when it happened for auditing purposes.

By taking advantage of automation, especially in the event of a termination, there won’t be any scrambling to remember which systems they may have had access to. Instead, the process will be routine and applied consistently. If an employee is just moving to a new role in the organization, the automation can be set to clean up the old permissions after a transition period so that the employee can still help their former department train the new hire.

Attestation

In the world of regulated industries, access to sensitive systems and data must be routinely revalidated. With automation, businesses can generate reports to ensure that only the right roles have access to the right systems. Automation can also prevent access drift, where people are granted access outside of the proper channels. With more advanced automation, you can create interactive reports and require the system owner to acknowledge that the data in the report is accurate for auditing and compliance.

Privilege Escalation

There are times when people need more access than normal to perform specific functions. This is often handled unofficially, and there might be no record, no cleanup, and (often) no prior approvals. This isn’t because people want to be sneaky; it’s often done at the last minute in order to fix a problem, or because no one knows who owns the system and it’s easier and faster to just escalate privilege than it is to figure out who to ask. What if you could build a workflow that could automatically locate and ask the owner to approve or deny the request, then remove any escalated access that it granted after a specific amount of time?

Separation of Duties

The separation of duties policy ensures that no one person controls all aspects of a task; for example, no single employee in the accounting department can create a supplier, submit an invoice, and also pay that invoice. Depending on the type and size of an organization, it might have rules about the separation of duties. It’s incredibly time-consuming to check specific roles manually, but it can be done quickly with some basic automation. In addition, remediation can also be handled automatically.

Not only does introducing automation into your identity management workflow just make sense, but it’s also the only way that you can really be consistent when actively processing changes to identities and when confirming that no changes are happening outside of the defined process. In addition, automation will reduce access drift, wherein unused accounts do not get removed or people gain new access when they switch roles without losing their old access privileges.

All of these benefits will help reduce the available attack surface for potential security breaches and make complying with industry regulations and laws much easier. That includes privacy laws, which have become high profile in the last few years. These laws — like HIPAA, PIPEDA, and GDPR — often impose sizable fines, even when organizations involuntarily disclose personally identifiable data. The source of these leaks is often unused accounts or accounts that have been granted too much access.


Vince Power is an Enterprise Architect with a focus on digital transformation built with cloud enabled technologies. He has extensive experience working with Agile development organizations delivering their applications and services using DevOps principles including security controls, identity management, and test automation. You can find @vincepower on Twitter. Vince is a regular contributor at Fixate IO.


Discussion

Click on a tab to select how you'd like to leave your comment

Leave a Comment

Your email address will not be published. Required fields are marked *