It all starts with provisioning. Unfortunately, many CIOs struggle with a confusing array of tasks that form the provisioning process within their organisations. There is usually some automation that creates an Active Directory (AD) record, but much of the access control to applications is done manually. A new staff member must fill in application forms or call system administrators to get provisioned into the systems they need to do their jobs; this is not only very costly, it is wide open to abuse, because access granted by an ad hoc phone call is rarely recorded, reviewed or revoked.
There are several issues to be addressed while deploying a provisioning facility:
An approval workflow to control the account creation process is essential. No one should get access to a protected resource (computer system, computer application or sensitive document) without a time-stamped, auditable approval being granted. The workflow should also record the expiry of such access, if applicable.
A self-service function should be available. This means that staff members should not have to fill out forms that are then retyped by someone else into the target systems being provisioned. The initial request, and subsequent changes, should be initiated and approved via the workflow process. No manual intervention should be required other than a manager clicking approve or deny when they receive a machine-generated approval/notification message.
The workflow should interface to the authoritative source for identity data. This will typically be the HR system for staff biographical and positional data, and the contract management system for contractors. Details such as telephone numbers should come from the PABX where appropriate, but once collected they should populate the contact directory rather than be keyed in again (many organisations simply let staff maintain their own contact details, since mobile phone numbers are usually the most important ones and change most often).
A record of approvers is required. In some cases this will be a person's supervisor, in some cases it will be the resource owner. In some cases multiple people will need to approve a person's access; modern provisioning systems accommodate this requirement.
Attestation reporting is an important component of a provisioning system. Reports of staff members' access rights should be periodically sent to managers within the organisation to be checked. This can be combined with a re-certification process that automatically time-stamps the verification of a staff member's access rights, or disables access that has not been re-approved within the review period.
Entitlement management is important in some environments. Applications often maintain their own repository of user IDs for those staff with access rights. In this case automatically setting those access rights should be considered. If the application is AD-aware (i.e. it uses AD groups), this is quite simple: the workflow adds or removes the user from the relevant group. If an access control list is maintained within the application it is more difficult; in this instance the provisioning workflow must maintain a decision tree for entitlements and have an interface (a connector) to the application in question so that it can write back to the application's access control list, and, just as importantly, remove the entry when access is revoked.
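Added here as an illustration, not code from the original article: a small Python model of the provisioning workflow described in the points above. It shows a time-stamped, auditable multi-approver sign-off (no access until every recorded approver has approved), an expiry date on the grant, AD-group style entitlement write-back, and an attestation sweep that disables access that has expired or has not been re-certified within the review period. The resource, approver roles, group name, and the 90-day and 180-day periods are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class AccessRequest:
    subject: str                  # staff member who needs the access
    resource: str                 # protected resource: system, application or document
    requested_at: datetime
    expires_at: datetime | None   # None: open-ended, but still subject to re-certification
    approvals: dict = field(default_factory=dict)   # approver -> time-stamp of approval
    denied_by: str | None = None
    recertified_at: datetime | None = None
    active: bool = False


class ProvisioningWorkflow:
    """Approval, entitlement write-back and attestation (illustrative, in-memory)."""

    def __init__(self, required_approvers, entitlements):
        self.required_approvers = required_approvers  # resource -> set of approver roles
        self.entitlements = entitlements              # resource -> AD-style groups to grant
        self.requests = []
        self.audit = []           # time-stamped record of every request and decision
        self.group_members = {}   # stands in for directory group membership

    def _log(self, when, event):
        self.audit.append((when, event))

    def _check_approver(self, req, approver):
        if approver not in self.required_approvers[req.resource]:
            raise PermissionError(f"{approver} is not an approver for {req.resource}")

    def request(self, subject, resource, now, ttl=None):
        if resource not in self.required_approvers:
            raise KeyError(f"no approvers recorded for {resource}")
        req = AccessRequest(subject, resource, now, now + ttl if ttl else None)
        self.requests.append(req)
        self._log(now, f"request {subject}->{resource}")
        return req

    def approve(self, req, approver, now):
        self._check_approver(req, approver)
        if req.denied_by or req.active:
            return
        req.approvals[approver] = now
        self._log(now, f"approve {req.subject}->{req.resource} by {approver}")
        # Access is switched on only once every required approver has signed off.
        if self.required_approvers[req.resource] <= set(req.approvals):
            self._activate(req, now)

    def deny(self, req, approver, now):
        self._check_approver(req, approver)
        req.denied_by = approver
        self._log(now, f"deny {req.subject}->{req.resource} by {approver}")

    def recertify(self, req, approver, now):
        self._check_approver(req, approver)
        if req.active:
            req.recertified_at = now
            self._log(now, f"recertify {req.subject}->{req.resource} by {approver}")

    def _activate(self, req, now):
        req.active = True
        req.recertified_at = now   # the initial approval is the first certification
        for group in self.entitlements.get(req.resource, ()):
            self.group_members.setdefault(group, set()).add(req.subject)
        self._log(now, f"activate {req.subject}->{req.resource}")

    def _deactivate(self, req, now, reason):
        req.active = False
        for group in self.entitlements.get(req.resource, ()):
            self.group_members.get(group, set()).discard(req.subject)
        self._log(now, f"deactivate {req.subject}->{req.resource}: {reason}")

    def attestation_report(self):
        """What a manager is sent to check: each active grant, its approvers and expiry."""
        return [(r.subject, r.resource, sorted(r.approvals), r.expires_at)
                for r in self.requests if r.active]

    def run_attestation(self, now, recert_period):
        """Disable grants that have expired or were not re-certified within recert_period."""
        disabled = []
        for r in self.requests:
            if not r.active:
                continue
            if r.expires_at is not None and now >= r.expires_at:
                reason = "expired"
            elif now - r.recertified_at > recert_period:
                reason = "not re-certified"
            else:
                continue
            self._deactivate(r, now, reason)
            disabled.append((r.subject, r.resource, reason))
        return disabled


def has_access(wf, subject, resource):
    return any(r.subject == subject and r.resource == resource and r.active
               for r in wf.requests)


def demo():
    """Constructed walk-through (hypothetical names): a 90-day contractor grant,
    an open-ended staff grant, and two attestation sweeps 180 days apart."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    wf = ProvisioningWorkflow(
        required_approvers={"payroll-app": {"line-manager", "payroll-owner"}},
        entitlements={"payroll-app": {"PAYROLL_USERS"}},
    )
    alice = wf.request("alice", "payroll-app", t0, ttl=90 * day)
    wf.approve(alice, "line-manager", t0 + day)       # one of two approvals: still pending
    wf.approve(alice, "payroll-owner", t0 + 2 * day)  # second sign-off activates the grant
    bob = wf.request("bob", "payroll-app", t0)
    wf.approve(bob, "line-manager", t0 + day)
    wf.approve(bob, "payroll-owner", t0 + day)
    wf.recertify(bob, "line-manager", t0 + 100 * day)
    first = wf.run_attestation(t0 + 200 * day, recert_period=180 * day)   # alice: expired
    second = wf.run_attestation(t0 + 300 * day, recert_period=180 * day)  # bob: lapsed
    return wf, first, second
```

In a real deployment the `group_members` dictionary would be replaced by calls to the directory or the application's connector, and `audit` by an append-only store; the shape of the checks stays the same: no activation without the full set of recorded approvers, every decision time-stamped, and a periodic sweep that removes what has not been positively re-approved rather than waiting for someone to notice.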
Provisioning remains the most important aspect of an identity management system, and the effort required to get it right probably represents an excellent return on investment for most organisations. Eliminating manual effort will not only save money, it will significantly improve security and reduce the risk associated with access to protected resources.
This series of blogs looks at the major components of identity and access management to encourage discussion and raise awareness.
As a major trend in the IDM sector, consumerization has become easier and exponentially more important. Digital transformation will literally put a significant segment of the SME market out of business and propel a significant number of SMEs to new levels of prosperity.
Federated authentication is essential for businesses. It's the only way to effectively manage external access to business systems, and it's absolutely necessary in order to manage authentication to SaaS apps if you don't want to expose your identity records to potential compromise.
Access Control is the core of the identity and access management task. Once we have correctly provisioned user data into the enterprise’s identity service we need to leverage it for access control. The vast majority of organizations use role-based access control, but increasingly, access control based on attributes is gaining traction.
MC Press Online, LLC is the world's leading provider of educational materials for IBM Power Systems (System i, eServer i5/iSeries, and AS/400) professionals. Our mission is to deliver hands-on, nuts-and-bolts information about current and significant new technologies in the IBM field, so you can be more productive on the job and get more out of your career.