Dark Present but Brighter Future for AD Account Lifecycle Management

From onboarding new hires and quickly removing the access of fired employees to tracking promotions and third-party access in an organization in constant flux, account lifecycle management can turn into a security nightmare for enterprises. High maturity, meaning a high level of automation, is a universal solution to these headaches, but it usually requires a significant investment of time and resources from the organization. To assess organizations’ level of maturity in managing account lifecycles, One Identity commissioned Dimensional Research to conduct a survey of IT professionals. The survey revealed that many organizations are struggling with automation, leaving them with error-prone manual workflows, provisioning and role management.

In the organizations surveyed, Active Directory is by far the most popular choice as a source of authoritative identity information. Microsoft’s solution dominates, with 62% of respondents considering AD the most authoritative source of identity information in their organization. Aggregated, HR systems are a distant second, while Azure Active Directory, Microsoft’s other (and very different) directory service, completes the podium.

Stages of automation

The key question in our survey relates to the level of automation organizations achieve when provisioning, adjusting, or terminating user accounts. The results are staggering: only a tiny fraction of respondents said they achieved fully automatic provisioning of all users across all systems within their enterprise, meaning 92% require some amount of error-prone manual intervention during the provisioning process.

When checking for workflow maturity across all processes (connect provisioning, access requests, approvals and access certification), reality strikes again. Although vendors and experts have spent the better part of the last two decades talking about the security implications of workflow automation, only 10 percent of respondents claim to have achieved full automation. A majority of the surveyed population, 60%, say they have achieved automation in some scenarios, 23% have entirely manual systems, and 8 percent lack identity management workflows completely.

Maturity of role management follows a similar pattern. Only 12 percent of respondents have integrated it with provisioning across the entire enterprise and all users, while a majority of 55% have role management integrated only for some systems and/or some users. Another 21 percent use some form of role management but have not integrated it with any other systems.

Looking at different aspects of AD Account Lifecycle Management, workflow and role management are consistently the most mature fields, while provisioning, a critical part of identity management, is severely lagging. For provisioning automation, a majority (58%) of respondents belong to Stage 1&2 (fully or mostly manual); this number is much lower for workflow (31%) and role management (33%) maturity.

The global survey results confirm that the highly regulated industries, financial services and technology companies lead the field in maturity, with larger companies ahead of smaller ones. Interestingly, the status of the respondent matters little: higher-ranking IT professionals gave similar answers to lower-ranking ones.

Hope for more

The brightest finding of the survey: although maturity levels are far from ideal, organizations are determined to change this. Between 46 and 54 percent (depending on lifecycle activity) indicate increasing investments in AD account lifecycle management, while a tiny minority of 3-4 percent see a decrease in investments.

About the Study

Conducted by Dimensional Research, One Identity’s “2019 State of Identity and Access Management” study surveyed 1,005 IT security professionals from midsize to large enterprises on their current experiences, trends and approaches to Identity Governance and Administration (IGA), PAM and Identity SaaS. The study consisted of an online survey of IT professionals in midsize to large organizations with responsibility for security and who are very knowledgeable about IAM and privileged accounts. A total of 1,005 individuals from the U.S., Canada, U.K., Germany, France, Australia, Singapore, and Hong Kong completed the survey.
