As organizations look to streamline processes and enhance security, automating identity and access management is a key area to target. By automating identity and access management, IT teams can free up time for more important tasks and reduce the friction involved in managing team member and vendor access across the accounts, data and applications they need.
What is identity and access management automation?
Automation in identity and access management is the process of automatically provisioning or de-provisioning users to applications and data by synchronizing with a source of truth, such as an HR system.
In practice, it’s meant to be a seamless process that manages the full employee lifecycle. When a new employee joins a company, HR creates a record for them. That record is then automatically created in the company’s central identity management system. The employee’s information (such as their job title, department and manager) is replicated and used within rules, or mappings, so that they will have an account within certain applications based on their department and job role. Once that step is complete, the employee will automatically receive access to the applications they need to do their job based on their role.
For example, this framework of automation in identity and access management could allow user accounts to be provisioned automatically when users are assigned to a department in an HR system. If set up correctly, the rules could automatically set a user account up to:
- Connect to their department
- Create an account within the department
- Assign them to roles, groups, applications, and permissions/entitlements as necessary
Additionally, the rules will define the employee’s level of access. For example, a marketing director should have a higher level of access equivalent to that role’s needs. An employee handling product marketing may need a different, lower level of access.
When an employee leaves an organization, automation in identity and access management has the functionality of removing all the access that was granted to them during their time at the company. It can automatically disable their account within their department and the company as soon as HR marks them as someone who has left the company.
In between being hired and leaving a company, automation in identity and access management can automatically provision or deprovision team members based on attribute changes, such as a promotion or a change in responsibilities. When employee information is updated in the HR system, the change flows through to the rest of the company and can automatically assign or unassign access as necessary, depending on how the person's role has changed within the organization.
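The joiner/mover/leaver flow described above, as an added example that is not code from the original article: an HR feed is the source of truth, department and title mappings define the desired entitlements, and a reconciliation step diffs that against what the identity system currently holds. All user IDs, department names, titles and entitlement names are constructed for the example.

```python
# Added example (not the article's own code): joiner/mover/leaver reconciliation
# driven by an HR feed and department/title mappings. All names are constructed.

# Mapping rules: each department has a baseline; selected titles add extras.
DEPARTMENT_BASELINE = {
    "marketing": {"email", "crm-user", "marketing-share"},
    "engineering": {"email", "vcs-user", "ci-user"},
}
TITLE_EXTRAS = {
    ("marketing", "Marketing Director"): {"crm-admin", "budget-tool"},
    ("engineering", "Engineering Manager"): {"ci-admin"},
}

# Constructed HR feed: a new hire (joiner), a promotion (mover), a departure (leaver).
# "active" is False once HR marks the person as having left the company.
HR_FEED = [
    {"user": "u100", "department": "engineering", "title": "Engineer", "active": True},
    {"user": "u200", "department": "marketing", "title": "Marketing Director", "active": True},
    {"user": "u300", "department": "engineering", "title": "Engineer", "active": False},
]
# Constructed current state in the identity system before this sync runs.
CURRENT_STATE = {
    "u200": {"email", "crm-user", "marketing-share"},   # pre-promotion access
    "u300": {"email", "vcs-user", "ci-user"},
}

def desired_access(records):
    """Target entitlements per user, derived only from the HR source of truth."""
    desired = {}
    for rec in records:
        if not rec["active"]:
            desired[rec["user"]] = set()          # leaver: everything goes
            continue
        access = set(DEPARTMENT_BASELINE.get(rec["department"], set()))
        access |= TITLE_EXTRAS.get((rec["department"], rec["title"]), set())
        desired[rec["user"]] = access
    return desired

def reconcile(current, desired):
    """Diff current vs desired and return (action, user, entitlement) tuples."""
    actions = []
    for user in sorted(set(current) | set(desired)):
        have, want = current.get(user, set()), desired.get(user, set())
        actions += [("grant", user, e) for e in sorted(want - have)]
        actions += [("revoke", user, e) for e in sorted(have - want)]
        if have and not want:                     # account itself is disabled
            actions.append(("disable", user, None))
    return actions

def run_sync():
    return reconcile(CURRENT_STATE, desired_access(HR_FEED))
```

Running `run_sync()` yields grants for the joiner, only the additional entitlements for the promoted director, and revokes plus a disable for the leaver; nothing the HR feed does not justify is left in place.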
How did the old guard provisioning of accounts work? What are some common pitfalls of provisioning identities, accounts and applications associated with it?
When using Active Directory, LDAP directory or similar solutions, everything had to be done manually. If a new employee was hired, HR would create a record for them in the HR database. Then HR would have to send a ticket or email to the IT team with instructions to create an account for the new user in Active Directory manually. When inputting the new employee’s information, IT would have to ensure that all their information was spelled correctly and hope that the information they received from HR was spelled correctly to start. On top of that, manual data entry already tends to be prone to errors.
After manually entering the new employee’s data, IT would have to manually assign the employee to multiple groups based on their department and job title. Sometimes, IT would copy information from an existing employee from the same department and modify the attributes to speed up the process. The process of assigning groups is important because it affects what the new employee can access within the company’s environment.
Active Directory was also limited to controlling sign-in for the systems it was integrated with. If a system that the new employee needed didn't integrate with Active Directory, IT would have to manually access that application and create an account for the new user to grant the necessary access.
Then, if a user had role changes, getting a notification of the change from HR was not always guaranteed. A notification is necessary for IT to begin the previous process of updating employee information in all related systems. On top of that, if a user left the organization, IT would have to remember to disable them in all non-integrated applications the employee had access to.
So, the primary danger of manual data processing is that the process can easily break down. If IT teams weren't notified that an employee's role was to be updated, the employee wouldn't get access to what they needed for their role. If the user wasn't automatically reassigned, they would have to manually request the change. And even after their role was updated, they could potentially still have access to assets they no longer needed. Unnecessary access became an even bigger problem when employees left the organization. IT could not always recall every asset the user had access to, leaving the organization open to cybersecurity threats.
Are there any disadvantages of automated identity and access management?
If an organization’s data is wrong, or if the logic to the automation is configured incorrectly, then automated identity and access management could take unwanted actions and cause problems. If unknown actions are taking place automatically without IT’s knowledge or input, they may have a harder time figuring out where issues in the provisioning or de-provisioning process exist.
For example, say there's a company in which all employees have accounts within a certain environment. Mappings were set up to ensure that people in different departments were assigned to certain assets, so when a new employee was onboarded, they were automatically assigned to numerous assets.
Then the company undergoes a merger and its processes change. As a result, the mappings that had been developed over time no longer work as they should, but they also weren't removed or updated.
Since managers were unaware that onboarding processes weren't working as they did in the past, new employees stopped receiving the access and devices needed to get their work done. Because the company overlooked its automation configuration, it was unprepared for the merger and is now stuck trying to quickly work out whether it needs to change its data and/or mappings and what its new processes should look like.
This type of chaotic situation doesn't always come from a merger. It could result from a company deciding to move departments around or making other internal changes. Changes like that can break automations if they're based on a specific hierarchy that existed previously and wasn't updated for the change.
However, making edits to mappings is often much easier than making manual changes across individual users.
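The failure mode above (mappings keyed to a department structure that a merger or reorganization has since changed) can be caught with a routine check of the mappings against the current HR feed. The following is an added example, not the article's own code; the department names, users and mappings are constructed.

```python
# Added example (not from the article): a sanity check to run on mappings after a
# reorganization or merger. Departments, users and mappings are constructed.

# Department-to-access mappings as they were built up over time.
MAPPINGS = {
    "marketing": {"email", "crm-user"},
    "sales-emea": {"email", "crm-user", "quote-tool"},  # dissolved in the merger
    "engineering": {"email", "vcs-user"},
}

# Constructed HR feed after the reorganization: "sales-emea" was folded into
# "sales-global", which nobody has written a mapping for yet.
HR_FEED = [
    {"user": "u1", "department": "marketing"},
    {"user": "u2", "department": "sales-global"},
    {"user": "u3", "department": "sales-global"},
    {"user": "u4", "department": "engineering"},
]

def audit_mappings(mappings, records):
    """Return (stale_departments, unmapped_users).

    stale_departments: mappings that match no HR record, so they can never
    fire and should be reviewed or retired.
    unmapped_users: users whose department has no mapping, so they would
    silently receive no access at onboarding."""
    hr_departments = {rec["department"] for rec in records}
    stale = sorted(set(mappings) - hr_departments)
    unmapped = sorted(rec["user"] for rec in records
                      if rec["department"] not in mappings)
    return stale, unmapped

def audit_report():
    stale, unmapped = audit_mappings(MAPPINGS, HR_FEED)
    return {"stale_departments": stale, "unmapped_users": unmapped}
```

Either list being non-empty after an organizational change is the signal that the mappings, not the individual user records, need editing.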
Why is IAM a good candidate for automation?
The work of updating user attributes and manually creating users is essentially data entry. So, without automation, organizations are paying their IT teams to do basic data entry instead of using their higher set of skills to do more useful tasks.
One way to solve this problem would be to allocate an employee at the admin assistant level to handle data entry. However, that person would need access to multiple systems, which might not be possible, nor advisable. Alternatively, users could be assigned full high-level or administrative access from the start to handle their own tasks within the necessary systems, but that violates the principle of least privilege and leaves an organization open to risk in case of a breach.
The best solution is to automate the tasks based on the attributes of a user.
What are some benefits of the automation of identity and access management?
There are several key advantages to automating identity and access management processes.
- Fewer human errors: Humans are error prone. If someone must enter the same data across multiple applications, information can potentially get added incorrectly.
- Lower IT costs: Automated IAM means that hiring additional IT team members to manually do data entry is unnecessary.
- Saved employee effort and improved productivity: When errors are made, it takes time and money to reverse the problem. With automation, the manual on-boarding or off-boarding process is much less error prone.
- Compliance that is easier to maintain: Automated identity and access management keeps track of who has access to what at any given time. So, it makes the task of giving up-to-date access easier. Additionally, if the de-provisioning process is automated, it makes auditing reports much easier by proving that users who leave the organization no longer have access to business applications and data.
- Eliminate deprovisioning nightmares: Automated de-provisioning can automatically disable a user’s access to a device or asset once they leave the organization or if they haven’t accessed select assets over a pre-determined time period.
- Improved security: When access management is automated, it helps ensure that users only have access to what they need when they need it, no matter what stage of the employee lifecycle they’re in.
- Enables the business to work on more important priorities: When IT and other teams don’t have to focus on manual data entry, helping employees reset forgotten passwords, provision and de-provision employees, etc., their time is freed up to work on more important projects.
What is the ideal state for an organization’s IAM posture?
If someone is hired, the ideal state has HR making sure the initial data about the employee is correct so that, by the time it reaches the IT team, it is completely correct and can trigger additional actions. That information launches user creation within the IT system. Configured rules ensure users are automatically assigned, provisioned into their accounts and applications, and sent emails to help them sign in and register their MFA.
Automation in Identity and Access Management will also send out alerts if a user hasn’t logged in to their account for a set time period. If no action is taken, the user’s access will automatically be disabled. That way, the company is proactively ensuring that users don't have access to unnecessary assets. And when users leave the company, their access is automatically cut off across the board and their resources (such as content or records) are automatically reassigned to their manager or replacement.
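The alert-then-disable inactivity policy described above, as an added example that is not code from the original article. It runs in two stages: a user past the warning threshold is alerted first, and only a user who was already alerted and still has not logged in by the disable threshold loses access; a login after the alert resets the clock. The thresholds, user IDs and dates are constructed.

```python
# Added example (not from the article): inactivity policy with a warning stage
# followed by automatic disablement. Thresholds, users and dates are constructed.
from datetime import date, timedelta

WARN_AFTER = timedelta(days=60)     # alert the user (and their manager)
DISABLE_AFTER = timedelta(days=90)  # disable if still idle after being alerted

# Constructed account state: last login and the date an alert was sent, if any.
ACCOUNTS = {
    "u1": {"last_login": date(2024, 5, 20), "alerted_on": None},             # active
    "u2": {"last_login": date(2024, 3, 15), "alerted_on": None},             # idle, not yet warned
    "u3": {"last_login": date(2024, 1, 10), "alerted_on": date(2024, 3, 12)},  # warned, still idle
    "u4": {"last_login": date(2024, 5, 25), "alerted_on": date(2024, 4, 15)},  # warned, then logged in
}

def inactivity_actions(accounts, today):
    """Return {"alert": [...], "disable": [...]} for the given run date."""
    alert, disable = [], []
    for user, acct in sorted(accounts.items()):
        idle = today - acct["last_login"]
        if idle >= DISABLE_AFTER and acct["alerted_on"]:
            disable.append(user)     # warned earlier and still idle: cut access
        elif idle >= WARN_AFTER and not acct["alerted_on"]:
            alert.append(user)       # first stage: notify, do not disable yet
    return {"alert": alert, "disable": disable}

def run_policy():
    return inactivity_actions(ACCOUNTS, date(2024, 6, 1))
```

An account that passes the disable threshold without ever having been alerted is only alerted, so no access is cut without the warning step having happened.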
Implementing automation in identity and access management is an excellent initiative for organizations with goals of streamlining team efficiencies and increasing overall security without impacting their user experience or increasing costs. When implemented correctly, it enables organizations to have a seamless process that manages the full employee lifecycle. Getting your IAM to a state in which employees only have the access they need when they need it is a critical step in adapting to an ever-evolving threat landscape with unparalleled visibility, control and protection, and another step towards unified identity security.