How Lack of Delegated User Administration and Integrated Workflow Will Sink Your Identity Management Initiatives by LTrunk3487



Overview

This document examines ways that delegated user administration and integrated workflow with centralized controls can save an IT organization time and money, leading to increased user productivity and a more secure IT computing environment.

Think a moment about the processes needed to grant user accounts in your organization. Think about new employees who require new accounts or existing employees who need new access within your computing environment. How many steps are involved in this process? How many people must you call or email to make the request? And where are all the people involved with the process located? Are those people local to your team, or must the request cross business units or lines of business?

If the answers to any of these questions make you shudder, or if your Help Desk and employees feel pain every day simply to give and gain the access they need to do their jobs, then it is likely your identity management processes are largely un-automated. Phone calls to empty desks and voicemails await approval for account requests. Multiple levels of approval are required to complete a simple access request. Or, even worse, the individuals doing the approvals are in areas of the business far removed from the requestor, approving access requests for systems and requestors they simply don't know.

These complicated and un-optimized approval processes don't happen on purpose, and they don't happen overnight. As an enterprise grows, so do its processes, as well as the people and personal interests involved with those processes. Over periods of time and stages of growth, the "old" mechanisms for access requests and approvals cease to scale with the size of the organization. Approvers find themselves rubber-stamping requests for teams and business units outside their scope of control. Even more painful are the highly manual steps involved in unautomated approval systems.

Phone calls to approvers cease to be an efficient medium for gaining approval. Approvals by acclamation don't fulfill the regulatory requirements now placed upon enterprise organizations. Lacking documentation, the entire process grows impossible to manage, which ultimately creates a security risk to the entire organization.

Contents

• Overview
• What Are Delegated User Administration & Integrated Workflow and Why Should You Care?
• The Cost of Doing Nothing
• The Pain of User Administration
• The High Cost of Managing Identities
• Multiple Points of User Administration
• Administration Point Hierarchies
• Manual Notification and Approval
• Security Risk and Ad Hoc Permissions Management
• Compliance Controls
• Tools Exist to Manage Delegated User Administration & Integrated Workflow


What Are Delegated User Administration & Integrated Workflow and Why Should You Care?
How can an organization move beyond complicated and un-optimized account access approval processes that no longer scale, take too long, and require too much manual intervention? How can organizations eliminate processes that today lead to "rubber-stamped" approvals, weak security controls, and a very large risk of non-compliance with various regulations?

There are software tools that address these problems. Software with automation components can augment existing processes with documented and regimented gates and goalposts that ensure proper approval by the correct personnel, correct rights assignment, and speedy completion of pending requests. With the right software in place it is possible to set the correct level of centralized control while also enabling the decentralization of responsibility, along with a quick approval timeframe. Fully realized, these components eliminate the costly mistakes that can occur when manual access changes aren't completed properly.

Let's start with the concept of delegated user administration. In large organizations, the sheer number of business units, teams, and individual team members makes it impossible for any one group of people to recognize the needs of everyone. Gone in large organizations is the ability of the Help Desk alone, or in cooperation with a team of managers, to judge the worth and validity of all rights requests as they are made. Nearly all rights requests require some form of approval prior to assignment. So the problem lies with the complexity of the organization itself. Creating and managing spreadsheets of accesses crossed with approvers becomes operationally impossible as the organizational structure grows complicated. With fluid personnel turnover and team composition, determining who reports to whom can be a near impossibility without the proper automation in place.

Thus, as an enterprise scales, one effective solution is to offload the responsibility for access approvals away from centralized Help Desks and onto the teams themselves, using systems that also enforce consistency across the organization and centralized control of policies and processes. Delegated user administration with centralized controls empowers the team and its managers to handle and resolve the need for access internally, while ensuring consistency across the organization. In fully realized implementations, the actual granting of that access becomes a part of the approval system as well. This gives individual teams and business owners the ability to better understand, manage, and handle their own access needs, knowing they are also adhering to organizational policies and regulations. It also relieves centralized Help Desks of the onerous task of tracking the "right" people and the "right" systems to provide the "right" access.

The enabling force behind delegated user administration is a solid workflow engine that handles and enforces corporate policy, team policy, and the security policies of applications and systems within a secured, transactional interface. That interface, accessible from the desktops of teams and business units everywhere within the computing environment, delegates the responsibilities for user administration. Its stringent workflow improves the speed of assigning access while at the same time ensuring that accesses are granted appropriately, through the proper approval channels.


The Cost of Doing Nothing

Automation components exist that provide the correct level of control over these processes. Lacking those components adds an administrative cost to the organization. By doing nothing to automate the workflow of, and delegate the responsibility for, user access, the enterprise is exposed to a set of liabilities that impact its efficiency, agility, and security:

• Efficiency—Lacking automation systems and forcing centralization of user account control unnecessarily overburdens Help Desk staff with costly requests. This pulls technical talent away from the task of solving IT problems and relegates them to administrative work tracking accesses and approvers.
• Agility—With centralization in place, as the organization grows it becomes more unwieldy to support the needs of distributed teams, multiple business units, and systems across the business network. This incurs a cost by extending the time needed to fulfill access requests, reducing employees' ability to get their jobs done in a timely manner.
• Security—With manual systems for access control, such as paper-based forms or over-the-phone requests, disgruntled employees have a greater opportunity to game the system to their own ends. The element of human error also adds the potential for inappropriate access assignment.



The Pain of User Administration
When organizations maintain unautomated mechanisms for access approval and identity management, they experience an unnecessary level of pain. This pain is a product of the organization's complexity itself. Due to the regular movement of employees throughout an enterprise, static systems for identifying employees and their managers, such as spreadsheets, grow stale the moment they are generated. Dynamic systems that enable down-level managers to receive, approve, and enable the accesses of their own direct reports are necessary. This distributes access responsibility as well as authority.

With this in mind, let's take a look at a few of the pains seen in organizations that don't automate. We'll see in the following sections that there is a high cost to organizations that don't automate these critical processes. That cost relates to the operational complexity of managing access in a large environment, as well as the loss of agility that comes with delays in resolving requests.


The High Cost of Managing Identities

Every individual within an organization requires an identity to gain access to resources. The management of those identities, however, grows ever more unwieldy as the number of identities increases. When an organization is made up of 100 individuals, maintaining their personnel data is a difficult but still manageable task. Help Desk employees can manage that identity information as part of their daily work. But when the organization's membership scales to 1,000, 10,000, or 100,000, the sheer number of individuals limits the efficacy of even the largest Help Desk staff. This problem grows even worse when non-typical users such as customers, partners, and contractors, who are not under the direct control of the organization, are added.

Identity data is made up of a number of elements: employee physical location, personnel data, contact data such as phone number and email address, team membership, business unit membership, and manager and subordinate information. All of these must be kept current for every employee in the organization. On top of this are the access needs of the individual. Every employee requires access to data and applications in order to do their job. In unautomated organizations with centralized approvals, determining which accesses and which data are needed unnecessarily extends the time required to complete any request.

This problem is further exacerbated in organizations that manage large numbers of partner and external contractor identities. These quasi-trusted individuals require extra due diligence in the management of their identities because of their status as non-employees. Ensuring their data is current is important. Ensuring that their accesses are removed at the conclusion of their engagement is critical. Managing both of those requirements through a centralized Help Desk with no intimate knowledge of a non-employee's role within the organization is challenging and should be considered a risk to operational security.

Multiple Points of User Administration

Adding to the problems identified so far is the dynamic nature of centralized IT itself. With multiple IT personnel assisting in the completion of an access request, there is the potential for requests to get "lost" in the system. Their approval status, their approver information, or even the request itself can go unnoticed for extended periods. When this occurs, it can cause schedule slippage or a work stoppage on the part of the requestor until a resolution is obtained. At the very worst, one IT person can fulfill a request for which another has yet to determine the correct approval. From the perspective of the users, they see a disorganized operation. Multiple faces and voices appear responsible for the completion of their requests. When proper tracking isn't included in IT's workflow system, status requests can go unanswered. Above all, the involvement of multiple personnel in the process can lead to inappropriate resource access.


Administration Point Hierarchies

More challenging are the situations in which multiple IT teams exist within the same organization. When teams span business units, or when partner companies work directly on the network, the process to complete an approval can cross multiple hierarchies of administration. An employee's IT team may need to contact another team elsewhere in the organization to complete the access request. Workflow systems between IT teams may not be interconnected to allow an automatic transfer of the necessary information. Manual request transfers can lose the tracking information that enables traceability back to the original request. These fragmented points of administration cause confusion and introduce the potential for mistakes and inappropriate access approval.

Moreover, multiple hops can cause major problems with deprovisioning an individual's access when they change teams or leave the organization. When accesses are no longer needed, IT may not have the information or the authority it needs to revoke those permissions properly and quickly. One resolution to this problem might be the further centralization of access control, but the story thus far shows this to be a step backwards in effective control.

Manual Notification and Approval

In organizations that lack automated workflow, manual notifications and approvals can become a major problem. Consider the case of a system that involves manual notifications through an IT Help Desk. An access request can go a little like this:

• The requestor calls the Help Desk, identifies themselves, and requests access.
• The Help Desk identifies the proper approver.
• The Help Desk contacts that approver. If the approver is not present to answer the call or email, the request awaits their return.
• Once the approver returns, they must contact the Help Desk to approve the access request.
• The Help Desk then grants the access, notifies the user, and closes the request.

At every step in this process, there are points where human error can force the request back to the first state. The user can request the wrong access. The Help Desk can unwittingly document the request incorrectly. The approver can be away for an extended period. The wrong approver could be located, or no approver with authority over both the access and the employee can be identified. Throughout this entire process, the only documentation of the actions of any party is the Help Desk ticket itself, a level of documentation that may not stand the test of a security or compliance audit.

With automated systems that enable delegated administration, team leaders become the central points of access control. Team leaders and managers are often directly responsible for both the employee and the systems and accesses they require. Thus, they localize the approval for both the access and the individual. In situations in which they aren't responsible for both, the team leader can approve on behalf of the individual while the system automatically transfers the resulting approval to the secondary individual responsible for the access. All of this is possible when a unified and universally available workflow system handles the logic behind the scenes.


Security Risk and Ad Hoc Permissions Management

System accesses are the keys to an organization's data. Thus, controlling that access is the best possible way to ensure the protection of that data. When manual systems are put in place to control access, they give malicious users room to game the system in order to gain the accesses they want. Collusion between employees and managers, though rare, could lead to data disclosure, destruction, or compromise. Self-identification of approvers allows a single individual to choose who approves their own request. Unsecured mechanisms for handling approvals can open the door to internal attacks.

Even worse is ad hoc permissions management. Here, when overworked IT personnel cannot locate the access requested, they make a best effort towards granting that access. When this process invariably fails, requestors find themselves awash with unneeded or inappropriate accesses while at the same time not getting exactly what they need to do their job. A further risk in these situations is the lack of documentation that accompanies ad hoc request completion. With no record of completed requests, deprovisioning becomes difficult and environment security can be impacted.

Internal auditing mechanisms are critical to preventing these forms of misuse. Organizations must implement management solutions that audit and collect, in a consistent format, not only completed requests but also denied requests, approvals, and deprovisioning actions. These solutions enhance security while at the same time fulfilling tight industry and regulatory compliance requirements.

Compliance Controls

Last are the problems of compliance. As stated earlier, when technical controls that incorporate automated workflow are not in place, the necessary level of documentation is not present in the system. Regulations such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), PCI, Basel II, EUPA, AIPA, PIPA, and SSA all require an auditable control to track the activities and accesses of an enterprise's users. When the approval for an access request involves calling an approver rather than traceable automation, there may be no measures in place to positively identify approvers. End-to-end validation of the request's legitimacy cannot be ensured. This is not acceptable in the face of today's industry and governmental regulations.
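The delegated approval flow described under Manual Notification and Approval (manager approves for the individual, the system forwards to the owner of the access) and the audit requirements above (record approvals, denials, provisioning and deprovisioning) can be modelled in a few dozen lines. The following is an added illustration, not code from this paper or from CA Identity Manager; the org directory, resource owners and routing policy are constructed sample data.

```python
"""Minimal delegated-approval workflow with centralized policy and an audit trail.
Added illustration (not vendor code). MANAGER_OF and RESOURCE_OWNER are constructed."""
from dataclasses import dataclass, field

# Constructed sample directory: user -> manager, and resource -> owning approver.
MANAGER_OF = {"alice": "bob", "carol": "bob", "dan": "erin"}
RESOURCE_OWNER = {"payroll-db": "erin", "wiki": "bob"}


@dataclass
class Request:
    requestor: str
    resource: str
    status: str = "pending"
    approvals: list = field(default_factory=list)
    pending_with: list = field(default_factory=list)  # approvers still to act, in order


class Workflow:
    def __init__(self):
        self.audit = []      # every action, including denials and revocations
        self.grants = set()  # (user, resource) pairs currently provisioned

    def _log(self, actor, action, req):
        self.audit.append((actor, action, req.requestor, req.resource))

    def submit(self, requestor, resource):
        """Central policy picks the approvers: manager first, then resource owner."""
        req = Request(requestor, resource)
        manager, owner = MANAGER_OF.get(requestor), RESOURCE_OWNER.get(resource)
        if manager is None or owner is None:      # unknown user or resource: never guess
            req.status = "denied"
            self._log("system", "deny-unroutable", req)
            return req
        req.pending_with = [manager] if manager == owner else [manager, owner]
        self._log("system", "route:" + ",".join(req.pending_with), req)
        return req

    def decide(self, approver, req, approve):
        """Only the approver the policy selected may act; the requestor cannot pick one."""
        if req.status != "pending" or approver != req.pending_with[0]:
            self._log(approver, "reject-out-of-band", req)
            return req.status
        if not approve:
            req.status = "denied"
            self._log(approver, "deny", req)
            return req.status
        req.approvals.append(approver)
        req.pending_with.pop(0)
        self._log(approver, "approve", req)
        if not req.pending_with:                  # every gate passed: provision and record
            req.status = "granted"
            self.grants.add((req.requestor, req.resource))
            self._log("system", "provision", req)
        return req.status

    def deprovision(self, user, actor="system"):
        """Revoke every grant of a departing user; each revocation is audited."""
        removed = {g for g in self.grants if g[0] == user}
        for g in removed:
            self.grants.discard(g)
            self._log(actor, "deprovision", Request(g[0], g[1]))
        return len(removed)
```

Because the routing table is owned centrally and `decide` ignores anyone who is not the next approver on the list, an out-of-turn approval by the resource owner or a self-chosen approver is refused and logged rather than honoured.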


Tools Exist to Manage Delegated User Administration & Integrated Workflow
Tools exist that enable the right level of centralized control while at the same time providing decentralization of responsibility and the quick approvals that are needed. Swift and effective identity management is a critical component of the smooth operation of any company. As we've discussed, in large and growing organizations the complexities of centralized identity management make its operation challenging in practice. Tools are required that can move the responsibility and authority associated with identity management to the individuals responsible for the employees themselves.

CA Identity Manager is an enterprise-scalable solution that can accomplish that task. CA Identity Manager provides the infrastructure to centrally establish these policies and approval workflows while decentralizing the approval process itself. It provides an easy-to-use framework for the assignment of resources and accesses to users. With it, policies can be enabled that govern the requesting, approval, and granting of access to network resources. Once in place, CA Identity Manager provides network-based tools that let employees and managers quickly make and approve requests. Policy-based enforcement means that user account and access assignments are administered cohesively across all domains and scopes of management, which reduces the total turnaround time on requests. CA Identity Manager incorporates a suite of tools that work hand-in-hand to ensure the highest levels of security for user accounts throughout their life cycle, from provisioning all the way through removal.

