Implementing an identity provisioning process with technology, however, does not come without its challenges. In this tip, I'll discuss some of the challenges I have seen organizations face and explain how to overcome these obstacles and deliver an
Here are some "must do's" when attempting to implement identity provisioning systems within an organization:
Overcome process automation challenges
Most organizations already have processes in place to grant users access. When you introduce the technology aspect, however, there are three areas of those processes that need to be examined and potentially altered:
- The request for access;
- The approval process;
- The provisioning or completion of the access.
Here are several issues that must be addressed before implementation:
- Does the request process still fit the business need? – More often than not, the request process has evolved over time, accumulating specific business rules along the way (i.e. requirements of more than one signature for approval, or additional questions by the administrator to get to the actual request information). Transferring these business rules as is, without validation, may propagate obsolete requirements and result in user dissatisfaction. Before any technology is implemented, an organization should evaluate their current request processes and identify where corrections or improvements can and should be made.
- Ambiguous requests – Many organizations allow users to request access to systems via "free-form" text fields. This arrangement allows the requester a great deal of flexibility in making a request for access, but requires human intervention to analyze, interpret and resolve. Request of this nature cannot be automated and will continue to require time and ultimately money to process. These types of requests should be eliminated by providing the end users a comprehensive listing of access privileges to select from. Organizations should evaluate and modify requests for such systems prior to automation.
- Approval issues – Is a manager required to approve all requests for user access? Do some requests require alternate approval flows? What about the upper level of management? Who approves their requests? Is there escalation if approvers are not taking action within a specified period of time? All of these questions need to be answered before moving forward.
- Lack of consistency in the provisioning of resources – I have dealt with organizations that have decentralized administration capabilities. Administrators in the U.S. create users one way, while administrators in Europe or APAC use a different method. This can hamper any attempts to automate the provisioning process. Now I am not making any statement on the validity of centralized vs. decentralized administration, as they both have their merits, but I will stress the importance of consistency of the tasks being executed. Without consistent processes, you cannot turn it over to a machine to do the work.
Manage scope and reduce complexity
To begin, you need a roadmap that defines how you will address the provisioning issues and when. Not everything can or will be done at once, so a phased approach is recommended. Start with one or two well defined, consistent systems and automate the provisioning. You can couple that with a phased approach for your different types of users -- perhaps starting with employees first, then contractors and finally clients. Each business may be different, but reducing the releases to a manageable scope is the key here. This concept of incremental deliverables, or agile methodology, has been proven to be effective in showing immediate value and helping to build momentum.
Now, of course, there will be technical challenges. Organizations, for example, will face the over-abundance of identity data/repositories. Reducing that complexity can dramatically reduce automation implementation as well as simplify the environment and make it more resilient and efficient. Directory consolidation or virtualization, along with single-sign on implementations coupled with a user provisioning deployment, are common. Again, the key here is to reduce the complexity of the environment that needs to be provisioned to.
Evangelize, educate and train
Change is difficult for many people, whether you are an administrator who now has a computer doing part of your work for you, or you are a user trying to gain access to a system through an entirely new process. On one implementation, we marketed the slogan "simpler, faster, better." This slogan was evangelized throughout every phase and release and headlined every document, email communication and table tent. What it helped to deliver was the value that users would get from the new tools and processes that were being delivered. Because identity provisioning affects all users in an organization, this type of project cannot be a back-office, technology project. You must raise awareness, provide training and education to all those affected (users and administrators) and ensure that from day one, users will be able to use the system.
Identity management provisioning best practices
Here are some additional tips on making identity provisioning solutions successful in your organization.
Implementing an identity provisioning strategy in your organization is not a trivial one. There are many challenges, obstacles and hurdles to overcome, even when planning for the project. The best advice I can give you is to think it through, progress methodically, and strive for value along each step.
About the author:
Peter Gyurko is senior consultant at Solstice Consulting, a firm that helps make companies more successful through custom software development, technology platform implementations and business process optimization. Peter specializes in identity and access management having led the IAM practice at several major financial institutions. Peter held numerous technology positions prior to entering the consulting field, including portal product development manager and sr. technical architect. Peter has fifteen years technology experience in the financial industry.
Send your feedback to Editor@searchsecuritychannel.com.
Join us on LinkedIn.
This was first published in June 2010