By Greg Keller Posted August 5, 2016
The stakes are high in the modern office as a result of vast decentralization. While this is not a bad move, there are many underlying problems that arise due to IT resources being stretched thin between on-premises and the cloud.
Managing remote employees, virtual machines, SaaS apps, WiFi networks and operating systems, such as hello and OS X, can make it hard to keep track of your company’s identities. Provisioning and deprovisioning access to this core with a seemingly ceaseless list of IT resources can cause some major issues if your systems and workflow are not up to speed.
It is here that a solid IAM workflow comes in the clutch.
Defining an Identity Access & Management (IAM) Workflow
The simple definition of an Identity and Access Management (IAM) workflow is the series of operations that your company has fixed to manage identities across the organization.
Beginning with the onboarding of a user, IAM workflow encompasses the provisioning of access to all resources, the management of the identity during their time in the directory, and – in the end – the termination of the identity and the deprovisioning of access to all resources.
Complications are inexorable along the way. The dynamic activity of access control within an institution can lead to it being a notable cost center. Pinpointing the proper identity management infrastructure to build will come as a result of selecting a solid and sensible workflow within your organization.
Creating the right IAM workflow for you
What works for one organization may not work for you. Finding the perfect match does not happen overnight, it takes trial and error before you can fashion an IAM workflow that suits you. There are, however, some best practices and guidelines that can help push you in the right direction.
Read on below to see how the four key areas of identity management workflow can be broken down:
The inception of a user. There are two ways this can happen, either activated from an HR system or manually through the identity management system.
In the on-boarding process the provisioning of the user within the central systems of the company kicks off the action – primarily this begins within the email system. Moving forward the user is connected to the proper groups, creating access rules and account access provisions.
Automating the process of provisioning accounts makes life easier for IT, however it drastically raises the cost of solutions. The more automated provisions, the more complex the system, and the higher the cost of the overall solution. It is important for IT organizations to weigh the cost versus benefit when deciding to automate the onboarding process. Different measures of automation exist, and each one can lead to significant benefits for the IT organization.
To learn more, check out the 7 Things IT Must Address when Onboarding New Employees.
Following a user gaining initial access, there are constant changes that occur. Changes typically center on a user’s rights, which may be contracted or expanded. In addition, a user’s information could need modification.
The threat to IT lies in the fact that these continuous changes occur spontaneously and often, which can be rather threatening to productivity. For both IT and end users, the need for password resets can be frustrating and distracting from important tasks.
The size and scope of an organization plays a key role when determining the most efficient method in dealing with these constant user changes.
FYI: There exist IAM solutions that take the resetting of passwords, addition of SSH keys, and addition of multi-factor authentication away from the hands of IT. The task is completed by the end user, with no need for IT support or help.
IT Resource Modifications
Another constant source of changes is the addition and removal of a myriad of IT resources, ranging from devices and applications to networks.
Even when employee growth remains stagnant, an organization experiences constant change to the infrastructure. It is inevitable that machines will malfunction, users will need new or different apps, and modifications will need to be made to access rights. Overall, these issues can be solved or transitioned effectively with more automation.
One example of automation can be seen when an organization’s Infrastructure-as-a-Service servers are scaled and then connected back to the central identity core. When new devices are rolled out, the image that is installed on those devices can be pre-populated to connect to the identity infrastructure.
Automation may not work in all cases, for example when adding new applications. However, open API’s may expedite the process. This can be seen when new applications that can support the LDAP protocol can be connected back to the organization’s user store without the need to manually create accounts.
The full understanding of what can and cannot be automated is not common, but masterful use of automation can be the single most effective way to simplify and streamline your IAM workflow.
Learn more about why you should automate manual user management.
The identity lifecycle comes to an end with the offboarding of a user. The credentials are erased and the user’s account access is eliminated from all systems.
For IT, the challenge comes from finding every single system the user had access to. In some cases, the many places the user’s credentials were migrated are not in plain sight (this is often the result of a little thing called ‘Shadow IT’).
Adding to the problem is the fact that IT may not have the complete ability to off-load users automatically. Just like onboarding, the ability to automatically offboard can becomes a rather pricey process, the result of expanding the footprint that you wish to automate.
Check out our complete guide to offboarding here.
Become the Boss of Your Identity & Access Management (IAM) Workflow
While the lifecycle may remain constant from organization to organization, the method of how to implement the workflow is largely different. How you implement is reliant upon the details of the workflow and how and who will be integrated within. As your workflow is being organized it is important to ask yourself how you would like to run your identity management process. This can act as an overarching guide for what solutions would be most helpful in automating and securing that process.
Answer these questions to see how you can start:
Designing the Workflow.
What does it look like from start to finish? Map it out. Who is involved in what aspects? What are you able to automate and what will have to be manual? Do you need to integrate with other solutions, such as an HR system?
Onboarding / Offboarding.
How will you ensure that your users are onboarded properly and have access to everything that they need? Just as importantly, how will you terminate access everywhere upon a departure?
What are you comfortable having end users do themselves? Reset their passwords? Upload new keys? What do you want to still retain control over?
APIs for Integration.
Do you need to automate some portions of your access control process? If so, you’ll need to have an open platform with APIs that you can work with.
You Are Now Ready to Design Your IAM Workflow
There is always room to learn more, and here at JumpCloud we have endless resources. The best place to start is with our 2016 IT Guide to Onboarding and Offboarding Employees. Inside we breakdown the process into four steps, point out the security risks you will need to heed along the way, and we dive deeper into how you can put automation into place to really reap the benefits.
We try to remain objective, but if we didn’t love our product, we never would have built it. JumpCloud’s one-of-a-kind Directory-as-a-Service® (DaaS) is the single best way improve your IAM workflow. It’s essentially a unified cloud directory that allows IT to achieve centralized control over a wide variety of users and IT resources.
If you want to know more about how DaaS can help improve your IAM workflow with end user password resets and automation based on events, then try it for free or take a minute to reach out and contact us here.