Identity and Access Management (IAM) systems can help organizations realize
significant value and return on investment (ROI). The sections below give short
examples of just a few of the ways in which this can be achieved.
- New Hire Automation
- Automatically Deactivating / Removing Users’ Accounts at Termination
- Automatic Role Assignments
- Automating Customer and Vendor Registration and Role Allocations
- Sarbanes-Oxley (SOX) Compliance and Role Provisioning
- Simplifying Delegated Administration
- Group Management
- Password Unlocks and Resets Using Self-Service Without Help Desk Intervention
- Password Synchronization Automation

New Hire Automation
When a new employee is hired, the employee needs a list of IT resources:
Network account, email account, ERP account, Remote access token, phone
extension – the list goes on. A central Identity Management system will
automatically create those accounts, create the correct access
permissions to the multiple databases and applications needed by the employee,
allocate the needed passwords, activate the telephone extension and open the
needed voice mailbox, generate a purchase order for a computer (if needed), and
any other system-related function as appropriate, according to predefined
rules.

Automatically Deactivating / Removing Users’ Accounts at Termination
When an employee is leaving the company, it is important to deactivate the
resources that the former employee is no longer entitled to use. These
resources might contain proprietary information, or might grant the former
employee access to restricted premises. An Identity Management system will
automatically deactivate such resources. It will disable remote access,
cancel the ability to enter the organization’s physical premises, and
deactivate database and application access permissions as appropriate,
according to predefined rules. The Identity Management system will also perform
the more trivial tasks such as closing email and NT accounts and disconnecting
the former employee’s telephone extension.

Automatic Role Assignments
Most ERP systems are role-based with each role allowing the user to view a
certain screen or perform a certain task such as "issue an invoice" or "create
new vendor". With large ERP systems, hundreds of users are created, deleted,
and modified every month. Each time a user is created or a user profile is
changed, new roles are added to and/or old roles are removed from the user’s
account. This task is cumbersome and requires a fair amount of manual labor. A
central Identity Management system can automate this process based on the
business changes happening to the user.
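The new-hire, termination and role-assignment behaviour described in the three sections above comes down to one rule-driven reconciliation loop: derive the entitlements a person should hold from their HR attributes, diff that against what the target systems currently hold, and emit the grants and revocations. The block below is an added example written for this page, not code from the original article or from any IAM product; the rule table, the entitlement names (`ad:account`, `erp:role:AP_CLERK` and so on), the revocation ordering and the employee records are all constructed for illustration.

```python
# Added example: a minimal joiner/mover/leaver engine. HR attributes feed a table
# of predefined rules that yields the desired entitlements for a person; the
# engine diffs that against what the target systems currently hold and emits
# ordered provisioning actions. Rules, entitlement names and people are all
# constructed for this illustration.
from dataclasses import dataclass


@dataclass
class Person:
    employee_id: str   # immutable HR key; never the login name, which can change
    department: str
    title: str
    status: str        # "active" or "terminated"


# Everyone who is active gets these, regardless of department.
BASELINE = {"ad:account", "badge:site", "mail:mailbox", "phone:extension"}

# (department, title) -> extra entitlements; a title of None matches any title.
RULES = {
    ("finance", None): {"erp:account", "erp:role:AP_CLERK"},
    ("finance", "controller"): {"erp:role:GL_POST"},
    ("engineering", None): {"vpn:token", "git:account"},
}

# Revocation order for leavers and movers: cut remote, physical and privileged
# access first, so that it is gone even if a later, less important step fails.
REVOKE_ORDER = ["vpn:", "badge:", "erp:role:", "erp:", "git:", "ad:", "mail:", "phone:"]


def desired_entitlements(p: Person) -> set:
    """Apply the predefined rules; a terminated person is entitled to nothing."""
    if p.status != "active":
        return set()
    wanted = set(BASELINE)
    for (dept, title), extra in RULES.items():
        if dept == p.department and title in (None, p.title):
            wanted |= extra
    return wanted


def _revoke_key(entitlement: str) -> tuple:
    for rank, prefix in enumerate(REVOKE_ORDER):
        if entitlement.startswith(prefix):
            return (rank, entitlement)
    return (len(REVOKE_ORDER), entitlement)


def reconcile(p: Person, current: set) -> list:
    """Return the ('revoke'|'grant', entitlement) actions that move the target
    systems from `current` to the desired state. Revokes come before grants."""
    wanted = desired_entitlements(p)
    revokes = sorted(current - wanted, key=_revoke_key)
    grants = sorted(wanted - current)
    return [("revoke", e) for e in revokes] + [("grant", e) for e in grants]


if __name__ == "__main__":
    # One person through hire, promotion, department move and termination.
    held = set()
    for stage, person in [
        ("hired", Person("E1001", "finance", "clerk", "active")),
        ("promoted", Person("E1001", "finance", "controller", "active")),
        ("moved", Person("E1001", "engineering", "developer", "active")),
        ("terminated", Person("E1001", "engineering", "developer", "terminated")),
    ]:
        print(stage, reconcile(person, held))
        held = desired_entitlements(person)   # pretend every action succeeded
```

Two design points are worth noting: the person is keyed on the HR employee ID rather than the login name, so a rename never breaks the mapping, and the revocation order puts remote and physical access ahead of mailbox and telephone clean-up, which is the same priority the termination section describes.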

Automating Customer and Vendor Registration and Role Allocations
As a large organization streamlines its supply-chain and ordering processes,
more and more customers and vendors acquire access to the organization’s
information systems, resulting in a proliferation of user accounts on what used
to be the organization’s internal information systems.
The more quickly a customer can register and gain access to the organization’s
catalog, and the more independently they can resolve problems with access,
passwords, and registration, the more likely they are to use the system and buy
more. An Identity Management system automates the registration process as well
as the other processes associated with the user.
An Identity Management system can also implement user policies such as allowing
a customer from a given location to purchase only for the same location, thus
avoiding wrong orders or other sources of negative customer experience.

Sarbanes-Oxley (SOX) Compliance and Role Provisioning
Compliance with sections 302 and 404 of the Sarbanes-Oxley Act (SOX) requires
that users’ access permissions and privileges on "high risk" applications
(those containing financial or other sensitive information) be monitored.
Several SOX-compliance tools are currently available, and their main functions
are to analyze potential Segregation of Duties (SoD) conflicts, and to resolve
conflicts found by re-allocating the ERP roles or by entering a mitigating
control.
Following the SoD analysis, an approval workflow should occur, with roles
provisioned to multiple target systems. In this area, SOX tools are generally
lacking and Identity Management servers excel.
Here are a few examples:
- Once the new roles are defined by the controller they should be provisioned.
The approval workflow prior to provisioning the roles may be long, and it may
include multiple steps. SOX tools currently cover this area poorly.
- Security-threatening "back doors" are created when ERP administrators can
directly provision roles to users without first going through the SoD check.
- ERP role provisioning must be synchronized with the provisioning of other
resources on other systems that may be needed by the user. The SOX compliance
tools will not be able to do this.
By integrating an Identity Management system with a SOX tool, the project will
generate a higher return on investment (ROI), mitigate an organization’s risk,
and solve the associated audit issues.
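The two controls this section asks for, an SoD check that every role request must pass before provisioning and a way to catch roles that reached the ERP without passing it, fit together naturally when the gate records what it approved. The block below is an added example for this page, not code from the original article or from any SOX or IAM product; the role names, the conflict pairs, the mitigating-control record and the ERP snapshot are constructed for illustration.

```python
# Added example: a segregation-of-duties gate in front of ERP role provisioning,
# plus a reconciliation check that flags roles present in the ERP that never
# passed through the gate (the "back door" the text warns about). Role names,
# conflict pairs and user records are constructed for this illustration.

# Each frozenset is a pair of roles one person must not hold at the same time.
SOD_CONFLICTS = {
    frozenset({"AP_CREATE_VENDOR", "AP_PAY_INVOICE"}),
    frozenset({"GL_POST", "GL_APPROVE"}),
}


def sod_violations(roles: set) -> list:
    """Conflict pairs (as sorted tuples) contained in a role set."""
    return sorted(tuple(sorted(c)) for c in SOD_CONFLICTS if c <= roles)


class ProvisioningGate:
    """Approves a role request only if the resulting role set is SoD-clean or
    every conflict carries a documented mitigating control. Approved grants are
    recorded so reconciliation can distinguish them from direct grants."""

    def __init__(self):
        self.approved = {}   # user -> roles granted through this gate
        self.audit = []      # (decision, user, role, detail)

    def request(self, user: str, new_role: str, mitigations: dict = None) -> bool:
        mitigations = mitigations or {}   # conflict tuple -> control description
        resulting = self.approved.get(user, set()) | {new_role}
        unmitigated = [c for c in sod_violations(resulting) if c not in mitigations]
        if unmitigated:
            self.audit.append(("rejected", user, new_role, unmitigated))
            return False
        self.approved.setdefault(user, set()).add(new_role)
        self.audit.append(("approved", user, new_role, sorted(mitigations)))
        return True


def find_backdoor_roles(gate: ProvisioningGate, erp_snapshot: dict) -> dict:
    """Compare the roles the ERP actually holds with what the gate approved.
    Anything in the ERP without an approval record bypassed the SoD check and
    should be investigated or revoked."""
    findings = {}
    for user, held in erp_snapshot.items():
        extra = set(held) - gate.approved.get(user, set())
        if extra:
            findings[user] = sorted(extra)
    return findings


if __name__ == "__main__":
    gate = ProvisioningGate()
    gate.request("alice", "AP_CREATE_VENDOR")
    print("conflicting request accepted?", gate.request("alice", "AP_PAY_INVOICE"))
    control = {("AP_CREATE_VENDOR", "AP_PAY_INVOICE"): "monthly payment review by controller"}
    print("with mitigating control?", gate.request("alice", "AP_PAY_INVOICE", control))
    # Constructed ERP export: GL_POST was added by an administrator directly.
    snapshot = {"alice": {"AP_CREATE_VENDOR", "AP_PAY_INVOICE", "GL_POST"}}
    print("bypassed the gate:", find_backdoor_roles(gate, snapshot))
```

The reconciliation is what closes the back door: a direct grant by an ERP administrator is not prevented by this code, but it cannot stay hidden, because the periodic comparison of the ERP export against the gate's approval records surfaces it for review or revocation.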

Simplifying Delegated Administration
Many customers, suppliers, and partners are entitled to access your
information systems in order to perform daily tasks such as updating inventory
status, updating delivery status, and issuing purchase orders. Managing these
users’ accounts may require considerable effort and can introduce security
risks, for example through human error.
An Identity Management system enables the delegation of the account management
associated with these external users to their IT managers, thus eliminating
your management costs, while ensuring the systematic enforcement of security
policy.
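Delegation only reduces risk if the delegate's authority is bounded: a partner's IT manager should be able to create and disable accounts for that partner's own people and nothing else, with only the roles the organization has pre-approved for partners, and every decision recorded for the central team. The block below is an added example for this page, not code from the original article or from any product; the organization names, the delegable role set and the account records are constructed for illustration.

```python
# Added example: delegated account administration with the policy enforced
# centrally. A delegate can act only within their own organization and only
# with pre-approved partner roles; a central administrator is unrestricted.
# Organizations, roles and accounts are constructed for this illustration.

# Roles the organization allows external delegates to hand out.
DELEGABLE_ROLES = {"inventory_update", "delivery_status", "po_submit"}


class DelegatedAdmin:
    def __init__(self):
        self.accounts = {}   # login -> {"org": str, "roles": set, "disabled": bool}
        self.audit = []      # (decision, actor, action, target, reason)

    def _deny_reason(self, actor: dict, org: str, roles: set) -> str:
        """Empty string means allowed; otherwise the reason for denial."""
        if actor.get("central"):
            return ""
        if not actor.get("delegate"):
            return "actor is not a delegated administrator"
        if actor["org"] != org:
            return "outside delegate's organization"
        excess = set(roles) - DELEGABLE_ROLES
        if excess:
            return "role not delegable: " + ",".join(sorted(excess))
        return ""

    def create_account(self, actor: dict, login: str, org: str, roles: set) -> bool:
        """actor is {"login": ..., "org": ..., "delegate": bool} or {"central": True}."""
        reason = self._deny_reason(actor, org, roles)
        if reason:
            self.audit.append(("denied", actor["login"], "create", login, reason))
            return False
        self.accounts[login] = {"org": org, "roles": set(roles), "disabled": False}
        self.audit.append(("allowed", actor["login"], "create", login, ""))
        return True

    def disable_account(self, actor: dict, login: str) -> bool:
        acct = self.accounts.get(login)
        if acct is None:
            return False
        reason = self._deny_reason(actor, acct["org"], set())
        if reason:
            self.audit.append(("denied", actor["login"], "disable", login, reason))
            return False
        acct["disabled"] = True
        acct["roles"] = set()   # strip access, not just the login
        self.audit.append(("allowed", actor["login"], "disable", login, ""))
        return True


if __name__ == "__main__":
    admin = DelegatedAdmin()
    acme_it = {"login": "acme-it", "org": "acme", "delegate": True}
    print(admin.create_account(acme_it, "acme.jones", "acme", {"inventory_update"}))
    print(admin.create_account(acme_it, "globex.lee", "globex", {"inventory_update"}))
    print(admin.create_account(acme_it, "acme.smith", "acme", {"po_submit", "erp_admin"}))
    print(admin.disable_account(acme_it, "acme.jones"))
    for entry in admin.audit:
        print(entry)
```

The scope check is evaluated on the target account's organization, not on anything the caller supplies about themselves, and disabling an account also empties its role set, so a disabled partner login cannot retain entitlements that a later re-enable would silently restore.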

Group Management
Organizations are creating digital groups for web applications, for news
distributions, for access rights, for email distribution lists, etc. As more
groups are created on multiple systems, managing them and the users within the
groups becomes a cumbersome task.
Identity and Access Management systems allow you to:
- centrally create groups;
- automatically allocate users to groups based on their business association;
- assign users to groups in bulk based on their profile rather than one by one;
- add approval processes for creating groups or adding users;
- automatically remove users from groups when they are terminated or when they
move departments or locations;
- automatically maintain users’ group memberships even if the user name or user
ID changes in some authentication system;
- and perform other related functions.

Password Unlocks and Resets Using Self-Service Without Help Desk Intervention
Users typically have passwords on multiple target systems. When a user’s
account is locked, or when a user forgets a password, the user will normally
call the Help Desk in order to reset or unlock it. A central Identity
Management solution allows users to unlock or reset their password
independently, via a web interface, without directly involving the Help Desk.
The return on investment (ROI) from this capability is significant and clear.

Password Synchronization Automation
Single sign-on (SSO) provides significant value by improving users’
satisfaction and experience. Another way to realize a similar benefit is to
employ Password Synchronization. With Password Synchronization, users’
passwords are synchronized across all systems so that the user will only need
to remember one password. When that password is changed, the new password will
automatically propagate to all the systems on which the user has passwords.
With a central Identity Management system, Password Synchronization can be
implemented relatively simply. At the same time, the central Identity
Management system can also enforce the organization’s central password policy,
thus improving security and simplifying management.
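A self-service reset (previous section) and a synchronized password change (this section) end in the same two steps: validate the new password once against the central policy, then push it to every target system and report per-target outcomes. The block below is an added example for this page, not code from the original article or from any product; the policy values, the `Target` stand-in for a system connector and the sample passwords are constructed for illustration. Two failure modes a practitioner cares about are handled explicitly: a password that violates policy never reaches any target, and a target that is unreachable is reported rather than silently counted as synchronized.

```python
# Added example: central password policy enforcement followed by propagation to
# several target systems. The Target class is a constructed stand-in for a real
# connector. The code never stores or logs the plaintext password, only a
# per-target outcome, and a partial failure is reported, not hidden.
import hashlib
import re

# Constructed policy values; a real deployment would load these from policy.
POLICY = {"min_length": 12, "min_classes": 3, "forbidden": ["password", "company"]}


def check_policy(pw: str, username: str) -> list:
    """Return the list of policy failures (empty means the password is acceptable)."""
    failures = []
    if len(pw) < POLICY["min_length"]:
        failures.append("too short")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < POLICY["min_classes"]:
        failures.append("needs more character classes")
    low = pw.lower()
    if username.lower() in low or any(w in low for w in POLICY["forbidden"]):
        failures.append("contains username or forbidden word")
    return failures


class Target:
    """Constructed stand-in for a target-system connector."""

    def __init__(self, name: str, available: bool = True):
        self.name, self.available = name, available
        self.digest = None   # what the stand-in keeps; never the plaintext

    def set_password(self, username: str, pw: str) -> None:
        if not self.available:
            raise ConnectionError(f"{self.name} unreachable")
        # A real target uses its own credential store and password hashing; this
        # SHA-256 of a per-target string only demonstrates that no plaintext is kept.
        self.digest = hashlib.sha256(f"{self.name}:{username}:{pw}".encode()).hexdigest()


def synchronize(username: str, pw: str, targets: list) -> dict:
    """Enforce the central policy once, then push the password to every target."""
    failures = check_policy(pw, username)
    if failures:
        return {"accepted": False, "failures": failures, "results": {}, "complete": False}
    results = {}
    for t in targets:
        try:
            t.set_password(username, pw)
            results[t.name] = "ok"
        except ConnectionError as e:
            results[t.name] = f"failed: {e}"   # message names the target, not the password
    return {"accepted": True, "failures": [], "results": results,
            "complete": all(v == "ok" for v in results.values())}


if __name__ == "__main__":
    systems = [Target("ad"), Target("erp", available=False), Target("mail")]
    print(synchronize("jdoe", "jdoe-password", systems))    # rejected by policy
    print(synchronize("jdoe", "Summer2024!!", systems))     # pushed, erp reports failure
```

The `complete` flag is what an operator should act on: an accepted change that is not complete means the user now has different passwords on different systems, which is exactly the condition synchronization exists to prevent, so the failed target needs a retry or a ticket rather than a success message.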
To learn more about how to address your business and technical identity
management challenges, contact us.