For years many IT organizations have tried to avoid the elephant in the room - which provides a user access to specific data and applications based on their role. Their reasoning is sound; it’s difficult to engage the business in this area, and once doing so, even more difficult to implement role-based provisioning. The problem is, it is no longer possible to adequately secure the environment without Identity Access Management (IAM) solutions, and these are based on the concept of role-based provisioning.
Let’s discuss what this means.
Identity Access Management and Security
The digital and cloud revolution has made organizations a prime target for hackers. Not only can cyber criminals steal customer data, they can still steal personal identifying information (PII) from employee data that is housed in internal applications. With either intrusion, they can achieve the same purpose – identity theft.
Think about this for a moment and consider the employee information stored in the service management applications. Does it include home address information, personal emails, or more? If so, it may expose PII.
Now consider the Information Security Management practice in the organization. How is application access managed? Is it by a manager’s guess or by “model after”? Are applications really secure, meaning each individual is given the minimum access they need to do their job? The answer is frequently “no” unless the organization has adopted role-based access provisioning and implemented Identity Access Management tools. The sad truth is that, more and more frequently, this will lead to a material audit failure.
Role-based provisioning is an access management approach where access is defined for each functional role in the organization and can be granted by Identity Access Management (IAM) applications that are integrated with the HR system. Essentially, when a person is hired or when they change jobs, the HR system tells the IAM application to provision them for their role. In this way their initial access is properly provisioned at onboarding, and dynamically changes as their roles change. There is no longer a need for a manager to request any access or access changes for them (WOW!).
This is now considered best practice because of the growth of cloud-based service delivery and the increased risks that are inherent in a digital workplace.
How to Make This Work
Here’s a 3-step plan for adopting role-based provisioning:
Step 1: Work with HR to define organizational roles
The first step to adopting a role-based provisioning model is to work with HR on understanding the structure of titles and job families in the organization. In short, a common data point must be identified as the key data point that represents the role. The issue here, however, is that there could be thousands of titles. IT may need to work with HR to align job titles or job families to IT role profiles at the application level. While this is the first step, it’s important to note that this step is where most organizations give up. This can be a time-consuming task, but it must be performed.
Step 2: Align the roles in the IAM system, otherwise known as “configure the IAM system”
Once identified, the roles for each application can be configured in the Identity Access Management System (like Okta, SailPoint and others). This enables the product to grant access to people based on their role. In simple terms, the IAM system needs to know that a “Help Desk Analyst” gets a particular set of applications and the role granted within each application.
Step 3: Integrate HR to IAM
The final step is to integrate the HR system with the IAM system, which is generally a technical activity and typically expected by the IAM tools. Once done, when someone is hired, access will be automatically provisioned on their start date. When their job changes, an extreme pain point in many organizations, their access will be automatically adjusted on the effective date of the change.
Why Do This
Here is the business value of role-based provisioning:
- Improved experience for managers: No more access forms they don’t know how to complete!
- Better onboarding experience for new hires: All access is ready on their first day. When building a business case, remember to consider the financial benefit of this achievement.
- Better transfer/job change experience as access is adjusted automatically: Consider this in the business case as well.
- Access audit is performed by reviewing the IAM configuration by role and the overarching technical solution. It is no longer necessary to pull tickets to prove an individual has the right access.
- Lowered risk of compromised data due to insufficient access controls
While this approach has great business value, as it addresses a large pain point in most large organizations and helps secure private data, it can take a while to implement. The answer to that conundrum is that the sooner it’s started, the sooner the business value and lowered risk are achieved. It also is no longer a matter of “if,” as role-based access and automated identity management solutions are becoming a must for most organizations.
Phyllis Drucker is an ITIL® 4 Managing Professional certified consultant and information leader at Cognizant’s Linium ServiceNow practice. Phyllis has more than 20 years of experience in the disciplines and frameworks of service management, as both a practitioner and consultant. She has served HDI since 1997, itSMF USA since 2004 in a variety of capacities including speaker, writer, local group leader, board member, operations director and recently completed her term as Chair for itSMF International. Since 1997, Phyllis has helped to advance the profession of ITSM leaders and practitioners worldwide by providing her experience and insight on a wide variety of ITSM topics through presentations, whitepapers, and articles and now her new book on the service request catalog, Online Service Management: Creating a Successful Service Request Catalogue (International Best Practice). Follow Phyllis on Twitter @msitsm.