This is Part 2 of a three-part series on identity governance and administration. Be sure to read Part 1 and Part 3 for the whole story.
Most of the clients that I speak to say they understand the importance of the processes for identity governance and administration (IGA). These clients typically talk about the familiar people, processes and technologies of identity and access management (IAM), and many of them even consider processes to be a critical element for their IGA program. Unfortunately, very few clients successfully put these ideas into practice, and developing efficient and effective IGA processes remains a near universal hurdle.
For example, I worked with a client that had challenges with its onboarding process. It took more than two weeks to onboard an employee or contractor, wasting time and causing lots of frustration. The client did not have any identity management processes documented, nor did it understand what was causing the delays. Even though the problem was obvious, the organization still struggled to address it. Why is identity governance so difficult?
A Road Map for Identity Governance and Administration
After working with dozens of IAM clients around the world, I have noticed consistent patterns for the ones that fail to develop effective IGA processes. First, they typically do the process definition on an ad hoc basis, so there is no comprehensive view of all required processes. Second, they don’t understand the full spectrum of people involved in these IGA processes. Third, they don’t have an approach to document the process details.
Companies can avoid these problems by involving stakeholders in a structured approach to IGA process engineering. I like to think of this as a hiking expedition: To avoid getting lost in the woods, it’s important to plan the trip, bring a map and get all hikers on the same page. Like hiking a tall peak without a guide, navigating an IGA process engineering journey on your own can be tough.
Join the webinar: Climb the Mountain to a Successful Identity Governance and Administration Program
Define the IGA Service Inventory
Many companies do not realize the comprehensiveness of IGA processes. In many cases, IGA is only introduced as a solution for access recertification. However, when designing IGA solutions, it’s important to consider all IGA-related services to ensure interdependencies are identified early on.
Streamline the Joiner, Mover and Leaver (JML)
JML is the key foundation of the identity life cycle. It controls the start and end of identities used in an organization. Therefore, the JML processes are the most important processes to get right. This is especially true for the leaver process.
I’ve seen many organizations loosely control employees’ and contractors’ access rights. When these users leave, their access remains active in critical systems, and the company has no visibility into accounts that belonged to users who have left. This also results in orphaned accounts, which can lead to serious security breaches and issues for organizations. Work with HR to understand the onboarding and offboarding processes, then extend these processes further to cover the user ID account creation, distribution and removal processes.
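To make the leaver gap concrete, here is an added example (not part of the original article or any IGA product) that reconciles an HR export against one application's account list and reports enabled accounts that are orphaned or still belong to a leaver. The CSV column names and all sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data: an HR export and an account export (assumed columns).
HR_CSV = """employee_id,status,termination_date
E100,active,
E101,terminated,2024-03-01
E102,active,
E103,terminated,2024-06-30
"""

ACCOUNTS_CSV = """account,owner_id,enabled,system
asmith,E100,true,erp
bjones,E101,true,erp
bjones_adm,E101,false,erp
svc_batch,,true,erp
cwu,E999,true,crm
dlee,E103,true,crm
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(hr_rows, account_rows, today):
    """Classify enabled accounts that the leaver process should have removed."""
    hr = {r["employee_id"]: r for r in hr_rows}
    findings = {"orphaned": [], "leaver_active": []}
    for acct in account_rows:
        if acct["enabled"].lower() != "true":
            continue  # disabled accounts are already deprovisioned
        owner = hr.get(acct["owner_id"])
        if owner is None:
            # No owner recorded, or owner unknown to HR: nobody answers for it.
            findings["orphaned"].append(acct["account"])
        elif owner["status"] == "terminated" and owner["termination_date"]:
            term = date.fromisoformat(owner["termination_date"])
            if term <= today:  # scheduled future leavers are not yet a finding
                findings["leaver_active"].append((acct["account"], (today - term).days))
    findings["leaver_active"].sort(key=lambda f: -f[1])  # longest exposure first
    return findings

if __name__ == "__main__":
    print(reconcile(load(HR_CSV), load(ACCOUNTS_CSV), date(2024, 7, 10)))
```

Sorting by days since termination puts the longest-exposed leaver accounts at the top of the cleanup list.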
Centralize the Access Request and Approval
One of the main challenges is that each application may have its own process, making it difficult for requesters to figure out which form to fill out for which application. To address this, first create a centralized access request portal where users can come to find the applications they need. Then, simplify and streamline the request form. Lastly, provide request tracking so users can easily find out where their request is.
One of my clients had four different methods for submitting access requests: an online form, email, phone and physically walking over to the administrator. These processes led to undocumented approvals and access provisioning events. I quickly centralized the process into one request channel using the online form, which improved both auditing and the user experience.
Companies are also starting to introduce a cognitive access request chatbot solution. An access request chatbot can: learn various request types, forms and user behaviors during the access request process; assist users in finding the right access request forms; and even trigger access provisioning/deprovisioning events based on the chat session. This is becoming a cost-effective solution that improves the user experience and eliminates the need for complete migration of the legacy access request solutions.
Standardize the Access Recertification Campaigns
Consider two different types of access recertification campaigns. For nonprivileged user access, managers perform access reviews of their team members semiannually, a practice also known as continuous business need. For privileged accounts, a privileged access review is conducted quarterly or semiannually by asset owners. Consider separating the access recertification campaigns for business applications and IT assets.
Define Role and SoD Rules With Business and IT
Many companies misunderstand the IGA tool’s capabilities for role and segregation-of-duties (SoD) management. These solutions can only provide ways to manage the role or rules once you have defined them. Start by establishing a separate business process for defining role or SoD rules. Perform the top-down organization definition and bottom-up access definition, then construct the role or rules on a spreadsheet. Then, once the business signs off on the role or SoD rules, define them in the IGA tool for use in processes.
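As an added illustration (not from the original article and not tied to any specific IGA tool), the sketch below takes role and SoD definitions exported from such a spreadsheet as CSV and checks them before sign-off: it flags roles that break a rule on their own and users whose combined roles break one. The role names, entitlements, rule IDs and user assignments are all constructed.

```python
import csv
import io
from itertools import combinations

# Constructed sample of the sign-off spreadsheet, exported as CSV.
ROLES_CSV = """role,entitlement
AP_Clerk,create_vendor
AP_Clerk,enter_invoice
AP_Manager,approve_payment
Treasury,approve_payment
Treasury,enter_invoice
"""
SOD_CSV = """rule_id,entitlement_a,entitlement_b
SOD-1,create_vendor,approve_payment
SOD-2,enter_invoice,approve_payment
"""
# Constructed user-to-role assignments (bottom-up access data).
ASSIGNMENTS = {"alice": ["AP_Clerk"], "bob": ["AP_Clerk", "AP_Manager"], "carol": ["AP_Manager"]}

def load_roles(text):
    roles = {}
    for row in csv.DictReader(io.StringIO(text)):
        roles.setdefault(row["role"], set()).add(row["entitlement"])
    return roles

def load_rules(text):
    # Key each rule by the unordered pair of conflicting entitlements.
    return {frozenset((r["entitlement_a"], r["entitlement_b"])): r["rule_id"]
            for r in csv.DictReader(io.StringIO(text))}

def violations(entitlements, rules):
    """Return the sorted rule ids broken by one set of entitlements."""
    return sorted(rules[frozenset(p)] for p in combinations(sorted(entitlements), 2)
                  if frozenset(p) in rules)

def check_roles(roles, rules):
    """Roles that break a rule by themselves: a design defect to fix before sign-off."""
    return {name: v for name, ents in roles.items() if (v := violations(ents, rules))}

def check_users(assignments, roles, rules):
    """Users whose combined roles break a rule."""
    out = {}
    for user, names in assignments.items():
        ents = set().union(*(roles[n] for n in names))
        if (v := violations(ents, rules)):
            out[user] = v
    return out

if __name__ == "__main__":
    roles, rules = load_roles(ROLES_CSV), load_rules(SOD_CSV)
    print(check_roles(roles, rules), check_users(ASSIGNMENTS, roles, rules))
```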
Automate Access Provisioning and Deprovisioning Where Appropriate
Over the years, I’ve learned that not every provisioning or deprovisioning process can or should be automated. Consider automating the high-volume request items or using robotic process automation (RPA) to replace the manual activities. However, you should also consider maintaining manual processes for applications with very low request volume, nonregulated applications or where investment for automation is difficult to justify.
Prepare Compliance and Reporting
IGA reports are common requests for compliance audits. While most reports should be generated from the IGA tool, an audit may require ad hoc reports to run directly from certain application databases. It helps to predefine the process of generating ad hoc reports to ensure that they are created correctly.
Apply Threat Intelligence and Analysis
IGA data is key for insider threat protection. Analysis of the data can help prevent and detect insider threat activities. While many companies have not yet taken advantage of the data, a process can be defined to use it for analytics.
Analyze the Processes From the User’s Perspective by Identifying Actors
Once the process inventory is defined, conduct workshops with the right groups to define the processes. Typical key groups to involve in the IGA process definition include:
- Human resources. HR is the key group to involve for the joiner, mover and leaver processes. In some cases, the procurement team may need to be involved for handling contractor or consultant onboarding/offboarding.
- Application owners. Access request and approval or access provisioning process definitions will require application owners. Application owners may also be the approvers in many cases. It is not necessary for application owners to be involved in the process definition exercise, but they should be informed of the processes and trained in their responsibilities.
- Access administrators. A representative from the access administrator team should be involved in the process definition, especially the access request/approval and provisioning/deprovisioning processes.
- Information security. The IGA processes should be defined based on information security policies such as access revocation, audit/logging, etc. Information security representatives should be involved in the process definition or review to ensure accuracy.
- Tools. The HR system, Active Directory and IGA tools could be actors included in the processes. Tool owners should be involved in the process definition to explain the system logic used for IGA.
Detail Activities in an Easy-to-Understand Format
Swim lane diagrams are the most effective format for IGA processes. Depending on the process type described in the first key step, appropriate actors should be involved in the workshop. Identify the key activities under each process type and describe the activities in boxes within the swim lane, corresponding to the actor. Avoid writing too much detail in each box and keep the activities high level. The details should be captured in the procedure document.
Hit the Road With As-Is and To-Be IGA Processes
Once you are ready, follow the road map above to perform each of the steps for both as-is and to-be processes. As-is processes should be created first to identify any key issues, gaps or bottlenecks. Based on the findings, analyze the process for improvements, optimization and efficiencies. Then define the to-be processes, incorporating the improvements and any new requirements. This will help you develop the strategy and road map to take the company from the current state to the future state.
Going back to the client example described above, I was able to define the as-is processes using our three-step approach, which also showed multiple IGA tool sets involved in the processes. Until this process was defined, the company was not aware of the complexity in its environment. As a result, the as-is process showed that there were over 20 steps with eight actors and two separate approval points included in the joiner process. This provided the insights required to address the client’s pain points related to onboarding and offboarding.
After understanding the processes, I recommended consolidating the IGA tools that were causing redundancies. Next, I consolidated and eliminated unnecessary approval and fulfillment steps with automation. As a result, the to-be process was created, showing significant reductions in the joiner process to four steps and three actors. This also resulted in shortening the onboarding time to two to three days for the interim release. Additionally, zero-day readiness was enabled with the fully automated process for the future release.
Identity governance and administration services by IBM specifically cover these IGA process definitions for clients. Using our proven methodology, process templates and samples, we can accelerate the process definition effort for our clients. As a result, we help clients improve the effectiveness of their IGA adoption strategies and support migration of IAM programs to the next maturity level.