It all starts with provisioning. Unfortunately, many CIOs struggle with a confusing array of tasks that form the provisioning process within their organisations. There’s usually some automation that creates an AD record, but much of the access control to applications is done manually. A new staff member must fill in application forms or call system administrators to get provisioned into the systems they need to do their jobs; this is not only very costly, it’s wide open to abuse.
There are several issues to be addressed while deploying a provisioning facility:
Entitlement management is important in some environments. Applications often maintain their own repository of user IDs for those staff with access rights. In this case, automatically setting those access rights should be considered. If the application is AD-aware, i.e. it uses AD groups, this is quite simple. If an access control list is maintained within an application, it is more difficult: the provisioning workflow must maintain a decision tree for entitlements and have an interface to the application in question so that it can write back to the access control list database.
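The two cases above, as an added sketch that is not from the original post: one decision tree yields both AD group memberships and application ACL roles, and the write-back step reconciles the application's own table, removing grants the rules no longer justify. The attribute names, group name, role names and `acl` table schema are all assumptions made for illustration.

```python
import sqlite3

# Constructed decision tree: attribute tests walked top-down, leaves are entitlements.
# Each entitlement is (target, name): "ad" = AD group, "app_acl" = application ACL role.
RULES = {
    "attr": "department",
    "branches": {
        "finance": {
            "attr": "title",
            "branches": {"manager": [("ad", "GRP-Finance"), ("app_acl", "ledger:approve")]},
            "default": [("ad", "GRP-Finance"), ("app_acl", "ledger:read")],
        },
    },
    "default": [],  # unknown department: grant nothing
}

def decide(user, node=RULES):
    """Walk the tree for one user record and return its entitlement list."""
    while isinstance(node, dict):
        value = str(user.get(node["attr"], "")).lower()
        node = node["branches"].get(value, node["default"])
    return node

def plan_ad_groups(user):
    """AD-aware application: the entitlement is just group membership."""
    return sorted(n for t, n in decide(user) if t == "ad")

def write_back_acl(db, user):
    """Application with its own ACL: reconcile its table to the decision."""
    wanted = {n for t, n in decide(user) if t == "app_acl"}
    current = {r[0] for r in db.execute(
        "SELECT role FROM acl WHERE user_id = ?", (user["id"],))}
    for role in wanted - current:
        db.execute("INSERT INTO acl (user_id, role) VALUES (?, ?)", (user["id"], role))
    for role in current - wanted:  # drop access the rules no longer justify
        db.execute("DELETE FROM acl WHERE user_id = ? AND role = ?", (user["id"], role))
    db.commit()
    return sorted(wanted - current), sorted(current - wanted)

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE acl (user_id TEXT, role TEXT, PRIMARY KEY (user_id, role))")
    db.execute("INSERT INTO acl VALUES ('u100', 'ledger:approve')")  # stale manual grant
    user = {"id": "u100", "department": "Finance", "title": "Analyst"}  # constructed record
    groups = plan_ad_groups(user)
    added, removed = write_back_acl(db, user)
    final = [r[0] for r in db.execute("SELECT role FROM acl WHERE user_id = 'u100'")]
    return groups, added, removed, final

if __name__ == "__main__": print(demo())
```

Running the reconciliation on every joiner, mover and leaver event, rather than only at hire time, is what keeps the application's ACL from drifting away from the rules.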
Provisioning remains the most important aspect of an identity management system; the effort required to get it right probably represents an excellent return on investment for most organisations. Eliminating manual effort will not only save organisations money, it will also significantly improve security and reduce the risk associated with access to protected resources.
This series of blogs looks at the major components of identity and access management to encourage discussion and raise awareness.
Graham Williamson is the author of “Identity Management: A Business Perspective”.
© 2021 MC Press Bookstore.