WIXLIB

WHITE PAPER8 Best Practices for Identityand Access ManagementIntroductionIdentity and access management(IAM) isn’t something you do onceand then forget about. It’s anongoing process, a critical part ofyour infrastructure that demandscontinuous management. Evenif you have a fully implementeddirectory, it’s never too late totake advantage of best practicesto help continuously manage thiscrucial part of your environment.A key insight about identity andaccess management is beginningto emerge in our industry:contrary to common practice, ITshould not be heavily involvedin identity management. Toooften, IT is placed in the roleof “gatekeeper” simply becauseonly IT has the tools neededto manage identity. But withthe right identity managementtools in place, IT maintainsthe tools and infrastructure,and the business controls theactual identities.Here are eight key practices,gathered from years ofexperience and informed bythis key insight, that will helpyou improve your identitymanagement system to ensurebetter security, efficiencyand compliance.Eight best practices for IAM1. Define your workforceYour organization’s workforce ismanaged by your personnel orhuman resources department.They also have to manageinformation about people whoare not employees, such ascontractors and consultants.

Most of these people requireaccess to company resources.management lifecycle. Typically,you’ll identify the following:The first best practice is to useyour HR systems as much aspossible as an authoritativesource of data for your identityand access management system.This will help you avoid repetitivework, errors, inconsistenciesand other problems as the IAMsystem grows. Ideally, you’llprovide some kind of managedfront-end, such as a web- basedinterface that can be used toverify the quality of the importeddata, revise data as neededand so on. A primary directory service(often Active Directory) A messaging system (suchas Exchange Server orLotus Notes) A primary Enterprise ResourcePlanning (ERP) system (suchas SAP)2. Define identitiesThe next best practice is toimplement a single, integratedsystem that provides end-toend management of employeeidentities and that retiresorphaned or unneeded identitiesat the appropriate time. Thisis where IT responsibilityformally begins in the identityOnce identified, these crucialsystems are integrated into theoverall identity managementarchitecture. Why focus onthese three kinds of systems?Primarily because they delivera “quick win,” providing identityintegration across the mostvisible and most-used resourcesthat users interact with on adaily basis. More systems can beintegrated later.In reality, each disparate systemwill continue to have its own useraccounts. Your integrated systemsimply maps identities to theseaccounts, and you’ll often use aweb-based front-end to managethat mapping process. Therewill be invariably a few identitiesthat can’t be automaticallymapped, and the front-end willallow those to be handled on anexception basis.3. Provide knowledge andcontrol to business ownersYou also need to regularlyanswer the question, “Who hasaccess to what?” IT coordinatesthe inventory of identities andpermissions and provides thatinformation to business dataowners and custodians. Again, aweb-based front- end is ideal forthis. The idea is to let businessdata owners manage accessto their data and to providecentral reporting and control overthose permissions.4. Implement workflowAlthough technology is alwaysabout embracing change,unmanaged change causesUse your HR systems as much as possibleas an authoritative source of data for youridentity and access management system.2

Permissionsrequire periodicrecertification—you need toreview who hasaccess to whatand determinewhether or notthey shouldstill have thosepermissions.problems. Implementing a“request and approval” workflowprovides an efficient way tomanage and document change.A self-service user interface(often web-based) enablesusers to request permission toresources they need. Data ownersand custodians can respondto these requests, helping thebusiness ensure appropriateaccess, while removing IT fromthe decision- making role inpermissions management.You might begin by definingdifferent kinds of permissionsets, each with its own workflows.This enables different kinds ofdata and tasks to be treatedappropriately, depending upontheir sensitivity. Take the time todefine who can control that list ofservices, who is responsible formanaging workflow designs, andso on. For example, financial datamight require more extensiveapprovals when changingpermissions than company-wideinformation (such as details aboutthe next company picnic), whichmight be changed with relativelylittle workflow required.5. Automate provisioningYou need to manage new users,users who leave the organization,and users who move or arepromoted or demoted within theorganization. Provisioning, deprovisioning and re-provisioningare often time-consuming manualtasks, and automating themcan not only reduce overheadbut also reduce errors andimprove consistency.These provisioning tasks typicallyinvolve connections to numerous3systems, including email, ERPand databases. Prioritize thesesystems so that the mostimportant and visible ones canbe automated first, and clearlydefine and document the flowof data between these systemsand your identity managementtoolset. Focus first on automatingthe basic add/change/ deletetasks for user accounts, and thenintegrate additional tasks such asunlocking accounts.6. Become compliantMany companies are now affectedby one or more industry orgovernmental regulations, andyour identity management systemcan play a central, beneficial rolein helping you to become andremain compliant. You’ll needto focus on clearly defining anddocumenting the job roles thathave control over your data,as well as the job roles thatshould have access to auditinginformation. Define compliancerules step by step, and assigneach step to a responsible jobrole. Integrate rule checking inyour identity management systemand workflow operations to helpautomate remediation of incorrectactions; this will help improveconsistency and security as wellas compliance.7. Check and recheckIn a well-designed identitymanagement system, permissionsare typically assigned to jobroles rather than to individuals,but organizations are still likelyto simply assign permissionsas needed and never reviewthem again. This practice invitessecurity risks.

With One IdentityManager, identitymanagement canfinally be drivenby businessneeds, notsimply by whatIT can do.Permissions require periodicrecertification—you need toreview who has access to whatand determine whether or notthey should still have thosepermissions. Define job roleswithin your organization thatcan recertify permissions, suchas system owners, managers,information security officers andso forth. Recertification can bedefined in a workflow in whichdata owners and custodiansreview a current permissionset and verify the accuracy (orinaccuracy) of that set. Theidea is to regularly make surethat the roles and people whohave permissions to resourcesshould continue to havethose permissions.This process should also includerecertification of job rolemembership to ensure that theusers assigned a given job roleare still performing that rolewithin the organization.8. Manage rolesPermissions are best assignedto job roles rather than toCorporateHRControlobjectivesindividuals. Making those rolescorrespond to real-life job tasksand job titles is a powerful way tomanage identities and access overthe long term. A certain amountof inventorying and mining willbe needed to accurately identifythe major roles within yourorganization, based at least, inpart, on the resource permissionscurrently in force. Throughuser self- service IT shoppingcart, users request access tothe appropriate resources andservices. This way, a user canrequest access to “non-personalhuman resources information”(for example) without needingto understand the underlyingtechnical details required to makethat happen. Once a user placessuch a request, the owner orcustodian of the affected datahas the opportunity to reviewand either approve or denythe request—taking IT out ofthe permissions managementloop entirely.You’ll also need to define whowill manage these roles in orderto ensure that roles are created,WorkflowsPoliciesOne Identity ries, email systems, ERP systems, Windows-, Unix- and Mainframe-based resourcesFigure 1. One Identity Manager provides comprehensive yet simplified identity andaccess management, which enables organizations to follow the eight best practicesfor IAM outlined in this brief.4

modified and deactivated only byauthorized individuals followingthe proper workflow.Choosing the right toolTraditional approachesUnfortunately, it’s unlikely thatyour business can rely on nativetools to effectively implementthese eight best practices. Yousimply have to deal with toomany native toolsets, such asMicrosoft Active Directory, SAP,PeopleSoft, Unix or Mac OS. Youneed a central place to managethe identities used by all of thesesystems, and you need to do soin a consistent, secure, efficientand controlled fashion. TraditionalIAM frameworks are oftenexpensive and require extensive5implementation, often makingthem impractical.Many companies instead opt foradhoc IAM, cobbling togetherhome-grown and third-party toolsinto a disjointed workaround thatbasically gets the job done—butat a high cost in efficiency andsecurity. Ultimately, identitymanagement becomes driven bywhat IT is capable of, and not bywhat the business needs.One Identity ManagerOne Identity Manager, a partof the One Identity productsfrom Quest, helps organizationsachieve effective IAM for lessmoney, and with markedly lesseffort, than previously possible.Employees enjoy full access totheir applications, platforms,systems and data throughouttheir time with the organization,and your organization doesn’thave to invest in long, expensivecustomizations or never-endingconsulting engagements. Youcan even enable line-of-businessemployees to manage the identitylifecycle process through selfservice, offloading IT overheadonto actual business data ownersand custodians. One IdentityManager also provides fullworkflow, including separation ofduties that are often lacking inIAM solutions.With One Identity Manager,identity management can finallybe driven by business needs, notsimply by what IT can do.