Previous blogs in this series have talked about the five fundamentals of a good IAM solution (as a quick reminder they are Authentication, Authorisation, Auditing, Architecture and Automation).
The 3As of Authentication, Authorisation and Auditing are a tried and trusted approach, and many an article has been written about them.
It is therefore slightly unusual to have automation listed, but it is often overlooked and not considered. Given the number of credentials, requests and password resets, having automated features within IAM is essential to reduce risk and provide a better user experience.
The Areas that need Automation
As much automation as possible is always a good thing as it minimises time to perform an operation, which is always good from a cost perspective. Equally the user experience is often better as it avoids frustration of having to wait for a human to do something.
Within IAM, automation is key not only because of the time savings, especially when dealing with a significant volume of requests, but also because it should be considered part of the security process.
The key areas that need automation within IAM are:
- Joiners Movers Leavers Process (JML)
- Access Requests
- Password Resets
Joiners Movers Leavers
This term is used to denote the process of creating accounts when a user joins an organisation, changes role and then leaves. In each of these situations the accounts and credentials need to be created or removed.
The volume of these requests can be overwhelming, even for small and mid-sized businesses. Statistics for the number of requests and the number of applications vary wildly. Most quoted figures can be taken with a pinch of salt as they are often used by marketing departments and vendors to bolster the message they are trying to give. Regardless, every organisation is different and the amount of time to create and delete accounts for each user is substantial.
The key issue though is security. We humans are prone to mistakes, and even the best of us can lose some attention to detail. Having an automated process can help ensure that the correct accounts are created and that a user does not receive too many permissions.
For the leavers process, automation is even more important. Accounts that are not deleted (or disabled) can incur licence costs, and may never be deleted because they are not associated with a real person. These are known as orphan accounts or, to remove any notion of sympathy, zombie accounts. Disgruntled ex-employees (I am sure your organisation does not have any of these) have been known to use un-deleted accounts to steal data or to perform some mischief.
An automated process can greatly reduce the threat by deleting more of these accounts.
The joiners and movers process also benefits from automation by providing a better user experience. Users can very quickly be up and running with the access they require, and thus avoid waiting for accounts before they can start work. As new employees we all like a little time to get our feet under the table, but from an organisation's perspective time is money.
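As an added example (not from the original post), here is a small reconciliation script of the kind the JML automation described above performs: it compares a constructed HR feed against a constructed directory export and lists the joiners to create, the movers whose role-based access must change, the leavers to disable, and the orphan accounts with no matching HR record. The sample data, field names and the HR-is-source-of-truth rule are assumptions.

```python
from datetime import date

# Constructed sample data (not real records): an HR feed and a directory export.
HR_FEED = [
    {"employee_id": "E100", "role": "finance", "end_date": None},
    {"employee_id": "E101", "role": "engineering", "end_date": None},  # mover
    {"employee_id": "E102", "role": "support", "end_date": "2024-03-01"},  # leaver
    {"employee_id": "E103", "role": "engineering", "end_date": None},  # joiner
]
DIRECTORY = [
    {"username": "ana", "employee_id": "E100", "role": "finance", "enabled": True},
    {"username": "ben", "employee_id": "E101", "role": "support", "enabled": True},
    {"username": "cy", "employee_id": "E102", "role": "support", "enabled": True},
    {"username": "svc-old", "employee_id": None, "role": "admin", "enabled": True},
]
SAMPLE_DATE = date(2024, 3, 15)


def reconcile(hr_feed, directory, today):
    """Return the JML actions that bring the directory in line with HR.

    HR is assumed to be the source of truth: every account must map to a
    current employee. Accounts with no HR record are reported as orphans
    for review rather than silently kept.
    """
    by_id = {a["employee_id"]: a for a in directory if a["employee_id"]}
    actions = {"create": [], "update_role": [], "disable": [], "orphan": []}
    known = set()
    for person in hr_feed:
        eid = person["employee_id"]
        known.add(eid)
        end = person["end_date"]
        left = end is not None and date.fromisoformat(end) <= today
        account = by_id.get(eid)
        if account is None:
            if not left:
                actions["create"].append(eid)  # joiner with no account yet
        elif left:
            if account["enabled"]:
                actions["disable"].append(account["username"])  # leaver
        elif account["role"] != person["role"]:
            actions["update_role"].append(  # mover: swap role-based access
                (account["username"], account["role"], person["role"]))
    for account in directory:
        if account["employee_id"] not in known:  # no id, or id unknown to HR
            actions["orphan"].append(account["username"])
    return actions
```

Run on a schedule, the orphan list is the part a reviewer should look at by hand, since a service account with no owner is exactly the kind of account the text describes as never being cleaned up.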
Access Requests
This is very similar to the JML process and is effectively an extension of it. Users will generally need more access because of a change of project, a special need, or simply access to a new application.
Regardless of the reasons, the number of access requests can build up. These types of requests can take a little longer because they will likely require approval (to put it another way, they should require approval).
Automating this can improve the user experience by speeding up access to a resource. As with JML, there are potential cost benefits to increasing the speed of access.
Both JML and Access Requests are often part of an IGA (Identity Governance and Administration) product, but they don’t have to be. There are many other ways to achieve automation such as with scripts that don’t require additional purchases.
Password Resets
It can be argued that a self-service function such as password resets is not really automation. Irrespective of which side of the fence you fall on in that discussion, the point is that removing the manual part of this operation has big benefits.
A common complaint amongst IT help desks is dealing with password resets; they are often numerous (especially after a long weekend or during the holiday season, for some reason users tend to forget their passwords after a good break!!).
As well as reducing the number of IT Helpdesk calls, the self-service (automated) password reset removes a security risk. Without automation, an administrator has to set the password and then communicate it securely to the user. There is the risk that the administrator is not so honourable and that the communication process is not secure. The risk of compromised credentials increases with a manual reset process.
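As an added example (not from the original post), here is a minimal self-service reset flow showing how the administrator drops out of the loop described above: a single-use, time-limited token is sent to the user over their registered channel, only a hash of it is stored, and the user sets the new password themselves, so nobody else ever knows it. The in-memory stores, token lifetime and function names are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(minutes=15)
# Constructed in-memory stores standing in for the directory and a token table.
USERS = {"ana": {"password_hash": None}}
RESET_TOKENS = {}


def issue_reset_token(username, now):
    """Create a single-use, time-limited token; only its hash is stored.
    The clear token goes to the user over their registered channel, so
    no help-desk administrator ever sees it or the password chosen later."""
    if username not in USERS:
        return None  # do not reveal whether the account exists
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[username] = {"digest": hashlib.sha256(token.encode()).hexdigest(),
                              "expires": now + TOKEN_TTL, "used": False}
    return token


def complete_reset(username, token, new_password, now):
    """Verify the token and let the user set their own password."""
    rec = RESET_TOKENS.get(username)
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    if not hmac.compare_digest(rec["digest"], hashlib.sha256(token.encode()).hexdigest()):
        return False
    rec["used"] = True  # single use: a replayed token is rejected
    salt = secrets.token_bytes(16)
    USERS[username]["password_hash"] = (salt, hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), salt, 200_000))
    return True


def run_scenario():
    """Walk the flow with a fixed clock; returns each step's outcome."""
    t0 = datetime(2024, 3, 15, 9, 0, tzinfo=timezone.utc)
    token = issue_reset_token("ana", t0)
    wrong = complete_reset("ana", "not-the-token", "pw1", t0)
    ok = complete_reset("ana", token, "correct horse battery staple", t0)
    replay = complete_reset("ana", token, "pw2", t0)
    later = issue_reset_token("ana", t0)
    expired = complete_reset("ana", later, "pw3", t0 + timedelta(minutes=16))
    return {"wrong": wrong, "ok": ok, "replay": replay, "expired": expired,
            "unknown_user": issue_reset_token("nobody", t0)}
```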
Summary
Automation is not often considered to be a fundamental part of an IAM solution, but by removing manual processes in the JML and Access Request processes there are several important benefits.
Security is improved as automation ensures greater accuracy and can alleviate human errors. User experience is improved as users are not waiting around for their access. Both have cost benefits by reducing the number of IT technicians needed and the downtime for a user.
Password Resets are dubiously included, as self-service is not often considered to be automation. However, by removing the need for an administrator, the user can automatically reset their own password.