The rapid adoption of distributed applications, architectures, and personnel, both before COVID-19 and since, has pushed organizations to view security through the lens of identity. What was once "permit this network to reach that network" is now "expose the application broadly, then decide which user, on which device, from which location, may reach which application, and enforce from there."
The more security policy is driven by identity, the more identity must be managed.
- New employees cannot wait for days or weeks through “requested access” whack-a-mole before being productive.
- Accounts belonging to employees who have left the organization must not remain active across the many applications in use, for both security and financial reasons: the average employee is licensed for $2,000 to $4,000 of SaaS services per year. Leaving unnecessary accounts provisioned is a security risk and also wastes monthly spend.
- Privilege creep through promotions, demotions, and departmental transfers quickly leads to unnecessary, if not dangerous, levels of access. Unnecessary access to payroll reports is one thing; unnecessary access to systems that affect technology availability and stability can be quickly discovered by adversaries (or reached through a compromised account) and exploited for financial gain (ransomware) or malice.
- External identities from other organizations or business partners add challenges of their own rather than removing any.
The ability to manage an organizational identity throughout its life, from creation, when an employee (or external user) is entered into the HR system or other system of record, through changes of role, to expiration, is commonly called identity lifecycle management.
Historically, and still today, identity lifecycle management (ILM) has been mostly manual, error-prone, and limited in scope to either a subset of users or a subset of applications. The proliferation of distributed applications, architectures, and personnel, combined with rich API support, has created an opportunity to automate these often time-sensitive and error-prone tasks so that they run the same way, every time, with minimal human delay.
Most commonly, ILM resembles a three-legged stool in which each leg is a critical component that works with the other two:
- Orchestrator: the foundation of any automation at scale. The orchestrator is software (SaaS or on-premises) responsible for executing the desired lifecycle policies and workflows covering access requests, access assignments, reviews, and expiration. Policies and workflows can be written as code or built in a no-code/low-code visual drag-and-drop editor.
- Pre-built integrations: there are thousands of applications in use today, each with its own way to create, read, update, and delete (CRUD) users and entitlements (access rights and permissions), that is, to provision and deprovision them. Pre-built integrations for the many applications an organization uses, SaaS or on-premises, combined with drag-and-drop orchestration, are critical to moving an ILM initiative forward with any velocity.
- Governance: visibility, through reporting, into what is and is not in compliance with defined policy, with optional automatic or manual remediation, and the ability to audit and enforce compliance mandates, specifically segregation of duties, mandatory entitlement expiration, and access recertification.
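The governance checks above (and the leaver and privilege-creep cases from the bullets earlier on this page) are easy to state but rarely shown concretely. The following is an added example written for this page, not code from Okta, AE Business Solutions, or any product: it runs a few governance checks over a constructed snapshot of an identity store. The users, applications, entitlement names, role baseline, and the segregation-of-duties rule are all made up for illustration.

```python
"""
Toy identity-governance checks over a constructed snapshot of an identity
store. All names, dates, role baselines and the SoD rule below are invented
for the example; nothing here is data or code from any product.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class User:
    uid: str
    status: str            # "active" or "terminated", as fed from the HR system of record
    department: str


@dataclass(frozen=True)
class Account:
    uid: str               # identity that owns this application account
    app: str
    enabled: bool


@dataclass(frozen=True)
class Entitlement:
    uid: str
    app: str
    name: str
    granted: date
    expires: Optional[date]      # None = no expiry set
    recertified: Optional[date]  # last attestation by an approver; None = never


# Constructed sample data: a joiner (alice), a mover (bob), a leaver (carol)
# and an account with no HR record at all (dave).
USERS = [
    User("alice", "active", "finance"),
    User("bob", "active", "engineering"),   # transferred out of finance
    User("carol", "terminated", "finance"),
]
ACCOUNTS = [
    Account("alice", "erp", True),
    Account("bob", "erp", True),
    Account("bob", "ci", True),
    Account("carol", "erp", True),          # leaver whose account is still enabled
    Account("dave", "crm", True),           # orphan: unknown to HR
]
ENTITLEMENTS = [
    Entitlement("alice", "erp", "ap_invoice_create", date(2023, 1, 10), None, date(2024, 3, 1)),
    Entitlement("alice", "erp", "ap_payment_approve", date(2023, 6, 1), None, None),
    Entitlement("bob", "erp", "ap_invoice_create", date(2022, 9, 1), None, date(2022, 9, 1)),
    Entitlement("bob", "ci", "ci_admin", date(2024, 2, 1), date(2024, 5, 1), None),
    Entitlement("carol", "erp", "ap_payment_approve", date(2021, 1, 1), None, date(2023, 1, 1)),
]
# Entitlements each department is expected to hold; anything beyond this is creep.
ROLE_BASELINE = {
    "finance": {("erp", "ap_invoice_create"), ("erp", "ap_payment_approve")},
    "engineering": {("ci", "ci_admin")},
}
# Segregation of duties: one identity must not hold every entitlement in a set.
SOD_RULES = [frozenset({("erp", "ap_invoice_create"), ("erp", "ap_payment_approve")})]


def orphaned_accounts(users, accounts):
    """Enabled accounts whose owner is terminated or unknown to HR (leaver / orphan)."""
    active = {u.uid for u in users if u.status == "active"}
    return sorted((a.uid, a.app) for a in accounts if a.enabled and a.uid not in active)


def sod_violations(entitlements, rules):
    """Identities that hold every entitlement of a conflicting set."""
    held = {}
    for e in entitlements:
        held.setdefault(e.uid, set()).add((e.app, e.name))
    return sorted((uid, tuple(sorted(r))) for uid, h in held.items() for r in rules if r <= h)


def expired_entitlements(entitlements, today):
    """Entitlements past their expiry date that are still assigned."""
    return sorted((e.uid, e.app, e.name) for e in entitlements if e.expires and e.expires < today)


def recertification_overdue(entitlements, today, max_age_days=365):
    """Entitlements never recertified, or not recertified within the window."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted((e.uid, e.app, e.name) for e in entitlements
                  if e.recertified is None or e.recertified < cutoff)


def privilege_creep(users, entitlements, baseline):
    """Entitlements an active user holds outside the baseline for their current department."""
    dept = {u.uid: u.department for u in users if u.status == "active"}
    return sorted((e.uid, e.app, e.name) for e in entitlements
                  if e.uid in dept and (e.app, e.name) not in baseline.get(dept[e.uid], set()))


def governance_report(today):
    """Run every check against the constructed snapshot and return the findings."""
    return {
        "orphaned_accounts": orphaned_accounts(USERS, ACCOUNTS),
        "sod_violations": sod_violations(ENTITLEMENTS, SOD_RULES),
        "expired_entitlements": expired_entitlements(ENTITLEMENTS, today),
        "recertification_overdue": recertification_overdue(ENTITLEMENTS, today),
        "privilege_creep": privilege_creep(USERS, ENTITLEMENTS, ROLE_BASELINE),
    }


if __name__ == "__main__":
    for check, findings in governance_report(date(2024, 6, 15)).items():
        print(f"{check}: {findings}")
```

Each check is a pure function over the snapshot, so the same logic can run as a scheduled report (detective control) or be wired into an orchestrator workflow that disables the orphaned account or opens a recertification task (remediation). Note that the leaver's entitlement is flagged by the recertification check as well as by the orphaned-account check; in practice the deprovisioning workflow should fire on the HR status change itself rather than waiting for a periodic review to notice.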
Identity lifecycle management is a key pillar within the broader identity space. Single sign-on (SSO) and multifactor authentication (MFA) have delivered greater confidence in, and control over, who and what is connecting; provisioning, deprovisioning, and managing access after authentication land squarely with ILM, which should be considered in the same breath as SSO and MFA.
ILM capabilities are not limited to specialized providers. Capabilities vary, but the leading identity and access management (IAM) vendors have accelerated their ILM development and focus, strengthening the case for a platform approach. Organizations should evaluate the ILM capabilities of their current IAM solutions against their own requirements and against the broader market.
AE Business Solutions partners with Okta Inc., the industry leader in cloud-delivered identity and access management solutions. Okta's recently announced Workflows platform enhancement makes it simple to automate identity-centric business processes, including many identity lifecycle management tasks, without code through a graphical interface. Okta is a market-leading provider of cloud-delivered single sign-on, multifactor authentication, lifecycle management, API access management, server access, and access gateway solutions.
