8/2/2019 User Provisioning- Business Imperatives
1/11
WHITE PAPER: IDENTITY MANAGEMENT
User Provisioning: The Business Imperative
SEPTEMBER 2009
Table of Contents
Executive Summary
SECTION 1
Provisioning Challenges for Today's IT Departments
SECTION 2
The Need for a Comprehensive Provisioning Solution
SECTION 3
The Benefits of a Comprehensive Provisioning Solution
SECTION 4
Conclusions
ABOUT CA
Copyright 2009 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document "As Is" without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages.
Executive Summary
Challenge
The challenges facing those who manage and support IT users have never been greater
than they are in the current business environment. Today's IT manager needs to consider
that organizations have employees joining and leaving at a rapid rate, and that current
employees rarely remain in one position within the organization for any extended period
of time. They continually are changing roles and responsibilities and working cross-
functionally within the organization, and as such, entitlements need to be provisioned,
updated and documented in a dynamic manner that reflects the new realities.
Similarly, a constantly changing cast of non-employee users (business partners,
suppliers, vendors and customers) regularly need to access and utilize an organization's
data and resources. Making the job even more difficult is the looming specter of
regulatory and organization-mandated compliance and reporting protocols.
Opportunity
While improvised or manual provisioning of users was once a way to ensure that each
received the proper rights and access, the sheer speed in the increase in users and
updates, along with the diversity of users, requires sophisticated and comprehensive
provisioning tools. This same volume of activity makes the documentation required by
internal and external auditors virtually impossible without robust and repeatable
processes and capabilities.
The IT department has the opportunity to address growing administrative costs by
streamlining, automating and documenting the user provisioning process while making
sure that group and individual rights are kept current and accurate, enabling all users to
better perform their jobs.
Benefits
Using provisioning tools with dynamic, scalable capabilities and flexible functionality
creates several tangible benefits to the IT department and the organization in general. By
utilizing user self-service options, fine-grained entitlement functions and supporting
diverse platforms, IT managers can reduce costs, improve service, better manage risk,
and meet the business needs of the enterprise through integration with other software
and applications.
A successful security management strategy helps ensure continuous business operations
by minimizing risk at virtually every level of the organization. Because IT budgets are
always tight, a successful security management system also can help IT stay within
budgetary constraints and increase operational efficiencies.
SECTION 1
Provisioning Challenges for Today's IT Departments
As technology continues to fuel growth in organizations of all shapes and sizes, even the most
dedicated and talented IT teams face challenges from the population explosion among their
user communities. More users require more access to more applications than ever before.
In the past, adding new employees and updating passwords were considered time consuming
tasks, but not particularly mission critical to the entire organization. However, the changing
dynamics of the mobile, global economy, and increased scrutiny by internal and external
auditors, have dramatically increased the challenges facing today's IT department in the area of
user provisioning.
Today, IT managers face a myriad of challenges to creating and maintaining user identities,
including:
An employee base that can grow or shrink virtually overnight
Employees who are constantly changing functions, or working cross-functionally within the organization
Temporary contracted and outsourced employees
Vendors and partners who need access to your applications
Customers who need access to your products and services
Compliance with internal corporate policy and external regulations
The Dynamic Workforce
The size, shape and makeup of an organization's workforce have never been more dynamic.
From a macroeconomic perspective, factors such as globalization, the growth of outsourcing,
the continued shift to knowledge-based employment, and even population fluctuations and the
aging workforce affect the potential makeup of an organization's user population.
On a more micro level, the reality of workforce migration is playing a significant role in
reshaping the workforce in most industries. The addition or departure of users on a regular
basis is clear evidence that organizations no longer remain one size for extended periods of
time. Mergers and acquisitions, layoffs and shutdowns, outsourced job functions and entire
divisions moving overseas, all mean that there can be significant changes to many users in a
very short period of time.
Where once it theoretically was possible to plan for new employees to be added on the first
Monday of the month (or terminated on the last), that predictability has been replaced by a
need to have a large group of new employees in the Beijing office online by next Thursday.
Without powerful provisioning tools this need would become a major obstacle to productivity.
The Challenge Within: Employee Movement and Promotions
Now that we have established that the employee base is constantly in flux, we need to address
another challenge: the changing nature of the individual employee. Modern employees change
job functions within an organization significantly more than they have in the past. As
organizations strive to reduce turnover rates and keep employees from job-hopping, one of the
benefits most are touting is mobility within the organization.
Marketing managers transfer into the role of business development; accountants transfer into
financial planning and analysis. This is great for human resources, and the organization as a
whole benefits from keeping talented people, but it presents a unique set of challenges for the
IT department to assign and maintain proper privileges. To do so efficiently and effectively,
user provisioning tools must provide a level of fine-grained entitlements that allow for specific
functions or rights to be added or removed, as well as some self-administration functions for
users and delegated authority to their manager to request and approve additional entitlements
and resources. As with any steps in the provisioning process, it is also important to adhere to
corporate policy and document changes for future auditing purposes.
Do They Work For Us? Outsourcing, Consultants and Contractors
As mentioned previously, the movement toward a global workforce and the growing use of
contractors has created a scenario where the internal user doesn't necessarily reside in the
same office, building, country or even continent as the rest of the organization. These non-
employee workers also require the use of fine-grained entitlement policy setting based on a
variety of variables such as length of contract.
Partners, Vendors and Other External Users
In much the same way non-employee workers need access, the modern work force contains
external vendors, partners and suppliers that may be integral to the success of an operation.
As an example, consider a supply chain setting, in which there may be several vendors needing
access, each with specific requirements and separate entitlements. One vendor may be able to
get inventory status at certain times, but not at others. A second vendor may get pricing
information, but a third doesn't. Having rights assigned based on roles only, without specific
entitlements, may grant each user the same privileges. In our supply chain example, universally
providing inventory and pricing information to all vendors near the end of a contract may
weaken a negotiating position. The provisioning software must be capable of changing
entitlements on the fly, or have automated functions that can adjust these privileges at
predetermined times.
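The supply chain scenario above can be modelled as per-vendor entitlements with a daily access window and an automatic cutoff ahead of contract end. This is an added example, not code from the white paper or from any CA product; the vendor names, resource names, dates and the 30-day cutoff are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class Entitlement:
    resource: str
    window_start: time = time.min      # daily window in which access is allowed
    window_end: time = time.max
    cutoff: timedelta = timedelta(0)   # revoke this long before the contract ends


@dataclass(frozen=True)
class Vendor:
    name: str
    contract_end: datetime
    entitlements: tuple


def check_access(vendor, resource, at):
    """Return (allowed, reason); the reason is what an audit record would store."""
    for ent in vendor.entitlements:
        if ent.resource != resource:
            continue
        if at >= vendor.contract_end - ent.cutoff:
            return False, "revoked: contract cutoff reached"
        if not ent.window_start <= at.time() <= ent.window_end:
            return False, "denied: outside permitted hours"
        return True, "granted"
    return False, "denied: no entitlement for resource"


# Role-only model for comparison: every account in the "vendor" role gets the
# same rights, at any hour, until someone remembers to remove the role.
ROLE_RIGHTS = {"vendor": {"inventory", "pricing"}}


def role_only_access(resource):
    return resource in ROLE_RIGHTS["vendor"]


# Constructed sample data (hypothetical vendors and contract date).
CONTRACT_END = datetime(2009, 12, 31, 17, 0)
VENDOR_A = Vendor("vendor-a", CONTRACT_END,
                  (Entitlement("inventory", time(8), time(12)),))
VENDOR_B = Vendor("vendor-b", CONTRACT_END,
                  (Entitlement("inventory"),
                   Entitlement("pricing", cutoff=timedelta(days=30))))
VENDOR_C = Vendor("vendor-c", CONTRACT_END, (Entitlement("inventory"),))

if __name__ == "__main__":
    checks = [
        (VENDOR_A, "inventory", datetime(2009, 9, 14, 9, 30)),
        (VENDOR_A, "inventory", datetime(2009, 9, 14, 15, 0)),
        (VENDOR_B, "pricing", datetime(2009, 9, 14, 10, 0)),
        (VENDOR_B, "pricing", datetime(2009, 12, 10, 10, 0)),
        (VENDOR_C, "pricing", datetime(2009, 9, 14, 10, 0)),
    ]
    for vendor, resource, at in checks:
        print(vendor.name, resource, at.isoformat(), check_access(vendor, resource, at))
```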
Compliance
Looming over all of the challenges that face today's IT department is the need to continuously
remain in compliance. A host of regulations and international standards have created an
environment where every step in the provisioning process must be made in accordance with
established corporate policy and documented for possible future audit.
For a provisioning tool to be useful in this environment it needs to facilitate an approved
workflow for all changes, provide appropriate checks and balances before granting entitlements
and create an audit trail that will stand up to the most ardent scrutiny.
Segregation of Duties
Automating the control of policies to define segregation of duties helps enforce compliance
policies that prevent multiple users from having certain overlapping privileges, which could
lead to fraud or abuse. A provisioning tool's functionality needs to include an auditable process
where requests for potentially conflicting duties can be detected to ensure that neither
financial controls nor private data are put at risk.
For example, you can prohibit users who issue checks from approving checks, or make sure
that employees responsible for depositing cash don't have the ability to alter bank statements.
While this helps eliminate deliberate collusion and fraud, it also provides a safeguard to detect
innocent errors, which while not malicious, could be equally costly.
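A segregation-of-duties control of this kind has a preventive half (reject a conflicting request before it is granted) and a detective half (find conflicts that already exist, for instance after a job transfer), with every decision written to an audit trail. The sketch below is an added example, not the white paper's or any vendor's implementation; the entitlement names, user names and the self-approval rule are assumptions chosen to match the two conflicts described above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Conflicting duty pairs from the text's two examples (names are illustrative).
SOD_CONFLICTS = [
    frozenset({"issue_checks", "approve_checks"}),
    frozenset({"deposit_cash", "alter_bank_statements"}),
]


@dataclass
class Provisioner:
    held: dict = field(default_factory=dict)    # user -> set of entitlements
    audit: list = field(default_factory=list)   # append-only decision log

    def conflicts_for(self, user, entitlement):
        """Entitlements the user already holds that clash with the request."""
        current = self.held.get(user, set())
        return sorted(
            other
            for pair in SOD_CONFLICTS if entitlement in pair
            for other in pair - {entitlement} if other in current
        )

    def request(self, user, entitlement, approver, reason):
        """Preventive control: decide a request and record who, what, when, why."""
        clashes = self.conflicts_for(user, entitlement)
        if approver == user:
            decision = "denied: self-approval"          # assumed workflow rule
        elif clashes:
            decision = "denied: conflicts with " + ", ".join(clashes)
        else:
            self.held.setdefault(user, set()).add(entitlement)
            decision = "granted"
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "entitlement": entitlement,
            "approver": approver,
            "reason": reason,
            "decision": decision,
        })
        return decision

    def scan(self):
        """Detective control: users who already hold both halves of a pair."""
        return sorted(
            (user, tuple(sorted(pair)))
            for user, ents in self.held.items()
            for pair in SOD_CONFLICTS
            if pair <= ents
        )


if __name__ == "__main__":
    p = Provisioner()
    print(p.request("alice", "issue_checks", "bob", "accounts payable clerk"))
    print(p.request("alice", "approve_checks", "bob", "covering for a colleague"))
    # Constructed legacy state: rights granted by hand before the control existed.
    p.held["carol"] = {"deposit_cash", "alter_bank_statements"}
    print(p.scan())
    for entry in p.audit:
        print(entry)
```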
SECTION 2
The Need for a Comprehensive Provisioning Solution
The IT manager now needs to efficiently add, remove and manage a variety of users (some
internal, some external) in a manner that provides them with the entitlements they need to be
successful in their work, while remaining compliant with all internal and external regulations.
Clearly, manual or improvised provisioning is only an option for managing a small number of
users, and many first generation provisioning tools lack the granular functionality, flexibility or
dynamic ability to make changes on the fly, an absolute necessity to meet all the challenges of
the enterprise mentioned in Section One. To effect the type of positive impact that executives
throughout the organization expect, the IT manager needs a truly comprehensive provisioning
solution.
What to Look For In a Comprehensive Provisioning Solution
There are several features that one must look for when choosing a provisioning solution.
Clearly the ability to automate certain commonly repeated functions, a level of user self-service
and interoperability with many third-party systems, aren't always an option. But a truly
comprehensive solution must meet several additional requirements and be able to satisfy the
needs of not just IT but also other stakeholders within the organization.
INTEGRATED WORKFLOW As part of an organization's compliance and regulatory efforts,
integrating workflows allows both the automation and enforcement of entitlement processes.
It also allows organizations to establish and specify administration policies for a variety of user
communities, both inside and outside the organization.
FINE-GRAINED WORKFLOW APPROVAL A comprehensive provisioning solution should offer
enhanced workflow capabilities that enable fine-grained entitlements based on particular
attributes or values. The solution must be able to work with individual business units to
establish specific approval processes and approvers, termination policy, modification
prerequisites and dependencies.
TABLE-BASED IDENTITY POLICIES A flexible policy model supported by table-based identity
policies can help simplify namespace administration for hundreds and thousands of possible
attribute values such as Active Directory (AD) groups, SAP roles and RACF groups. In an
environment where thousands of access entitlement combinations are required, table-based
policies simplify the user life cycle management process by combining role- and rule-based
user provisioning. By facilitating automated scheduled tasks, table-based identity policies
empower administrators to deploy or make a change to massive user communities with a
single push of a button.
SCHEDULED TASKS IT managers must be able to easily define and schedule provisioning
activities based on time as well as need. Tasks such as temporary role delegation, termination
or activation, should be scheduled and executed with as few manual requirements as possible.
USER ADMINISTRATION DELEGATION By delegating user administration, IT can empower the
most appropriate people within the organization (and even those previously-discussed non-
employee users who may exist beyond the firewall) to authorize and assign entitlements that
help their team best accomplish its tasks on an on-demand basis. With IT at the center of the
command hub, users with proper administrative roles must be able to view and modify access
entitlements for users' accounts at any given time. This centrally managed process for
delegating user administration can improve overall efficiency and is the most cost-effective
way to rapidly scale the provisioning process.
PASSWORD MANAGEMENT Password management services are still the most utilized function
in any provisioning solution. In our compliance driven environment, these services remain
among the most important. A comprehensive solution should include self-service, forgotten
password support, bidirectional password synchronization, centralized password composition
rules, flexible application of password policies, Graphical Identification and Authentication
(GINA) support and automated enforcement of periodic password changes.
INTEGRATED COMPLIANCE SUPPORT A comprehensive solution will tie entitlement policies into
business processes using workflow functionality to ensure that entitlement policies are
enforced, while serving as a watchdog to track current entitlements against current and past
activity for inconsistency or violation. In addition to segregation of duties, reporting is a key
aspect of compliance, as auditors require documentation and auditing of all controls to make
sure they are effective and in line with both external regulation and an organization's business
policies.
SUPPORTING DIVERSE IT ENVIRONMENTS A key factor in the ease of deployment of a user
provisioning system is its ability to easily integrate into the organization's IT environment.
Solutions that provide out-of-the-box, standards-based and custom integration capabilities,
together with the flexibility of integrating into Web applications and portals of customers'
choosing, go a long way in meeting this purpose.
The ability of a solution to integrate with many of the leading hosts/servers (Windows, Linux,
Active Directory, SUN Solaris etc), groupware applications (Lotus Notes/Domino, Microsoft
Exchange), databases (Oracle, MS SQL, IBM DB/2), authentication systems (RSA Secure ID,
Actividentity CMS, Entrust PKI), mainframe systems (IBM RACF DB2 for z/OS, etc) and
standards and general interfaces (LDAP, ODBC, SPML, SDK, Universal Feed, Web
Service/WSDL, Connector Xpress for RDBMS, etc) can dramatically decrease the time to value of
system implementation.
SECTION 3
The Benefits of a Comprehensive Provisioning Solution
Compliance Again
As stated previously, compliance is the driving force behind the majority of the advances in th
EUPA in Europe, AIPA in Italy, Personal Information Protection Act (PIPA) in Japan, Basel II and
FSA in the United Kingdom, Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA),
Health Insurance Portability and Accountability Act (HIPAA), the Federal Financial Institutions
Examination Council (FFIEC) in the U.S., are facing regulatory compliance to become a
universal C-level issue.
When the auditors ask, IT must be able to easily create and provide reports that track any
or all entitlements provisioned, including the time, reason and persons who approved and
provisioned them. Likewise, they must also demonstrate when users were deprovisioned
following the end of a contract or termination.
A comprehensive provisioning solution provides IT with the auditing capabilities and robust
documentation to stand up to the scrutiny of even the most stringent of these requirements.
Cost Savings/ROI: Do More With Less
There are many tangible ways to measure the ROI of a provisioning solution, but perhaps none
is more compelling than the password reset function. Industry reports show that between
30% and 40% of help desk calls are password related. Add in the cost of help desk support and
the frequency of use, the average network user can cost as much as $250 per year. In an
organization with 1,200 employees that number can reach $300,000 annually.1 Factor in the
additional non-employee users and partners/vendors who may be on your network, and the
potential lost productivity of both your IT staff and those locked-out end users, and the value of
having a simple and self-administered password service suddenly becomes a lot more
attractive.
On a larger scale, enabling your employees, partners (and in some cases customers) to access
the applications they require is the first step to improving business processes. In turn this helps
increase bottom-line organizational efficiency while meeting your business imperatives.
Not All PR is Good PR
One of the less easily quantified benefits of a robust provisioning solution is the value of
keeping your organization's name out of the scandal pages. Recent high profile security
breaches have revealed faulty and even negligent provisioning (and deprovisioning) practices
by some previously trusted brand names. Potentially disastrous headlines may reside with a
recently laid-off human resources employee with a current password for personal employee
information, a former vendor with access to supply chain purchasing data or an unscrupulous
former contract worker with access to research and development data. Any loss of public
confidence in your policies and procedures can lead to loss of management confidence in your
people, and loss of shareholder confidence in your performance. Proper provisioning policies
and documentation can help keep blemishes from your organization's public image and keep
your management, customers and shareholders satisfied.
Roles and Rules: Making Sure People Get Only What They Need
With the growing number and types of users requiring access to critical applications, the line
between privileged and unprivileged user is not always clear. A comprehensive provisioning
solution will allow you to keep better control of all your users, documenting who requested and
authorized entitlements and privileges and why they did so. By implementing a workflow-
based policy for approvals, you can ensure that users get what they need to do their jobs
effectively and efficiently, within the boundaries of the corporate policies.
1 Source: Password Management: Gateway to Managing Identities, CA Inc., May 2007
In an extreme example, a mid-level accounting manager is terminated at 9:15 a.m. on a
Monday morning. Human Resources asks him to turn over his ID, and Security escorts him out
of the building. But can you be sure that his access to sensitive corporate data has been
restricted? That same day, the IT manager who was sent the termination request late Friday
night has a dentist appointment and doesn't arrive until 11:15 a.m. Even a two-hour lag time
could provide a disgruntled and recently dismissed employee ample time to breach the
integrity of potentially sensitive information. Automating the process and instilling safeguards
with workflow-based policies and delegated administration capability can prevent such a
situation. A clear audit trail can prove it.
Happy Users = Improved Operational Efficiency
Beyond avoiding abuse at the hands of disgruntled former employees, keeping your good
employees happy must be the end goal of any IT function. Granting users simple and timely
access to the information and applications they need to do their jobs correctly (without giving
them more access rights than they actually need) is perhaps the second most important
function (behind compliance) that an IT manager can provide using a comprehensive
provisioning solution.
SECTION 4
Conclusions
The challenges facing IT managers as they go about the task of provisioning new and existing
users are numerous and have been well documented here and elsewhere. Using a
comprehensive, centralized and automated provisioning system can help solve several of these
issues by helping to reduce IT costs, increase IT staff and end user productivity, mitigate risk
and help comply with regulatory and corporate governance standards.
Return on investment can be realized on an accounting basis through cost savings achieved by
eliminating or greatly reducing repeatable manual tasks such as password resets and multiple
new user adds or deletes. Economic advantages are realized through increased productivity, as
users receive access to what they need to accomplish their tasks more easily and more quickly.
Of course, the entire organization benefits from remaining compliant with federal regulations
and avoiding front page level breaches in security stemming from inadequate policies and
protocol.
Finally, as mentioned before, the true benefit that makes a comprehensive automated
provisioning solution a must for any organization is the ability to easily produce an accurate
and comprehensive audit trail. Manual provisioning is no longer viable when you take into
account these requirements. In addition to meeting the organization's compliance
requirements, the audit functions can be used for business resource planning and security
management.
When looking for a solution to address the user provisioning imperatives of your enterprise,
make sure that it improves security, meets regulatory compliance and corporate governance,
automates repeatable processes and allows easy management of control and security policies
such as those related to segregation of duties or fine-grained entitlements.
CA, one of the world's largest information technology (IT) management software companies, unifies and simplifies
complex IT management across the enterprise for greater business results. With our Enterprise IT Management vision, solutions and expertise, we help customers effectively govern, manage and secure IT.
WP05IAM01E MP321200907