User Provisioning- Business Imperatives

  • 8/2/2019 User Provisioning- Business Imperatives

    WHITE PAPER: IDENTITY MANAGEMENT

    User Provisioning: The Business Imperative

    SEPTEMBER 2009

    Table of Contents

    Executive Summary

    SECTION 1: Provisioning Challenges for Today's IT Departments

    SECTION 2: The Need for a Comprehensive Provisioning Solution

    SECTION 3: The Benefits of a Comprehensive Provisioning Solution

    SECTION 4: Conclusions

    About CA

    Copyright 2009 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document "As Is" without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages.

    Executive Summary

    Challenge

    The challenges facing those who manage and support IT users have never been greater than they are in the current business environment. Today's IT manager needs to consider that organizations have employees joining and leaving at a rapid rate, and that current employees rarely remain in one position within the organization for any extended period of time. They are continually changing roles and responsibilities and working cross-functionally within the organization, and as such, entitlements need to be provisioned, updated and documented in a dynamic manner that reflects the new realities.

    Similarly, a constantly changing cast of non-employee users (business partners, suppliers, vendors and customers) regularly need to access and utilize an organization's data and resources. Making the job even more difficult is the looming specter of regulatory and organization-mandated compliance and reporting protocols.

    Opportunity

    While improvised or manual provisioning of users was once a way to ensure that each received the proper rights and access, the sheer speed of the increase in users and updates, along with the diversity of users, requires sophisticated and comprehensive provisioning tools. This same volume of activity makes the documentation required by internal and external auditors virtually impossible without robust and repeatable processes and capabilities.

    The IT department has the opportunity to address growing administrative costs by streamlining, automating and documenting the user provisioning process while making sure that group and individual rights are kept current and accurate, enabling all users to better perform their jobs.

    Benefits

    Using provisioning tools with dynamic, scalable capabilities and flexible functionality creates several tangible benefits to the IT department and the organization in general. By utilizing user self-service options, fine-grained entitlement functions and supporting diverse platforms, IT managers can reduce costs, improve service, better manage risk, and meet the business needs of the enterprise through integration with other software and applications.

    A successful security management strategy helps ensure continuous business operations by minimizing risk at virtually every level of the organization. Because IT budgets are always tight, a successful security management system also can help IT stay within budgetary constraints and increase operational efficiencies.

    SECTION 1

    Provisioning Challenges for Today's IT Departments

    As technology continues to fuel growth in organizations of all shapes and sizes, even the most dedicated and talented IT teams face challenges from the population explosion among their user communities. More users require more access to more applications than ever before.

    In the past, adding new employees and updating passwords were considered time-consuming tasks, but not particularly mission critical to the entire organization. However, the changing dynamics of the mobile, global economy, and increased scrutiny by internal and external auditors, have dramatically increased the challenges facing today's IT department in the area of user provisioning.

    Today, IT managers face a myriad of challenges to creating and maintaining user identities, including:

    An employee base that can grow or shrink virtually overnight

    Employees who are constantly changing functions, or working cross-functionally within the organization

    Temporary contracted and outsourced employees

    Vendors and partners who need access to your applications

    Customers who need access to your products and services

    Compliance with internal corporate policy and external regulations

    The Dynamic Workforce

    The size, shape and makeup of an organization's workforce have never been more dynamic. From a macroeconomic perspective, factors such as globalization, the growth of outsourcing, the continued shift to knowledge-based employment, and even population fluctuations and the aging workforce affect the potential makeup of an organization's user population.

    On a more micro level, the reality of workforce migration is playing a significant role in reshaping the workforce in most industries. The addition or departure of users on a regular basis is clear evidence that organizations no longer remain one size for extended periods of time. Mergers and acquisitions, layoffs and shutdowns, outsourced job functions and entire divisions moving overseas, all mean that there can be significant changes to many users in a very short period of time.

    Where once it theoretically was possible to plan for new employees to be added on the first Monday of the month (or terminated on the last), that predictability has been replaced by a need to have a large group of new employees in the Beijing office online by next Thursday. Without powerful provisioning tools this need would become a major obstacle to productivity.

    The Challenge Within: Employee Movement and Promotions

    Now that we have established that the employee base is constantly in flux, we need to address another challenge: the changing nature of the individual employee. Modern employees change job functions within an organization significantly more than they have in the past. As organizations strive to reduce turnover rates and keep employees from job-hopping, one of the benefits most are touting is mobility within the organization.

    Marketing managers transfer into the role of business development; accountants transfer into financial planning and analysis. This is great for human resources, and the organization as a whole benefits from keeping talented people, but it presents a unique set of challenges for the IT department to assign and maintain proper privileges. To do so efficiently and effectively, user provisioning tools must provide a level of fine-grained entitlements that allow for specific functions or rights to be added or removed, as well as some self-administration functions for users and delegated authority to their manager to request and approve additional entitlements and resources. As with any steps in the provisioning process, it is also important to adhere to corporate policy and document changes for future auditing purposes.

    Do They Work For Us? Outsourcing, Consultants and Contractors

    As mentioned previously, the movement toward a global workforce and the growing use of contractors has created a scenario where the internal user doesn't necessarily reside in the same office, building, country or even continent as the rest of the organization. These non-employee workers also require the use of fine-grained entitlement policy setting based on a variety of variables such as length of contract.

    Partners, Vendors and Other External Users

    In much the same way non-employee workers need access, the modern work force contains external vendors, partners and suppliers that may be integral to the success of an operation. As an example, consider a supply chain setting, in which there may be several vendors needing access, each with specific requirements and separate entitlements. One vendor may be able to get inventory status at certain times, but not at others. A second vendor may get pricing information, but a third doesn't. Having rights assigned based on roles only, without specific entitlements, may grant each user the same privileges. In our supply chain example, universally providing inventory and pricing information to all vendors near the end of a contract may weaken a negotiating position. The provisioning software must be capable of changing entitlements on the fly, or have automated functions that can adjust these privileges at predetermined times.

    Compliance

    Looming over all of the challenges that face today's IT department is the need to continuously remain in compliance. A host of regulations and international standards have created an environment where every step in the provisioning process must be made in accordance with established corporate policy and documented for possible future audit.

    For a provisioning tool to be useful in this environment it needs to facilitate an approved workflow for all changes, provide appropriate checks and balances before granting entitlements and create an audit trail that will stand up to the most ardent scrutiny.

    Segregation of Duties

    Automating the control of policies that define segregation of duties helps enforce compliance policies that prevent multiple users from having certain overlapping privileges, which could lead to fraud or abuse. A provisioning tool's functionality needs to include an auditable process where requests for potentially conflicting duties can be detected to ensure that neither financial controls nor private data are put at risk.

    For example, you can prohibit users who issue checks from approving checks, or make sure that employees responsible for depositing cash don't have the ability to alter bank statements. While this helps eliminate deliberate collusion and fraud, it also provides a safeguard to detect innocent errors, which, while not malicious, could be equally costly.
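
The conflict check described in this section, sketched as an added example (it is not code from the paper or from any CA product). It uses the paper's two conflicting-duty pairs and shows both a request-time check that records every decision and a scan over existing assignments; the `Provisioner` class, entitlement names and user names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Conflicting duty pairs from the paper's two examples. The entitlement
# names are hypothetical labels chosen for this sketch.
SOD_CONFLICTS = [
    frozenset({"issue_checks", "approve_checks"}),
    frozenset({"deposit_cash", "alter_bank_statements"}),
]


@dataclass
class Provisioner:
    """Hypothetical provisioning front end with an append-only audit trail."""
    assignments: dict = field(default_factory=dict)  # user -> set of entitlements
    audit_log: list = field(default_factory=list)    # one record per decision

    @staticmethod
    def conflicts_for(held, requested):
        """Entitlements in `held` that may not be combined with `requested`."""
        hits = set()
        for pair in SOD_CONFLICTS:
            if requested in pair:
                hits |= (pair - {requested}) & held
        return sorted(hits)

    def request(self, user, entitlement, requester, approver, reason, when=None):
        """Preventive control: grant only when no conflict exists, and record
        who asked, who approved, why and when, whether granted or denied."""
        held = self.assignments.setdefault(user, set())
        conflicts = self.conflicts_for(held, entitlement)
        granted = not conflicts
        if granted:
            held.add(entitlement)
        record = {
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user, "entitlement": entitlement,
            "requester": requester, "approver": approver, "reason": reason,
            "granted": granted, "conflicts": conflicts,
        }
        self.audit_log.append(record)
        return record

    def scan(self):
        """Detective control: users who already hold both halves of a pair,
        for example through accounts created outside the workflow."""
        findings = []
        for user, held in sorted(self.assignments.items()):
            for pair in SOD_CONFLICTS:
                if pair <= held:
                    findings.append((user, tuple(sorted(pair))))
        return findings


if __name__ == "__main__":
    p = Provisioner()
    # Constructed sample requests; all names are made up.
    p.request("alice", "issue_checks", "alice", "bob", "AP clerk onboarding")
    denied = p.request("alice", "approve_checks", "alice", "bob", "cover for leave")
    print(denied["granted"], denied["conflicts"])
    # Constructed legacy account that bypassed the workflow.
    p.assignments["carol"] = {"deposit_cash", "alter_bank_statements"}
    print(p.scan())
    for rec in p.audit_log:
        print(rec)
```
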

    SECTION 2

    The Need for a Comprehensive Provisioning Solution

    The IT manager now needs to efficiently add, remove and manage a variety of users (some internal, some external) in a manner that provides them with the entitlements they need to be successful in their work, while remaining compliant with all internal and external regulations. Clearly, manual or improvised provisioning is only an option for managing a small number of users, and many first generation provisioning tools lack the granular functionality, flexibility or dynamic ability to make changes on the fly, an absolute necessity to meet all the challenges of the enterprise mentioned in Section One. To effect the type of positive impact that executives throughout the organization expect, the IT manager needs a truly comprehensive provisioning solution.

    What to Look For In a Comprehensive Provisioning Solution

    There are several features that one must look for when choosing a provisioning solution. Clearly the ability to automate certain commonly repeated functions, a level of user self-service and interoperability with many third-party systems, aren't always an option. But a truly comprehensive solution must meet several additional requirements and be able to satisfy the needs of not just IT but also other stakeholders within the organization.

    INTEGRATED WORKFLOW As part of an organization's compliance and regulatory efforts, integrating workflows allows both the automation and enforcement of entitlement processes. It also allows organizations to establish and specify administration policies for a variety of user communities, both inside and outside the organization.

    FINE-GRAINED WORKFLOW APPROVAL A comprehensive provisioning solution should offer enhanced workflow capabilities that enable fine-grained entitlements based on particular attributes or values. The solution must be able to work with individual business units to establish specific approval processes and approvers, termination policy, modification prerequisites and dependencies.

    TABLE-BASED IDENTITY POLICIES A flexible policy model supported by table-based identity policies can help simplify namespace administration for hundreds and thousands of possible attribute values such as Active Directory (AD) groups, SAP roles and RACF groups. In an environment where thousands of access entitlement combinations are required, table-based policies simplify the user life cycle management process by combining role- and rule-based user provisioning. By facilitating automated scheduled tasks, table-based identity policies empower administrators to deploy or make a change to massive user communities with a single push of a button.

    SCHEDULED TASKS IT managers must be able to easily define and schedule provisioning activities based on time as well as need. Tasks such as temporary role delegation, termination or activation, should be scheduled and executed with as few manual requirements as possible.

    USER ADMINISTRATION DELEGATION By delegating user administration, IT can empower the most appropriate people within the organization (and even those previously-discussed non-employee users who may exist beyond the firewall) to authorize and assign entitlements that help their team best accomplish its tasks on an on-demand basis. With IT at the center of the command hub, users with proper administrative roles must be able to view and modify access entitlements for users' accounts at any given time. This centrally managed process for delegating user administration can improve overall efficiency and is the most cost-effective way to rapidly scale the provisioning process.

    PASSWORD MANAGEMENT Password management services are still the most utilized function in any provisioning solution. In our compliance-driven environment, these services remain among the most important. A comprehensive solution should include self-service, forgotten password support, bidirectional password synchronization, centralized password composition rules, flexible application of password policies, Graphical Identification and Authentication (GINA) support and automated enforcement of periodic password changes.

    INTEGRATED COMPLIANCE SUPPORT A comprehensive solution will tie entitlement policies into business processes using workflow functionality to ensure that entitlement policies are enforced, while serving as a watchdog to track current entitlements against current and past activity for inconsistency or violation. In addition to segregation of duties, reporting is a key aspect of compliance, as auditors require documentation and auditing of all controls to make sure they are effective and in line with both external regulation and an organization's business policies.

    SUPPORTING DIVERSE IT ENVIRONMENTS A key factor in the ease of deployment of a user provisioning system is its ability to easily integrate into the organization's IT environment. Solutions that provide out-of-the-box, standards-based and custom integration capabilities, together with the flexibility of integrating into Web applications and portals of customers' choosing, go a long way in meeting this purpose.

    The ability of a solution to integrate with many of the leading hosts/servers (Windows, Linux, Active Directory, SUN Solaris, etc.), groupware applications (Lotus Notes/Domino, Microsoft Exchange), databases (Oracle, MS SQL, IBM DB/2), authentication systems (RSA SecurID, ActivIdentity CMS, Entrust PKI), mainframe systems (IBM RACF DB2 for z/OS, etc.) and standards and general interfaces (LDAP, ODBC, SPML, SDK, Universal Feed, Web Service/WSDL, Connector Xpress for RDBMS, etc.) can dramatically decrease time to value of system implementation.

    SECTION 3

    The Benefits of a Comprehensive Provisioning Solution

    Compliance Again

    As stated previously, compliance is the driving force behind the majority of the advances in th

    EUPA in Europe, AIPA in Italy, Personal Information Protection Act (PIPA) in Japan, Basel II and FSA in the United Kingdom, Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), the Federal Financial Institutions Examination Council (FFIEC) in the U.S., are forcing regulatory compliance to become a universal C-level issue.

    When the auditors ask, IT must be able to easily create and provide reports that track any or all entitlements provisioned, including the time, reason and persons who approved and provisioned them. Likewise, they must also demonstrate when users were deprovisioned following the end of a contract or termination.

    A comprehensive provisioning solution provides IT with the auditing capabilities and robust documentation to stand up to the scrutiny of even the most stringent of these requirements.

    Cost Savings/ROI: Do More With Less

    There are many tangible ways to measure the ROI of a provisioning solution, but perhaps none is more compelling than the password reset function. Industry reports show that between 30% and 40% of help desk calls are password related. Add in the cost of help desk support and the frequency of use, and the average network user can cost as much as $250 per year. In an organization with 1,200 employees that number can reach $300,000 annually.¹ Factor in the additional non-employee users and partners/vendors who may be on your network, and the potential lost productivity of both your IT staff and those locked-out end users, and the value of having a simple and self-administered password service suddenly becomes a lot more attractive.

    On a larger scale, enabling your employees, partners (and in some cases customers) to access the applications they require is the first step to improving business processes. In turn this helps increase bottom-line organizational efficiency while meeting your business imperatives.

    Not All PR is Good PR

    One of the less easily quantified benefits of a robust provisioning solution is the value of keeping your organization's name out of the scandal pages. Recent high profile security breaches have revealed faulty and even negligent provisioning (and deprovisioning) practices by some previously trusted brand names. Potentially disastrous headlines may reside with a recently laid-off human resources employee with a current password for personal employee information, a former vendor with access to supply chain purchasing data or an unscrupulous former contract worker with access to research and development data. Any loss of public confidence in your policies and procedures can lead to loss of management confidence in your people, and loss of shareholder confidence in your performance. Proper provisioning policies and documentation can help keep blemishes from your organization's public image and keep your management, customers and shareholders satisfied.

    Roles and Rules: Making Sure People Get Only What They Need

    With the growing number and types of users requiring access to critical applications, the line between privileged and unprivileged user is not always clear. A comprehensive provisioning solution will allow you to keep better control of all your users, documenting who requested and authorized entitlements and privileges and why they did so. By implementing a workflow-based policy for approvals, you can ensure that users get what they need to do their jobs effectively and efficiently, within the boundaries of the corporate policies.

    ¹ Source: Password Management: Gateway to Managing Identities, CA Inc., May 2007

    In an extreme example, a mid-level accounting manager is terminated at 9:15 a.m. on a Monday morning. Human Resources asks him to turn over his ID, and Security escorts him out of the building. But can you be sure that his access to sensitive corporate data has been restricted? That same day, the IT manager who was sent the termination request late Friday night has a dentist appointment and doesn't arrive until 11:15 a.m. Even a two-hour lag time could provide a disgruntled and recently dismissed employee ample time to breach the integrity of potentially sensitive information. Automating the process and instilling safeguards with workflow-based policies and delegated administration capability can prevent such a situation. A clear audit trail can prove it.

    Happy Users = Improved Operational Efficiency

    Beyond avoiding abuse at the hands of disgruntled former employees, keeping your good employees happy must be the end goal of any IT function. Granting users simple and timely access to the information and applications they need to do their jobs correctly (without giving them more access rights than they actually need) is perhaps the second most important function (behind compliance) that an IT manager can provide using a comprehensive provisioning solution.

    SECTION 4

    Conclusions

    The challenges facing IT managers as they go about the task of provisioning new and existing users are numerous and have been well documented here and elsewhere. Using a comprehensive, centralized and automated provisioning system can help solve several of these issues by helping to reduce IT costs, increase IT staff and end user productivity, mitigate risk and help comply with regulatory and corporate governance standards.

    Return on investment can be realized on an accounting basis through cost savings achieved by eliminating or greatly reducing repeatable manual tasks such as password resets and multiple new user adds or deletes. Economic advantages are realized through increased productivity, as users receive access to what they need to accomplish their tasks more easily and more quickly. Of course, the entire organization benefits from remaining compliant with federal regulations and avoiding front page level breaches in security stemming from inadequate policies and protocol.

    Finally, as mentioned before, the true benefit that makes a comprehensive automated provisioning solution a must for any organization is the ability to easily produce an accurate and comprehensive audit trail. Manual provisioning is no longer viable when you take into account these requirements. In addition to meeting the organization's compliance requirements, the audit functions can be used for business resource planning and security management.

    When looking for a solution to address the user provisioning imperatives of your enterprise, make sure that it improves security, meets regulatory compliance and corporate governance, automates repeatable processes and allows easy management of control and security policies such as those related to segregation of duties or fine-grained entitlements.

    CA, one of the world's largest information technology (IT) management software companies, unifies and simplifies complex IT management across the enterprise for greater business results. With our Enterprise IT Management vision, solutions and expertise, we help customers effectively govern, manage and secure IT.

    WP05IAM01E MP321200907