Author Thomas Hood once wrote, “…the easiest reading is damned hard writing.”
I imagine most system administrators would express a similar sentiment when approached about automating parts of their organization’s identity and access management (IAM) system. Although automation makes IAM processes less complex for users, it introduces additional complexity for IT, particularly in the four areas discussed below.
Although too much complexity can lead to IT nightmares, tackling some limited complexity by implementing automated IAM processes can be a good thing, especially for the sake of the user experience.
Most IT departments use Active Directory to provide basic “birthright” access privileges for applications such as email and a few Microsoft apps like SharePoint—and not much else. New employees might get access to email and some folders, but they don’t receive access to the many other business apps they need to do their job. As a result, new employees and their supervisors are forced to wait for a time-consuming, manual fulfillment process before becoming productive. Similar waits happen when employees change roles.
Because fulfillment processes are manual, inconsistent policies and missed access revocation can expose an organization to risk. Plus, business users suffer because they must navigate inconsistent, bureaucratic, and opaque request and approval processes. While relying on manual fulfillment processes is simpler for the IT department, it takes longer for users to gain access to critical business apps that drive revenue and provide efficient operations.
It’s no wonder that business leaders with budgets prefer cloud applications that deliver more immediate results.
Access to cloud and mobile applications opens up a whole new set of challenges. Maintaining consistent security policies for cloud and mobile applications is beyond the abilities and remit of most users. As a result, IT must implement some kind of security for these apps. But because consumer apps are instantly available, users expect the same experience with business apps. So if IT slows things down by requiring a labor-intensive, manual provisioning process, users will lose patience. They will find other ways to get the apps they want and create shadow IT as a result.
Because of this motley approach to application delivery and IAM, certifying access becomes enormously complex for business managers. Simply discovering entitlements across disconnected systems is difficult enough. But try matching those entitlements to the managers that need to approve them. Once again, the business users end up suffering, searching through massive spreadsheets of users and apps to approve. With all the demands on business managers’ time, it’s not surprising that they often rubber-stamp certifications.
Reliance on manual IAM has come at a price for business users. What is less complex for IT is now more complex for the business. But as users flock to cloud services in response, they unwittingly complicate the IT environment and expose the organization to risk.
It’s time to balance the convenience that users demand with the security that organizations need. Although automating IAM processes might add complexity for IT, integrating IAM with mission-critical applications, providing user-friendly request and approval processes with automated fulfillment, applying single sign-on to cloud and mobile apps, and providing risk-scoring for more focused access certifications will reduce complexity for users.
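To make the “risk-scoring for more focused access certifications” idea concrete, here is an added illustrative example; it is not NetIQ code and not part of the original post. It takes entitlement exports from three disconnected systems, matches each one to the approving manager from an HR feed, and scores it so that a terminated user who still holds access, an account that no HR record can explain, or a privileged entitlement lands at the top of the reviewer’s queue instead of being buried in a flat spreadsheet. The system names, users, weights and the 90-day staleness window are all assumptions constructed for the example.

```python
"""Risk-scored access certification queue (illustrative example, not NetIQ code).

Reconciles entitlements from several disconnected systems against an HR feed,
assigns each entitlement to the manager who must certify it, and orders the
queue by risk so reviewers see the items that matter first.
All data below is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Constructed entitlement exports: (user, system, entitlement, last_used)
ENTITLEMENTS = [
    ("alice", "AD", "Domain Admins", date(2024, 5, 1)),
    ("alice", "SharePoint", "Finance-Site Readers", date(2024, 4, 20)),
    ("bob", "AD", "Domain Users", date(2024, 5, 2)),
    ("bob", "CloudCRM", "Sales Rep", date(2023, 9, 1)),
    ("carol", "CloudCRM", "CRM Administrator", date(2024, 5, 3)),
    ("dave", "AD", "Domain Users", date(2024, 1, 15)),           # dave has left
    ("erin", "SharePoint", "HR-Site Contributors", date(2024, 5, 1)),  # unknown to HR
]

# Constructed HR feed: user -> (manager, is_active)
HR = {
    "alice": ("carol", True),
    "bob": ("carol", True),
    "carol": ("frank", True),
    "dave": ("carol", False),  # terminated; the revocation was missed
    "frank": (None, True),
}

# Assumed set of entitlements that grant administrative control.
PRIVILEGED = {("AD", "Domain Admins"), ("CloudCRM", "CRM Administrator")}

STALE_DAYS = 90  # assumed window after which unused access counts as stale


@dataclass
class CertItem:
    user: str
    system: str
    entitlement: str
    reviewer: Optional[str]  # None: no manager could be matched
    score: int
    reasons: Tuple[str, ...]


def score_entitlement(user, system, entitlement, last_used, today):
    """Return (score, reasons, reviewer) for one entitlement.

    Higher score means the item deserves closer review. Weights are assumptions.
    """
    score, reasons = 0, []
    record = HR.get(user)
    if record is None:
        # Nobody in HR owns this identity: classic orphan account.
        reviewer = None
        score += 50
        reasons.append("orphan: user not in HR feed")
    else:
        reviewer, active = record
        if not active:
            score += 40
            reasons.append("terminated user still entitled")
    if (system, entitlement) in PRIVILEGED:
        score += 30
        reasons.append("privileged entitlement")
    if (today - last_used).days > STALE_DAYS:
        score += 10
        reasons.append("not used in %d days" % STALE_DAYS)
    return score, tuple(reasons), reviewer


def build_certification_queue(entitlements, today):
    """Group entitlements by approving manager, highest risk first.

    Items with no matchable reviewer are kept under key None so the IAM team
    can handle them rather than having them silently fall out of the campaign.
    """
    queue = defaultdict(list)
    for user, system, ent, last_used in entitlements:
        score, reasons, reviewer = score_entitlement(user, system, ent, last_used, today)
        queue[reviewer].append(CertItem(user, system, ent, reviewer, score, reasons))
    for items in queue.values():
        items.sort(key=lambda i: (-i.score, i.user, i.system))
    return dict(queue)


if __name__ == "__main__":
    for reviewer, items in build_certification_queue(ENTITLEMENTS, date(2024, 5, 10)).items():
        print("Reviewer:", reviewer or "<unassigned: IAM team>")
        for it in items:
            print("  %3d  %-6s %-11s %-22s %s" % (it.score, it.user, it.system, it.entitlement, ", ".join(it.reasons)))
```

Running this puts dave’s lingering Domain Users membership at the top of carol’s list, erin’s entitlement in the unassigned bucket for the IAM team, and the two zero-score items at the bottom where a reviewer can skim them; the point is that the reviewer’s attention goes where the risk is, which is what stops certification from becoming a rubber stamp.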
Easy IAM might be more work for IT, but with the right IAM products and processes, IT departments can reduce complexity for end users, helping them focus on what’s important: the success of the organization.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.