Identity & Access Management (IAM) was first imagined as a centralized platform that would manage user access throughout the entire employee lifecycle, from hire to separation. IAM was designed to automate routine administrative tasks like creating user accounts and giving employees application access, all in a platform that also incorporated the business’s unique rules, policies, and workflows.
IAM systems have benefits for both operations and security, and larger organizations were quick to see the possibilities and adopt IAM. However, they learned some hard lessons along the way, and we would like to share some of those lessons with you.
Collaboration Between Departments, But a Single Final Decision-Maker
A successful IDM process requires the Identity Management team to work closely with the Human Resources department to create an efficient, effective employee on/off-boarding process. However, it also requires a single owner for the IAM system. Without a single owner (whether a person or a team), there is no final decision-maker and no easy way to resolve conflicts between the business side and the IT side. If each group owns its own piece of the puzzle and takes its own approach to it, the supporting business processes will be fragmented and disjointed.
A project team that doesn’t have both strong collaboration and a single final decision-maker is a dysfunctional team—one that is likely to compromise process efficiency and supportability to overcome political resistance within the organization.
Process Rules and Business Rules Must Agree
“People in any organization are always attached to the obsolete – the things that should have worked but did not, the things that once were productive and no longer are.” — Peter Drucker
Over time, organizations tend to specialize; departments and people narrow their focus to their own specific issues and concerns, rather than looking at the bigger picture. Specialization can disconnect departmental objectives from the company’s broader goals as each department develops its own culture, some more focused on business users than others.
This is particularly true in HR. Over time, HR’s Human Capital Management (HCM) systems get heavily customized. This is because they need to accommodate many different types of operations and handle multiple exceptions based on complex rules and processes.
But these highly customized systems can produce compromised data. In HR environments, business rules are many and varied, and integrations are problematic. HCM system limitations eventually interfere with what users want to do, and users work around these limitations manually. Many fingers on keyboards are required to keep the data updated, and with fingers on keyboards, data inevitably gets compromised.
This may work well within the HR department, but the data that comes from these highly customized HCM systems flows downstream to other important systems like Identity Management and Asset Management. If the data is not synchronized in each of the systems – in other words, if data is manually changed in one system and not another – then problems will almost certainly occur: problems like loss of system access or the inability to provide access when needed. And when the user data that comes from an organization’s authoritative sources (such as HCMs or Vendor Management Systems) is not trustworthy, IT must create backdoors in order to manage access directly within Identity Management systems, further complicating the system.
This can cause real problems. For example, employees or contractors may show up on their first day of work to find that they don’t have access to the building, the network, or even a computer. In some cases, new hires may sit for up to 2 weeks waiting for all the parts to work. As employees and contractors wait, the clock ticks. Lost productivity costs companies millions of dollars annually. (In one large global organization, these kinds of onboarding process problems were costing in excess of $1M annually in lost productivity—and that number does not include the cost of supporting a broken process.)
Pay Attention to Small Mistakes
“A small mistake in the beginning is a big one in the end.” — St. Thomas Aquinas, Commentary on Aristotle’s On the Heavens and Earth
In a recent post, we discussed data mapping, which is a necessary prerequisite to both Identity Management and the entire employee/contractor on- and off-boarding process. Overlooking a data map is one of the small mistakes you don’t want to make.
Sure, small mistakes are made every day, and they don’t always lead to global problems. But in Identity Management, a comprehensive business process that governs the on-boarding of employees and contractors and requires that multiple systems be in sync, small mistakes inevitably lead to major consequences for the business.
To ensure that your employees and contractors show up on day one ready and able to work, keep the following tips in mind:
- Ownership – there must be a single person or team who owns the process to drive standardization and adoption and corral all the moving parts. The owners need to be decision makers who deeply understand the process and systems involved and how they fit into the larger picture.
- Process & Business Rule Agreement – the owner needs to be able to work closely with each of the different departments/parties that have a stake in the process. There is no room for a “loose cannon” or a backdoor; different stakeholders need to agree about how it all works together. A fragmented process with different owners for each piece of the puzzle inevitably leads to chaos and higher support costs. The process, data controls, and business rules need to go through one authoritative source.
This article was co-written by Jeff Luther and Hanno Ekdahl.