Jay O’Donnell President and CEO N8 Identity

Compliance requirements are a big driver for IT teams in charge of identity and access management (IAM).  Previously confined to the chief information security officer’s office, Sarbanes Oxley and other federal guidelines are making IAM a business-wide concern.   Understanding who should have access to what information within a business is a deceptively complicated problem that has the potential to spark arguments among even the best relationships across the company. 

At first glance, it may seem as though responsibility for IAM should reside in an organization’s IT department.  True, IAM information is stored on databases managed by the IT team, and employee access to specific areas of the network is also governed by IT. The issue is that these responsibilities are just a small part of a fully-fledged identity governance program. There are many additional steps a company must take to ensure full compliance and control over employee network access.

The Needs of the Business Motivate IAM
The concept that identity and access management must be process-driven if it is to make a significant impact within a company has been fairly established in the industry. According to Sally Hudson, research director at IDC Research, “IDC has discovered that many IAM solution deployments are too often fragmented or incompletely installed, creating duplication of effort, noncompliance and frustration across divisions.  Reducing repetitive processes, manual paperwork and data entry represents a good opportunity for companies seeking ways to cut IAM costs and improve compliance with federal regulations.”

Why process in particular?

Any adjustment to the identity of an employee is triggered by the business side of the organization, not by IT. The identity attributes of an employee are constructed when they are hired (onboarding), adjusted when they are assigned new tasks or promoted (change in responsibility) and must be closed when they leave the business (offboarding).

A stable relationship between IT and the organization’s business divisions is vital to ensure that:

• There is a process in place to account for all of the adjustments that happen to the identity of an employee over the course of their lifecycle with a business.
• The business has established and approved the processes under which employee access will be granted or denied.
• Adjustments are processed within the identified framework (i.e. no one is given access “through the backdoor”).

By including business owners at the onset of the development of an IAM program – including human resources, as it typically “owns” the bulk of employee attributes, like name, address, social security number and banking information – organizations will boost the likelihood of executing their IAM goals on budget and on time.

Weave Continuous Compliance into Company Culture
Conventional approaches to identity and access governance take a reactive approach to fulfilling compliance standards.  If the company’s only measure of success is the ability to produce an attestation report, the company will forever be reactive rather than proactive.  It is far more advantageous to prevent access violations from occurring instead of trying to fix them once they’ve already happened.  At that point, the security breach has already occurred, inappropriate access has already been granted and the damage has been done.

The intent of a successful identity governance program should be to ensure that employees are only given the access that is appropriate under a precise set of regulations in accordance with company policy.  In addition, requests for access that would violate a policy (e.g., separation of duties) should be denied and the appropriate supervisor should be informed.  By taking these steps, the company is able to produce a true culture of continuous compliance by working with business divisions to set these proactive policy parameters up front.

Compliance is Just One Part of an IAM Program
Compliance may be annoying but it is a necessary evil. If handled correctly, compliance can also develop the opportunity for significant productivity improvements and cost savings throughout the business.

By establishing proper business procedures to manage identities and maintain the identity of your employees centrally, companies are able to:

• Have new employees productive on day one: It is vital to secure the primary attributes required to create an employee identity during the onboarding process and administer this information to all related systems (e.g., payroll, HR, Active Directory, SAP).  This approach gives employees the tools they need to be productive on their first day of work with the organization.

• Do away with entering data multiple times: A large Canadian retailer recently identified more than 90 attributes that encompass the identity of their employees.  More importantly, it also realized that these attributes were being manually re-entered up to ten times for various reasons across the organization.  It began managing their identity program centrally and was immediately able to capture data with no re-entry, thereby eliminating hundreds of overlapping entries per employee.

• Cost-effective administrative changes: Simplifying audits, improving time to productivity and consolidating administrative tasks will result in millions of dollars saved, depending on the size of the company.

Learning History’s Lessons
Many businesses have tried following the IAM solution path before with varying levels of success.  The problem-solving burden has typically fallen on the IT department. IT typically tries to fix the issue via technological solutions, which is a problem because IT does not own the process or the information.  Attempting an IT-only response, dependent on third-party technology and without buy-in from other departments, will cause annoyance to the business and lead to losses in time and capital.

Regardless of these challenges, there is promise for businesses trying to find the Holy Grail of IAM.  Below are some best practices companies can apply to improve their internal IAM processes:

• Get the business involved from the start: IT cannot solve the problem independently. They are the custodians and the organization is the end-user.  IT must interact with HR and business in simple language and find common denominators.
• Create an identity warehouse: Conduct a comprehensive cleaning of identity data stored in various internal systems so there is clear visibility and easy reconciliation of the access granted to employees.   
• Emphasize the controls: Implement procedures early on in the business process (i.e. during onboarding), and ensure they are followed, to achieve the most value from your identity and access management program.  
• The process is the key: IT spends a substantial portion of its budget and time on the tedious work of managing identities.  IT and the business divisions can derive measurable benefits from implementing processes that decrease wasted time and money.
• Go paperless: Going paperless with IAM frees employees from the stacks of paper on their desks. An electronic IAM system can lighten the load across divisions by speeding timelines and identifying holdups.
• Prevention is necessary: Get away from the mentality of “putting out the fires.”  Fires can be prevented if the controls are incorporated into the process itself.

Conclusion
Organizations are able to deal with potential challenges proactively by approaching IAM in a process-oriented way and following the best practices outlined. When working together, tech and business can consolidate the IAM processes across all organizational departments, resulting in shortened onboarding time, reduced costs, increased productivity and regulatory compliance. These are goals the entire company can support and achieve.