It’s spring, and the number of tasks seems never-ending. We get it, the weather is beautiful, and the house still needs to be cleaned, and the garage cleared out. It’s not the time of year one often thinks about cleaning around the dusty corners of their identity and access management program. But it’s a perfect time. As enterprises move forward, managing their IT, and deploying new technology, how they manage their identities and associated privileges collects cobwebs and technical debt.
It has to be cleaned-up sometime.
There’s aging identity management technology stack, existing antiquated workflows, directories that have become a little musty, and identity policies may not be as aligned with to match new regulations. You get the idea: there’s never any end to the work that needs to be done. And if it’s not done, it just becomes more challenging to do over time.
What should be done? That, of course, will vary from business to business; however, based on recent conversations with identity management executives, I’ve created a list of common challenges that could serve as starter ideas.
Streamline processes. Unless you have already been through the exercise of normalizing identity and access management processes across departments, the chances are that each business unit is doing its own thing. They have their own access approval processes, they probably have customized tools, and they likely even have their own names and language when it comes to identity. This works – until it doesn’t. And the moment the organization goes to standardize on an enterprise-wide approach, these variations make that a grueling endeavor.
Take a look at the tools and processes in use across the organization and look for ways to standardize where possible.
Automate manual tasks. The chances are high that many of your identity-related approval workflows are managed manually. And identity-related information is likely stored within spreadsheets, and information gathering is conducted through email. Lots and lots of emails. Many of these processes were set up for a good reason. They protect the organization from granting employees too much access, or they help to maintain compliance with industry regulation.
Of course, these processes are necessary and designed to help protect the organization — and some processes absolutely always need a human review — many of these processes, however, can be safely automated. An employee requesting access to data that isn’t sensitive or regulated may be able to be granted access automatically, just as can a new hire being given access to an established set of applications can services. Increasingly such decisions will be made by an AI.
Rogue bots. The use of enterprise bots is on the rise. According to Forrester Research, the Robotic Process Automation (RPA) market will reach $2.9 billion by the end of 2021. Enterprises are investing in bots to streamline normal manual processes and, increasingly, make low-risk decisions.
Some enterprises, like this national bank, are already well underway to formally securing and governing their bots. Those who don’t will realize that they have a complex matrix of service accounts that have been established to manage system and service settings, and now that they are automating many of those processes there is a substantial rise in risk. The best way to manage and audit that risk is through identity governance of these bots — but the work needs to start early to be manageable.
Get control of non-payroll accounts. Many companies have a firm handle on the identities of those on their payroll. They have likely integrated their HR software with an identity management system, and the identity lifecycle is managed thoroughly for these users. Where many companies are falling short is with their non-payroll accounts. These are the consultants, interns, partners, and others who visit and use the corporate network.
Take a look at how you are managing non-payroll accounts and see if there are ways to clean and streamline there.
Orphaned Accounts. To this day, orphaned enterprise identities remain one of the most common areas organizations need clean-up. Accounts that remain active long after employees leave the organization, or they switch jobs and have privileges that remain available and that are no longer required. All of this increases the organization’s attack surface.
Spring is the perfect time to dive into the identity environment and weed out unnecessary accounts and privileges.
Take an honest assessment of weaknesses in your identity program. Every organization has a different situation and will need to work on different things when it comes to their identity management late spring cleaning. So, take an assessment of areas where identity management debt exists, such as manual processes that can be automated, or where teams are struggling with outdated identity software and services. Or, perhaps there are classes of users where identities are not being managed as thoroughly as they should. Whatever it is, there are likely several areas that need attention.
Of course, whatever you choose to tackle in identity spring cleaning list, everything doesn’t have to be completed all in one year. But if you manage to knock a one or two items off the list each year, you’ll find the program gets better — and easier to manage.