Killing two birds with one stone: Integrations and Identity and Access Management
In an ideal world, all applications would talk to each other and be able to exchange data freely (provided this is all secure). In this blog post, we hope to bring some inspiration by sharing insights as to how secure integrations can go hand-in-hand with solving other important business problems, such as Identity and Access Management (IdAM).
Or, as we would say in the Netherlands, hitting two flies in one go. No matter your preference for flies or birds, the gist of the saying remains the same. At the core, it’s about being smart about something and achieving multiple purposes with one effort.
This is very close to our heart. Therefore, we hope to bring some inspiration by sharing some insights as to how secure integrations can go hand-in-hand with solving other important business problems, such as Identity and Access Management (IdAM).
First, more on Identity and Access Management
Your employees need to connect to many applications each day to do their job. A common challenge is ensuring that they have the right access to the right systems; done securely, this means giving them only the minimum access required for their role, enforcing a principle referred to as ‘least privilege’.
In order to do this properly, an organisation needs to:
- Understand the employee's job function and which applications and application roles they will require access to
- Manage the authentication processes to each application
- Manage the authorisation processes to each application (i.e. which user accounts should have access to which profile within each application)
For step 1, the employee is on-boarded by HR and provided access to IT applications based on their line manager's understanding of the applications they require access to.
For step 2, if your organisation uses a Single Sign-On (SSO) solution, then once the employee is authenticated with a single set of credentials to the SSO server, they automatically have access to all applications within your organisation.
For step 3, there are a number of (enterprise) applications on the market, known as Identity and Access Management (IdAM) tools, that enable these accesses to be managed and validated regularly (a process called User Access Review, UAR). A big one in Europe is Tools4ever, and in Australia we have SailPoint, alongside the more global tech-giant tools offered by Microsoft, Oracle, etc.
The authorisation dilemma
However, these solutions are quite expensive and can require complex implementations. Many small and medium-sized organisations (SMEs) do not have an IdAM platform; they typically run their own in-house or cloud SSO server and find case-by-case solutions for provisioning each application. Aside from how expensive they are (in time and money), the main drawback of these IdAM applications is that they require complex implementations, and, above all, integrations.
So, what do integrations have to do with resolving this?
In an ideal world, all applications would talk to each other and be able to exchange data freely (provided this is all secure). For IT provisioning, i.e. ensuring that your employees have the right access to the right systems, the key integration is between the Human Resources Management application (HRM application), for example PeopleSoft, and Active Directory. Active Directory is the database containing all staff, their roles and (usually) which applications they have access to, and what level of access they have to those applications. If the loop is to be fully closed, the entire employee application value chain can be linked up: starting with the Applicant Tracking System, via the HRM application and Active Directory, through to the various other IT provisioning services used across the organisation's networks.
If the loop is closed, it means that the directory of employees is always being updated, across all applications that are integrated. This approach also allows for the application of further filters to ensure the right groups of users are given access to the right applications, at the right level for their role.
The same applies to on-boarding and off-boarding. This integrated approach allows for the creation of user accounts for every new user, including any profile information, such as contact info, function, department, etc. In addition, users that no longer require access to the network and applications, because they have left the company, can be deactivated automatically. Finally, if at any point in time, employees change roles within the company (sometimes referred to as ‘in-boarding’), Active Directory and the associated target applications will be updated accordingly to revoke or modify access to a level suited to the new role.
After creation or modification of each employee account, the integration can be programmed to execute a custom workflow, like sending the employee a personalised email informing them that they can now access a target application, or that their access has been modified to suit their new role.
Integrations and IdAM: 3 main benefits
- The first and most obvious benefit of combining integrations with IdAM processes is a huge saving on manual data entry work, as well as cost. Staff do not have to spend time taking data from the Human Resources Management system and entering it into Active Directory, whether completely manually or by semi-automated processes such as spreadsheet uploads or executing scripts. The integration also eliminates the need for separate IdAM software in many instances. This saves both cost and time.
- If user access reviews are performed manually, they are normally not done frequently, as it is a labour-intensive process; in that case we often see quarterly or annual reviews at best. A benefit of combining integrations with IdAM processes is that user access can be revalidated as frequently as desired, in a fully automated way. The only subsequent choice to make is whether mitigation of any inappropriate access should be done automatically, or whether it should require manual intervention. A reason for manual intervention could be that access outside of policy is allowable under certain (very special) circumstances.
- In addition, the risk of extended access for employees who have left the organisation is mitigated by application controls, e.g. preventing disgruntled employees from wreaking havoc.
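The joiner/mover/leaver sync described above and the automated access review from the benefits list, as one added example that is not the post's code: it reconciles a constructed HRM feed against a constructed directory snapshot, emits the provisioning actions an integration workflow would execute, and reports out-of-policy group memberships as review findings rather than silently removing them. The `ROLE_GROUPS` policy, `DirectoryUser` record and all sample data are assumptions for illustration.

```python
# Added example (not the post's code): reconcile an HRM feed against a directory,
# deriving joiner/mover/leaver actions and access-review findings. Policy and data are constructed.
from dataclasses import dataclass

ROLE_GROUPS = {  # constructed policy: the directory groups each HRM role is entitled to
    "finance-analyst": {"AllStaff", "Finance-Read"},
    "finance-manager": {"AllStaff", "Finance-Read", "Finance-Approve"},
    "engineer": {"AllStaff", "VPN"},
}

@dataclass
class DirectoryUser:  # constructed stand-in for a directory account
    role: str
    groups: set
    enabled: bool = True

def reconcile(hrm_feed, directory):
    """hrm_feed: {uid: {"role", "active"}}; directory: {uid: DirectoryUser}."""
    actions, findings = [], []
    for uid, rec in hrm_feed.items():
        entitled = ROLE_GROUPS.get(rec["role"], {"AllStaff"})
        current = directory.get(uid)
        if not rec["active"]:  # leaver: HRM says gone, so the account is disabled
            if current and current.enabled:
                actions.append(("deactivate", uid))
            continue
        if current is None:  # joiner: no account yet, create with entitled groups only
            actions.append(("create", uid, rec["role"], sorted(entitled)))
            continue
        if current.role != rec["role"]:  # mover: role changed in HRM
            actions.append(("modify", uid, current.role, rec["role"]))
        # Memberships outside policy become review findings; whether they are
        # removed automatically or by a human is the choice the post describes.
        findings += [(uid, g) for g in sorted(current.groups - entitled)]
    for uid, user in directory.items():  # enabled accounts HRM knows nothing about
        if uid not in hrm_feed and user.enabled:
            actions.append(("deactivate", uid))
            findings.append((uid, "no-hrm-record"))
    return actions, findings

def sample_run():  # constructed data: a mover, a joiner, a leaver and an orphan account
    hrm = {"u2": {"role": "finance-analyst", "active": True},  # was finance-manager
           "u3": {"role": "engineer", "active": True},  # joiner
           "u4": {"role": "engineer", "active": False}}  # leaver
    directory = {"u2": DirectoryUser("finance-manager", {"AllStaff", "Finance-Read", "Finance-Approve"}),
                 "u4": DirectoryUser("engineer", {"AllStaff", "VPN"}),
                 "u5": DirectoryUser("engineer", {"AllStaff", "VPN"})}  # orphan: no HRM record
    return reconcile(hrm, directory)
```

Run on a scheduled basis, the findings list is the automated user access review; the actions list is what the provisioning workflow (and the notification step the post mentions) would consume.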
Worked example - annual savings
Those are some pretty words, but now you want to talk business?
We understand. So here is a worked example for you to consider. The desired outcome is that Organisation X will have a robust, automated and fully tailored process for provisioning user accounts.
Specifically, this is what Organisation X wants to achieve:
- Automating the manual IT provisioning process. Organisation X creates, modifies or deactivates around 300 accounts per year
- Not having to invest in an enterprise IdAM platform
Say Organisation X just wants to focus on the core integration described above, of the HRM application and Active Directory. They enter into a contract at $300 per month for IT provisioning integration services. The alternative for them is to build the integration in house, but in evaluating their IT capability they conclude they don’t have the resident skills required to build and maintain it. Should you consider building your own integration, read some of our tips to do that well here.
How did Organisation X go?
Automating their manual IT provisioning process: for 300 accounts created, modified or deactivated per year, the saving adds up to 75 hours of time that IT staff can allocate to more impactful tasks (estimated 15 to 30 minutes per account, including troubleshooting). Based on normal IT support payroll cost, the estimated annual savings range between $5,000 - $9,000.
As a result of the integration, there is no need for Organisation X to invest between $30,000 - $75,000 in a mid-tier IdAM platform.
The cloud integrations provider delivers a robust, automated and fully tailored process for the provisioning of user accounts and ongoing access management to Organisation X.
Building an integration, leveraging a managed integration service, or using another integration software product, saves Organisation X up to $74,000 per year. This is pure cost saving and does not count the other value-added work the IT staff is able to take on, or the increased employee satisfaction as a result of eliminating the manual processes associated with IT provisioning.
Since we are digital crafts(wo)men, we love to explore new options with you. We are also true blue coffee lovers. So if you’re keen to explore options, the coffee is on us. Ideas are free as well. We want to enable you to work smarter, and embrace a “no worries” lifestyle. If this sounds like an appealing prospect, request a conversation with us here!
Image credit: George Prentzas on Unsplash