Application (app) onboarding provides situational awareness and insight into user accounts and associated privileges so you know who has access to your sensitive high-value systems and how they’re using that access.
Capabilities of app onboarding include the ability to connect identity management to high-risk, high-value assets, applications, and systems, and the capacity to apply continuous analytics to application entitlements.
Benefits of app onboarding include an answer to the critical question of who has what level of access, and enforcement controls that automate provisioning and deprovisioning of access and privileges on applications and systems.
App onboarding is not a technically complex project. With the use of accelerators and application prioritization, organizations can implement these key capabilities and benefits in a reasonable timeframe.
App Onboarding is a Key Capability for CISOs
App onboarding is the collective name for combined business and technical processes that allow your identity management system to connect to enterprise systems to identify accounts and privileges users have. This is a key capability that helps the office of the chief information security officer, enterprise security architects, and identity credential and access management leads keep their organization’s data secure.
Most organizations and agencies have an identity governance tool that lets them collect a centralized source of authoritative identity data. What they lack is the ability to see user privileges and entitlements. That means IT managers have little, if any, visibility into the enterprise application accounts and entitlements associated with each identity.
With application onboarding, however, organizations get a comprehensive view of accounts and the identities associated with them. Importantly, they identify orphan accounts that don't align to users in the authoritative source, accounts which, if compromised, could reveal personal data, cause damage to reputation, and result in loss of intellectual property.
App onboarding also provides a centralized source of data for analytics, so administrators and security officers can answer questions like: How many inactive identities still have active accounts that impact licensing costs? Which managed application entitlements/privileges seem over- or undersubscribed?
App Onboarding is a Key Access Governance Building Block
Application onboarding is critical in identity and access management (IAM) because it embodies the ability to enrich identity data with foundational user account and privilege data. A richer identity data set is what an organization ultimately needs to track the entirety of its employees' access to all systems, databases, and servers. Processes effectively integrate the identity governance tool with target applications and involve the following activities: (1) read in users' entitlements on the system; (2) automate the creation/certification, modification, and deletion/decertification of application accounts; (3) add/remove entitlements; and (4) manage passwords. Once integrated, users' digital rights on the target applications can be centrally managed and audited.
Sila has exercised many uses of this IAM building block with customers; here are three examples:
- Be proactive to evolving user access needs: It's common for employees who move into new roles to gain additional access while still retaining their old digital user rights. Once a target application or system is onboarded into the identity and access governance (IAG) system, organizations can identify whether users have more access than needed, and can respond and remediate accordingly, such as by decertifying unneeded access. Similarly, onboarding the application also allows automating the provisioning of new access needed for existing employees, as well as those joining the organization, so they can immediately access their applications and be productive on day one.
- Monitor, respond, and control elevated rights: Privileged users carry the greatest risk to the organization because of their expansive access to applications and databases. App onboarding identifies those privileged users so they can be flagged for more regular reviews and certifications.
- Eliminate vulnerabilities of orphaned user rights: Organizations don’t want people keeping their access when they leave the job. With app onboarding, IT administration knows what access users had and can ensure they are all decertified and deprovisioned when they leave. Eliminating application privileges that are no longer connected to active staff quickly mitigates the vector of cyberattack that might have exploited such access.
App onboarding gives organizations preventive, detective, and corrective IT controls as they relate to user digital identities and privileges:
- Application Onboarding + Access Requests = Preventive Controls: For example, access must be approved before it is granted to the user.
- Application Onboarding + Certification = Detective Controls: Periodic reviews of access by accountable users (e.g., the application owner or the user's manager) and revocation of access that is no longer justified.
- Application Onboarding + Access Requests + Native Change Detection = Corrective Controls: Reporting, or automated removal, of access when new access is detected on the target application that was not requested through the IAG system.
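The reconciliation behind the analytics questions above (orphan accounts, inactive identities with live accounts) and the native change detection in the corrective control is straightforward once an application's accounts and entitlements have been read in. The following is an added illustration, not Sila's tooling or any IAG product's API; the identity records, account extract, approved-grant list, and the set of entitlements treated as privileged are all constructed sample data.

```python
# Constructed sample data (not from the article): the authoritative identity
# source from the governance tool, an account extract read from a target app,
# and the entitlement grants approved through the IAG access-request process.
IDENTITIES = {
    "alice": {"active": True},
    "bob": {"active": False},   # left the organization, identity deactivated
    "carol": {"active": True},
}
APP_ACCOUNTS = {               # account -> (owner identity, entitlements)
    "alice":   ("alice", {"reader"}),
    "bob":     ("bob", {"reader", "approver"}),
    "svc_old": (None, {"admin"}),        # no owner in the authoritative source
    "carol":   ("carol", {"reader", "admin"}),
}
APPROVED = {                   # entitlements granted via IAG access requests
    "alice": {"reader"},
    "bob": {"reader", "approver"},
    "carol": {"reader"},
}
PRIVILEGED = {"admin", "approver"}   # assumed set of elevated entitlements

def orphan_accounts(accounts, identities):
    """Accounts with no owner, or whose owner is absent from the authoritative source."""
    return sorted(a for a, (owner, _) in accounts.items()
                  if owner is None or owner not in identities)

def inactive_with_active_accounts(accounts, identities):
    """Identities marked inactive that still hold an application account."""
    return sorted(a for a, (owner, _) in accounts.items()
                  if owner in identities and not identities[owner]["active"])

def unrequested_entitlements(accounts, approved):
    """Native change detection: entitlements present on the application that
    were never granted through the IAG system (input to the corrective control)."""
    findings = {}
    for acct, (_, ents) in accounts.items():
        extra = ents - approved.get(acct, set())
        if extra:
            findings[acct] = sorted(extra)
    return findings

def privileged_accounts(accounts, privileged=PRIVILEGED):
    """Accounts holding elevated rights, to be flagged for more frequent certification."""
    return sorted(a for a, (_, ents) in accounts.items() if ents & privileged)
```

In a real deployment the three inputs would come from the governance tool's identity store, the onboarded application's connector, and the access-request history respectively, and each finding would feed a certification or an automated deprovisioning action.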
Proper monitoring of user rights and access privileges is also integral to auditing and compliance. For Federal agencies this includes the need to comply with NIST Special Publication 800-53 for federal information systems. Similarly, the private sector is governed by a variety of rules such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and the Payment Card Industry Data Security Standard. An organization cannot properly monitor user access until it has onboarded the applications and their associated access.
A Suggested Roadmap for App Onboarding
App onboarding starts with your organization’s master user record collected through the identity governance tool. Pulling in these authoritative sources of data gives you an understanding of the identities in your enterprise organization.
An application prioritization process comes next. Sila suggests integrating applications based on the risk reduction the integration is going to provide. Although organizations sometimes lack a holistic view of the risk profiles for all their systems, Sila recommends starting with the platforms that support/manage multiple applications in turn, such as Active Directory – whether on-prem or in the cloud. Next, prioritize the high-value applications whose compromise would substantially impact the organization, such as financial and payroll systems and databases, or security operations center (SOC) systems that access sensitive data. Indeed, the output of an application prioritization plan is important for a roadmap of an effective identity and access governance solution.
Next, application discovery should be conducted to understand the security model of prioritized applications and the architecture to integrate them with the IAG solution. Leveraging an application questionnaire, Sila interviews both business and technical owners of applications, as well as the IT support/help desk teams, to get a sense of the current access request processes and associated pain points.
The final step is the technical integration between the identity system and the target application. This integration process can run the risk of being time-consuming and repetitive, so Sila has streamlined it with a unique accelerator that automatically creates multiple integrations of the same type of platform. Hundreds of applications that can be logically identified as a collection can be rapidly onboarded with this tool. From there, an organization can quickly move on to onboarding the remainder of applications that are further down the chain of criticality.
App onboarding does not need to be a technically complex project that devolves into a multi-year effort of boiling the ocean by the bucket, with no end in sight. The key is to approach the app onboarding challenge with a tiered process that prioritizes platforms in a meaningful way and uses accelerators to streamline repetitive onboarding work. This allows organizations to begin securing their high-value, high-risk applications sooner rather than later, and to take back control over user privileges.
If completed in the iterative fashion described above, app onboarding can quickly show a return on investment for the identity and access governance tool by reducing IT administration and help desk costs, as well as any negative impacts to user productivity that are associated with manual processes to add and revoke accesses.