How to Improve Joiner/Mover/Leaver Identity Lifecycle Management
The ability to quickly provision, modify, and deprovision user accounts is the fundamental goal of standing up a “Joiner/Mover/Leaver” identity lifecycle management program. The benefits of a strong program include increasing user productivity by allowing personnel to quickly gain access, as well as increasing security posture to automate mover and offboarding scenarios.
Organizations often collect a rich set of authoritative identity data and connect to systems that control network access like Active Directory (AD). Organizations can take the next step and achieve even higher value in user administration by putting automated workflows in place that simplify manual employee onboarding/offboarding processes. With such workflows, organizations can quickly automate the provisioning and deprovisioning of user accounts.
Automating Joiner/Mover/Leaver workflows address some of the most common causes of audit findings, security vulnerabilities, and IT administration burdens. Delays in onboarding users, and improperly offboarding users (who may retain accounts after leaving the organization) also result in high software license costs.
While related, each process has its own unique challenges and requirements.
Onboarding users starts with making determinations prior to the user reporting for job duty. For example, what is the user start date? What IT assets need to be provisioned (such as a laptop or organization-issued smart device)? Where does the user fit in the organization? What access is the user allowed? Federal agency onboarding processes have additional complexity due to the multitude of onboarding requirements — network account access, email account access, PIV card enablement, training requirements, background check adjudication. The list goes on and the complexity only increases. Supervisors may also need to submit several forms and make independent requests to get essential accounts created for the user to be immediately productive in their job function (e.g. membership to various email distribution lists, and access to content management platforms or portals.).
All these joiner determinations and processes must happen either before, or soon after, a new employee is allowed on the network. Often these onboarding processes are manual, disconnected, and not tied together in a logical sequence. The result is reduced user productivity, increased managerial burden, and higher costs.
This addresses the system access employees need when they change departments, job titles, or supervisors. The mover process can often be more complex than joiner or leaver as it requires an understanding of user access rights across multiple systems. In addition, user lifecycle requirements (like maintaining training qualifications) need to be managed for the user to retain access to systems and networks. Due to the complexity, we recommend starting with improving the joiner and leaver processes first and then addressing the mover process. Requirements for the mover process can often be gathered while conducting an Application Onboarding program where an organization can systematically connect identity management to all high-value assets and applications.
There are few information security needs more critical than protecting access to systems, including disabling the access of offboarded employees, contractors, or partners. This is especially true for any cloud applications that rely on off-premises user repositories that either are not connected to on-premises network access, or are not immediately synchronized with on-premises network accounts. The suspension, deactivation, or deprovisioning of access for users that leave the organization is critical to maintain security.
Automate and Leave Manual Processes Behind
The key to improving Joiner/Mover/Leaver identity lifecycle management processes lies with orchestration and automated provisioning processes. Automating processes provides numerous efficiencies to include:
Rescinding privileges as soon as a user leaves a role; tracking joiner/mover/leaver processes in a single, unified way; integrating with service desk activities for the entire workflow.
A solid Joiner/Mover/Leaver process provides the framework to connect identity management to all high-value assets and applications such as financial systems, document repositories like SharePoint, and unstructured data through an application onboarding initiative. Integrating user onboarding with identity management gives managers, application owners, functional department managers, and directors visibility to user access across all high-value systems.