Identity and Access Management projects are mostly looked at by the business and management as an automation solution, which they are, but why are you automating, and what else is the business gaining beyond convenience? One of the biggest cost-saving aspects that doesn’t get as much focus as it should in an Identity and Access Management program is self service. Self service means enabling users to manage their own identity and accounts. However, when you say self service, what function comes to mind? Password reset, right? That seems to be the only part of self service people focus on, because it’s the easiest to comprehend and sell. But like provisioning, password reset capability is only one piece of an overall self service strategy.
Self service should be built to let users manage as much of their own information as possible: password resets, account unlocks, access requests to applications, vacation schedules for out-of-office delegations, workflow approvals, reporting, attestations, and so on. Build your business processes into the Identity Lifecycle Systems and enable as much as you can. Your processes don’t change that often and can easily be automated and streamlined. When you do that it’s easier to track progress, see slowdowns in the queue, and remove the eyes that can see sensitive data. If Identity and Access Management is a train, self service is the passenger stations along the track. The easier it is to get on and off, the more it will be used.
Self service provides a significant security advantage and protection for the business because it removes the need for a man in the middle to process the request. A good example is a business that has a call center to handle account locks. The user calls a call center that is usually staffed by part-time, low-cost employees, provides their sensitive data, and is either given a new temporary password over the phone or has it emailed to them. It takes time for two people to process the request, and there is a security gap: the middle man knows your account status and probably the temporary password that grants access to your account, and there is lots of room for human error. I personally know of a company that uses the same generic password for ALL password resets for EVERYONE. Why? Because it’s easy. Think about it: all your employees have the same password when they reset, from executives to contractors.
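The fix for the shared-generic-password practice described above is to make every reset credential per-user, random, expiring and single-use, with the event recorded for audit. The following is an added illustration, not code from the original post; the `ResetStore` class, the 15-minute lifetime and the in-memory audit list are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

TEMP_TTL_SECONDS = 15 * 60  # assumed lifetime of a temporary credential


class ResetStore:
    """Pending temporary credentials for a self-service reset flow (example design)."""

    def __init__(self, now=time.time):
        self._pending = {}  # user -> (salt, pbkdf2 digest, expiry timestamp)
        self._now = now     # injectable clock so expiry can be tested deterministically
        self.audit = []     # (event, user); a real deployment would forward these to a SIEM

    def issue(self, user):
        # Fresh random secret per request: no two users (or two resets) share a value.
        temp = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", temp.encode(), salt, 100_000)
        # Only the salted hash is stored, so no operator can read the plaintext later.
        self._pending[user] = (salt, digest, self._now() + TEMP_TTL_SECONDS)
        self.audit.append(("issued", user))
        return temp  # delivered to the user only, e.g. via a verified out-of-band channel

    def redeem(self, user, candidate):
        entry = self._pending.get(user)
        if entry is None:
            self.audit.append(("redeem_no_pending", user))
            return False
        salt, digest, expires = entry
        if self._now() > expires:
            del self._pending[user]
            self.audit.append(("redeem_expired", user))
            return False
        cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
        if not hmac.compare_digest(cand, digest):  # constant-time comparison
            self.audit.append(("redeem_bad", user))
            return False
        del self._pending[user]  # single use: a second redemption fails
        self.audit.append(("redeem_ok", user))
        return True
```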
It falls to the business and project leaders to talk about the benefits that go beyond the obvious user enablement and automation of password resets.
End of Line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration, and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.