Automated identity?

Access & Identity Management Handbook 2011 Access Control & Identity Management

Ugan Naidoo, MD Security, CA Southern Africa discusses how effective service management processes help organisations build a solid IT infrastructure for delivering high quality services.

Identity and access management (IAM) solutions enable companies to manage their users’ identities and associated privileges, while securing access to sensitive resources. Today, these IAM services are generally not available to users within a service management framework, or when they are, they still depend on manual, organisation-specific procedures.

Establishing the user’s identity, role and access rights can involve filling out forms that are then transferred from one department to another to obtain the necessary authorisation. A similar process is followed when an employee’s personnel profile or business role changes or their tenure with the organisation finishes. The end-to-end process for any one of these operations is often laborious, manual and costly. Most importantly, it is subject to error.

Incorporating IAM services

Incorporating IAM services into an existing service management framework provides comprehensive automation for processes such as provisioning while allowing users to leverage existing interfaces to request other IT services.

Encapsulating IAM services within an organisation’s IT service management framework provides a number of benefits. This approach enhances the quality of IT services provided by the organisation, thereby increasing both organisational and user productivity. It also strengthens the alignment of IAM IT services to the business needs of the organisation and leverages a single point of contact for IT services by including identity administration service requests. Moreover, it improves the organisation’s ability to comply with regulatory restrictions through end-to-end transaction logging and auditing functionality.

IT service delivery of IAM

In order to remain competitive and viable in today’s business world, organisations are being challenged to supply customers with high quality services using cost-effective measures. Whether these IT services pertain to users’ requests for workspace, computer equipment, telecommunications services, or productivity applications – companies are adopting service management strategies to create effective processes that automate some of their most cumbersome admin activities.

For example, getting a new employee on board in a company is often an arduous process, typically involving manual communication mechanisms among multiple departments. Different departments fulfil the new user’s physical facility requirements such as their: telecommunications, computer hardware, human resources and security access. The overall process is typically disjointed, with no single point of visibility from which to monitor it end-to-end. Streamlining and automating such processes are paramount to solidifying the competitive viability of the organisation.

Most services within the IAM domain are viable for candidates to become part of an overall service management strategy. The success of such a strategy depends upon well-defined objectives and policies, as well as effective and efficient service management processes.

These include:

* Providing a single point of contact for service delivery (in the form of a service catalogue) to facilitate users’ access to IT’s portfolio.

* Ensuring the collaboration among departments by providing process components that automate the integration among disparate domains.

* Accommodating varying degrees of change management pertaining to user requests, by engaging a service desk as a single point of contact for service support.

* Securing access to corporate resources pertaining to the web applications that are central to the solution.

By encapsulating IAM services within an IT service management framework, the organisation enhances the quality of IT services provided, thereby increasing both organisational and individual productivity. IT services become aligned with business needs and a single point of contact and interface is achieved thereby simplifying interaction with the IT infrastructure and automating the approval and fulfilment workflow processes required to complete identity administration requests. Finally, the organisation obtains additional regulatory compliance benefits by virtue of the integration’s end-to-end transaction logging and auditing functionality.

The business case

The effective use of management tools to deliver IAM services begins with the following four functional areas:

* Provisioning a resource identity.

* Changing a resource identity, such as a user’s attributes or properties.

* Modifying resource entitlements, such as adding a role or business function to a user.

* Removing a resource identity.

Examining the business processes that encompass the provisioning of a resource identity highlights the complexity that can be involved. While the processes of provisioning a user with the appropriate access to systems and applications vary among organisations depending upon their IT maturity level, they represent an important subset of the processes required to get an employee onboard. They typically combine an overarching approval cycle with a number of forms-based e-mail communications.

To fulfil the new employee’s provisioning needs, the manager must obtain the required approvals and send the forms to people within other departments to complete specific steps. Employee data must be entered into a corporate management database (MDB). Entering such data is usually a manual function performed by IT and also entails defining a specific role for the employee, with associated access rights. Such role assignments require sign-off by the security team and the hiring manager. As a result, a ticket is opened in the service desk system.

The ticket eventually goes to the security team, which circles back with the hiring manager (and his or her superiors) to verify the request. Since the process takes place via e-mail, it can take several hours or days to complete. Once approval is granted, the security team approves the request and closes the ticket. At that point, the original IT team is informed, the role request can be fulfilled and the employee is granted access to required applications. Such a process requires extensive human interaction with no single point of oversight. If a hiring manager fails to respond to an e-mail requesting authorisation, the entire process comes to a standstill and requires manual investigation to identify the bottleneck. Meanwhile, the new employee is left without the required resources.

What integration brings

A more integrated approach enables users to manage the lifecycle of identity administration services using service management tools. Managers use the simple user interface in a service catalogue to order IT services. Transparently, the service catalogue works with the identity-provisioning manager to fulfil their requests. The solution builds upon and complements an organisation’s IT service management strategy to deliver high quality identity administration services using automated and cost effective measures.

Identity administration tasks are registered as services within the organisation’s service catalogue. The hiring manager uses the service catalogue to choose the IT resources the new employee needs. Behind the scenes, the service catalogue triggers a series of workflow processes that obtain the necessary approvals. Once all approvals are acquired, a fulfilment workflow process is executed that either triggers service desk change management to further analyse the change before submitting it to identity management, or executes identity management directly to fulfil the provisioning requests.

The identity management process then creates the necessary accounts and access rights. Throughout this process, the identity management subsystem monitors the status of the provisioning request and updates the service catalogue with the success or failure of the operation. Should any step be delayed, the service catalogue tracks the current state of the request. Should anyone inquire as to the status of the request, support personnel can immediately determine where the process stands, thereby reducing the need to chase paper and follow e-mail trails throughout the organisation.

In a similar way, if the user changes roles or business functions or leaves the organisation, the service catalogue triggers a workflow process to obtain the necessary approvals, and then the same fulfilment process, as described above, takes place. While delivering these services, logs are maintained that facilitate any subsequent auditing of the changes.

The benefits

Such an automated approach brings a number of important benefits to the process, including:

* Enhanced quality of IT services provided by the organisation, increasing both organisational and user productivity.

* Improved alignment of business process and identity administration, allowing IT to become a business enabler with employees receiving IT services in a consistent fashion.

* Security policies become more closely aligned with business goals and more consistently enforced.

* Automation enables IT to be viewed as a service that is transparent to users.

* A single point of contact for all IT provisioning needs. Managers and users can perform either delegated administration or self-service identity administration functions.

* Central tracking, management and reporting. IAM services are delivered based upon established service level agreements.

* Improved security and compliance through:

- Automated processes that improve consistency and accuracy in applying roles and access rights to individuals.

- Creation of an audit trail, helping to ensure compliance with industry and government regulations.

- Automated off-boarding, which ensures that employees who have left the organisation can no longer access corporate resources.

* Streamlined workflow

- The integration results in a well-defined process that can be used to provision accounts, roles and access requests.

* Cost savings

- Less manual intervention in the procurement process means less productivity loss for all concerned.

- Simplified training. With a single place to go for all IT service requests, educating staff on how to obtain access to systems and applications, processes is simplified.


In its July 2008 examination of the identity management market, the Burton Group summed up the situation well. “The complexities of the identity system must be simplified as organisations are forced to manage an ever growing user community, integrate with partners, and offer identity related services to customers and other external entities.”

Organisations can put the solution in place today and gain significant, immediate advantages by streamlining the process of delivering IT services. At the same time, they will be positioned for the future, having taken a step in the direction of achieving a simplified, automated, and integrated application architecture.

For more information contact CA Southern Africa, +27 (0)11 417 8645,


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Enhanced biometric technology for mines
September 2019, ZKTeco , Mining (Industry), Access Control & Identity Management
Biometric identification and authentication are currently used at various mines in South Africa and in the SADC region.

Improving access in mines
October 2019, Astra Fasteners , Mining (Industry), Access Control & Identity Management, Products
The VP1 controller provides full access control and remote monitoring of intelligent locks without having to wire into a network or install, manage and maintain software.

Invixium and Pyro-Tech partner in South Africa
October 2019 , News, Access Control & Identity Management
Invixium, a manufacturer of IP-based biometric solutions and Pyro-Tech Security Suppliers have announced a new distribution partnership.

Suprema receives FBI PIV/FAP30 certification
October 2019, Suprema , News, Access Control & Identity Management
Suprema has announced that the company's BioMini Slim 3 has received FBI PIV (Personal Identity Verification) and Mobile ID FAP30 certification.

New appointments at CA Southern Africa
October 2019, CA Southern Africa , News
CA Southern Africa has announced a number of senior appointments to strengthen its local team.

Frictionless access with a wave
October 2019, IDEMIA , Access Control & Identity Management, Residential Estate (Industry)
IDEMIA was the Platinum Sponsor for the Residential Estate Security Conference 2019 and set up its MorphoWave Compact frictionless fingerprint biometric scanner at the entrance to the conference.

Streamlined access and reporting
October 2019, Comb Communications , Access Control & Identity Management, Residential Estate (Industry)
The main focus of the Comb stand was its practical demonstration of the MK II Lite intercom system with third-party integrated products.

Customised and integrated solutions
October 2019, Suprema , Access Control & Identity Management, Residential Estate (Industry)
iVisit offers both high-end and low-end residential complexes a cost-effective visitor management solution that is fully integrated into Suprema's offerings.

Access solutions for every estate
October 2019, Impro Technologies , Access Control & Identity Management, Residential Estate (Industry)
Impro's flagship Access Portal solution comprises one of the most user-friendly software solutions on the market.

SALTO achieves Environmental Product Declaration (EPD)
October 2019, Salto Systems Africa , News, Access Control & Identity Management
SALTO Systems has announced that it has received the first Environmental Product Declaration (EPD) for XS4 smart locking solutions, including the XS4 Original model for the European and Scandinavian standard ...