
Importance of IAM controls in firms

A little over ten years ago, onboarding a new employee required little more than creating an Active Directory account and a mailbox. The rest of the process consisted mainly of preparing the workstation (a desktop PC or a laptop) by installing and configuring the various software packages.

Nowadays the workstation is little more than a display terminal for tools, and the IT department has arranged matters so that it needs little maintenance or configuration: Group Policy Objects (GPOs) for automatic software deployment on workstations, Virtual Desktop Infrastructure (VDI), thin clients, Remote Desktop Services (RDS) servers, and so on.

The IT department therefore focuses more on consuming services than on managing resources: cloud services are multiplying, and the business departments naturally press IT to provide them with a variety of business tools.


For a new employee, this means dozens of accesses to different business tools must be created on arrival: file shares, the mailbox, instant messaging, the CRM, reporting tools, the corporate intranet, the expense report tool, and so on.

Creating the AD accounts when a new employee joins the firm is often painful, but it does get done. Still, several rounds of communication between managers, HR, the IT department and others are sometimes needed before the new employee has the right access to the software they need.

But this onboarding is only the tip of the IAM iceberg, because identity management has four main management points (Benantar, 2005):

• Management of arrivals: when a new employee joins. This step is generally carried out, but not necessarily correctly. Accounts are opened, but often only after a struggle. The manager is tossed between HR and IT, the former not having informed the latter and the latter not always quick to create access. These back-and-forth exchanges often create friction between managers and the IT department.

• Management of departures: when an employee leaves the company. This is the most painful point. Nobody “needs” the accounts of a departed user to be closed, and nobody is comfortable suspending them: “can't we wait?”, “can we leave it open until someone takes over the files?” And who is responsible for this step? The IT department is only rarely informed that an employee has left, and must therefore close the departed user's accounts with whatever information it can gather. Because the processes are not always followed, the IT department has had to set up a regular “account review”: going through the list of accounts and comparing it with the “active” workforce provided by HR at a given point in time. This “inventory” is often done by hand, by trying to merge Excel files with one another. It is relatively heavy and is only done once or twice a year.

• Management of movements: when an employee benefits from internal mobility. There are two points here: when a user changes position, they gain the new applications and rights that correspond to the new function, but they also lose access to the software and rights of the former position. While the first point is carried out correctly (as for the arrival of a new employee), the second is hardly ever done because it is complicated: it is not a matter of suspending an account but of modifying the rights, the access perimeter. For example, a salesperson who changes sector should no longer have access to prospects or customers from the former sector.

• Reconciliation: the consistency analysis of active access. This step has no trigger such as the arrival or departure of an employee. It involves keeping an “inventory of identifiers” for each user in order to be able to follow up on the previous points. Above all, it is a crucial point in identity management: monitoring all access accounts and ensuring that each has a valid reason to exist (the main reason being that it is used by a given user). In an ideal world, the identifiers would correspond exactly to the users, but there are also “system” accounts, shared accounts, accounts created for testing, temporary accounts, and so on.
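The account review described under departures, and the reconciliation step above, are usually done by merging spreadsheets by hand. As an added example (not part of the original text or of Benantar's work), the following Python script performs that reconciliation automatically for a constructed HR roster and a constructed directory export, and in passing checks the other three points as well: leavers whose accounts are still enabled, movers who kept rights from their former role, joiners with no account, and accounts with no HR record that are not on an approved service-account list. The role-to-group mapping, the account names and the employee identifiers are all assumptions made up for the example.

```python
"""Reconcile a directory account export against the HR roster.

Added example, not from the original text. All data below is constructed:
the HR roster, the directory export and the role-to-group mapping stand in
for an HR extract, an AD/LDAP export and the firm's own role model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    subject: str   # account name, or HR employee id when no account exists
    kind: str      # category of the anomaly
    detail: str


# Constructed HR extract: who is employed today, and in which role.
HR_ROSTER = [
    {"employee_id": "E001", "status": "active", "role": "sales_north"},
    {"employee_id": "E002", "status": "active", "role": "sales_south"},  # moved from sales_north
    {"employee_id": "E003", "status": "left", "role": "finance", "end_date": "2024-03-31"},
    {"employee_id": "E004", "status": "active", "role": "finance"},      # joined, no account yet
]

# Constructed directory export (think Get-ADUser output flattened to dicts).
AD_ACCOUNTS = [
    {"sam": "amartin", "employee_id": "E001", "enabled": True, "groups": {"CRM-North", "Intranet"}},
    {"sam": "bdurand", "employee_id": "E002", "enabled": True, "groups": {"CRM-North", "CRM-South", "Intranet"}},
    {"sam": "cpetit", "employee_id": "E003", "enabled": True, "groups": {"Finance-Reports", "Intranet"}},
    {"sam": "svc_backup", "employee_id": None, "enabled": True, "groups": {"Backup-Operators"}},
    {"sam": "test_user1", "employee_id": None, "enabled": True, "groups": set()},
]

# Assumed role model: the groups a role is entitled to, and nothing more.
ROLE_ENTITLEMENTS = {
    "sales_north": {"CRM-North", "Intranet"},
    "sales_south": {"CRM-South", "Intranet"},
    "finance": {"Finance-Reports", "Intranet"},
}

# Non-personal accounts that are allowed to exist, each with a named owner.
APPROVED_SERVICE_ACCOUNTS = {"svc_backup": "backup team"}


def reconcile(hr_roster, ad_accounts, role_entitlements, approved_service_accounts):
    """Compare accounts with the HR roster and return every anomaly found."""
    hr_by_id = {e["employee_id"]: e for e in hr_roster}
    findings = []

    for acct in ad_accounts:
        emp = hr_by_id.get(acct["employee_id"])
        if emp is None:
            # No HR record: acceptable only for an approved, owned service account.
            if acct["sam"] not in approved_service_accounts:
                findings.append(Finding(acct["sam"], "unowned_account",
                                        "no HR record and not an approved service account"))
            continue
        if emp["status"] != "active":
            # Departures: the account must be disabled once HR says the person has left.
            if acct["enabled"]:
                findings.append(Finding(acct["sam"], "leaver_still_enabled",
                                        f"employee left on {emp.get('end_date', '?')}"))
            continue
        # Movements: rights must match the current role, not accumulate from old ones.
        expected = role_entitlements.get(emp["role"], set())
        excess = acct["groups"] - expected
        missing = expected - acct["groups"]
        if excess:
            findings.append(Finding(acct["sam"], "excess_entitlement",
                                    f"not in role {emp['role']}: {sorted(excess)}"))
        if missing:
            findings.append(Finding(acct["sam"], "missing_entitlement",
                                    f"expected for role {emp['role']}: {sorted(missing)}"))

    # Arrivals: active employees with no account at all.
    provisioned = {a["employee_id"] for a in ad_accounts if a["employee_id"]}
    for emp in hr_roster:
        if emp["status"] == "active" and emp["employee_id"] not in provisioned:
            findings.append(Finding(emp["employee_id"], "joiner_not_provisioned",
                                    f"active in HR with role {emp['role']} but no account"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, AD_ACCOUNTS, ROLE_ENTITLEMENTS, APPROVED_SERVICE_ACCOUNTS):
        print(f"{f.kind:24} {f.subject:12} {f.detail}")
```

On the constructed data the script flags bdurand (still in CRM-North after moving to the southern sector), cpetit (left in March but still enabled), test_user1 (no owner) and E004 (active in HR but never provisioned), while amartin and the approved svc_backup account pass. Run against real HR and directory exports on a schedule, each finding becomes a ticket with a single accountable owner, and the once- or twice-yearly spreadsheet merge turns into a repeatable control whose output can be shown to an auditor.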

It is through these four points, which define IAM, that the company, and more particularly its IT department, controls and secures the digital identity of its employees by managing their access rights to resources such as applications, systems, software, networks and data. The HR manager can follow the employee from arrival to departure, through every development in the company, with the corresponding additions, modifications and deletions of access rights.

IT, and more broadly the company, is thus able to meet security and compliance standards, manage software better, substantially reduce security breaches and fight shadow IT effectively.

Human resources, for their part, gain a better approach to the employee: a successful onboarding that provides all the resources needed on arrival, career monitoring, and a controlled offboarding.

In general, employees have access to a large number of core and valuable resources: files, applications, systems, cloud services, the network, databases, the professional telephone, virtual platforms, and so on. This inevitably raises the risk of fraud and of attacks on the corporate network, as the alarming cyberattack figures show. What is to be done? Lock down business resources to a short official list? That would simply be counterproductive. Usage is clearly changing, as behavioural shifts such as teleworking show, and the company must adapt to new practices, in particular those carried by the cloud. Concretely, these evolving practices accelerate and multiply requests to modify access to the various software and cloud platforms, which makes monitoring all of this access far more complex. To carry out its identity monitoring duties, the IT department must deploy best practices and monitoring, reporting and control tools that consume a great deal of time day to day. There is therefore a very strong need for automation. Here, IAM helps the IT department considerably by setting up a workflow in which validations are delegated to the business lines. IAM software must be a tool managed by IT but used by managers and the HR department (Benantar, 2005). IT departments are often wary of delegating part of their job to operational staff: CIOs do not really want managers to manage the creation of accounts for their teams themselves.