You have probably heard of IAM (Identity and Access Management), but perhaps less so of IGA (Identity Governance and Administration), which is the administrative part of IAM (as opposed to the technical part).
The administrative part includes the automation of account creation and suspension, and the configuration of workflows. IGA also encompasses a legal and security aspect with account reviews, rights alignment, and orphaned accounts.
For now, you manage all these parts yourself and you don't think it's necessary to go through a paid solution. So, let's discuss 😏!
I don’t need help to know the number of employees.
"I've got Active Directory! Well, if you remove the system accounts, and I may have duplicates, errors and users gone..."
I regret to inform you that Active Directory is not your user repository. Active Directory contains a number of system accounts created by applications that are no longer necessarily present in your IS. AD mixes users, systems, and employees; you will find the accounts of users, past and present, and system accounts.
Counting employees is a very subtle operation, because HR does not have all the people working for the company at any given time (since they only count people who have a direct contractual relationship with them, which excludes service providers and temporary workers who nevertheless have accounts) and IT has a large quantity of accounts.
An IGA solution synchronizes the HRIS and AD (or your user directory), thus creating a single user repository. This operation requires no action on your part: you get your list of users, along with the detected duplicates and association suggestions.

I don't need help managing my onboarding process; HR fills out an Excel file.
"HR fills in an Excel file, then sends me an e-mail to confirm that I've seen the message. Sometimes I don't have enough information, so we call or write to each other. The job title isn't always very precise. Sometimes there's a hole in the racket and the colleague arrives and nothing's ready, but frankly that doesn't happen very often. Sometimes we haven't made the right software requests."
So yes, Excel is the friend in all situations, but sometimes you have to recognize that the tool has reached its limits. Managing users in Excel is not the simplest or most reliable way to handle arrivals and departures.
As long as humans are involved throughout the chain, you can be sure that there will be errors, especially since you and your team will spend a lot of time gathering and unifying information.
Here, you can argue the following: what does my company risk if there is an error in the process? Yes, it wastes time, but there is no risk to the company's security. To this, I will answer that in some sectors the labor market is so tight that recruitment is a major issue for the company. Making a bad impression on the first day is not very strategic.
According to a study by ManPower, HR Voice and Opensourcing, a recruitment error has a very high cost, between €30,000 and €150,000. The impact is felt on the company's image, employee morale, the loss of earnings from the vacant position, the cost of recruitment and training, etc.

When HR enters a new employee into the HRIS, the IAM solution detects it within a maximum of 30 minutes and applies the software package that you have configured. Accounts are created automatically. IT only needs to validate the accounts.
I don't need help creating my users' accounts; I have a team that takes care of that.
“Sometimes, there are errors in the account nomenclature or there are errors in the spelling of names. My teams still spend a lot of time creating accounts and cannot focus on high value-added tasks.”

Go to your teams and ask them how long it takes for account creation and suspension, if the latter is implemented in your company.
Account creation requires several steps:
- Receiving the information (assuming that all the information has arrived correctly 😉; we will therefore not discuss the back-and-forth with HR)
- Creating the AD account (if the company uses it)
- Creating a 365 account (which can be created directly in Azure/365 via AD Connect)
- Assigning licenses to the user on the various business software used
Because the process is a bit laborious, the employee is often given the links and invited to create their own accounts; the manager or IT then just needs to validate the incoming creation requests, but it remains tedious.
Moreover, when a new employee arrives, the first day is often dedicated to making sure that everything is in place.
And if your team no longer spent so much time on account creation and suspension, what projects would you like them to focus on?
And if you no longer had any friction when employees arrive, what would be the feeling of the new recruits, the feedback from managers and the image of the IT department?
With an IGA solution, once your applications are configured, you only have a few actions to perform (mainly validations), or none if you have set up workflows. No action is required from the employee: they have their access as soon as they arrive.
I don't need help performing my accounts review; we do it once a year.
"I mean, it takes up my time and that's really what I like least. I have to count a full-time resource for several weeks. I don't do it very frequently, once or twice a year (it's true that I should do it more often)."

Quick reminder: why conduct an account review? An account review checks that every active account in the various applications is a legitimate account. It is often tedious because it requires manually processing an HR list of employees and comparing it to the list of open accesses on all of the company's applications.
Performing a manual account review is, therefore, extremely time-consuming. You have no choice but to export your employees and accounts and cross-reference them manually, with validation from the departments.
This operation is necessary from a legal and security point of view.
An IAM solution constantly cross-references all information, so you don't have to take any action to produce your account review. You will then have a summary of the users who require action on your part.
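The manual cross-reference described above, sketched as an added example (not part of the original article and not the vendor's code): it matches an HR export against per-application account exports by email and flags active accounts of departed employees (ghost accounts) and accounts with no HR match. The CSV columns, sample rows and the service-account allowlist are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not real data): an HR list and per-application accounts.
HR_CSV = """employee_id,email,end_date
E001,alice.martin@example.com,
E002,bob.durand@example.com,2024-03-31
E003,chloe.petit@example.com,
"""
ACCOUNTS_CSV = """app,login,email,enabled,licensed
AD,amartin,alice.martin@example.com,true,false
M365,amartin,Alice.Martin@example.com,true,true
AD,bdurand,bob.durand@example.com,true,false
M365,bdurand,bob.durand@example.com,true,true
AD,svc_backup,,true,false
CRM,jdoe,john.doe@contractor.example,true,true
AD,cpetit,chloe.petit@example.com,false,false
"""
SERVICE_ACCOUNTS = {"svc_backup"}  # assumed allowlist of documented system accounts


def review_accounts(hr_csv, accounts_csv, today, service_accounts=frozenset()):
    """Return (category, app, login, licensed) for each enabled account needing action."""
    hr = {r["email"].strip().lower(): r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acc in csv.DictReader(io.StringIO(accounts_csv)):
        if acc["enabled"].lower() != "true" or acc["login"] in service_accounts:
            continue  # already suspended, or a known system account
        person = hr.get(acc["email"].strip().lower())
        if person is None:
            # No HR match: contractor, temp or leftover account; needs an owner.
            category = "orphan"
        elif person["end_date"] and date.fromisoformat(person["end_date"]) < today:
            category = "ghost"  # employee has left but the account is still active
        else:
            continue  # current employee: legitimate account
        findings.append((category, acc["app"], acc["login"], acc["licensed"] == "true"))
    return findings


def reclaimable_licenses(findings):
    """Licenses still held by ghost or orphan accounts."""
    return [(app, login) for _, app, login, licensed in findings if licensed]


if __name__ == "__main__":
    results = review_accounts(HR_CSV, ACCOUNTS_CSV, date(2024, 6, 1), SERVICE_ACCOUNTS)
    for row in results:
        print(row)
    print("reclaimable:", reclaimable_licenses(results))
```

Orphans are reported for review rather than suspension because, as noted earlier, HR does not list service providers and temporary workers who legitimately hold accounts.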
I don't need help managing my licenses; I'm sure everything is fine (99% sure!).
"(In our experience, there are always big surprises!). If I could get a few licenses back, I'd be happy with the budget though."
With all the processes to take into account, IT departments lack the tools to track the resources used by the company. Humans cannot remember every resource used by each user, whether that user is still present or not. It is often easier to assign a new resource and delete the old ones later than to reassign an existing license. However, as IT departments are increasingly overloaded, it is difficult to find time to get back to it later.
With an IGA solution, you can list, for one application or for all of them, the accounts that are not associated with any user and therefore still hold an active license.
I don't need help managing my entitlements; rights and access are copied from a similar employee.
“It's true that we never looked to see if the applications that everyone had really corresponded to their position, but since we take the rights of a similar employee and paste them onto another, globally, it's fine.”

Is the new employee strictly similar to another? It is very common for an employee to need specific rights on an application, implying administrator rights. We grant those rights because we know the employee, we trust them, and we have put security measures in place that match their access, but will these rights be correct for a new employee?
An employee who changes position may also change rights and accesses; is this monitored?
In terms of security, it is preferable to apply the principle of least privilege. Therefore, indefinitely replicating a profile whose rights and access have not been reviewed for several years can be highly problematic.
With an IGA solution, each user record shows the software and rights that the employee has and who their manager is.
You also apply the right profile to the right person and you can review the profiles of rights granted.
I don't need help managing my account suspensions; we check every 6 months to see which accounts are unused.
"When someone leaves, it's more blurred than for arrivals, sometimes I'm informed by running into HR at the coffee machine, sometimes I'm not. We look at unused accounts after 6 months and check with HR. And then 2 times a year, we review the accounts with a CSV file. There isn't a very defined process for departures."
Account suspension is the poor relation of account management.
When someone leaves, things are less clear than for arrivals, and the information does not circulate as well. It is treated as less crucial than arrival information: a user without accounts is blocked, and that is noticed. A user who leaves with accounts still active is not noticed and does not bother anyone, so we let it go.
If we make the effort to include account suspension in the offboarding process, we run into a new inconvenience. To suspend an account, you go to the admin console to find the license in question (often its name is 11112847393738). Be careful not to confuse it with license 11112847383736 because that's the manager's 😣. Then you start again on each admin console of each software that the employee had. On the agenda: time, patience and self-control. For teams that are already overloaded, this step is tedious.
An IAM solution enables real-time notification of departures. An automated account suspension workflow can be implemented following an employee's departure. It is very easy to find active accounts of former users, which are known as ghost accounts.
I don't need help managing user password resets; they send an email to IT.
“It's true that it takes time for nothing for my teams.”
You know that on Mondays you will have your share of forgotten passwords and, worse, that after vacations the helpdesk will be swamped with requests. Every time it's the same: your teams spend a little time resetting and resending the password. It's not much, but if the system administrator was doing something else, it interrupts their work, and they lose time performing the action and then getting back to what they were doing.
Password resets, let's be honest, are really the task with the lowest added value for the IT department, but also the one that will have to be at the top of the list every time.

With an IGA solution, you can use an app center to offer self-reset passwords. Your users will be much more independent, and you will no longer be asked to perform these types of tasks. Of course, it is up to you to define which software can be self-reset.
I don't need help providing initial credentials to my employees; we put them in an envelope and give them to the manager.
"I write it on a post-it note that I give to the new employee's manager, then we put it on his desk 🤡 the evening before or the morning of his arrival."

Of course, in terms of security, we've seen better; the CNIL (French data protection authority) even gives advice on password management. The question is always the same: how do you transmit the first password securely?
It can be sent to the employee's personal email or by SMS, which is already very good in terms of best practice. However, for some companies, not interfering in the lives of employees is important, so limiting the number of interactions through employees' personal channels is a necessity.
For others, it's a matter of security; an SMS or email leaves traces.
An identity and access management solution provides a secure platform to receive the initial password, leaving no trace outside of this platform.
What would you do with all that time saved?
Managing accounts and users internally is feasible, but it leads to significant security flaws. The work to be done internally is substantial and does not provide added value for the IT department, which cannot focus on other projects.
Account creation and suspension will have to be done in any case, whether you automate them or not. Now the question is: how much time do you want to spend on it?
You might object to the cost, but again, you will benefit by taking a solution like Youzer 😇. The costs are low, so you are profitable from the moment you set it up. You recover licenses and time immediately.
Want to test it out? We offer no-obligation trials for a few months, so you can make up your own mind!





