I don't need an identity and access management solution: I manage!

Mélanie Lebrun | Youzer Marketing Manager | 09/2022

Often postponed until later, an identity and access management project can be harmful. We think we can manage our users ourselves, but we quickly encounter slowdowns and small errors that waste a lot of time. If we were to weigh the cost and the implementation of an IAM on one side and the home-made solution on the other, which would be more interesting?


You've already heard of IAM (Identity and Access Management), perhaps less of IGA (Identity Governance and Administration), which is the administrative part of IAM, as opposed to the technical part.

The administrative part includes the automation of account creation and suspension, and the parameterization of workflows. IGA also includes a legal and security component, with account review, rights alignment and orphan accounts.

For the time being, you're managing all these parts yourself, and you don't consider it necessary to go through a paid solution. So let's talk 😏!


I don't need help to find out the number of employees.

"I've got Active Directory! Well, if you remove the system accounts, and I may have duplicates, errors and users gone..."

I regret to inform you that Active Directory is not your user repository. Active Directory contains a number of system accounts created by applications that are not necessarily still present in your IS. AD mixes users, systems and employees: you'll find accounts for employees past and present, as well as system accounts.

Counting employees is a surprisingly subtle operation: HR does not know every person working for the company at a given moment (it only counts people with a direct contractual relationship with the company, which excludes service providers and temporary staff, who do have accounts), while IT holds a large number of accounts.

An IGA solution synchronizes the HRIS and AD (or your user directory) to create a single user repository. This requires no action on your part: you retrieve your list, then review the duplicates and the suggested associations between HR records and accounts.

I don't need any help to manage my arrivals: HR fills in an Excel file.

"HR fills in an Excel file, then sends me an e-mail to confirm that I've seen the message. Sometimes I don't have enough information, so we call or write to each other. The job title isn't always very precise. Sometimes something slips through the cracks and the colleague arrives and nothing's ready, but frankly that doesn't happen very often. Sometimes we haven't made the right software requests."

So yes, Excel is the tool of choice for all situations, but there are times when you have to admit it's being pushed beyond its limits. Managing users in Excel is neither the easiest nor the most reliable way to handle arrivals and departures.

As long as you involve people in the whole process, you can be sure that you're going to make mistakes. Especially as you and your team will be spending a lot of time collating and unifying information.

Now, you might argue: what does my company risk if there's an error in the process? Yes, it wastes time, but there's no risk to the company's security. To that I would say that in some sectors the labour market is so tight that recruitment is a major issue for the company. Making a bad first impression on a new hire is not very strategic.

According to a study by ManPower, HR Voice and Opensourcing, the cost of a recruitment error can be as high as €30,000 to €150,000. The impact is felt on the company's image, employee morale, lost earnings from the vacant position, the cost of recruitment and training, and so on.

When HR enters a new employee into the HRIS, the IAM solution locates him or her within 30 minutes and applies the software package you have configured. Accounts are created automatically. All that's left for IT to do is validate the accounts.

I don't need any help setting up my users' accounts: I've got a team that takes care of that.

"Sometimes, there are errors in the nomenclature of the accounts or there are errors in the writing of the names. My teams still take a long time to create the accounts and can't concentrate on high value-added tasks."

Go and see your teams and ask them how long it takes to create and suspend accounts (if suspension is even set up in your company).

There are several steps involved in creating an account:

  • receiving the information (we'll assume it all arrived correctly 😉, so we won't go into the back-and-forth with HR),
  • the team creates the AD account (if the company uses it),
  • then a 365 account (which can be created directly in Azure/365 via AD Connect),
  • then, over time, licenses are allocated for the various business applications in use.

As the process is a little laborious, we often send the links to the employee and invite him or her to create the accounts themselves; the manager or IT then only has to validate the incoming creation requests, but it's still tedious.

In fact, when a new employee arrives, the first day is often devoted to making sure everything is in place.

And if your team didn't spend so much time on account creation and suspension, what projects would you like to spend it on?

And if you had no more friction when new employees arrived, how would new recruits feel about you, and how would managers feel about you and your IT department's image?

With an IGA solution, you've set up your various applications and you only have to perform a few actions (mainly validations), or none at all if you've set up workflows. As for your employees, no action is required on their part, as they have their access rights as soon as they arrive.

I don't need any help with my accounts review: we do it once a year.

"I mean, it takes up my time and that's really what I like least. I have to count on a full-time resource for several weeks. I don't do it very frequently, once or twice a year (it's true that I should do it more often)."

A quick reminder: why do an account review? An account review means making sure that every account active in your various applications is a legitimate one. It's often tedious, as it involves manually taking an HR list of employees and comparing it with the list of open accesses across all the company's applications.

Manual account review is therefore very time-consuming. You have no choice but to export your employees and your accounts, and to cross-check them manually, with validation from the departments.

This operation is necessary from both a legal and a security point of view.

An IAM solution cross-references all this information on an ongoing basis, so you don't have to do anything to obtain your account review. You get a summary of the users that require action on your part.

I don't need any help to manage my licenses: I'm sure that everything is fine (99%!).

"(In our experience, there are always big surprises!). If I could get a few licenses back, I'd be happy with the budget though."

With so many processes to consider, IT departments lack the tools to keep track of the resources used by the company. Humans can't remember every resource used by every user, present or not. It's often easier to allocate a new resource and go back and delete the old ones later than to reassign an existing license. But as IT departments become increasingly overloaded, it's hard to find the time to get back to it later.

With an IGA solution, you can retrieve the list of licenses that are not associated with an active user, for a single application or for all of them.

I don't need any help to manage my authorizations: rights and accesses are copied from a similar employee.

"It's true, we never looked at whether the applications each person had corresponded well to their position, but as we take the rights of a similar employee and paste them onto another, overall, it's fine."

Is the new employee exactly the same as any other? It's very common for an employee to have specific rights on an application, including administrator rights. We grant them because we know and trust that person and have put in place the security measures appropriate to their access, but will those rights be correct for a new employee?

When employees change jobs, their rights and access may also change.

In terms of security, it's best to apply the principle of least privilege. Indefinitely copying a profile whose rights and access haven't been reviewed for several years can therefore pose a major problem.

With an IGA solution, each user file tracks the person's software and rights, who they manage and who their manager is. You also apply the right profile to the right person and can review the rights profiles granted.
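The review described above, comparing the rights a person actually holds with the profile their job is supposed to carry, and spotting what a job change should have revoked, can be written down as a small check. The following is an added example, not Youzer's code or a description of how its product works; the role baselines, user records and right names are constructed for illustration:

```python
"""Rights review against role profiles (constructed example)."""

# Constructed role baselines: the rights each job is expected to hold.
ROLE_BASELINE = {
    "sales": {"crm:read", "crm:write", "m365:mailbox"},
    "sales_manager": {"crm:read", "crm:write", "crm:export", "m365:mailbox"},
    "it_admin": {"ad:admin", "m365:admin", "m365:mailbox"},
}

# Constructed user records as an IGA tool might hold them: current role,
# previous role (if the person changed jobs) and the rights actually granted.
USERS = [
    {"emp_id": "E001", "role": "it_admin", "previous_role": None,
     "rights": {"ad:admin", "m365:admin", "m365:mailbox"}},
    # Rights copied wholesale from E001 "because it worked": inherits AD admin.
    {"emp_id": "E005", "role": "sales", "previous_role": None,
     "rights": {"crm:read", "crm:write", "m365:mailbox", "ad:admin"}},
    # Moved from sales_manager to it_admin and kept crm:export along the way.
    {"emp_id": "E006", "role": "it_admin", "previous_role": "sales_manager",
     "rights": {"ad:admin", "m365:admin", "m365:mailbox", "crm:export"}},
]


def review_user(user, baseline):
    """Compare one user's granted rights with the baseline for their role."""
    expected = baseline[user["role"]]
    granted = user["rights"]
    finding = {
        "emp_id": user["emp_id"],
        # Granted but not in the profile: a least-privilege violation.
        "excess": sorted(granted - expected),
        # In the profile but not granted: the person is blocked in their work.
        "missing": sorted(expected - granted),
        # Rights that belonged to the old job only and were never revoked.
        "to_revoke_after_move": [],
    }
    if user["previous_role"]:
        old = baseline[user["previous_role"]]
        finding["to_revoke_after_move"] = sorted((old - expected) & granted)
    return finding


def rights_review(users, baseline):
    """Return only the users whose rights deviate from their role profile."""
    return [f for f in (review_user(u, baseline) for u in users)
            if f["excess"] or f["missing"]]


if __name__ == "__main__":
    for finding in rights_review(USERS, ROLE_BASELINE):
        print(finding)
```

Run as a script, the example flags E005 (an admin right copied from a colleague) and E006 (an export right left over from a previous job), while E001, whose rights match the profile exactly, produces no finding.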

I don't need any help managing my account suspensions: we check every 6 months to see which accounts are unused.

"When someone leaves, it's more blurred than for arrivals, sometimes I'm informed by running into HR at the coffee machine, sometimes I'm not. We look at unused accounts after 6 months and check with HR. And then 2 times a year, we review the accounts with a CSV file. There isn't a very defined process for departures."

Account suspension is the poor relation of account management.

When someone leaves, the information is much less clear than for an arrival, and it's not as crucial either. A user who has no account is blocked, and it shows. A user who leaves with accounts that are still active doesn't show up, doesn't bother anyone and is therefore left alone.

If we do make the effort to include account suspension in the offboarding process, we run into another inconvenience. To suspend an account, you go to the admin console and search for the license in question (often named something like 11112847393738). Make sure you don't pick 11112847383736, because that's the manager's license 😣. Then you start again in the admin console of every piece of software the employee had. On the agenda: time, patience and self-control. For teams that are already too busy, this step is tedious.

An IAM solution provides real-time information on departures. A workflow can be set up to automatically suspend accounts following an employee's departure. It's very easy to find the active accounts of departed users, known as ghost accounts.
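The cross-checking described in the account review, license and departure sections above (matching an HR list against the accounts open in each application, finding ghost accounts of departed users, orphan accounts with no owner, licenses that can be reclaimed, and suggested associations between unlinked accounts and HR records) is essentially one reconciliation. The following is an added example of that logic, not Youzer's code; the HRIS extract and the application account exports are constructed sample data, and the name-based matching heuristic (first initial plus last name, first.last) is an assumption for illustration:

```python
"""Account review reconciliation over an HRIS extract and app exports (constructed example)."""
import csv
import io
import unicodedata

# Constructed HRIS extract: one row per person HR knows about.
HRIS_EXPORT = """emp_id,name,status,end_date
E001,Alice Martin,active,
E002,Bob Durand,left,2022-06-30
E003,Chloé Petit,active,
E004,David Roux,active,
"""

# Constructed dump of accounts pulled from three admin consoles. emp_id is the
# link to HR when one exists; license is the seat the account consumes, if any.
APP_ACCOUNTS_EXPORT = """app,account,emp_id,last_login,license
AD,amartin,E001,2022-09-01,
AD,bdurand,E002,2022-07-15,
AD,cpetit,,2022-09-02,
AD,svc_backup,,2022-09-05,
M365,alice.martin@example.com,E001,2022-09-01,E3
M365,bob.durand@example.com,E002,2022-08-20,E3
M365,shared.mailbox@example.com,,2022-01-01,E3
CRM,cpetit,E003,2022-09-02,standard
"""


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def _ascii_lower(s):
    # "Chloé" -> "chloe": strip accents so handles compare cleanly.
    return unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode().lower()


def candidate_handles(name):
    """Login handles an account for this person would plausibly use (assumed heuristic)."""
    parts = _ascii_lower(name).split()
    first, last = parts[0], parts[-1]
    return {first[0] + last, f"{first}.{last}", f"{first}{last}"}


def reconcile(hris_rows, account_rows):
    active = {r["emp_id"] for r in hris_rows if r["status"] == "active"}
    departed = {r["emp_id"]: r["end_date"] for r in hris_rows if r["status"] != "active"}

    # Only keep handles that map to exactly one employee; ambiguous ones need a human.
    owners = {}
    for r in hris_rows:
        for h in candidate_handles(r["name"]):
            owners.setdefault(h, set()).add(r["emp_id"])
    handles = {h: next(iter(ids)) for h, ids in owners.items() if len(ids) == 1}

    report = {"ghost": [], "orphan": [], "suggestions": [],
              "reclaimable_licenses": [], "missing_ad": []}
    linked_ad = set()
    for a in account_rows:
        key = (a["app"], a["account"])
        emp = a["emp_id"]
        if a["app"] == "AD" and emp:
            linked_ad.add(emp)
        if emp in departed:
            # Ghost account: the person left, the account is still there.
            report["ghost"].append(key + (departed[emp],))
            if a["license"]:
                report["reclaimable_licenses"].append(key + (a["license"],))
        elif not emp or emp not in active:
            local = a["account"].split("@")[0]
            if not emp and local in handles:
                # Unlinked account that looks like an active employee's: suggest the link.
                report["suggestions"].append(key + (handles[local],))
            else:
                # Orphan: no owner in HR (system account, shared mailbox, stale link).
                report["orphan"].append(key)
                if a["license"]:
                    report["reclaimable_licenses"].append(key + (a["license"],))

    # Active employees with no AD account at all: the "blocked on day one" case.
    suggested_ad = {emp for app, _, emp in report["suggestions"] if app == "AD"}
    report["missing_ad"] = sorted(active - linked_ad - suggested_ad)
    return report


if __name__ == "__main__":
    result = reconcile(parse_csv(HRIS_EXPORT), parse_csv(APP_ACCOUNTS_EXPORT))
    for section, rows in result.items():
        print(section, rows)
```

On the sample data, Bob Durand's AD and M365 accounts come out as ghosts (with the M365 E3 seat reclaimable), the backup service account and the shared mailbox are orphans (another reclaimable E3), the unlinked AD account cpetit is proposed as Chloé Petit's, and David Roux is reported as an active employee with no AD account. In a real deployment the two CSVs would be replaced by the HRIS export and the per-application exports, and the linking decisions would still be validated by the departments, as the article says.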


I don't need any help to manage the reset of user passwords: they just send an e-mail to IT.

"It's true that it takes time for nothing for my teams."

As you know, every Monday brings its share of forgotten passwords, and worse, after the holidays the helpdesk is swamped. Every time it's the same: your teams spend a little time resetting and resending the password. It's not a big deal, but if the system administrator was doing something else, it cuts into his work; he loses time carrying out the action and then getting back into what he was doing.

There's no hiding the fact that resetting passwords is not only the lowest-value task for the IT department, but also the one that jumps to the top of the list every time.

With an IGA solution, you can use an app center to offer password self-reset. Your users become much more independent, and you're no longer called upon for such tasks. Of course, it's up to you to decide which software you want to open up to self-reset.

I don't need any help to give the first credentials to my employees: we put them in an envelope and give it to the manager.

"I write it on a post-it note that I give to the new employee's manager, then we put it on his desk 🤡 the evening before or the morning of his arrival."

Of course, in terms of security we've seen better, and the CNIL (the French data protection authority) publishes advice on password management. The question is always the same: how do you transmit the first password securely?

It can be sent to the employee's personal e-mail address or by SMS, which is already good practice. However, some companies consider it important not to intrude on employees' private lives, so limiting the use of employees' personal channels is a necessity.

For others, it's a question of security: an SMS or e-mail leaves traces.

An identity and access management solution enables you to receive your first password via a secure platform, with no trace outside this platform.

What would you do with all that saved time?

Managing accounts and users in-house is feasible, but it carries significant security risks. The work involved is considerable and brings no added value to the IT department, which can't concentrate on other projects.

Account creation and suspension will have to be done anyway, whether you automate them or not. Now the question is: how much time do you want to spend on it?

You could argue cost, but here again you come out ahead with a solution like Youzer 😇. Because the cost is low, it pays for itself from the moment it's set up: you recover licenses and time immediately.

Want to try it out? We offer non-binding trials over a few months, so you can make up your own mind!
