Improving Onboarding With Automated Lifecycle Management

Improving IGA within your organization can have a beneficial impact on business outcomes related to employee efficiency and talent retention.

Background

There aren’t many things more detrimental to new employee productivity than a slow and disjointed onboarding process. Ineffective onboarding can cause employees to lose trust in their employer organization and can also impact a company’s ability to hit revenue targets. But what causes onboarding processes to decline? Manual lifecycle management (LCM) processes can often lead to new employees waiting months for the access they need to do their job. 

Case in point: if your organization utilizes AWS, you’re likely familiar with how time-consuming it is to properly provision a user. For one customer, manual LCM processes resulted in a drawn-out onboarding process with new employees waiting months for access to AWS. If your organization relies heavily on support tickets or tribal knowledge, or struggles with operational bottlenecks, then this situation may sound familiar to you.

Why It’s Important for IT and Cybersecurity Teams to Help Improve Onboarding Experiences

“But onboarding is HR’s problem,” you may be thinking. Keep in mind that IT and Cybersecurity teams oversee the access rights granted to employees for the key business resources needed to do their jobs. End-users may not understand everything that goes into provisioning an identity, but they sure like to blame IT when they can’t access the software needed to do their job, whether or not IT is the one holding up the process.

In addition, employee threat awareness is critical to effective cybersecurity. If end-users lose faith in the effectiveness of the IT and Cybersecurity processes, they’re less likely to respect and adopt recommendations made by your group. If you are working to convince your organization to change business operations to better benefit security outcomes, it’s important that employees have full faith in your IT group.

One Customer’s Story

Effective IGA practices like automated LCM can significantly improve onboarding experiences. A great example of how automated LCM can improve onboarding processes and have a positive impact within your organization is how one customer used Clarity to fully provision new employees in minutes rather than months. This customer was responsible for managing over 750 websites, plus SEO and content creation for their customers. Their employees needed access to a multitude of applications, web environments, and more. Most of their internal processes were built to prioritize agility, precision, and speed, except for managing access needs during new employee onboarding. Some new employees had to wait for over 2 months to be fully provisioned. Manual lifecycle management processes were making it almost impossible to provision new employees in a timely manner. In addition, the customer had regulatory requirements that mandated a specific approval process be followed before employee access could be provisioned. Very few hiring managers knew about the requirement, and so access would go unprovisioned for lengthy periods of time.
 
Regardless of regulatory requirements, new hires shouldn’t have to wait months to have access to the resources they need to do their job. Like many other organizations, this customer relied on tickets to handle LCM access requests. A manager had to remember to submit a ticket for their new employee’s access. Then an IT professional had to manually review the ticket, log into multiple applications, grant the proper entitlements, and respond to the manager to get formal approval to meet the previously mentioned regulatory requirements. This process was slow, time-consuming, and left a lot of opportunity for error. What if the manager forgot to include several of the applications needed or what if their requests left a user overprovisioned? How does an organization maintain RBAC and enforce least privilege if there isn’t a way to easily reference entitlements based on roles?

The Solution

To solve this customer’s problem, we used a combination of Clarity’s dynamic role mining engine and automated LCM to help minimize the organization’s reliance on tickets and alleviate bottlenecks during onboarding. 

To get started, team members from Clarity worked alongside the customer’s IT Team to complete Identity Unification. This process automatically generated the customer’s RBAC structure using flexible org units and attribute mapping to ensure least privilege and risk minimization. Afterwards, Clarity’s customer success team trained the client’s IT and cybersecurity administrators on how to use drag-and-drop workflows to create a customized automated LCM approval process. Now, when a new identity is found in a source of truth, such as when a new employee is populated in an HR system, that identity is immediately provisioned and granted access based on the appropriate role. There was no longer a need for IT admins to log into multiple downstream applications to manually grant access, saving significant time and reducing the potential for error.

As we mentioned earlier, there were certain access requests that required specific approval in order to meet regulatory requirements. For those instances, an additional custom LCM workflow was created to send daily notifications to reviewers until they approved or denied the request. Once access was approved, the identity was automatically provisioned. 

In Conclusion

Prior to Clarity Security, it wasn’t uncommon for a newly hired junior developer to be without their required access for two months. After implementing Clarity Security, all access is provisioned immediately after the employee is finalized in the HR system. This shift to automated LCM improved onboarding processes, reduced time and effort spent provisioning new identities, removed clunky operational processes, and better secured the customer’s application landscape. 

February 2023 Product Updates

This month, we’ve introduced quite a few new features and improvements.

Improved Identity Attribute Mapping

Clarity has always been able to accommodate multiple sources of truth. However, this update now allows for:

- Better mapping of identity attributes across multiple sources of truth
- Better management of conflicting naming conventions
- The ability to define custom identity attributes
- The ability to select which source of truth takes precedence for specific identity attributes

All of these changes mean it’s easier to accommodate unique access requests, like updating an employee’s FTE status within your HR system while still maintaining an active status in Active Directory.

“This update is a big win for minimizing conflict within your RBAC structure and makes it more feasible to accommodate unique access needs. It also prevents a source of truth from firing off unintentional lifecycle management events that could introduce serious security implications.”

– Greg Glass, Co-Founder and CTO
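The per-attribute precedence described above, as an added example that is not Clarity's code or API: each canonical attribute lists which source of truth wins, and the same HR change is evaluated under that policy and under a blanket HR-first policy. The field names, source labels, and the HR "active" flag behaviour are constructed assumptions.

```python
# Added example with constructed data; field names and source labels are assumptions.
# FIELD_MAP renames each source's own fields to canonical identity attributes.
FIELD_MAP = {
    "hr": {"emp_type": "employment_type", "dept": "department", "active": "account_enabled"},
    "ad": {"department": "department", "enabled": "account_enabled"},
}
# Per-attribute precedence: the first listed source that holds a value wins.
PRECEDENCE = {
    "employment_type": ["hr"],
    "department": ["hr", "ad"],
    "account_enabled": ["ad", "hr"],  # AD decides whether the account stays active
}

def normalize(source, record):
    """Rename one source's fields to canonical names; drop unmapped fields."""
    mapping = FIELD_MAP[source]
    return {mapping[k]: v for k, v in record.items() if k in mapping}

def unify(records, precedence=PRECEDENCE):
    """Merge {source: raw_record} into one identity plus per-attribute provenance."""
    normalized = {src: normalize(src, rec) for src, rec in records.items()}
    unified, provenance = {}, {}
    for attr, order in precedence.items():
        for src in order:
            value = normalized.get(src, {}).get(attr)
            if value is not None:
                unified[attr], provenance[attr] = value, src
                break
    return unified, provenance

def lifecycle_events(before, after):
    """Derive lifecycle events from two unified views of the same identity."""
    events = []
    if before.get("account_enabled") and not after.get("account_enabled"):
        events.append("deprovision")
    if before.get("employment_type") != after.get("employment_type"):
        events.append("employment_type_changed")
    return events

# Constructed scenario: HR moves the employee off FTE status and flips its own
# "active" flag, while Active Directory still shows the account enabled.
DAY_1 = {"hr": {"emp_type": "FTE", "dept": "Engineering", "active": True},
         "ad": {"department": "Eng", "enabled": True}}
DAY_2 = {"hr": {"emp_type": "part_time", "dept": "Engineering", "active": False},
         "ad": {"department": "Eng", "enabled": True}}
HR_FIRST = dict(PRECEDENCE, account_enabled=["hr", "ad"])

def compare_policies():
    """Return the events each precedence policy produces for the same HR change."""
    per_attr = lifecycle_events(unify(DAY_1)[0], unify(DAY_2)[0])
    hr_first = lifecycle_events(unify(DAY_1, HR_FIRST)[0], unify(DAY_2, HR_FIRST)[0])
    return per_attr, hr_first

if __name__ == "__main__":
    print(compare_policies())
```

Recording provenance alongside each unified value lets a reviewer see which source produced the attribute that triggered a lifecycle event.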

Flexible Org Units for Simplified RBAC

This update also made improvements to Clarity’s automated role mining engine. We’ve introduced flexible org units to allow you to be as granular, or high-level, as you need with your RBAC structure. You can still default to the standard RBAC structure that Clarity automatically generates for you. Or you can create highly specialized birthright access by using organizational units such as division, region, tax status, and more.

“It’s common to be intimidated by RBAC because you have to sit and think about every department and title and who should have access to what. To do this manually, it’s a monumental task. But Clarity’s Role Mining makes it a much less daunting project. When you initially stand up your environment your RBAC is immediately generated and then you can use these flexible identity attributes to modify and tweak as much as you want. Create new roles, clone roles, alter roles, add exceptions or exclusions, all to your heart’s content. Click a button, and RBAC is done.”

– Greg Glass, Co-Founder and CTO

Even More Workflow Customization

After a lot of feedback from our customers, we’ve expanded your ability to customize Lifecycle Management (LCM) workflows within Clarity with new triggers and event cascades. This gives you a lot of freedom over how Clarity should respond to identity creation events, changes in the lifecycle, and more. There’s also a new workflow trigger for “Orphan Account Detected” so that you can tell Clarity exactly how it should handle those expensive, and risky, orphaned licenses.

“We don’t want our platform to be so prescriptive that our customers have to overhaul all of their existing processes just to use Clarity. Instead, Clarity should be able to easily adapt to their unique processes. We’ve had workflows for a while now, and they just keep getting better and better.”

– Greg Glass, Co-Founder and CTO

ClarityConnect Changes

Quite a few updates were made to ClarityConnect, our virtual appliance that lets you connect to your on-prem applications without punching holes in your firewall.

- Added ability to have multiple ClarityConnect instances across one or more separate infrastructures
- Logic updates for how a source of truth imports inactive users
- Updates to On-Prem import syncing/cleanups
- Added an ability to filter/restrict your Active Directory connector to specific OUs
- Batch import detection, processing, and logging
- Ability to “clean up” stale and missing entitlements
- Enjoy more consistent and complete asynchronous imports

Additional Updates and Fixes

In addition, here’s a quick rundown of all the improvements that have been made to Clarity recently.

- Upgrades to notification/alert functions
- Dashboard got some nice performance upgrades
- Some nice improvements to the UAR admin user interface
- Ability to toggle automatic role mining entitlements
- Reworked the way roles are created or inherited
- General improvements for role assignment of aliased roles
- Added more granular Active Directory group types for local, domain, and universal security and distribution groups
- Changes to what happens to service users who go missing on subsequent imports
- We’ve added support for PostgreSQL Database connectors
- Refactored the existing AtlassianCloud/Jira connector
- Lots of new application connectors in the Marketplace, including a new Reports as a Service connector
- General connector performance and reliability improvements
- Exterminated some bugs
- Some standard infrastructure updates to keep things running efficiently behind the scenes

3 Ways Automated Identity Lifecycle Management Makes Your Job Easier

Automation, automation, automation. As professionals, we all understand the general benefits of incorporating automation into our processes and procedures. But does the time and effort that is spent developing and deploying automation really improve cybersecurity outcomes? When it comes to Identity Lifecycle Management, the answer is 100% yes, especially if you leverage an Identity Governance (IGA) Platform with easy-to-use, customizable drag-and-drop workflows.

What is the Identity Lifecycle?

Before we dive in, here’s a little refresh on Access Management 101. The Identity Lifecycle is the journey that a user’s identity goes through during its lifetime within an organization’s environment. Identities can be tied to specific end-users, such as employees, or digital entities such as devices or AI. The lifecycle of an identity begins the moment it is created, and it lasts through termination or deletion. Some important aspects of an identity’s lifecycle include when access is assigned, changes in credentials and authentication events. 
 
For example, Joy is a new Software Engineering Intern at Mega Corp. Her identity is created on her first day of work and she’s assigned all the relevant access she needs as a Software Engineering Intern. After just a few months, Joy is crushing her duties and is offered a full-time job at Mega Corp. With the change in role comes a new event in her identity lifecycle meaning Joy’s access needs to be updated. Joy is later assigned to a special project for a few months. This lifecycle event requires that her identity be granted temporary access to some systems outside of her standard role.

And so on and so forth. You get the gist. Every time Joy gets a change in title, or the scope of her work requires a change in access, an Identity Lifecycle event occurs. Now what happens at the end of an identity’s lifecycle? Well let’s return to our example employee Joy. After several successful years at Mega Corp., Joy accepts a job at another organization and her identity is fully deprovisioned, ensuring the now terminated Joy can’t access Mega Corp. systems and ending her identity’s journey through the lifecycle.

What is Identity Lifecycle Management?

Now that we’ve established what the Identity Lifecycle is, it’s easy to make the jump to Identity Lifecycle Management (LCM). LCM is the process of managing user identities and their evolving access privileges from day one through termination. 

For the sake of this example, know that Mega Corp. doesn’t currently use any automation for Identity Lifecycle Management. Every time Joy’s identity progresses through the lifecycle, a member of the cybersecurity or IT team has to rely on Joy’s manager to communicate, in a timely fashion, that there’s been a change. Then that individual will spend multiple hours logging into every downstream application and manually updating entitlements. A truly mind-numbing task that eats up time and employee bandwidth. Manual provisioning and deprovisioning is also error-prone and makes it difficult to maintain RBAC, which can negatively impact future audit outcomes.

What Does it Mean to Automate LCM?

While many organizations manually manage the identity lifecycle via access support requests, it’s possible to fully automate LCM through third-party software or on-prem solutions. This is done by connecting a tool or platform to your HR system and/or Active Directory so that changes within those sources of truth set off a cascade of actions within downstream applications. Rather than waiting to be informed of an event and then manually provisioning or de-provisioning, automated LCM handles the process on your behalf as soon as a change is made in a source of truth.
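The cascade described above, as an added example that is not Clarity's code: two snapshots of a source of truth are diffed into joiner, mover, and leaver events, and each event becomes a set of grants and revocations computed against the role's entitlements. The role names follow the Joy scenario; the entitlement strings and record fields are constructed assumptions, and temporary project access is out of scope.

```python
# Added example with constructed data; entitlement strings and record fields
# are assumptions, role titles follow the Joy scenario in the text.
ROLE_ENTITLEMENTS = {
    "Software Engineering Intern": {"github:read", "jira:user", "aws:sandbox"},
    "Software Engineer": {"github:write", "jira:user", "aws:dev"},
}


def classify(old, new):
    """Name the lifecycle event between two source-of-truth records (or None)."""
    was_active = old is not None and old["status"] == "active"
    is_active = new is not None and new["status"] == "active"
    if is_active and not was_active:
        return "joiner"
    if was_active and not is_active:
        return "leaver"  # terminated in HR, or missing from the snapshot
    if is_active and old["title"] != new["title"]:
        return "mover"
    return None


def plan(previous, current, granted):
    """Diff two HR snapshots; return (event, identity, grants, revokes) tuples."""
    changes = []
    for ident in sorted(set(previous) | set(current)):
        old, new = previous.get(ident), current.get(ident)
        event = classify(old, new)
        if event is None:
            continue
        # Unknown titles map to no entitlements, so a mapping gap fails closed.
        target = set() if event == "leaver" else ROLE_ENTITLEMENTS.get(new["title"], set())
        have = granted.get(ident, set())
        # Revoking (have - target) on a move is what stops access accumulating.
        changes.append((event, ident, sorted(target - have), sorted(have - target)))
    return changes


INTERN = {"joy": {"title": "Software Engineering Intern", "status": "active"}}
ENGINEER = {"joy": {"title": "Software Engineer", "status": "active"}}
DEPARTED = {"joy": {"title": "Software Engineer", "status": "terminated"}}

if __name__ == "__main__":
    held = {"joy": ROLE_ENTITLEMENTS["Software Engineering Intern"]}
    for change in plan(INTERN, ENGINEER, held):
        print(change)
```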

How Does Automated LCM Improve the Lives of Security and IT Professionals?

While you can, and many teams certainly do, manually manage the Identity Lifecycle, this is a time-consuming and frustrating process. It’s easy for teams to get buried under access requests or for managers to forget to inform IT and security admins about changes in employee roles or access needs. When processes break down within Identity Lifecycle Management, it causes a ripple effect within your IT General and Application controls, making RBAC nearly impossible and leaving your organization more vulnerable than ever.

This is just one example of how cybersecurity practices impact successful business outcomes. LCM is an integral part of effective IT General and Application controls; it helps enforce principles of least privilege, maintains RBAC, enforces zero-trust, and much more. These are all very important practices for organizations that must comply with HIPAA, PCI, HITRUST and other regulatory requirements. If your organization is publicly traded, it’s even more essential that you comply with regulatory agencies or you could face massive fines, loss of revenue, or be delisted from the stock exchange.

Reason #1: Significantly Reduce Risk

In a recent study done by Beyond Identity, 83% of former employees said they still had access to company resources after termination. Whether this is from a disjointed offboarding process or a simple breakdown in communication, terminated employees who have access to your resources pose a major threat to your organization. Malicious terminations can lead to loss of IP, destruction of IT services, and failed audits. Automated lifecycle management ensures identities are deprovisioned the moment HR files the termination paperwork. 

It might not seem like a big deal that Sam from Dev. was terminated three weeks ago and still has access to some material applications… that is until Sam deletes every lambda, RDS, and backup and posts all of your product source code on GitHub for the entire internet to enjoy. Legal and GRC would have a field day if that were to happen.
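A reconciliation check for the situation above and for orphaned accounts, as an added example that is not Clarity's code: enabled downstream accounts are compared against the HR source of truth, and any account whose owner is terminated or unknown is reported with its exposure in days. All records, field names, and addresses are constructed.

```python
from datetime import date

# Added example with constructed data; record fields are assumptions.
HR = [
    {"email": "sam@example.com", "status": "terminated", "ended": date(2023, 3, 1)},
    {"email": "joy@example.com", "status": "active", "ended": None},
]
ACCOUNTS = [
    {"app": "aws", "login": "sam", "owner": "Sam@example.com", "enabled": True},
    {"app": "github", "login": "sam-dev", "owner": "sam@example.com", "enabled": False},
    {"app": "aws", "login": "joy", "owner": "joy@example.com", "enabled": True},
    {"app": "jira", "login": "svc-build", "owner": "pat@example.com", "enabled": True},
]


def reconcile(hr_records, accounts, today):
    """Flag enabled downstream accounts whose owner is terminated or unknown to HR."""
    # Case-insensitive match: downstream apps often store addresses differently.
    people = {r["email"].lower(): r for r in hr_records}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deprovisioned in this application
        owner = people.get(acct["owner"].lower())
        if owner is None:
            findings.append({"app": acct["app"], "login": acct["login"],
                             "finding": "orphaned", "days_exposed": None})
        elif owner["status"] == "terminated":
            findings.append({"app": acct["app"], "login": acct["login"],
                             "finding": "terminated_owner",
                             "days_exposed": (today - owner["ended"]).days})
    # Orphaned accounts (no known end date) first, then longest exposure.
    return sorted(findings,
                  key=lambda f: (f["days_exposed"] is not None, -(f["days_exposed"] or 0)))


if __name__ == "__main__":
    for finding in reconcile(HR, ACCOUNTS, date(2023, 3, 22)):
        print(finding)
```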

Reason #2: Save Time Managing Access Requests

Manually managing access requests takes up hundreds of hours over the course of a year. If your organization has several hundred or thousands of employees, it’s nigh impossible. By leveraging automation, it’s like you’ve hired an employee whose sole focus is keeping up with changes in access. Depending on the platform, you can use customizable workflows to automatically provision or deprovision identities based on their role, department, or whether the identity is tied to an employee, service account, or contractor. Some systems are even capable of highly granular provisioning and deprovisioning.

Reason #3: Improve Audit Outcomes

We touched on this earlier, but automation goes a long way in ensuring the effectiveness of your IT General and Application Controls. Having an automated system in place that assures the right people have the right access at the right time improves audit outcomes and decreases the likelihood of deficiencies. As you know, cybersecurity best practices like least privilege and RBAC are essential to successful audit and compliance outcomes. But manual processes are error-prone and time-consuming, not to mention manually managing RBAC is a nigh impossible feat. Identity Lifecycle Management systems that use automation services like dynamic role mining ensure that RBAC is less likely to fall into disarray, role creep is contained, and least privilege is easily enforced. This translates to improved audit outcomes and a much improved business relationship with your GRC department.

Let’s Wrap This Up

Life as a security and IT professional is not easy. You’re pulled in a million different directions, your team is likely understaffed or under-resourced, and you’re constantly having to put out fires because end-users still can’t spot phishing attempts. If we could recommend one IGA practice that will significantly improve cybersecurity outcomes within your organization, it would be automation. Automating the Identity Lifecycle reduces risk, saves employee time and effort, and improves audit outcomes. It can even improve onboarding processes, lower IT operational costs, and positively impact business outcomes. 

When you’re ready to explore the ways that automated lifecycle management can transform your identity landscape, our team is here to help! Get in touch and we’ll respond to you faster than you can say “NIST Cybersecurity Framework”.