Identity-based access is key to modern cyber security. It’s something we’ve sought to implement at all levels with solid best practices. A subset of it is identity lifecycle management.
So, what is identity lifecycle management and how should you use it in your organization?
What is Identity Lifecycle Management?
It might help to know that identity lifecycle management is sometimes referred to as user lifecycle management.
In an identity or role-based system, identity lifecycle management is the process of ensuring that a user has the right credentials through their “life cycle” with the organization. This means applying the right permissions to their account when they are onboarded, changing those permissions if they are promoted, demoted, or transferred, and then turning them off when they leave the organization.
Ideally, this process should be automated as much as possible and operate across all of your applications. Modern organizations have a lot of different applications they are using, and manually updating all of them wastes a lot of IT’s time. I prefer to make sure that IT only has to “press a button” to activate or deactivate a user.
Why is Identity Lifecycle Management Important?
Ever started a new job and wasted your entire first day waiting for IT to get around to setting up your access? We all have, and it is not the best first impression.
Proper identity lifecycle management allows IT to activate all of a new employee’s permissions quickly so they can get right to training and/or work. If onboarding is being done right, new employees should sit down at their computer, in the office or at home, log in, and have access to everything they need (and nothing they don’t) right away.
At the other end of the story, too many companies have been “burned” when an employee who was fired or laid off used lingering access to steal data to sell to competitors or to sabotage the company. Identity lifecycle management helps make sure that all of a departing employee’s access is terminated on their last day. Unfortunately, you do need to apply zero-trust to this. Only about 12% of employees take data with them when they leave, but that’s still a significant number. Trusted employees who are retiring or relocating will understand why their access needs to be terminated.
It also makes sure that access is not terminated prematurely.
What Are Best Practices for Applying Identity Lifecycle Management?
Identity lifecycle management is part of an overall identity and access management (IAM) strategy. It can’t be applied as a standalone policy, but is an integral part of improved cybersecurity. Here are some things I’ve found useful:
Link All Logins
As already mentioned, IT should never have to manually create accounts and accesses for every single system you use. This takes hours of time they could be spending on far more important matters. It delays the productive start of new employees and potentially results in a software platform being missed. This might leave a new employee without access to the tools they need to do their job or, at the other end, somebody who is departing on poor terms finding they can still get into your customer database.
Instead, the identity management system should allow IT to run a single script to create an account with the appropriate permissions. For example, if bringing on a new sales representative, they should have “sales” access to the CRM, access to internal collaboration tools that let them talk to other people in sales (and, importantly, marketing), internal and external email, etc. When IT can do this in one keystroke, a lot of time is saved. When the HR system does it automatically, even more time is saved.
All systems should also be in the IAM system. Don’t let, for example, your source code be separate, even if IT would like it to be.
Include it in an Onboarding Checklist
Identity lifecycle management is also a key aspect of employee onboarding. Onboarding is a first impression, and if you don’t do it right, you’ll have an employee who spends the evening after their first day polishing their resume.
The appropriate IAM tasks for each role should be on a list which is provided to IT and also to the new hire’s supervisor so they can make sure it has been done, ideally before the new hire steps into the office or sits down at a workstation.
Verify Feeds
When a new employee is onboarded, or when an existing employee goes through a role change that requires upgrading (or downgrading) access, the change should go in a batch job sent by the HR system. It’s possible for a bug, a glitch, or a bad actor to send an incorrect feed to the IAM system. To prevent this, add a predecessor job that makes sure the feed is within normal ranges and stops and flags it if anything is unusual. This can help prevent downtime.
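One way such a predecessor job could look, as an added example that is not from the original article. The feed layout (`action`, `user`, `role`), the limits and the role names are assumptions made for illustration, and the sample feeds are constructed.

```python
from collections import Counter

# Constructed limits; derive real ones from your own historical feed volumes.
MAX_EVENTS = 50
MAX_TERMINATIONS = 5
ALLOWED_ACTIONS = {"hire", "role_change", "terminate"}
KNOWN_ROLES = {"sales", "marketing", "engineering"}

def validate_feed(feed, active_users):
    """Return reasons to hold the feed; an empty list means it looks normal."""
    problems = []
    if len(feed) > MAX_EVENTS:
        problems.append(f"{len(feed)} events exceeds limit {MAX_EVENTS}")
    terminations = Counter(e.get("action") for e in feed)["terminate"]
    if terminations > MAX_TERMINATIONS:
        problems.append(f"{terminations} terminations exceeds limit {MAX_TERMINATIONS}")
    seen = set()
    for row, event in enumerate(feed):
        action, user, role = event.get("action"), event.get("user"), event.get("role")
        if action not in ALLOWED_ACTIONS:
            problems.append(f"row {row}: unknown action {action!r}")
            continue
        if not user or user in seen:
            problems.append(f"row {row}: missing or duplicate user {user!r}")
            continue
        seen.add(user)
        if action == "hire" and user in active_users:
            problems.append(f"row {row}: hire for existing user {user}")
        if action != "hire" and user not in active_users:
            problems.append(f"row {row}: {action} for unknown user {user}")
        if action != "terminate" and role not in KNOWN_ROLES:
            problems.append(f"row {row}: unknown role {role!r}")
    return problems

def predecessor_job(feed, active_users):
    """Gate in front of the IAM import: release a clean feed, hold and flag the rest."""
    problems = validate_feed(feed, active_users)
    return ("HOLD", problems) if problems else ("RELEASE", [])

# Constructed sample data.
ACTIVE = {f"user{n}" for n in range(20)}
NORMAL_FEED = [
    {"action": "hire", "user": "newrep", "role": "sales"},
    {"action": "role_change", "user": "user3", "role": "marketing"},
    {"action": "terminate", "user": "user7"},
]
# A glitch or bad actor marks every employee as terminated.
MASS_TERMINATION = [{"action": "terminate", "user": u} for u in sorted(ACTIVE)]
```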
Automate De-Provisioning
Provisioning, that is, setting up the new account or changing permissions, generally requires approval. De-provisioning is a different matter. When an employee is terminated in the HR system, de-provisioning should take place immediately and automatically.
You can set options for de-provisioning. You may want to “suspend” the user, for example if it is somebody you are hoping to rehire or if there is important data attached to their account. You may, under other circumstances, want to delete the entire account to free up database space.
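The sketch below is an added example, not code from the original article: it applies one termination to every linked application with the “suspend” or “delete” option, then reconciles the applications against the HR roster to catch accounts an earlier departure left behind. The application names, users and in-memory account stores are constructed stand-ins for real connectors.

```python
def make_apps():
    """Constructed account stores, one per application linked to the IAM system."""
    return {
        "crm": {"alice": "active", "bob": "active"},
        "email": {"alice": "active", "bob": "active"},
        # carol left earlier and this system was missed at the time.
        "source_control": {"bob": "active", "carol": "active"},
    }

def deprovision(apps, user, mode="suspend"):
    """Apply one HR termination everywhere; return the applications touched."""
    if mode not in ("suspend", "delete"):
        raise ValueError(f"unknown de-provisioning mode: {mode}")
    touched = []
    for name, accounts in apps.items():
        if user not in accounts:
            continue
        if mode == "delete":
            del accounts[user]              # frees the record entirely
        else:
            accounts[user] = "suspended"    # keeps data for a possible rehire
        touched.append(name)
    return sorted(touched)

def find_orphans(apps, hr_active):
    """List (application, user) pairs still active for people HR no longer lists."""
    return sorted(
        (name, user)
        for name, accounts in apps.items()
        for user, state in accounts.items()
        if state == "active" and user not in hr_active
    )

if __name__ == "__main__":
    apps = make_apps()
    print(deprovision(apps, "bob"))          # bob was just terminated in HR
    print(find_orphans(apps, {"alice"}))     # what is still lingering
```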
Do Access Reviews
You should do an access review any time an employee’s status changes. This means having the manager do a quick overview of user access. For transfers, both the new and old manager should be consulted.
It’s also valuable to have the employee log on and verify they have access to everything they are supposed to. This reduces downtime caused when a new or transferred employee discovers they don’t have access to something mid-workflow, affecting their productivity and mood and resulting in IT having to scramble.
I suggest that all companies use some form of identity lifecycle management. It improves cybersecurity, helps to streamline onboarding, and ensures that orphan accounts are not left after termination. It’s a vital part of your overall IAM program, and should not be neglected.