The daily news about data breaches always details what data was stolen by hackers or rogue insiders but never mentions the broken access provisioning processes that are often at fault. Establishing the right joiner-mover-leaver and access request processes is critical to a strong security posture. The challenge with these processes is partly that organizations need several business outcomes that are hard to achieve, but also that they neglect to make their processes measurable enough to see if expected outcomes are realized.
Provisioning business outcomes
Let’s consider what organizations want from their access provisioning processes.
- Security: Offboarding users promptly so that no orphan accounts become takeover targets is a key security concern. And assigning permissions accurately with respect to user job responsibilities is of paramount importance from a least privilege perspective. For some critical systems, just-in-time access or a “no-standing-privileges” approach is needed. In addition, there’s a change-audit requirement to support security, compliance, and forensics, namely, the challenge of auditing how someone got a certain permission, who approved it, and whether a permission was granted without approval.
- Speed: Timely access grants are crucial to avoid any impact on workforce productivity. No one wants employees waiting a week to get an account they desperately need! In fact, DevOps staff often demand immediate access and find a way to get it!
- Cost reduction: The costs associated with provisioning are an important issue. Manual approvals and manually serviced tickets are expensive when you count the man-hours involved across hundreds of weekly permission assignments and removals. The infrastructure that manages requests, approvals, onboarding, and offboarding can also be expensive to deploy and maintain. Existing investments in identity and ITSM need to be leveraged to keep costs down.
- User experience: The entire workforce interacts with provisioning processes, and for all these stakeholders, ease of use drives customer satisfaction. Any self-service request interface needs to provide a simple user experience that’s consistent with how employees ask for IT help in general. It should also be easy for administrators and application owners to configure provisioning and deprovisioning.
Provisioning process metrics
Working out processes to address these requirements isn’t enough; process KPIs that serve as evidence of results or pointers to problems are a must. And there’s the rub! Organizations cobble together solutions using off-the-shelf or homegrown software but ignore the issue of process metrics that help keep their processes on track. IT leaders often confess that the solutions they’ve deployed are “ok” or “not great”, but that’s as far as they can go.
At Zilla, we believe that measurable and effective access provisioning processes are key to a strong security and compliance posture, as well as to workforce productivity and operational efficiency. Zilla Provision, the newest module in our platform, was conceived to guarantee job-appropriate access, and both remove and assign new permissions quickly through zero-touch automation. It was also designed to keep costs down by reducing service tickets, to leverage existing IT investments, and to provide a simple user experience for all process stakeholders.
Zilla Provision’s integration with ITSM systems like Jira Service Management and ServiceNow eliminates the need to present users with yet another IT request experience, or to deploy yet another workflow engine, yet another ticketing system, or yet another change audit repository. Together with Zilla’s library of 500+ integrations and close integration with identity providers like Okta and Azure AD, Zilla Provision delivers a bullet-proof solution for system-verified access provisioning across cloud and on-prem infrastructure and applications.
Finally, Zilla Provision is focused on making access provisioning measurable. Metrics like “Mean Time To Provision a User”, “Mean Time To Grant a Permission” and “Percent Grants Automated” help IT staff understand how their processes are performing, where the bottlenecks are, and what needs improvement.
In summary, effective access provisioning isn’t just a ‘nice-to-have’; it’s a necessity in today’s digital landscape. Building these processes demands a focus on not just the business outcomes expected from them, but also the means to measure process flow, impact and acceptance.