Before considering the details of an IAM system, it is important to understand the motivation for automating these processes. There are broadly three types of reasons to automate IAM:
- To improve internal controls and IT security, often in support of audit or regulatory requirements.
- To reduce IT operating costs, in the form of a smaller team of people managing user access to systems and applications.
- To improve user service, in the form of simplified access requests, faster approvals and faster fulfillment.
Internal controls and regulatory compliance
One of the core problems IAM systems address is that users have excess access rights -- beyond what is appropriate for their business needs. This may be due to:
- Unreliable access deactivation processes, which result in orphan accounts (no known owner) or dormant accounts (not used, so compromises might go unnoticed).
- Inadequate change management processes, so that as user needs change over time, old and no longer needed entitlements are retained rather than revoked.
- Users whose access rights include "toxic combinations" that allow them to bypass control processes -- i.e., a failure to enforce segregation of duties policies.
- Users whose access rights in aggregate represent high risk.
- Access rights that are granted without appropriate approval or which are not periodically reviewed.
An effective IAM program should remediate these problems.
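The first three problems above (orphan accounts, dormant accounts and toxic combinations) are the kind of findings an access review should surface automatically. The following is an added example, not code from the original page or from any IAM product; it runs a simple review over a constructed account inventory and a hypothetical segregation-of-duties policy for a finance system.

```python
from datetime import date, timedelta

# Constructed sample inventory (not from the original page): account id,
# known owner, last login and entitlements on a hypothetical finance system.
ACCOUNTS = [
    {"id": "svc_batch", "owner": None, "last_login": date(2024, 5, 1),
     "entitlements": {"ap_read"}},
    {"id": "jdoe", "owner": "Jane Doe", "last_login": date(2023, 9, 10),
     "entitlements": {"ap_read"}},
    {"id": "mroe", "owner": "Mary Roe", "last_login": date(2024, 6, 2),
     "entitlements": {"vendor_create", "payment_approve"}},
    {"id": "ksmith", "owner": "Ken Smith", "last_login": date(2024, 6, 3),
     "entitlements": {"ap_read"}},
]

# Hypothetical segregation-of-duties policy: sets of entitlements that no
# single account may hold together (a "toxic combination").
TOXIC_COMBINATIONS = [
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"journal_post", "journal_approve"}),
]

DORMANT_AFTER = timedelta(days=90)   # assumed dormancy threshold
REVIEW_DATE = date(2024, 6, 10)      # constructed review date

def find_orphans(accounts):
    """Accounts with no known owner: nobody can attest to or deactivate them."""
    return sorted(a["id"] for a in accounts if not a["owner"])

def find_dormant(accounts, today, threshold=DORMANT_AFTER):
    """Accounts unused longer than the threshold: a compromise would go unnoticed."""
    return sorted(a["id"] for a in accounts if today - a["last_login"] > threshold)

def find_sod_violations(accounts, policy=TOXIC_COMBINATIONS):
    """Accounts holding every entitlement of some toxic combination."""
    hits = []
    for a in accounts:
        for combo in policy:
            if combo <= a["entitlements"]:
                hits.append((a["id"], tuple(sorted(combo))))
    return hits

def access_review(accounts, today=REVIEW_DATE):
    """Bundle the three checks into one review result for remediation."""
    return {
        "orphan": find_orphans(accounts),
        "dormant": find_dormant(accounts, today),
        "sod": find_sod_violations(accounts),
    }

if __name__ == "__main__":
    for kind, items in access_review(ACCOUNTS).items():
        print(f"{kind}: {items}")
```

In practice the inventory would come from the target systems' account exports and the review date from the scheduler; the policy table is what an organization's controls owners maintain.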
Cost savings in security administration and the IT help desk
In every organization, some number of people, either employees or contractors, are responsible for creating accounts and assigning entitlements. Another set of people is responsible for assisting users who have login problems, through password reset and unlock processes.
One of the functions of an IAM system is to automate as many of these processes as possible, so that users can help themselves or one another and the number of IT staff assigned to these tasks is minimized. Fewer people translate into direct, measurable cost savings.
User service and SLA
It can be difficult for users to:
- Find where to request access.
- Fill in access request forms.
- Figure out what entitlements are required.
Once a request has been submitted, it may take too long to approve and too long to complete.
The end result of all this is frustrating, slow access management. It impairs use of systems and applications: users who need access don't get it in a timely fashion and may waste time waiting, unable to work.
An IAM system should make access requests easy to find and complete. It should help expedite the approvals process and fulfill approved requests automatically wherever possible.