Implement IdM. Preparation for implementation by the customer

    In previous articles, we have already discussed what IdM is, how to understand whether your organization needs such a system, what tasks it solves, and how to justify the implementation budget to management. Today we’ll talk about the important steps that the organization itself must go through to reach the right level of maturity before implementing the IdM system. After all, IdM is designed to automate processes, and it is impossible to automate chaos.


    Until a company grows to the size of a large enterprise and accumulates a host of different business systems, it usually does not think about access control. As a result, its processes for obtaining rights and controlling privileges are unstructured and hard to analyze. Employees submit access requests however they like, the approval process is likewise not formalized, and sometimes it simply does not exist. It is impossible to quickly find out what access an employee has, who approved it, and on what basis.


    Since access automation touches two main areas, personnel data and the data of the information systems to be integrated, we will look at the steps needed to make the IdM implementation go smoothly and avoid pushback:

    1. Analysis of HR processes and optimization of employee record keeping in HR systems.
    2. Analysis of user and rights data, and updating of access control methods in the target systems that are planned to be connected to IdM.
    3. Organizational activities and staff involvement in preparing for the IdM implementation.

    HR data

    The source of personnel data in the organization may be one, or maybe several. For example, an organization can have a fairly wide branch network, and each branch can use its own personnel base.

    First of all, you need to understand what basic data about employees are stored in the personnel management system, what events are recorded, and evaluate their completeness and structure.

    It often happens that not all personnel events are recorded in the HR source (and even more often they are recorded late and not quite correctly). Here are some typical examples:

    • leave is not recorded, nor its category and duration (regular or extended);
    • part-time employment is not recorded: for example, while on long leave to care for a child, an employee may simultaneously work part-time;
    • the actual status of the candidate or employee has already changed (hiring / transfer / dismissal), but the order for this event is delayed;
    • the employee is transferred to a new full-time position through dismissal, while the HR system does not record that this is a technical dismissal.

    It is also worth paying special attention to assessing the quality of the data, since any errors and inaccuracies received from a trusted source, which is what HR systems are, can be costly later and cause a lot of problems when implementing IdM. For example, HR officers often enter employee positions in different formats: uppercase and lowercase letters, abbreviations, different numbers of spaces and the like. As a result, the same position can be recorded in the HR system in the following variations:

    • Senior manager
    • senior manager
    • senior  manager (with a double space)
    • Sr. manager…

    Often you also have to deal with differences in the spelling of an employee’s name:

    • Shmelyova Natalia Gennadyevna,
    • Shmeleva Nataliya Gennadievna ...

    For further automation, such a mess is unacceptable, especially if these attributes are the key identification attribute, that is, data about the employee and his accounts in the systems are matched precisely by name and surname.


    In addition, we should not forget that a company may have employees who share a surname or even a full name. If an organization has a thousand employees, there may be few such coincidences, but with 50 thousand this can become a critical obstacle to the correct operation of the IdM system.

    Summarizing all of the above, we conclude: the format for entering data into the organization’s HR database should be standardized. The input parameters for the full name, positions and departments should be clearly defined. The best option is when the HR employee does not type the data in manually, but selects it from a pre-created directory of the department and position structure using the “select” function available in the HR database.

    To avoid further synchronization errors and manual correction of discrepancies in reports, the most preferred way to identify employees is to assign an ID to each employee in the organization. Such an identifier will be assigned to each new employee and will appear both in the HR system and in the organization’s information systems as a mandatory attribute of the account. It doesn’t matter whether it consists of numbers or letters; the main thing is that it is unique for each employee (for example, many use the employee’s personnel number). Later, this attribute will greatly simplify linking data about the employee in the HR source with his accounts and credentials in information systems.

    So, all the steps and mechanisms of personnel accounting will need to be analyzed and put in order. It is possible that some processes will have to be changed or reworked. This is tedious and painstaking work, but it is necessary, otherwise the lack of clear and structured data on personnel events will lead to errors in their automatic processing. In the worst case, unstructured processes cannot be automated at all.
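    The following script is an added example, not code from the article, showing the kind of data-quality audit described above: it canonicalizes position strings (case, whitespace, abbreviations), and then shows why matching by name fails in both directions (one employee with two spellings, two employees with the same name) while the mandatory employee ID does not. The HR records, the abbreviation table and the field names are constructed for the example.

```python
import re
import unicodedata
from collections import defaultdict

# Constructed sample HR export (not from the article). Records 1 and 2 are the same
# person with two transliterations of her name; records 3 and 4 are two different
# employees who are full namesakes; the last record lacks the mandatory identifier.
HR_RECORDS = [
    {"employee_id": "10021", "full_name": "Shmelyova Natalia Gennadyevna", "position": "Senior manager"},
    {"employee_id": "10021", "full_name": "Shmeleva Nataliya Gennadievna", "position": "senior manager"},
    {"employee_id": "10077", "full_name": "Ivanov Ivan Ivanovich", "position": "senior  manager"},
    {"employee_id": "10078", "full_name": "Ivanov  Ivan Ivanovich", "position": "Sr. manager"},
    {"employee_id": "", "full_name": "Petrov Petr Petrovich", "position": "Accountant"},
]

# Assumed abbreviation dictionary; in practice this comes from the HR directory
# of positions that personnel staff should pick from instead of typing.
ABBREVIATIONS = {"sr": "senior", "jr": "junior", "dep": "deputy"}


def normalize_position(raw: str) -> str:
    """Canonical form of a position: Unicode-normalised, lower case, single
    spaces, trailing dots removed from tokens, known abbreviations expanded."""
    text = unicodedata.normalize("NFKC", raw).strip().lower()
    words = [w.rstrip(".") for w in re.split(r"\s+", text) if w]
    return " ".join(ABBREVIATIONS.get(w, w) for w in words)


def name_key(full_name: str) -> str:
    """Name-based key: only case and whitespace are normalised. Transliteration
    differences deliberately survive, because there is no safe way to collapse them."""
    return " ".join(unicodedata.normalize("NFKC", full_name).split()).lower()


def audit_hr_records(records):
    """Return the problems that would break name-based matching in IdM."""
    ids_by_name = defaultdict(set)
    names_by_id = defaultdict(set)
    raw_by_position = defaultdict(set)
    missing_id = []
    for r in records:
        if not r["employee_id"]:
            missing_id.append(r["full_name"])
            continue
        ids_by_name[name_key(r["full_name"])].add(r["employee_id"])
        names_by_id[r["employee_id"]].add(name_key(r["full_name"]))
        raw_by_position[normalize_position(r["position"])].add(r["position"])
    return {
        # one name, several employees: matching by name would merge their rights
        "namesakes": {n: sorted(i) for n, i in ids_by_name.items() if len(i) > 1},
        # one employee, several spellings: matching by name would create a second account
        "spelling_variants": {i: sorted(n) for i, n in names_by_id.items() if len(n) > 1},
        # every raw spelling hiding behind one canonical position
        "position_variants": {p: sorted(v) for p, v in raw_by_position.items() if len(v) > 1},
        "missing_employee_id": missing_id,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_hr_records(HR_RECORDS), indent=2, ensure_ascii=False))
```

    Running the audit on the sample data reports the two Ivanovs as namesakes, the two spellings behind ID 10021, four raw spellings of “senior manager”, and one record without an ID; in a real migration these are exactly the rows to fix in the HR system before IdM ever reads them.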

    Target systems

    The next step is to figure out how many information systems we want to integrate into the IdM structure, what data about users and their rights are stored in these systems, and how to manage them.

    In many organizations it is believed that we will install IdM, configure the connectors to the target systems, and with a wave of a magic wand everything will work without any additional effort on our part. Alas, that is not how it happens. The landscape of information systems in a company develops and grows gradually. Each system can have a different approach to granting access rights, that is, different access control interfaces are configured. In some, control happens through an API (application programming interface), in some through the database using stored procedures, and in some an interaction interface may be completely absent. You should be prepared for the fact that you will have to review many existing processes for managing accounts and rights in the organization’s systems: change the data format,

    Role model

    You will probably come across the concept of a role model even at the stage of choosing an IdM solution provider, as this is one of the key concepts in the field of access rights management. In this model, data access is provided through a role. A role is a set of accesses that are minimally necessary for an employee in a certain position to perform his or her functional duties.

    Role-based access control has a number of undeniable advantages:

    • simple and efficient assignment of identical rights to a large number of employees;
    • quick change of access for employees who share the same set of rights;
    • elimination of redundant rights and separation of incompatible privileges among users.

    The role matrix is first built separately in each of the organization’s systems and then scaled to the entire IT landscape, where global Business roles are formed from the roles of each system. For example, the Business role “Accountant” will include several separate roles for each of the information systems used in the accounting department of an enterprise.

    Recently, it is considered “best practice” to create a role model even at the stage of developing applications, databases and operating systems. At the same time, situations are not uncommon when roles are not configured in the system or they simply do not exist. In this case, the administrator of this system must enter the account information in several different files, libraries and directories that provide the necessary permissions. Using predefined roles allows you to give privileges to carry out a whole range of operations in a system with complex composite data.

    Roles in an information system are, as a rule, assigned according to positions and departments in the staff structure, but they can also be created for specific business processes. For example, in a financial organization several employees of the settlement department hold the same position, operator. But inside the department there is also a split into separate processes for different types of operations (external or internal, in different currencies, for different segments of the organization). So that each business area within one department gets access to the information system according to its specifics, the rights must be placed in separate functional roles. This provides a minimal sufficient set of privileges, without excess rights, for each area of activity.

    In addition, for large systems with hundreds of roles, thousands of users, and millions of permissions, it is good practice to use a hierarchy of roles and inheritance of privileges. For example, the parent role, the Administrator, will inherit the privileges of the child roles: User and Reader, since the Administrator can do the same as the User and the Reader, plus it will have additional administrator rights. Using a hierarchy, there is no need to re-specify the same rights in several roles of one module or system.
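    As an added illustration of the three ideas in this section (per-system roles, a role hierarchy with inherited privileges, and Business roles composed from system roles, with a check for incompatible privileges), here is a small model in Python. It is not code from the article or from any IdM product; the system names, role names and permission names are constructed for the example.

```python
from collections import defaultdict


class SystemRoleModel:
    """Roles of one information system. A role may include other roles, in
    which case it inherits their permissions (Administrator -> User -> Reader)."""

    def __init__(self, system: str):
        self.system = system
        self._roles = {}  # role name -> (own permissions, included role names)

    def add_role(self, name, permissions=(), includes=()):
        self._roles[name] = (set(permissions), list(includes))

    def effective_permissions(self, name, _seen=None):
        """All permissions of a role, following the inclusion hierarchy.
        _seen guards against cycles in a badly built hierarchy."""
        _seen = set() if _seen is None else _seen
        if name in _seen:
            return set()
        _seen.add(name)
        own, included = self._roles[name]
        result = set(own)
        for child in included:
            result |= self.effective_permissions(child, _seen)
        return result


class BusinessRoleModel:
    """Business roles are bundles of per-system roles. Permissions are reported
    as (system, permission) pairs so incompatible rights can be checked across
    the whole landscape, not only inside one system."""

    def __init__(self):
        self.systems = {}
        self.business_roles = defaultdict(dict)  # business role -> {system: [roles]}
        self.incompatible = []                    # pairs of (system, permission)

    def add_system(self, model):
        self.systems[model.system] = model

    def define(self, business_role, system, roles):
        self.business_roles[business_role][system] = list(roles)

    def forbid_together(self, first, second):
        self.incompatible.append((first, second))

    def permissions_of(self, business_role):
        perms = set()
        for system, roles in self.business_roles[business_role].items():
            for role in roles:
                perms |= {(system, p) for p in self.systems[system].effective_permissions(role)}
        return perms

    def sod_violations(self, assigned_business_roles):
        """Incompatible permission pairs a user would hold with these business roles."""
        held = set()
        for br in assigned_business_roles:
            held |= self.permissions_of(br)
        return [pair for pair in self.incompatible if pair[0] in held and pair[1] in held]


def build_example_model():
    """Constructed example landscape (assumed names): an ERP system with a role
    hierarchy and an AD domain with flat groups."""
    erp = SystemRoleModel("ERP")
    erp.add_role("Reader", {"read_ledger"})
    erp.add_role("User", {"post_entry"}, includes=["Reader"])
    erp.add_role("Approver", {"approve_payment"}, includes=["Reader"])
    erp.add_role("Administrator", {"manage_users"}, includes=["User"])

    ad = SystemRoleModel("AD")
    ad.add_role("Domain Users", {"logon"})
    ad.add_role("Finance-Share-RW", {"finance_share_rw"})

    model = BusinessRoleModel()
    model.add_system(erp)
    model.add_system(ad)
    model.define("Accountant", "ERP", ["User"])
    model.define("Accountant", "AD", ["Domain Users", "Finance-Share-RW"])
    model.define("Payment approver", "ERP", ["Approver"])
    model.define("Payment approver", "AD", ["Domain Users"])
    # the person who posts an entry must not also approve its payment
    model.forbid_together(("ERP", "post_entry"), ("ERP", "approve_payment"))
    return model


if __name__ == "__main__":
    m = build_example_model()
    print(sorted(m.permissions_of("Accountant")))
    print(m.sod_violations(["Accountant", "Payment approver"]))
```

    Note that `Administrator` never lists `read_ledger` or `post_entry` itself; they arrive through inclusion, which is the point of the hierarchy. The `sod_violations` check is what lets the Business-role layer catch a combination (“Accountant” plus “Payment approver”) that looks harmless inside each system on its own.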

    At the first stage, you can create roles in those systems where the number of possible combinations of rights is not very large and, as a result, a small number of roles is easy to manage. These may be the typical rights required by all company employees in widely used systems such as Active Directory (AD), mail systems, Service Manager and the like. Then the role matrices created for these information systems can be included in the general role model by combining them into Business roles.

    Using this approach, in the future, when implementing the IdM system, it will be easy to automate the entire process of granting access rights based on the created roles of the first stage.

    NB Do not try to include as many systems as possible in the integration right away. At the first stage, systems with a more complex architecture and access rights management structure are best connected to IdM in a semi-automatic mode. That is, based on personnel events, implement only the automatic generation of an access request, which is received by the administrator, who then configures the rights manually.

    After successfully completing the first stage, you can extend the system’s functionality to new advanced business processes, complete automation and scaling with the addition of additional information systems.
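    The staged connection described in the NB above, and the personnel events from the HR section, can be sketched in code. The following is an added example and not code from the article or from any IdM product: each target system is connected in either automatic mode (the connector applies the change) or semi-automatic mode (IdM only raises an access request for the administrator), and a dismissal that the HR system marks as technical is treated as a transfer so that accounts are not disabled. The system names, position-to-role mapping and event fields are assumed.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    AUTOMATIC = "automatic"            # connector applies the change in the target system
    SEMI_AUTOMATIC = "semi-automatic"  # IdM only raises a request for the administrator


@dataclass
class HREvent:
    employee_id: str
    kind: str                 # "hire", "transfer" or "dismissal"
    position: str             # position after the event (empty for a real dismissal)
    technical: bool = False   # dismissal that is really a transfer to a new position


# Constructed configuration (assumed names): which systems are connected in which
# mode, and which per-system roles each position maps to.
CONNECTORS = {"AD": Mode.AUTOMATIC, "ERP": Mode.SEMI_AUTOMATIC}
POSITION_ROLES = {
    "accountant": {"AD": ["Domain Users", "Finance-Share-RW"], "ERP": ["User"]},
    "auditor": {"AD": ["Domain Users"], "ERP": ["Reader"]},
}


def plan_actions(event, connectors=CONNECTORS, position_roles=POSITION_ROLES):
    """Translate one personnel event into per-system actions. Each action says
    whether the connector executes it ("apply") or an access request is created
    for the administrator ("request"), and which roles the target set should be."""
    kind = event.kind
    if kind == "dismissal" and event.technical:
        # a technical dismissal must not disable anything; treat it as a transfer
        kind = "transfer"
    actions = []
    for system, mode in connectors.items():
        how = "apply" if mode is Mode.AUTOMATIC else "request"
        if kind == "dismissal":
            actions.append({"system": system, "how": how, "op": "disable", "roles": []})
            continue
        roles = position_roles.get(event.position.lower(), {}).get(system, [])
        # "grant" adds roles to a new account; "reassign" replaces the current set
        op = "grant" if kind == "hire" else "reassign"
        actions.append({"system": system, "how": how, "op": op, "roles": roles})
    return actions


if __name__ == "__main__":
    for ev in (HREvent("10021", "hire", "Accountant"),
               HREvent("10021", "dismissal", "Auditor", technical=True),
               HREvent("10021", "dismissal", "")):
        print(ev.kind, "technical" if ev.technical else "", plan_actions(ev))
```

    The same event produces an immediate change in AD and a ticket for the ERP administrator, which is exactly the split the NB recommends for the first stage; once the ERP connector is trusted, flipping its entry in `CONNECTORS` to automatic mode is the only change needed.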


    In other words, to prepare for the implementation of IdM it is necessary to assess the readiness of information systems for the new process and to develop, in advance, external interfaces for managing user accounts and user rights where a system does not already have them. The phased creation of roles in information systems for integrated access control should also be addressed.

    Organizational activities

    Do not ignore organizational issues. In some cases they play a decisive role, because the outcome of the whole project often depends on effective interaction between departments. We usually recommend creating a team of process participants in the organization that includes all the involved units. Since this is an additional burden for people, explain in advance to all participants in the future process their role and significance in the structure of interaction. If you “sell” the idea of IdM to your colleagues at this stage, you can avoid many difficulties later.


    Often the information security or IT department is the “owner” of an IdM implementation project in a company, and the opinions of business units are not taken into account. This is a big mistake, because only they know how and in which business processes each resource is used, who needs access to it, and who doesn’t. Therefore, at the preparation stage it is important to state that the business owner is responsible for the functional model on the basis of which the sets of user rights (roles) in the information system are developed, and also for keeping these roles up to date. A role model is not a static matrix that is built once and then forgotten about. It is a “living organism” that must constantly change, update and develop, following changes in the structure of the organization and the functions of employees.

    As the saying goes, “a child with seven nannies ends up without an eye” (too many cooks spoil the broth), so a company should develop a methodology that describes the role model architecture, the interaction between specific process participants and their responsibility for keeping it up to date. If a company has many lines of business and, accordingly, many divisions and departments, then for each line (for example, lending, operations, remote services, compliance, etc.) separate curators must be appointed within the role-based access control process. Through them it will be possible to quickly receive information about changes in the structure of a unit and the access rights required for each role.

    Be sure to enlist the support of the organization’s leadership to resolve conflicts between the departments participating in the process. Conflicts when introducing any new process are inevitable, take it from our experience. Therefore you need an arbiter who will resolve possible conflicts of interest, so as not to lose time to someone’s misunderstanding or sabotage.


    NB A good start in raising awareness is staff training. A detailed walk-through of how the future process will work and of the role of each participant in it will minimize the difficulties of switching to a new solution.

    Checklist

    To sum up, here are the main steps an organization planning an IdM implementation should take:

    • clean up personnel data;
    • introduce a unique identifier for each employee;
    • assess the readiness of information systems for the implementation of IdM;
    • develop access control interfaces for information systems where they are absent, and allocate resources for this work;
    • develop and build a role model;
    • build a role model management process and include curators from each business line in it;
    • select several systems for the initial connection to IdM;
    • create an effective project team;
    • enlist the support of company management;
    • train staff.

    The preparation process can be difficult, therefore, if possible, involve consultants.

    Implementing an IdM solution is a difficult and crucial step, and its success depends both on the efforts of each side individually (employees of business departments, IT and information security services) and on the interaction of the whole team. But the effort is worth it: after IdM is introduced in the company, the number of incidents related to excessive privileges and unauthorized rights in information systems decreases; employee downtime caused by missing or long-awaited rights disappears; and thanks to automation, labor costs fall while the productivity of IT and information security services grows.
