Managing user identities and access to IT resources has never been more important as organisations increasingly turn to cloud services and mobile apps to empower mobility and scalability. Ensuring employees and customers can access applications and data from multiple devices and locations, without compromising security, is a cornerstone of digital transformation. It is with robust identity and access management (IdAM) solutions, that this is made achievable.
Choosing your right product for your business can be hard enough, but once you are at the implementation stage there are still many pitfalls that can occur.
Avoiding duplicated data
Too often a lack of structure in the composition of user logins can result in collisions and duplications of your data. For example, trying to create a unique login by formatting an employee’s first letter of their first name and their surname causes all sorts of issues if people have the same name or initials. Alternatively, using customer’s email addresses as their unique identifier is similarly flawed, as people change email address; you need to make sure your chosen platform supports this.
Issuing employee numbers internally and using Globally Unique IDs (GUIDs) to identify external users will prevent such duplications from taking place.
Cleansing Your Data is a Must
With a unique model for IDs established, you can clean up your data by identifying any unused or orphan accounts. This ensures the data going into your IdAM solution is as up to date as possible, a pressing concern for organisations as GDPR legislation is clear on the need to apply tighter controls to the storage of personal data.
Centralising User Databases
Analysing and centralising network user databases is integral to simplifying the administration of the IdAM system.
Once the data has been cleansed, analysing the network authentication to ensure that all user databases are unified, rather than each location having an independent base, results in a unique point by which to connect the IdAM solution.
Rolling this out to databases for other applications means that your IdAM system can connect to focal databases rather than spread across all, making administration, security and auditing far simpler.
Technical Implementation Approaches
There are two approaches to implementing your IdAM solution. The first, creating identities on demand, is where the identities have not been created before the IdAM solution is implemented. The second is known as reconciling identities, and is where the identities have been previously created by a reconciliation process.
Let’s look at this in a bit more detail.
Creating Identities on Demand
Creating identities on demand is a controlled way to validate and populate the IdAM system with identities as and when they are required.
- A user attempts to authenticate against the new IdAM system. If their details aren’t found, then previous IdAM and associated systems are queried for the user’s details.
- If a previously created user is found, they are inserted into the new IdAM platform. This implicitly ensures that the new IdAM system is only populated with active users.
One downside to this is that it leads to a slower first-time authentication process, as the users’ details are imported into the new IdAM system. However, subsequent login and authentication processes will not need to scan legacy systems – it’s a one-off price for each user.
Spurious and fraudulent authentication attempts would still trigger queries across the estate as the platform tries to find existing user details – this is a processing overhead, but should be considered a worthwhile exercise as it would prevent duplicate account creation, and give you the opportunity to enforce business rules and validations with the user account holder.
Going forward, all new user accounts would be added directly into the new IdAM system. All aged and unused user accounts would remain in the previous IdAM system, and quietly fall by the wayside as they would not be imported into the new platform. The previous IdAM system can then be turned off after an agreed amount of time.
Reconciling Identities Up-Front
The divergent approach is to reconcile user information from all legacy and previous IdAM data stores up-front, and merge them into a super-set of data in the new IdAM platform.
However, this is a more resource-intensive process to perform during implementation, and requires de-duplication decisions to be made in advance of the go-live phase i.e. before users are able to access their data.
If you err on the side of caution and carry most, if not all, of the existing user data across, you would still have to determine an approach to identify active users so that aged and unused users can be deleted. You would also still need to provide users with the ability to update i.e cleanse, their data.
In a world where most organisations now recognise the need to embrace cloud services if they are to keep abreast of today’s technology trends, businesses must operate with far more fluid boundaries. It is only natural therefore that identity and access management should be a cornerstone to any digital or cloud transformation programme. When done right, a robust implementation will allow companies to not only make cost and time savings, but also deliver improved security and achieve greater business agility.