Identity, access and BYOD issues are surely part of an IT manager’s daily routine. However, these are not the only things that need to be managed. There are also the various systems, networks and applications that are the veins and the neurons of the enterprise.
IT managers need to squeeze some time out of their daily routines to face, analyze and solve these problems. Fortunately, there are really simple solutions, and we discuss them in detail.
Employee self-service is the place to start. There are a lot of areas where it is a waste of resources for the IT department to support users who can, in fact, solve their own problems. One of these areas is password resets. At one of my clients, the analysis of the (ITIL) request data revealed that close to 70% of the calls to the help desk involved Windows password resets. We worked with the company and selected Microsoft’s Forefront Identity Manager application to enable the users to reset their passwords. We coordinated the launch and told the employees that they had to register themselves on the self-service portal and that no more password requests would be fulfilled by the help desk. It worked magically: the help desk took on additional responsibilities and the user support team (who had been resetting passwords) focused on other, more important areas.
While we are talking about password resets, let’s also talk about user provisioning. There are two types of provisioning: onboarding and offboarding (a transfer between departments can be considered as offboarding from the old department and onboarding to the new one). To get the various tasks under control, the first thing to do is to speak with the Human Resources department and set down the workflows. It is best to start the workflows from HR because their records are accurate (due to payroll, social security and other legal issues, they have to keep accurate records). When the onboarding workflows are clear with HR, speak with the other departments and see what their employees are using. For example, employees in the sales department use the Salesforce application and therefore need Salesforce.com accounts. When the workflows are clear and standardized, use the identity manager application to automate them. Not only will you save time, but you will also eliminate the security risk of active accounts belonging to former employees.
Then there are the shifting demands of the workplace. Other than the very traditional and conservative businesses, it is hard to imagine a company that does not have mobile employees and that does not have someone who “didn’t bring his/her own device.” This leads to a couple of additional workloads for the IT department, such as access to corporate resources, mobile device security, shared file access and the like. Again, the workloads can be defined, agreed upon with senior management and automated. When mobile access permissions have to be revoked or a user account suspended, automation applications such as Microsoft’s System Center Orchestrator will dramatically help IT departments reduce the workload. The automation applications have many plugins (some written by third parties) to work with other applications, such as Forefront Identity Manager, and can manage Salesforce accounts.
Of course, there is also the issue of rights management. I find it hard to understand why almost none of my clients employ Active Directory Rights Management or a similar tool for managing who has access to what. It is not only about automating access control but also about complying with certain legislation (plus, in some cases, procedures such as ISO 27001, which is about information security). Of course, it is not always possible to fully automate every task, but at least common tasks can be consistently covered with workflows. For example, one of my clients required an Active Directory, Exchange e-mail and Lync instant messaging account for each white-collar employee. Although this looks like a trivial task, one help desk, one user support and one Exchange administrator needed to work on every white-collar employee, both in onboarding and offboarding. Of course, the requirements changed for various departments, but automating at least these issues saved significant time.
All these discussions have one crucial point: the directory service must be consistent and up to date. Whether it is Active Directory or OpenLDAP, all directory data must be in top shape. I frequently discuss this issue of keeping an up-to-date directory with my clients. Almost all the time it comes to the HR department, as I have discussed above. Keeping the directory clean can also be accomplished by ending the onboarding, offboarding and interdepartment transfer workflows in the domain administrator’s task pool, so that he can check once again that everything is in place and finalize the workflow.
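The final check described above, with HR as the source of truth and the directory compared against it, is sketched here as an added example; it is not code from the original article or from any of the products it names. The record fields, the department-to-application map and all sample data are constructed for illustration.

```python
# Constructed sample data; field names and the department-to-application map
# are assumptions for this example, not taken from any product.
HR_RECORDS = [
    {"id": "E100", "name": "A. Kaya",  "dept": "Sales",   "status": "active"},
    {"id": "E101", "name": "B. Demir", "dept": "Finance", "status": "active"},
    {"id": "E102", "name": "C. Aydin", "dept": "Sales",   "status": "terminated"},
    {"id": "E103", "name": "D. Celik", "dept": "IT",      "status": "active"},
]
DIRECTORY = [
    {"id": "E100", "dept": "Sales",   "enabled": True, "apps": {"ad", "exchange", "lync", "salesforce"}},
    {"id": "E101", "dept": "Sales",   "enabled": True, "apps": {"ad", "exchange", "lync", "salesforce"}},
    {"id": "E102", "dept": "Sales",   "enabled": True, "apps": {"ad", "exchange", "lync", "salesforce"}},
    {"id": "E999", "dept": "Finance", "enabled": True, "apps": {"ad", "exchange", "lync"}},
]
BASELINE = {"ad", "exchange", "lync"}   # accounts every white-collar employee gets
DEPT_APPS = {"Sales": {"salesforce"}}   # extra applications per department

def reconcile(hr_records, directory):
    """Compare directory accounts against HR, the source of truth."""
    hr = {r["id"]: r for r in hr_records}
    accounts = {a["id"]: a for a in directory}
    findings = []
    for emp_id, acct in accounts.items():
        rec = hr.get(emp_id)
        if acct["enabled"] and (rec is None or rec["status"] != "active"):
            # Offboarding gap: live account with no active employee behind it.
            findings.append((emp_id, "disable", "no active HR record"))
            continue
        if rec is None or not acct["enabled"]:
            continue  # disabled accounts are out of scope for this check
        if acct["dept"] != rec["dept"]:
            findings.append((emp_id, "update-dept", f"{acct['dept']} -> {rec['dept']}"))
        expected = BASELINE | DEPT_APPS.get(rec["dept"], set())
        for app in sorted(acct["apps"] - expected):
            findings.append((emp_id, "revoke", app))   # left over from a transfer
        for app in sorted(expected - acct["apps"]):
            findings.append((emp_id, "grant", app))    # onboarding step missed
    for emp_id, rec in hr.items():
        if rec["status"] == "active" and emp_id not in accounts:
            findings.append((emp_id, "provision", rec["dept"]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in reconcile(HR_RECORDS, DIRECTORY):
        print(*finding, sep="\t")
```

Each finding is a work item for the administrator who closes the workflow: an account to disable, a transfer to complete, or an application right to grant or revoke.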
Considering how much time all these tasks take individually, and how they add up, shows the importance of an identity management and automation solution. The required investment, both in terms of money and time, will have returns sooner than you can imagine, especially if you further consider using the time saved from these mundane tasks on more productive projects.