Establish the digital identity
The life cycle around a digital identity can be both simple and complex. As we mentioned in our previous blog post, a user is more than just a human; it is every account that is used for authentication in your environment.
So we need to create good processes and tools to support the life cycle for all types of accounts: employees, partners, and customers as well as IoT devices and system accounts. The life cycle must cover every scenario, from birth or onboarding, through changes and modifications, to deactivation or off-boarding.
A solid foundation
When we started to work with Identity and Access Management (IAM) programs, the main focus was on synchronizing values across the customers' different systems. It often resulted in a high volume of integrations between different user directories and application databases. Today, with much more mature access control and identity federation available, we focus instead on creating a solid foundation of digital identities in the user directories, ensuring that the information and attributes in that foundation are of high quality. This creates a great starting point for federating against other organizations and services.
What is JML?
To describe the life cycle, we often use three different processes: joiner, modify and leaver, or JML. A good start is to involve the organization and the relevant stakeholders to identify the processes and routines around JML. This is an area of expertise where our business analysts and IAM architects help our customers with architectural design, business requirements and process mapping. Often there is a key system that we can integrate against to capture as much information as possible and feed it into a central identity directory. One example is an HR system as the key system for employees, integrated into the corporate Active Directory. From the HR system we not only capture the joiner and leaver events, we also receive a lot of valuable information that we transfer to Active Directory as attributes. These attributes are then used to create roles and group memberships, and can be consumed by applications that implement Attribute-Based Access Control (ABAC). Other provisioning sources could be a CRM system for customers or an education platform for students.
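To make the HR-to-directory flow concrete, here is an added example (not code from the original post or from any product) of a minimal reconciliation step: it compares constructed HR records with a constructed snapshot of the central directory, classifies each identity as joiner, modify or leaver, and derives group membership from the HR department attribute. Identifiers, attribute names and the GRP- naming scheme are assumptions for illustration.

```python
# Added example (not from the original post): HR-to-directory reconciliation
# that classifies identities as joiner, modify or leaver and derives group
# membership from HR attributes in an ABAC-like way.

# Constructed sample: the HR system is the key system for employees.
HR_RECORDS = {
    "E1001": {"name": "Alice Smith", "department": "Finance", "status": "active"},
    "E1002": {"name": "Bob Jones", "department": "IT", "status": "active"},
    "E1003": {"name": "Carol White", "department": "Sales", "status": "terminated"},
}

# Constructed sample: current state of the central identity directory.
DIRECTORY = {
    "E1002": {"name": "Bob Jones", "department": "Finance", "enabled": True,
              "groups": {"GRP-Finance"}},               # moved department -> modify
    "E1003": {"name": "Carol White", "department": "Sales", "enabled": True,
              "groups": {"GRP-Sales"}},                 # terminated in HR -> leaver
    "E1004": {"name": "Dan Brown", "department": "HR", "enabled": True,
              "groups": {"GRP-HR"}},                    # unknown to HR -> leaver
}

def derive_groups(attrs):
    """Attribute-driven membership: the department decides the base group."""
    return {f"GRP-{attrs['department']}"}

def reconcile(hr, directory):
    """Return (joiners, modifies, leavers), each mapping id -> desired state."""
    joiners, modifies, leavers = {}, {}, {}
    for emp_id, rec in hr.items():
        if rec["status"] != "active":
            # Leaver: disable and strip groups rather than delete the account.
            if emp_id in directory and directory[emp_id]["enabled"]:
                leavers[emp_id] = {"enabled": False, "groups": set()}
            continue
        wanted = {"name": rec["name"], "department": rec["department"],
                  "enabled": True, "groups": derive_groups(rec)}
        if emp_id not in directory:
            joiners[emp_id] = wanted
        elif directory[emp_id] != wanted:
            modifies[emp_id] = wanted
    # Enabled accounts the key system does not know about are leavers too.
    for emp_id, acct in directory.items():
        if emp_id not in hr and acct["enabled"]:
            leavers[emp_id] = {"enabled": False, "groups": set()}
    return joiners, modifies, leavers

if __name__ == "__main__":
    j, m, l = reconcile(HR_RECORDS, DIRECTORY)
    print("joiners:", sorted(j), "modifies:", sorted(m), "leavers:", sorted(l))
```

The output of reconcile is a plan, not a write: in a real deployment each action would be applied through the directory's provisioning connector and logged for audit.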
Continue with governance
But even if we have a good key system to rely on for joiner and leaver, there are many scenarios in the modify process that we need to pay attention to. Some of them, such as an employee moving to a new department or a student being approved for a new course, can be identified through the key system. But many other modify scenarios are decisions that we can't receive from a key system. Here we use a governance tool where the end user, the manager and a system administrator can manage requests for new applications and roles. We will take a deeper look into the world of governance and access rights in the next blog post.
With user provisioning in place, we have laid a good foundation for creating a digital identity that we can trust. But we also need to secure the central identity directory itself. Many attackers aim to gain control of Active Directory or the LDAP catalogue in order to elevate their access rights, and they often target system and service accounts. Here we may need to implement strong authentication and additional security controls to protect these valuable assets. That is a topic for a later blog post in this series.