Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Money saving: It may look that the cost of manual identity provisioning is quite small. But it is not. Not even close. The thing is that most of the cost is actually hidden. What managers perceive as the "cost of provisioning" is usually only the time of system administrators that create the accounts. But there is much more: There are help desk agents that handle password resets, access requests, calls of people that cannot access a system because an access was accidentally revoked and so on. The common employees need to waste a lot of time to figure out how to request an access, to whom the request should be sent, what it needs to contain, and actually they need to even figure out what exactly they need to request to get the access they need. And once the request is sent then they need to wait. And wait even more. There is usually no automatic escalation of the requests so the requests can easily be forgotten. There is almost no visibility into the process so the requestor does not even know who to ask. And so on. This is a reliable recipe for inefficiency and huge waste of time for all the employees. Good identity provisioning system can dramatically improve that. The results from real deployments show that the password resets go down from an hour to few seconds and the help-desk load is considerably reduced. It also shows that the average time to process an access request goes down from more than a week to two hours. The overall time saving though the entire organization is enormous.
  • Improved security: Every security professional knows that security is not that much about firewalls and cryptography than it is about information, processes and people. If a security officer does not have reliable information about the people then he just cannot have security. It is as simple as that. How is a security officer supposed to investigate an a security incident if he does not know who had access to what? Security incidents are not isolated to a single system. But it is a Herculean task for a security officer to combine information from several systems. Just imagine how "easy" is to compile a list of all privileges in all the systems for a group of suspected employees. It is in fact quite easy to get a list of accounts that have access to a single specific system. But it is almost impossible to get a list of all access privileges of any single person in all the systems. And how can one possibly investigate anything without this crucial information? Security officers that do this without a help of a provisioning system should be considered nothing less than a heroes. But there is a way out of this: provisioning system correlates user accounts in many systems. Provisioning system can provide all the information easily. Good provisioning system will not only tell who has account where but also provide information about the privileges such as group membership and special permissions. The reports from the provisioning system can be used to improve investigation of security incidents. But it can also dramatically improve security audits. A single report from a provisioning system will save a lot of days wasted on collecting the data from the systems and manually correlating them in spreadsheets. But there is even more significant benefit: provisioning system can enforce policies in all the information system. And it can make sure that the policies make sense all together for the organization as a whole. This can reduce the chance of any security incident happening in the first place.

...