ITSM & IdM Convergence = Request Orchestration

Organizations continue to be challenged by increasingly complex compliance and regulatory demands, while simultaneously being pressured by shrinking budgets. Faced with the seemingly impossible paradox of “doing more with less”, many organizations are struggling to understand what accounts and entitlements users hold across their enterprise systems. Up to now, organizations have been on a never-ending treadmill of periodic reviews, which have become a costly, time-consuming burden on the business. This after-the-fact approach may satisfy the auditors but does very little to address the root cause of the problem – users having inappropriate access.

Access violations, and the potential for loss that results from inappropriately granted access, are a serious risk. Many organizations are realizing that the current approach of periodic reviews is nothing more than a reactive audit which only creates the illusion of compliance. There is a new wave of understanding that recognizes that, in order to truly get ahead of this problem, it must be addressed proactively at the source – as part of the initial access request.

This important element of IT goes by many names – access management, rights management, identity management, service management – but it all comes down to addressing “how do users request and get access to company resources, including systems and assets?” The ability to provide a converged process that ties these functions together is Request Orchestration.

Almost every organization has at least one set of Identity and Access Management/Governance (IAM/IAG) and IT Service Management (ITSM) tools; in fact, some companies have an entire collection. More and more customers are recognizing the convergence of requirements and wondering where one solution ends and the other begins. This paper describes how Request Orchestration provides a clear path forward.


Problems…and Opportunities

The growing awareness surrounding these overlapping technologies has created new debates about where this functionality should live. Do you customize your IAM tool(s) to somehow handle assets and other manual requests? Should you extend your ITSM tool(s) to somehow perform identity management and governance? This difficult decision is further complicated by the need to leverage existing solutions to provide increased efficiency and compliance while minimizing cost and complexity.

There is no simple answer. Legacy IAM specializes in automating access to some key applications, but it represents a small subset of what users typically require.

Conversely, ITSM tools perform a broad range of manual service requests, but lack the ability to function as an enterprise IAM/IAG solution.

So which solution is best suited for the job? The following sections provide practical insights for a successful IAM/IAG program and highlight the limitations of ITSM tools to perform IAM/IAG functions.


A Typical Organization

For most organizations, their current request process goes something like this:

1. An event happens in HR (join, move, leave) and may trigger automated updates to a select few systems via an IAM tool (best case scenario)

2. For the majority of all other requests, someone (usually a manager) has to trawl through tens, if not hundreds, of forms to repeatedly fill out the same user information for each access request

3. Requests go “over the fence” with limited visibility or traceability of fulfillment activities

4. One of the fulfillment teams is often an IT security team who takes the information and re-keys it into an IAM tool for “automated provisioning” of a limited set of requests

5. The requestor typically has to follow up with the Helpdesk or fulfillment teams to obtain the status of their request

6. At some periodic interval (quarterly or even annually) a team of IT resources collects data from various systems, spends weeks or months correlating these accounts back to known users, and then sends out complex reports to managers to sign off on the cryptic access of their direct reports. The end result? Managers “rubber stamp” this to get it done and the auditors go away for another year, but there are few if any improvements to overall compliance

The diagram below depicts this all too common broken flow which has huge inefficiencies and redundancies. We can do better, and organizations are demanding smarter solutions.



ITSM as IAM/IAG? Consider the Limitations

This is the question more and more organizations are faced with. On the surface, you may look at your Service Management solution and recognize its strengths, such as:

1. It has a “service catalogue” concept
2. It has capable workflow tools for modeling approval flows
3. It has the ability to track and report status for requests


These would be valid observations, but they are just the tip of the iceberg of the complexities involved in extending an ITSM tool to act as an enterprise-grade IAM/IAG solution. Our first-hand experience has shown that there are 5 Key Success Factors for a successful program:

1. Integrate with HR Processes
2. Have a single view of “Who has access to what”
3. Apply proactive controls
4. Handle both automated and manual fulfillment
5. Provide visibility to request status and audit details


Below we will describe why each of these concepts matters, and how a traditional ITSM tool will struggle to accomplish these objectives.

1. Integrate With HR Processes, or “Why Identity Doesn’t Start After HR”

Why It Matters

Security does not happen in a vacuum. Users’ access generally changes because of an HR event: a user is Onboarded (joins), Changed (transfer, promotion, etc.) or Offboarded (leaves).

Deeper integration with HR processes can provide the following benefits:

•   Users electronically accept offers and “register” their personal details
•   Users can set and know their UserID/Password, and have access to systems (LMS, Orientation Portals, etc.) prior to their start date
•   Access requests can be automatically initiated based on HR events
•   Accurate user data can be taken directly from the source
•   If Roles are defined, access can be pre-approved

In fact, HR and Payroll can become targets to be updated from a converged process, not just triggers that fragmented IAM/ITSM solutions then have to react to.

Limitation of ITSM Solutions

•   Inability to evaluate Roles for pre-approved access
•   Up to the manager to remember to complete numerous forms
•   Delays in the timeliness of completing requests
•   Manager must rekey user data multiple times, increasing the likelihood of error and bad data

2. A Single View of “Who has access to what”, or “The IAM Holy Grail”

Why It Matters

This is the “holy grail” of IAM, as it is the common prerequisite for many critical outcomes. In order to achieve this view of “Who has access to what”, the following 3 data collection steps must be performed, each with its own challenges:

1. An up-to-date source of user data (including “Reports To”)
2. Accounts and entitlements from end systems
3. The ability to associate these accounts to a known user

Once this data is collected, cleaned and consolidated it can be used to serve multiple purposes across the 4 R’s of IAM/IAG:

•   Reports: at any point in time, be able to know “Who has access to what” and how/when/why it was granted, regardless of how it was fulfilled
•   Requests: support accurate Modify requests by using the currently assigned access as a starting point, and Offboards by knowing what accounts and assets to revoke
•   Roles: the ability to analyze and define pre-approved access based on key information about the colleague
•   Reviews: periodic access reviews, either by the manager for their direct reports or by application owners for the accounts in their systems

If you can present a view of “Who has access to what” in a timely, efficient and accurate way you will be well positioned to accomplish each of these complex IAM/IAG outcomes.
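The three data collection steps above, carried through as an added example that is not part of the original paper: account exports from two constructed end systems are correlated back to a constructed HR feed using a per-system rule (the rules, data and function names are assumptions for illustration). The result is the consolidated “Who has access to what” view, the orphaned accounts that matched no known user, and the revocation list an Offboard request should start from.

```python
# Added example (not from the paper): correlate account exports from end
# systems back to HR user data; all data and correlation rules are constructed.
from collections import defaultdict

# Constructed HR feed: the authoritative user source (step 1).
HR_USERS = [
    {"emp_id": "E100", "email": "ana.lopez@example.com", "status": "active"},
    {"emp_id": "E101", "email": "bob.chen@example.com", "status": "active"},
    {"emp_id": "E102", "email": "cara.diaz@example.com", "status": "terminated"},
]

# Constructed account exports (step 2). Each system identifies people differently.
SYSTEM_ACCOUNTS = {
    "ActiveDirectory": [
        {"account": "alopez", "mail": "Ana.Lopez@example.com", "entitlements": ["Finance-Users"]},
        {"account": "cdiaz", "mail": "cara.diaz@example.com", "entitlements": ["Domain Users"]},
        {"account": "svc-backup", "mail": "", "entitlements": ["Backup Operators"]},
    ],
    "SAP": [
        {"account": "E100", "entitlements": ["FI_AP_CLERK"]},
        {"account": "X999", "entitlements": ["SAP_ALL"]},
    ],
}

# Hypothetical per-system rules (step 3): derive an HR lookup key from a record.
CORRELATION_RULES = {
    "ActiveDirectory": lambda acct: ("email", acct["mail"].lower()),
    "SAP": lambda acct: ("emp_id", acct["account"]),
}

def correlate(hr_users, system_accounts, rules):
    """Return (access_by_user, orphans): emp_id -> [(system, account, entitlement)],
    plus the accounts that matched no HR record."""
    index = {("emp_id", u["emp_id"]): u["emp_id"] for u in hr_users}
    index.update({("email", u["email"].lower()): u["emp_id"] for u in hr_users})
    access, orphans = defaultdict(list), []
    for system, accounts in system_accounts.items():
        for acct in accounts:
            emp_id = index.get(rules[system](acct))
            if emp_id is None:
                orphans.append((system, acct["account"]))   # nobody in HR owns this
                continue
            for ent in acct["entitlements"]:
                access[emp_id].append((system, acct["account"], ent))
    return dict(access), orphans

def offboard_revocations(hr_users, access_by_user):
    """Everything still assigned to users HR marks as terminated: the revoke
    list an Offboard request should be seeded from rather than guessed."""
    gone = {u["emp_id"] for u in hr_users if u["status"] == "terminated"}
    return {e: access_by_user[e] for e in gone if e in access_by_user}
```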

Limitation of ITSM Solutions

•   Does not utilize a “security-centric” Service Catalogue that is built around defining the application entitlements/roles available for request
•   Generally not suited to act as a security/compliance policy rule engine for entitlements/roles
•   Unable to perform reconciliation with source systems
•   Needs manual syncing with other sources for up-to-date user data (see #1 on the lack of HR process integration)
•   Changes are made with limited knowledge of users’ current access, resulting in users accumulating more access and an increased chance of compliance violations
•   Offboard/remove processes are less effective due to the lack of visibility to all assigned accounts and assets, resulting in more orphaned accounts and lost assets
•   Generally not capable of performing Role analysis and modeling
•   Not usually built to perform periodic access reviews

3. Proactive Controls, or “Preventing Fires from Starting in the First Place”

Why It Matters

Most organizations today are dealing with compliance in a reactive way through periodic access reviews. The concept of continuous and proactive controls is based on an approach that security and compliance policies are applied and evaluated before requests are submitted, thereby preventing incorrect access from being granted in the first place.

This is accomplished through compliance rules such as:
•   Segregation of Duties (SoD) defined at a granular permission level (e.g. a user cannot have Active Directory Group X together with SAP Role Y)
•   Restricting/personalizing choice for ad-hoc discretionary requests (e.g. only users in Finance are able to request a particular system or specific entitlement)
•   Allowing for exception-based override approvals
•   Ensuring these policies are applied consistently for all reports, requests, roles and reviews
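The four rule types above, as an added example that is not from the paper or any product: a small policy check that runs before a request is submitted, flags SoD conflicts and restricted entitlements, records approved exception overrides rather than silently allowing them, and reuses the very same rules for a periodic review. Policy shapes, entitlement names and departments are constructed assumptions.

```python
# Added example (not from the paper): evaluate a request against governance
# policies before submission, and reuse the same rules for reviews.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    pid: str
    kind: str                  # "sod" (toxic pair) or "restricted" (who may request it)
    entitlements: frozenset    # sod: the conflicting pair; restricted: the guarded item(s)
    allowed_depts: frozenset = frozenset()   # restricted only

# Constructed policies in the shape the text describes.
POLICIES = [
    Policy("SOD-01", "sod", frozenset({"AD:Payment-Release", "SAP:FI_AP_CLERK"})),
    Policy("RA-01", "restricted", frozenset({"SAP:FI_AP_CLERK"}), frozenset({"Finance"})),
]

def evaluate(dept, existing, requested, policies, exemptions=frozenset()):
    """Return findings as (policy_id, entitlement, reason, overridden) for
    granting `requested` to a user in `dept` who already holds `existing`.
    `exemptions` holds policy ids with an approved exception-based override
    for this user; those findings are kept (for the audit trail) but marked."""
    proposed = set(existing) | set(requested)
    findings = []
    for p in policies:
        if p.kind == "sod" and p.entitlements <= proposed:
            # flag each requested item that completes the toxic combination
            hits = sorted(p.entitlements & set(requested))
            reason = "segregation of duties"
        elif p.kind == "restricted" and dept not in p.allowed_depts:
            hits = sorted(p.entitlements & set(requested))
            reason = "restricted to " + ",".join(sorted(p.allowed_depts))
        else:
            continue
        for ent in hits:
            findings.append((p.pid, ent, reason, p.pid in exemptions))
    return findings

def blocking(findings):
    """Findings without an approved override: these stop the request."""
    return [f for f in findings if not f[3]]

def review(dept, current, policies, exemptions=frozenset()):
    """A periodic review applies the same rules by treating all current
    access as if it were being requested now."""
    return evaluate(dept, set(), current, policies, exemptions)
```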

Limitation of ITSM Solutions

•   Does not define, store or enforce governance policies (e.g. Restricted Access, SoD, etc.) about resources and entitlements in the service catalogue that can be applied globally
•   Users generally presented with all available forms and options, and expected to make correct
•   Relies on requestors and approvers to not violate compliance policies
•   Cannot allow or track compliance violation exemptions and overrides

4. Handle Both Automated and Manual Fulfillment, or “Recognizing the Realities of Today’s IT Landscape”

Why It Matters

The benefits of automated provisioning of accounts and entitlements are numerous and include the following advantages:
•   Elimination of manual admin effort and cost
•   Faster fulfillment/SLAs for completion
•   Improved accuracy and compliance (less human error)
•   Minimized risk by granting/revoking access in near-real time

This functionality is typically the domain of IAM; however, the reality is that even the most successful IAM provisioning projects only include a subset of all the assets and access that users ultimately require. All other requests are generally handled through ITSM/Service Management, which is usually a separate manual process.

In reality, all organizations utilize multiple fulfillment channels – different requests can be fulfilled in different ways such as a manual ITSM tool (or multiple ones), Identity Management tool, Enterprise Service Bus (ESB), or through direct endpoints.

This is the opportunity for true enterprise Request Management that spans both IAM and ITSM technologies.

Limitation of ITSM Solutions

•   Does not perform auto-provisioning; requires customization to initiate transactions into an IAM tool
•   Not suited to generate the unique identifier that most systems rely on for SSO
•   No “closed loop” audit to confirm which unique User ID was actually used to manually create an account, thereby making future correlation more difficult

5. Visibility to Request Status, or “How to See the End-to-End Process”

Why It Matters

Once an organization embraces the concept of an integrated process with HR events and recognizes the reality of dealing with multiple fulfillment channels, the next obvious issue is how to track, audit, and measure this activity.

Today, requests go “over the fence” with limited visibility to various IT teams or queues which leaves the initiator with the burden of checking multiple sources to get any updates.

At an aggregate level, this also creates an inability to accurately measure completion times – when were requests initiated, approved, or completed, regardless of fulfillment channel (manual vs. automated)? For example, HR may ask “are we getting new hires Onboarded with everything they require for Day 1?” Even if you could answer this question effectively, could you provide intelligence such as “80% of the telecom team requests exceed their 3 day SLA”?

By measuring and auditing true process completion against SLAs, these metrics enable you to identify root causes and target specific areas for improvement.

Limitation of ITSM Solutions

•   No visibility to the overall business process, including HR events
•   Does not measure the true process, only the time from when a valid, approved request is submitted (i.e. time to closure on a ticket)
•   Users must track separate requests and call different teams to get any update on progress and status
•   Limited ability to answer *why* a user was granted a specific resource or entitlement (i.e. pre-approved, triggered due to a job change, requested by manager, etc.)
•   No audit capabilities around compliance policies, when they were applied, and if/how/when exemptions were granted

A New Approach: Request Orchestration
If you are expecting your ITSM tool to provide answers to any of the following questions:

1. What is the user’s accurate data?
2. What access/assets does a user currently have?
3. What access/assets should a user have? (pre-approved)
4. What access/assets shouldn’t a user have? (compliance policies)
5. How to confirm a user got what was requested?
6. How to review and certify that a user has the access they are supposed to?
7. How to integrate with HR processes?

…then you will effectively be using your ITSM tool as a development platform to build a customized IAM/IAG solution. While ITSM plays an important role in managing tickets within an organization, it was not designed to deal with the complexity of identity and access management and governance. Conversely, your existing IAM tools will continue to have a limited view based only on the systems they have direct integrations with, and will not provide the holistic picture of “Who has access to what”.

So, back to the original challenge of “how to do more with less”. Start by considering this possibility:

What if you could be continuously compliant? What if you could increase compliance to satisfy auditors and provide business value by driving millions of savings in process efficiencies?

The answer is Request Orchestration. The goal is not to replace HR, IAM or ITSM solutions but to answer the question “who owns the process that spans across them and fills in the gaps between them?” You must seek solutions that can leverage the strengths of each of these tools and create a best-of-breed process that unifies these disparate technologies. Only when you get to the root cause of the problem – dealing proactively with “Who has access to what” as part of Request Orchestration – will you be on a path towards increasing compliance while simultaneously generating positive business value.

This shift towards proactive compliance through Request Orchestration is the next generation of identity solutions that leading companies are recognizing the need for. Before long, auditors and regulators will realize a reactive approach is no longer adequate and organizations that are already on this path will be well positioned to meet the next wave of compliance requirements head on.

N8 Identity
N8 Identity is Canada’s leading dedicated IAM solution provider with almost 2 decades of IAM consulting experience; in fact, IAM is all that we have ever done. The lessons learned from more than 75 enterprise implementations led us to create a new and innovative product – TheAccessHub. TheAccessHub.com is a subscription-based Identity-as-a-Service platform built for the IoT that scales from SMB to enterprise and deploys in minutes.

To learn more about how we have helped other customers improve compliance while driving down cost, contact Shawn Upson, VP of Sales at shawn.upson@n8id.com or Jay O’Donnell, CEO & Founder at jay.odonnell@n8identity.com.

Posted Monday June 5, 2017