
How To Manage And Control End User Access

posted May 27, 2016, 9:37 AM by Resty Manapat

A look at the perils of manual user-access provisioning and ways to streamline and better manage the process via automation.

The information security team is often seen as the department of “No.” At best, it's viewed as the department that impacts productivity and drives down employee satisfaction. Take the simple task of an employee getting access to business resources to do his or her job.

One of a few scenarios takes place:

A request for access or a password change is made and takes ages to complete: A new employee joins the company and requests access to a business system. Three days later, complaints roll in: “I still don’t have the access I need to get my work done.”

A request for access or a password change is made without any formal process in place and the request gets lost in a black hole: 60 days have passed and the employee is required to change their passwords, for every system and application to which they’ve been granted access. (Keep in mind not all systems and applications were granted on the same day, 60 days ago).

A request for access or a password change is made directly and informally, and too much access is given to the user: A member of IT asks the router SysAdmin for an admin-level login so they can make a change and run a quick test on a new application. Rather than creating a new time-based credential, the busy SysAdmin sends an email that reads, “Here’s the admin username and password for router XYZ—please don’t share it or abuse it!”

No request for access is made. The user instead finds a different service or means to get their work done—thank you, Shadow IT: An employee needs to share large files with a new external business partner and therefore needs access to the company’s cloud storage service. It took IT more than a couple of hours to grant them access, so they signed up for their own personal cloud storage service and shared the company’s financial data that way.

IT, the help desk, and InfoSec teams are overwhelmed with these types of requests and they have no easy way to collaborate with each other to make the process better. The challenge comes down to connecting IT, InfoSec, and HR operations together such that integrated, streamlined workflows can exist.

Organizations are hunting for such operational timesavers, many times starting with help desk systems (like ServiceNow) and HR employee management systems (like WorkDay). In fact, many organizations have already invested heavily in these types of systems. To this point, at the recent CentrifyConnect conference in New York, about a quarter (25%) of the audience said they use ServiceNow, and about 15% use Workday. 

Just because things are manual and cumbersome doesn’t mean you can take credential management lightly, especially given that most of today’s attacks compromise the identity as the primary means for attack. According to the Verizon Data Breach Investigations Report, 63% of the confirmed data breaches involved weak, default or stolen passwords. 

Conversely, you can’t focus solely on controlling access. 

Take a look at the options for end user provisioning, and how to maintain a proper level of access control while minimizing the operational impact on IT, InfoSec, and HR, as well as improving the experience for end users: 

Manually Provisioning New Employees 

In the case of on-boarding a new employee, the following manual steps are normally required and involve multiple people and multiple approvals: 

  • HR creates the request to add a new employee
  • IT gets notified to create the user
  • IT selects the role(s) in Active Directory
  • IT provisions each and every application
  • The employee is required to create new passwords for each system and application 

Automated New Employee Provisioning 

Using an identity-based centralized security policy, the connection between Active Directory and the secure access to systems/applications can be automated. Additionally, with the addition of single sign-on as part of this flow, the credentials could be federated such that a single username/password is leveraged by the user for each and every system and application they need to access. 

A new, streamlined process could look like this:

  • HR creates the request to add a new employee
  • IT gets notified to create the user
  • IT selects the security policy
  • The integration among Workday, ServiceNow, and Centrify automates the provisioning of systems and applications 

Manual Password Resets 

On a user’s first day at work, even if all new system and application access is controlled through a single sign-on process, they still need to set their new password for the first time. Assuming the company has a good password management practice in place, the user will also need to change their password regularly. 

At $25 to $200 per call to the help desk for one password reset call per employee per year, manually managing password resets and account unlocks can get very expensive, notes Andy Zindel, director of technical business development at Centrify. Manual processes can be both a pain for the user and an extremely inefficient use of help desk resources: 

  • User requests (or is forced to perform) a password change for most if not all systems and applications 
  • IT manually resets the password(s)
  • IT sends the user their new password(s) which the user will need to change upon next logon 

Automated Password Resets 

Using automated, self-service capabilities, users should be able to request their own password resets whenever they want to or need to: 

  • User is directed to the portal for their password reset
  • User verifies their identity
  • User changes their password 

ServiceNow and Centrify automate the change in Active Directory. With the integration of single sign-on, the new password grants them access to all systems and applications associated with their identity’s security policy. 

Manual Application Access Requests 

As roles expand, employees often find they need access to more systems and applications to get their job done. Sometimes, this access is granted outside of a formal access control or change management process. However, even with a formal process, the traditional method for granting access typically requires a manual step by the team(s) managing the system or application.

  • End user requests access to a system or application
  • The user’s manager has to approve the access (hopefully)
  • The system/application manager has to approve the access (hopefully)
  • IT receives the request to provision the system or application
  • IT manually provisions the access—for each user and each system/application 

Automated Application Requests 

With single sign-on access to the help desk portal, users can make the request, approvals are routed automatically, and the request triggers the automated provisioning of the new system or application.

  • User requests access to a system or application
  • Manager and SysAdmin approvals are automatically routed
  • The new system/application is automatically provisioned with the right role assignment based on the user’s group membership and policy settings in Active Directory 

Manual Privileged Access Requests 

Companies often forget that IT personnel are users, too: they need to be managed with the same formal processes. Doing so avoids accidental or malicious activities while IT possesses privileged access to critical systems and applications. Sometimes members of the IT team need temporary administrative access to a system to make a change to support a new business process. However, this request either takes place outside of formal processes (“go ahead and use the admin password for this change, but please don’t misuse it”), and/or access is granted without ensuring the credentials are revoked once they are no longer required.

  • IT user asks the system administrator for privileged access
  • SysAdmin manually configures access to the requested resource
  • SysAdmin emails the credentials to the user
  • SysAdmin hopes the IT user won’t misuse or share the credentials
  • SysAdmin forgets to revoke the credentials once the user no longer requires access to the resource 

Automated Privileged Access Requests 

Gaining privileged access is a serious thing. Protecting privileged credentials and controlling their use is thus a task that should be taken seriously. Automating the process to maintain control and eliminate human error is critical:

  • IT user asks the SysAdmin for privileged access
  • SysAdmin is notified of the request and approves access for a specified period of time
  • Upon approval, the IT user receives an automated email which contains an access link to the resource without exposing the password to the user
  • Access will be turned off automatically after the specified time runs out
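The time-bound flow above, as an added example that is not part of the article and not Centrify's or ServiceNow's code: a small just-in-time access broker in which a request is approved for a fixed window, the requester gets an opaque link rather than the admin password, every step is audited, and a sweep revokes the grant once the window has elapsed. The class and function names and the link URL are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed example (not from the article): a minimal just-in-time privileged access
# broker; JitBroker, AccessGrant and the link URL are assumed names for illustration.

@dataclass
class AccessGrant:
    grant_id: str
    user: str
    resource: str
    approved_by: Optional[str] = None
    expires_at: Optional[datetime] = None
    revoked: bool = False


class JitBroker:
    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self.clock = clock  # injectable clock so expiry can be tested deterministically
        self.grants, self.audit = {}, []  # grant_id -> AccessGrant; audit trail of each step

    def request(self, user: str, resource: str) -> str:
        gid = secrets.token_urlsafe(12)
        self.grants[gid] = AccessGrant(gid, user, resource)
        self.audit.append(f"REQUEST {gid} user={user} resource={resource}")
        return gid

    def approve(self, gid: str, approver: str, minutes: int) -> str:
        g = self.grants[gid]
        if approver == g.user:
            raise PermissionError("requester may not approve their own request")
        g.approved_by = approver
        g.expires_at = self.clock() + timedelta(minutes=minutes)
        self.audit.append(f"APPROVE {gid} by={approver} until={g.expires_at.isoformat()}")
        # The user receives an opaque access link; the admin password itself is never sent.
        return f"https://broker.example/access/{gid}"

    def can_access(self, gid: str, user: str, resource: str) -> bool:
        g = self.grants.get(gid)
        if g is None or g.revoked or g.expires_at is None:
            return False
        return g.user == user and g.resource == resource and self.clock() < g.expires_at

    def expire_grants(self) -> list:
        expired = [g for g in self.grants.values() if not g.revoked and g.expires_at and self.clock() >= g.expires_at]
        for g in expired:
            g.revoked = True
            self.audit.append(f"REVOKE {g.grant_id} reason=expired")
        return [g.grant_id for g in expired]
```

In a real deployment the broker would hold the router or server credential in a vault and proxy the session through the link, so the link is the only thing the requester ever sees.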


Source: InformationWeek Dark Reading