
Identity Life Cycle Management Evolved
Streamline and Secure your Identity Life Cycle Management with AI and Intelligent Automation

[Cover figure: identity lifecycle events labelled New Employee, Job Change, Permission Request]
Introduction

Sidebar: 43% of IT teams mention that manual permissions processes will be a challenge for them in 2020.

Organizations run on their applications. Every day, we use Microsoft, Google, Salesforce, AWS, and a long list of products and services for collaboration and productivity.

The typical organization with over 1,000 employees uses over 288 apps, each with its own permission model that must be navigated. This process of managing diverse permissions can consume significant amounts of valuable time and resources, all of which could be spent more productively on other tasks for the business.

Sidebar: 56% of IT executives still rely on internal tools and manual spreadsheets to manage SaaS applications.

Striking a balance between security and productivity is difficult, especially at scale, where IT and Security teams struggle to keep up with the influx of permissions requests. A survey of companies found that it takes an average of 13 days for new employees to receive access to their applications.

The good news is that more organizations are starting to leverage automation and Machine Learning to make data-driven Identity Governance and Administration decisions faster and more efficiently.

To understand how technology is impacting the process, it is helpful to explore why this process is such a challenge for many organizations.

In this paper we'll discuss

Challenges to Identity and Authorization Management

Applying the Principle of Right Privilege to the JML Lifecycle

Modernizing the Identity Governance and Administration Process

Authomize — The Intelligent Prescriptive Analytics Engine


Challenges to Identity and Authorization Management

As work has shifted from a place that you go to something that you can do from anywhere, legacy approaches to access and security have shifted significantly. It is no longer enough to be inside your firewall. Your applications have to be accessible to you wherever you are. There are a couple of factors that are complicating how we manage access to our applications.

As more organizations undergo digital transformations from on-premises to SaaS and the rest of the XaaS alphabet soup, they are increasingly relying on access controls based on identity over legacy practices that depended on being located within the local network.

For each application that a user has, they require a new individual identity for that account. With each user’s collection of identities growing exponentially (both for human and non-human identities), the task of managing them becomes increasingly difficult.

Given the dynamic nature of identities, spinning them up and down as needed, how are organizations thinking about addressing the challenge of managing their permissions?

At the core of the permission challenge is an ongoing tension over how much access is the right amount to grant, given the potential for risk.

There is always a tension between IT operations and Security. If you grant too much access to too many people, then you raise your risk of data breach. On the flip side, if you lock it down to an extreme degree, then work becomes unfeasible since nobody can access the applications that they need to do their job. Striking the right balance is difficult to achieve, and is costly in terms of time and resources needed to manage this process.

The task of figuring out who needs to receive permission to access which
apps falls on the IT and security teams. These departments receive
massive amounts of requests from various departments within the
organization. They then have to go through the process of figuring out not
only if the person making the request should be approved or denied, but
also who needs to be consulted to sign off on it.

In some organizations, they face the challenge of “rubber stamps” wherein employees are simply granted permissions without undergoing any real confirmation that they should indeed have that access. Far too often, these decisions are based on a hunch, and not real data. This is understandably a security risk as it can lead to both privilege creep for that employee as well as permission sprawl across the organization.

When the number of permissions begins to exceed the amount required by the organization, it creates a Permission Gap that can unnecessarily raise the level of risk. This number of excessive permissions can grow over time, significantly expanding the organization’s threat surface.

[Figure: Permissions Gap. Vertical axis: permissions across all apps; horizontal axis: time since the identity was created. The area between the permissions granted and the exact permission needed is labelled Excessive permissions.]

From a management perspective, CISOs lack the visibility and control necessary to ensure that their permission policies are being enforced. This is because most of the heavy lifting of those granular permission management tasks for the end users is being handled by their enterprise’s widely distributed IT teams. Without the tools to set the policy, enforce guardrails, and attain visibility across their organization, CISOs lack the necessary control to contend with the risks associated with the distributed management of end user privileges.

The second challenge here is that not only are these rubber stamp
organizations flouting the Principle of Least Privilege, but they are also
likely not granting the right amount of privilege.


Applying the Principle of Right Privilege to the JML Lifecycle

Sidebar: $104 is the total cost of ownership (TCO) per support ticket.

Joiner-Mover-Leaver (JML) Lifecycle events like onboarding, offboarding, or transferring to new roles or departments, adding new applications, and of course when an employee leaves the company, will all require additional and specific approvals and revocations of their access.

There is a tendency among a lot of organizations to simply use a “model after” approach where new employees are provided with the permissions that are granted to others in similar roles in their departments. The problem here is that no two employees are likely to really be exactly alike, so their permission profiles should not be either. Granting one the same permissions as another can easily lead to permission creep for employees, creating a situation that is all risk and very little reward.

Sidebar: 5.5 user access changes per year.

Perhaps they are working on different projects and therefore need to use different applications, albeit with a fair amount of crossover. In some cases, an employee may find him or herself with access to the application that they requested, but in fact need a higher level of permission to do his or her job. The inverse is true as well, where the person’s access should be lower than it is for a given app. Each case needs to be examined on its own merits and decisions taken accordingly. However, as we know, time is a limited resource and in larger organizations these review tasks can mount up fast.

For example, it can take an average of 45 minutes to perform an individual employee access review. And this is not a one time effort. Research shows an average of 5.5 user access changes are performed every year, so managing this process manually is hardly an ideal option.
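The following is an added example, not Authomize's code, that makes the Permission Gap and the “model after” problem concrete with constructed peer data: a model-after profile copies the union of what peers hold, whereas a right-privilege profile keeps only what most peers actually used in the observation window. The permission names, peers and threshold are assumptions.

```python
"""Added example (not Authomize's code): how a "model after" profile
creates a Permission Gap, on constructed data for three marketing peers."""

from collections import Counter

# Constructed data: permissions held vs. permissions actually used
# during the observation window (e.g. the last 90 days).
HELD = {
    "alice": {"hubspot:edit", "gmail:user", "salesforce:view", "salesforce:admin"},
    "bob":   {"hubspot:edit", "gmail:user", "salesforce:view"},
    "carol": {"hubspot:edit", "gmail:user", "salesforce:view", "aws:s3-write"},
}
USED = {
    "alice": {"hubspot:edit", "gmail:user", "salesforce:view"},
    "bob":   {"hubspot:edit", "gmail:user"},
    "carol": {"hubspot:edit", "gmail:user", "salesforce:view"},
}


def model_after(peers):
    """"Model after": grant everything anyone in the peer group holds.
    Every peer's personal excess is inherited by the new joiner."""
    return set().union(*(HELD[p] for p in peers))


def right_privilege(peers, threshold=0.5):
    """Grant only permissions used by more than `threshold` of the peers;
    this approximates the "exact permission needed" line of the figure."""
    counts = Counter(perm for p in peers for perm in USED[p])
    return {perm for perm, n in counts.items() if n / len(peers) > threshold}


def permission_gap(granted, needed):
    """Excessive permissions: granted but not needed."""
    return granted - needed


if __name__ == "__main__":
    peers = ["alice", "bob", "carol"]
    granted = model_after(peers)
    needed = right_privilege(peers)
    print("model-after profile :", sorted(granted))
    print("right-privilege     :", sorted(needed))
    print("permission gap      :", sorted(permission_gap(granted, needed)))
```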

When it comes time for an employee to leave the organization, aka offboarding, we need to make sure that they are not creating, intentionally or unintentionally, exposure for the organization.

Not leaving orphan accounts, especially those created for external individuals, is another essential checklist item for good privilege security hygiene. Because they exist outside of the HR visibility system, there is a good chance that they can fly under the radar.

While monitoring for suspicious activity like downloading documents is probably already on the checklist, it is also important to ensure that they are not sharing access to work-related assets with their personal accounts. Keeping track of who has access to what, again at scale, is Sisyphean at best, while failing to do so can be seriously detrimental at worst.

Thankfully, we are starting to see the increased adoption of machine learning and Automation technologies in the industry, providing these overworked teams a powerful tool to manage their workload more effectively.


Modernizing the Identity Governance and Administration Process

Sidebar: “By 2022, more than 50% of Identity Governance and Administration vendors will offer predictive, anticipatory autonomous governance engines supercharged by ML and AI identity analytics for mitigating identity risk more efficiently.”

Given the scale of approvals that need to be reviewed at every stage of the Identity Lifecycle, organizations have an imperative to seek out ways to automate and manage their identities and permissions more efficiently.

By harnessing the power of machine learning, organizations are able to learn more about which types of employees should have which types of permissions. This in turn allows them to prescribe which kinds of access an employee should have, even before they make their request.

For instance, if Lisa joins the Marketing team, then an ML algorithm should be able to suggest which types of permissions people in her department with her type of role should have. We can assume that most of these applications will not require additional approvals because they are fairly standard, with apps like Hubspot, Gmail, and Salesforce coming to mind.

But for those cases where it might be necessary for an admin or other kind of app owner to sign off on Lisa’s access, the ML algorithm can probably suggest who that approver is since they have been the one to grant the permission in the past.

By simply learning about the types of roles within Lisa’s organization and drilling down who needs and approves which kinds of permissions, her IT and Security departments can significantly reduce the amount of time and resources that would normally go into tracking everything through the process.

[Figure: recommendation card with the fields “We suggest...”, “...Which will...” and “...Because...”]

It is through this combination of ML with automation that Authomize has built the next generation of IGA solutions for the enterprise.


Authomize — The Intelligent Prescriptive Analytics Engine

Sidebar: We believe that your time is better spent on tasks other than manually tracking down or waiting on approval requests.

Our solution automates permission policies by first integrating with all of the SaaS apps, infrastructures, identity management providers, and even home-grown apps. We then integrate into your ITSM solution (Jira, ServiceNow, and many more) to deliver contextual, data-based recommendations that improve your identity lifecycle process.

We do this by analyzing who in your organization requires which permissions in order to do their job effectively. This entails taking into account their roles and responsibilities; understanding which permissions correspond to their needs; how they use the apps and how it correlates to other users; the organization’s permission hierarchy; as well as the group assignment structure. We then perform this analysis cross-application, offering the best recommendations possible.

In order to keep up with the dynamic and highly distributed nature of the
enterprise environment, Authomize replaces the legacy periodic audit with
continuous scanning of end user privileges. By collecting a significantly
wider spectrum of data, Authomize’s Machine Learning engine is able to
produce up-to-date, data-driven recommendations at a scale and pace
that the large scale of the enterprise demands.

Our algorithm then recommends not only who should be approved or denied access, but also provides recommendations to help us understand if our team members have the right amount of access.

This approach helps answer questions such as whether Lisa needs permissions to more applications than she currently has, a higher level of privileges within specific applications, and even who is the admin or app owner that can sign off on her approvals.

Permissions Request Workflow Use Cases

In many cases, our intimate comprehension of how your organization ticks can help to eliminate the need for those human-made requests and approvals, fully automating the process from end-to-end with actionable recommendations.

We can visualize this automation in practice with a couple of common JML workflow examples. Meet Ben, a developer at ACME. When Ben makes his request for access to the GCP dev Bucket, Authomize is able to identify that he is a member of the dev team and should be added to the Dev group that has access. Since he meets the necessary requirements, this is an easy call that can be resolved with an automated approval recommendation.

Fully Automated Permission Request and Approval

[Mock-up of the ITSM conversation]
Ben MacDougal (2:10pm): I need access to GCP dev Bucket
Jira/ServiceNow… [ITSM] (2:10pm): We recommend to grant permission by adding to Dev group

Multiple Stakeholders Approval Required

In another instance, if Ben has changed roles within the organization, then his request might call for some additional scrutiny. Here Authomize is able to identify that this is the case and to save Ben’s IT team the time that would otherwise be spent tracking down the multiple stakeholders who have to sign off on his approval.

[Mock-up of the ITSM conversation]
Ben MacDougal (2:10pm): I need access to GCP dev Bucket
Jira/ServiceNow… [ITSM] (2:10pm): We recommend to grant Ben access by adding him to the Dev group, due to him being a member of Kelle's team
Jira/ServiceNow… [ITSM]: We recommend to approve this access request with Jake and Kelle because he's not part of any team that should have access to this resource
Stakeholders shown: Jack (Application owner), Kelle (Direct manager)

This allows teams to direct more of their focus to those requests that truly
require that extra human handling for more sensitive approvals. There
are many other instances throughout the JML lifecycle that are ripe for
automation and time savings, including recertification as a prime example.
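The two Ben scenarios above, as an added example that is not Authomize's code: a toy routing rule that auto-approves a request when the requester belongs to a team entitled to the resource's group, and otherwise routes it to the application owner and the direct manager with the reason. The data classes, the ACME sample data and the rule itself are assumptions made for illustration.

```python
"""Added example (not Authomize's code): routing a permission request the
way the two JML use cases above describe, on constructed ACME data."""

from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    entitled_group: str   # group whose membership carries the access
    entitled_teams: set   # teams whose members may be added to that group
    owner: str            # application owner who signs off on exceptions


@dataclass
class Identity:
    name: str
    teams: set
    manager: str          # direct manager, the second stakeholder


@dataclass
class Recommendation:
    action: str           # "auto_approve" or "needs_approval"
    group: str
    approvers: list = field(default_factory=list)
    reason: str = ""


def recommend(requester: Identity, resource: Resource) -> Recommendation:
    """Case 1: requester is on an entitled team -> recommend adding to the group.
    Case 2 (e.g. after a role change): no entitled team -> collect stakeholders."""
    matching = requester.teams & resource.entitled_teams
    if matching:
        team = sorted(matching)[0]
        return Recommendation(
            action="auto_approve", group=resource.entitled_group,
            reason=f"{requester.name} is a member of the {team} team")
    return Recommendation(
        action="needs_approval", group=resource.entitled_group,
        approvers=[resource.owner, requester.manager],
        reason=f"{requester.name} is not part of any team that should "
               f"have access to {resource.name}")


# Constructed sample data modelled on the page's scenario (assumed values).
GCP_DEV_BUCKET = Resource("GCP dev Bucket", "Dev", {"dev"}, owner="Jack")
BEN_DEVELOPER = Identity("Ben", {"dev"}, manager="Kelle")
BEN_AFTER_MOVE = Identity("Ben", {"support"}, manager="Kelle")  # role changed

if __name__ == "__main__":
    print(recommend(BEN_DEVELOPER, GCP_DEV_BUCKET))
    print(recommend(BEN_AFTER_MOVE, GCP_DEV_BUCKET))
```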


Offboarding

Instantly revoke permissions across all apps and systems
Monitor separating employee activities and identify risky actions in the past 30 days (e.g. file sharing)
Pinpoint and revoke API-based identities, key token applications and more...
Detect orphaned accounts and transfer ownership to secure accounts

Any and all access points that they may have with the organization need to be severed. Beyond deleting their account, it is necessary to revoke access to their identities that may exist through APIs, certifications, or other methods.

However, by constantly monitoring all of an employee’s permissions throughout their time at the organization, Authomize automatically maps out the employee’s access points. So when it comes time to revoke access when a person leaves the organization, the IT team has a ready checklist to work with.

[Figure: map of an employee’s access points across apps, with role labels such as Member, Viewer, Editor, Admin and Approver]
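To show what such a ready checklist has to contain, here is an added example (not Authomize's code) that builds a leaver's revocation list from a constructed access inventory, including the non-account access points the text calls out (API keys, tokens, shares to personal accounts), and flags orphan accounts that are not linked to anyone on the HR roster. The inventory shape, the sample records and the personal-domain list are assumptions.

```python
"""Added example (not Authomize's code): offboarding checklist and orphan
account detection over a constructed inventory of access points."""

from collections import defaultdict

# Constructed inventory: one record per access point. 'owner' is the HR
# identity the access point is linked to; None means it was never linked.
INVENTORY = [
    {"app": "Gmail",      "kind": "account", "subject": "ben@acme.example",    "owner": "ben"},
    {"app": "GCP",        "kind": "group",   "subject": "Dev",                 "owner": "ben"},
    {"app": "GCP",        "kind": "api_key", "subject": "svc-ben-ci",          "owner": "ben"},
    {"app": "GitHub",     "kind": "token",   "subject": "pat-ben-laptop",      "owner": "ben"},
    {"app": "Drive",      "kind": "share",   "subject": "Q3-roadmap -> ben.personal@gmail.example", "owner": "ben"},
    {"app": "Salesforce", "kind": "account", "subject": "contractor42",        "owner": None},
    {"app": "Jira",       "kind": "account", "subject": "lisa@acme.example",   "owner": "lisa"},
]

PERSONAL_DOMAINS = {"gmail.example", "outlook.example"}   # assumed list


def offboarding_checklist(owner_id, inventory=INVENTORY):
    """All access points tied to the leaver, grouped by kind so that API keys,
    tokens and external shares are revoked alongside the obvious accounts."""
    by_kind = defaultdict(list)
    for rec in inventory:
        if rec["owner"] == owner_id:
            by_kind[rec["kind"]].append(f'{rec["app"]}:{rec["subject"]}')
    return dict(by_kind)


def orphan_accounts(hr_roster, inventory=INVENTORY):
    """Accounts with no HR owner, or whose owner is no longer on the roster:
    a leaver's account that survived offboarding shows up here too."""
    return [f'{r["app"]}:{r["subject"]}' for r in inventory
            if r["kind"] == "account" and r["owner"] not in hr_roster]


def personal_account_shares(owner_id, inventory=INVENTORY):
    """Shares from the leaver to addresses in personal-mail domains."""
    hits = []
    for rec in inventory:
        if rec["owner"] == owner_id and rec["kind"] == "share":
            target = rec["subject"].split("->")[-1].strip()
            if target.rsplit("@", 1)[-1] in PERSONAL_DOMAINS:
                hits.append(rec["subject"])
    return hits


if __name__ == "__main__":
    print(offboarding_checklist("ben"))
    print(personal_account_shares("ben"))
    print(orphan_accounts({"lisa"}))   # roster after Ben has left
```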

Onboarding

Fully automate the onboarding process for new employees
Avoid granting excessive permissions from day one
Grant accurate permissions rather than using the model after technique

Authomize streamlines the process of bringing on a new employee, dramatically reducing the amount of definitions and preparations required for getting them up and running on their first day. We take a different tack from the “model after” method. Taking a more nuanced and exacting approach, Authomize looks at the permissions that other team members receive, but pulls data about that employee’s specific role and cross application entitlements to create recommendations for their personalized permissions.

[Figure: personalized permission map for a new Marketing employee, with role labels such as Editor, Owner, Approver, Viewer, Admin and Member]


Recertification
Recertification is a regulatory necessity that consumes way more time than it needs to when it rolls around.
Going through the process of confirming that team members have the permissions that fit their role (no
more, no less) eats up IT resources as they run through their list, checking certs and marking off boxes.

Authomize helps to shorten and simplify this process because we are continuously verifying certifications.
We can then recommend who the stakeholders are that need to sign off on permissions and provide them
with a full picture of relevant data to help drive their decision making, helping IT & Security teams to reach
the finish line faster.

[Screenshots: reviewer’s status for approving permissions; monitoring and managing each certification campaign; a certification campaign for files accessed by external identities; setting up certification campaigns]

For IT and Security teams, more automation translates into less time spent processing and more time to tackle the productive tasks that better serve the organization. No more trusting your hunches and hoping for the best.

About Authomize
Authomize enables organizations to manage and secure complex and vastly different applications across
hybrid environments. Our intelligent Prescriptive Analytics engine helps IT and Security teams flawlessly
automate operations around authorizations to prevent permission sprawl, maximize productivity, and
simplify identity lifecycle management.


© 2020 Authomize. All rights reserved.
