Why Divide and Conquer May Not Be the Best Provisioning Strategy
Top three reasons why splitting up provisioning among ITSM and IAM functions is not the right approach.
A recent Markets & Markets study on the Identity and Access Management (IAM) space points out that one of the highest-valued sub-markets of IAM is provisioning and de-provisioning, and it’s estimated to grow to $5.1B by 2019. That is roughly 27% of the whole IAM market, which is predicted to be at $18B by 2019.
A big market size usually means there are big challenges to solve. It also means many vendors with conflicting messages on how those challenges should be solved. And one of the challenges I am seeing is the struggle for IT leaders to identify both the approach and ownership in solving these problems.
One of the flaws I see, as a result, is organizations delegating the responsibilities of identity management to different systems and owners. Some are looking at their ITSM vendor to manage service and hardware requests (ordering a new laptop, resetting passwords, requesting late night access to a building). Access requests for applications, on the other hand, are treated as separate tasks working through an IAM vendor. In this model, application provisioning is being bundled with role management, user entitlements and governance. Perhaps this way of dividing up responsibility for provisioning makes sense for IT teams, but what is the impact on the user when provisioning responsibilities and processes are disjointed?
There are many reasons why provisioning of all business and technology resources should be approached holistically and managed together, not individually. The top reasons are:
1) Worker Productivity and Satisfaction
Users want simplicity. They do not think that ordering a new headset is any different, as an IT request, from resetting a password or requesting access to Visio. So why should they have to go to different systems and work with different people who submit each request differently? What is often even more frustrating is when response processes are different. Some responses are automated, others come through an individual, and delivery times can range from seconds to days. Workers live in an ‘on-demand’ culture, and they want instant confirmation that their request was received and is being fulfilled. The more systems you have managing these requests, the less efficient and standardized the provisioning. This leads not only to frustrated workers, but to less productive ones.
2) IT Efficiency
With limited bandwidth and budget, IT is already stretched thin to deliver on its SLAs to the business. One of the only ways to dig out of this hole is through automation. In many instances, if access is being managed in different systems, either (1) fulfillment is only indirect (meaning a task is manually completed) or (2) IT needs to learn different automation models and workflows in order to fulfill requests directly without human intervention. It is through automation that the most efficiency gains arise, but attempting to fully automate with different automation tools can become too time-consuming and make IT feel like the benefits may not be worthwhile. This divided approach is why we too often see access requests still being fulfilled indirectly, not leveraging the major productivity gains that can come from fully automating provisioning and de-provisioning.
3) Compliance and Governance
If you talk to any auditor, one of the best ways to be compliant is to standardize your approaches. If access is being managed through different systems and different processes, it can exponentially increase the level of difficulty and cost of ensuring compliance. In this model, reviews and process rules need to be identified for two systems, not just one. Speaking to my earlier point, automation can also reduce compliance risks and costs associated with preparing for audits because standardization is enforced and room for human error is minimized.
You may ask: is it really a problem if hardware requests and provisioning lie in a different system (and with a different team) than applications? Some might contend that applications are where we face the most exposure, and that they merit being treated differently. But with the evolution of the Internet of Things (IoT), we argue that this is no longer the case. “Things” can now just as easily account for the greatest security vulnerabilities, as they are now connected into the digital workplace fabric and blur the line between physical device and interconnected user. The access challenges are only going to increase. Thus the central, standardized management of access to all things and all apps becomes increasingly important.
I am not advocating that identities don’t warrant separate or dedicated systems. In fact, I believe identities should be created in the systems that make most sense for the business function – HRIS systems for HR-related activities, AD for more security functions and so on. A good identity solution should be able to link into these different systems to create an identity store cross-linking identities. But when it comes to collecting, managing and servicing provisioning requests, access should be viewed holistically and not sub-divided across apps vs. services vs. hardware. Centralize how requests are submitted, captured and fulfilled in order to improve worker satisfaction, reduce IT costs and become overall more compliant.
This is how RES can offer the greatest benefit to your organization: by centrally managing and configuring provisioning based on policy-driven workflow and automating the fulfillment of those requests. Many requests are driven automatically by those policies (e.g. a worker role change), while others can be made through a formal request using an intuitive self-service store that can support service, hardware and app requests.
Check out one of our latest customers in Denmark, who is solving these access challenges with RES, reducing the manual effort to perform account provisioning by 88%.