Do It Yourself (DIY) IT Compliance Management

Don’t do it.

Does everyone remember when Full Service gas stations were the norm, and Self Service was rare? Would you prefer to go back to Full Service filling stations, or are you happy having the ability to manage the process on your own? On a similar topic, do you prefer to pay at the pump with your credit card, or did you enjoy walking into the station to pay for gas?

The culture today is continually pushing for more automation and faster execution of processes. Improving efficiency is a major driver of these cultural changes, and "end-users" are asking for and expecting these capabilities. From pumping and paying for gas without anybody else’s involvement to having the capability to take a picture of a check to deposit it without going to the bank, the world is expecting self-service.

Since we expect these improvements throughout the non-IT aspects of our daily lives, why shouldn’t IT follow the same path? Often, IT vendors get stuck in a mode where they are afraid to push IT compliance management boundaries with true identity and access management innovation. However, the business community is waiting for innovation that allows them to be more independent. Business users do NOT like to open help desk tickets or wait for IT to action their requests. Therefore, it is time to embrace self-service provisioning.

Why was the world slow to allow Self Service gas stations to infiltrate our culture? Primarily, it was about RISK. Concerns including the flammability of gas, the risk of crime from customers leaving their car, the toxic fumes emitted by gasoline, and the jobs created by requiring mini service all contributed to the slow adoption of self-service. Relate this to identity and access management, and a similar trend exists.

An article about Self-Service IAM on searchsecurity.techtarget.com stated: "self-service should be used where there are cost savings and business opportunities to be gained by it, with a low amount of risk". The article went on to list several risk points of enabling self-service provisioning, such as users entering incorrect data that could impact downstream operations. These are valid concerns, but audit controls and IT cyber security CAN be implemented to satisfy users' desire to be self-sufficient, with reduced risk, while ensuring IT compliance management.

By adopting self-service identity and access management, you can implement IT compliance management solutions with dynamic workflows that are easy to configure and eliminate risk points around self-service. An intuitive approval interface for specific activities can ensure users are performing tasks as expected without needing to manually route tickets, gather approval forms and then have IT actually provision users' requests. Delegating approvals to the appropriate owner, rather than assuming IT understands every request, is more secure and puts accountability in the hands of the business rather than IT.

With the appropriate controls in place, Self-Service should be the future of identity and access management, so your IAM strategy should incorporate this now. There are several areas where you can empower your users to manage identity processes including:

- Self Service Password Reset/Change
- Attribute management
- Self Service Group Management
- Automatic Group Management
- Access Certifications
- Account Provisioning/De-provisioning

Obviously, depending on the IT compliance management and security requirements of your organization, the level of controls placed on top of each of these areas will differ. Larger organizations may never choose to provide self-service provisioning because they automate account provisioning from HR data. However, most organizations have only ventured into the self-service password management space, so there is a great deal of opportunity to expand these capabilities and reduce the strain on IT departments.

The world is a better place because of self-service trends, so IT needs to embrace this and offer more services in this fashion. Otherwise, the business will force the issue and potentially look for workarounds. Regardless of when these capabilities are enabled, self-service IAM is a good thing that can improve security while making users happier.

Written by Ryan Ward

Ryan Ward is CISO at Avatier, responsible for security initiatives as well as strategic direction of IAM and security products. A sixteen-year veteran of the security industry, Ward comes to Avatier after five years with MillerCoors where he served as Enterprise Security Manager of the brewing company and USA Information Security Officer for the public company SABMiller. In those positions Ward was responsible for all Information Security initiatives for MillerCoors. Prior to MillerCoors, he served as Senior Information Security Leader at Perot Systems while supporting the Wolters Kluwer account. He previously held the position of Vice President of Information Systems for Allscripts.

Ryan is also a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP).