Provisioning User Directory Cleanup


Before diving into an identity and access management (IAM) project, doesn’t it make sense to solve your directory issues for provisioning users first rather than trying to hide them with identity access management customization? Issues with accounts, unused groups, naming conventions, policies and simply having too many directories all add up to a challenging identity management initiative. Yet I have repeatedly seen companies try to architect their identity and access management solution around their directory deficiencies, masking the problems rather than simply solving the root issue to begin with.

A minor investment in resolving Active Directory group management issues, for instance, can result in dramatic cost and operational savings, not to mention an environment that is easier to support long-term. IAM projects are difficult enough without adding business-specific group and user provisioning customization into the mix.

Addressing these issues with an internal team that is tasked with cleaning things up on a part-time basis usually isn’t successful. Service providers such as Avatier have developed custom Active Directory group management and user management tools and services based on years of experience working on identity and access management projects, so it is more cost-effective to bring in an outside expert to get you moving in the right direction quickly.

Some common account problems that should be addressed include:

  1. Orphaned/unused accounts: rid your directories of accounts that have not been used in a considerable amount of time.
  2. Accounts not matching policies: identify rogue accounts that have passwords set to never expire, accounts that do not require passwords, or any other attributes that do not match your standards.
  3. Missing attributes: if you plan on leveraging your directory data for workflow or other authoritative data, your accounts had better contain the necessary information. Look for missing manager, department, company, location, telephone, etc.
  4. Privileged IDs: restrict who has privileged access to your systems by reviewing your administrative groups and inserting cyber security audit controls.
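One way to run the four account checks above over an exported set of Active Directory user records. This is an added example, not Avatier's tooling. The 90-day staleness threshold, the `groups` key (group names resolved from `memberOf`), the admin group list and the sample records are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (documented Active Directory values)
UAC_DISABLED, UAC_PASSWD_NOTREQD, UAC_DONT_EXPIRE = 0x0002, 0x0020, 0x10000
REQUIRED = ("manager", "department", "company", "l", "telephoneNumber")
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    """datetime -> Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def from_filetime(ticks):
    """FILETIME -> datetime; 0 or missing means the account never logged on."""
    return EPOCH_1601 + timedelta(microseconds=int(ticks) // 10) if ticks else None

def audit_account(rec, now, stale_days=90):
    """Return findings for one exported user record (dict of attributes)."""
    findings = []
    uac = int(rec.get("userAccountControl", 0))
    last = from_filetime(rec.get("lastLogonTimestamp"))
    if not uac & UAC_DISABLED and (last is None or now - last > timedelta(days=stale_days)):
        findings.append("stale")                      # item 1: orphaned/unused
    if uac & UAC_DONT_EXPIRE:
        findings.append("password-never-expires")     # item 2: policy mismatch
    if uac & UAC_PASSWD_NOTREQD:
        findings.append("password-not-required")      # item 2: policy mismatch
    missing = [a for a in REQUIRED if not str(rec.get(a, "")).strip()]
    if missing:
        findings.append("missing:" + ",".join(missing))  # item 3
    if ADMIN_GROUPS & set(rec.get("groups", [])):     # "groups" is a hypothetical key
        findings.append("privileged")                 # item 4: queue for review
    return findings

# Constructed sample export; names and values are illustrative only.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
FULL = {"manager": "CN=Boss", "department": "IT", "company": "Example",
        "l": "Denver", "telephoneNumber": "555-0100"}
SAMPLE = [
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200,
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=10)), **FULL},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x200 | 0x10000,
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=400)),
     "department": "IT", "groups": ["Domain Admins"]},
    {"sAMAccountName": "kiosk", "userAccountControl": 0x200 | 0x20, **FULL},
]

def audit_directory(records, now=NOW):
    """Map account name -> findings for accounts with at least one finding."""
    return {r["sAMAccountName"]: f for r in records if (f := audit_account(r, now))}
```

Treat `stale` as a review queue rather than a delete list: `lastLogonTimestamp` is replicated lazily, so it can trail the real last logon by up to about two weeks with default settings.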

Common Active Directory group and distribution list problems that should be addressed include:

  1. Duplicates: find groups that may be duplicates or serve the same purpose.
  2. Inefficiencies: look for groups with 0-3 users. If there are 3 or fewer users in a group, there probably isn’t a need to have that group in the directory.
  3. Missing owners: how will you know who to contact if you or someone has a question about a group and there is no owner assigned to that group? A self-service group management tool such as Group Requester can help with this.
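The three group checks above, sketched over an exported group list. This is an added example, not part of the original article or of Group Requester. The input shape, the use of membership overlap as a proxy for "duplicate", the 0.8 overlap threshold and the sample groups are assumptions; the 3-member cutoff comes from the list above.

```python
from itertools import combinations

def jaccard(a, b):
    """Membership overlap between two sets: 1.0 means identical members."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def audit_groups(groups, small_max=3, overlap=0.8):
    """groups: name -> {"members": [...], "managedBy": str or None}."""
    # Member names are compared case-insensitively.
    sets = {n: frozenset(m.lower() for m in g.get("members", []))
            for n, g in groups.items()}
    report = {"small": [], "no_owner": [], "overlapping": []}
    for name in sorted(groups):
        if len(sets[name]) <= small_max:
            report["small"].append(name)          # 0-3 users
        if not (groups[name].get("managedBy") or "").strip():
            report["no_owner"].append(name)       # nobody to contact
    for a, b in combinations(sorted(groups), 2):
        score = jaccard(sets[a], sets[b])
        if score >= overlap:                      # likely duplicates
            report["overlapping"].append((a, b, round(score, 2)))
    return report

# Constructed sample export; group and member names are illustrative only.
GROUPS = {
    "Finance-Share-RW": {"members": ["amy", "bob", "carl", "dee", "eve"],
                         "managedBy": "CN=Amy"},
    "FIN_Share_Modify": {"members": ["Amy", "bob", "carl", "dee", "eve"],
                         "managedBy": None},
    "Finance-Reports": {"members": ["amy", "bob", "carl", "dee", "fay"],
                        "managedBy": "CN=Amy"},
    "Project-X": {"members": ["gus"], "managedBy": ""},
    "Empty-Legacy": {"members": [], "managedBy": None},
}

if __name__ == "__main__":
    for check, hits in audit_groups(GROUPS).items():
        print(check, hits)
```

Overlap only flags candidates: two groups with the same members can still grant different access, so confirm what each group is used for before merging or deleting.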

If you have multiple directories in place, there may be other access provisioning challenges that can be solved:

  1. Account naming conventions: some account directories will allow you to rename accounts. If this is possible, it is often easier to take the effort to rename accounts to a standard through automatic group management than to deal with mapping accounts to the authoritative account standard.
  2. Password policy: take the time to align your system password policies such as expiration and strength requirements with an automated password reset tool rather than having your users deal with the confusion of multiple policies.
  3. Consolidation: many organizations seem to think that it is too difficult to consolidate and shut down old directories, but the effort to deal with this is often easier than building an IAM solution around multiple and redundant directories.

By taking the time to clean your house, you’ll simplify your systems environment and improve IT cyber security all while lowering your ultimate identity and access management project costs. Be sure to think of your pain points and compare the effort and benefits of remediation before designing customization to hide your provisioning user issues.


Written by Ryan Ward

Ryan Ward is CISO at Avatier, responsible for security initiatives as well as strategic direction of IAM and security products. A sixteen-year veteran of the security industry, Ward comes to Avatier after five years with MillerCoors where he served as Enterprise Security Manager of the brewing company and USA Information Security Officer for the public company SABMiller. In those positions Ward was responsible for all Information Security initiatives for MillerCoors. Prior to MillerCoors, he served as Senior Information Security Leader at Perot Systems while supporting the Wolters Kluwer account. He previously held the position of Vice President of Information Systems for Allscripts. Ryan is also a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP).