Identity Management (IdM) is the core of an IT security solution: it controls who can access your IT assets, and it helps you locate all of the unidentified users across your IT applications.
IdM provides a single product that automates the provisioning and revocation of all users and privileges in an enterprise, so IdM can centrally manage and audit a pool of user identities, which authorized people can access within their specific business roles. The solution enables companies to thwart insider threats by providing controlled access to user credentials throughout the Identity Life Cycle of an Employee.
Identity Life Cycle of an Employee
As an employee is hired by a company, IdM can map and provision a UserID to his/her default applications. This process is beneficial for:
- Password Automation. The IT Administrator never knows the user's password anymore, because the password is generated by the system and sent to the user personally. This process saves both the user and the IT Administrator from identity theft risk.
- Faster On-Boarding Time. The employee will have email access and all default applications on Day+0, so she/he can start work immediately. Without IdM, a user generally has all of his/her UserIDs and passwords only by the 3rd week.
- Simple Audit. IdM can generate the list of valid users across all applications. Without IdM, IT Security needs to learn how to create a user access list report from each audited application, and merge them all into a single audit report.
As an employee moves to a new job role, IdM can map and provision a UserID to his/her new applications, and revoke access from the obsolete applications. The benefits are similar to the above:
- Password Automation.
- Faster On-Boarding Time.
- Simple Audit.
When an employee forgets his/her password, IdM provides a self-service portal for the user to reset his/her application password. This process is beneficial for:
- Password Automation.
- Fewer Helpdesk Calls. Up to 40% of help desk calls are related to password reset.
When an employee resigns or leaves the company for any reason, IdM can revoke his/her entire access to all applications he/she ever had in the company. This process is beneficial for:
- Eliminating Orphan Accounts. An orphan account is a valid UserID with no owner; it is one of the highest risks in IT Security. Orphan account activity will never be blocked by IPS/IDS/Firewall, and it will always be authorized by the application logic, because it is a valid user with valid permissions. The only way to eliminate orphan accounts is to automatically revoke the entire access when an employee resigns or leaves the company, and the only system that has the complete user access list for every employee is IdM.
- Simple Audit.
Gartner Magic Quadrant
In the Gartner Magic Quadrant, IdM is known as Identity Governance and Administration; it was formerly known as User Administration and Provisioning. IdM's primary focus is on granting the right access to a valid user, and immediately revoking it for off-boarding employees to eliminate orphan accounts. In the background, it performs periodic reconciliation to identify backdoor accounts, so it can prevent internal fraud. IdM is the provisioning source for other products in the Access Management family, such as Single Sign-On, Web Access Management, and Privileged User Management. For the Identity Federation family, IdM provisions the UserID / authentication to the Identity Provider (IdP) and the role / authorization to the Service Provider (SP).
IdM best practice is to control all internal users (such as employees, outsourcers, and vendors) in all core applications (such as ERP, CRM, SAP, Core Banking, custom Front End), operating systems (Active Directory, Windows, Unix/Linux, AS/400) and critical perimeters (Access Management, Privileged Management, VPN, Gateway, Firewall, etc.). IdM can then be expanded to control other systems, such as the Card Processing System for PCI-DSS compliance, financial systems for SOX compliance, or any other system (such as email, internet proxy, database, network peripherals, cloud services, etc.) for operational efficiency.
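The joiner/mover/leaver lifecycle above and the background reconciliation that flags orphan and backdoor accounts, as an added toy model (illustration only, not the vendor's product; the roles, applications and users are constructed):

```python
# Toy joiner/mover/leaver engine with reconciliation. Added illustration,
# not the vendor's product; roles, applications and users are constructed.
APPS = ["email", "core_banking", "crm", "erp"]
DEFAULT_APPS = {"email"}                       # granted to every new hire on Day+0
ROLE_APPS = {"teller": {"core_banking"},       # constructed role-to-application mapping
             "analyst": {"crm", "erp"}}


class IdM:
    def __init__(self):
        self.owners = {}                       # user_id -> "active" | "terminated"
        self.expected = {}                     # user_id -> apps IdM has granted
        self.apps = {a: set() for a in APPS}   # what each target system really holds

    def hire(self, user_id, role):             # joiner: provision default + role apps
        self.owners[user_id] = "active"
        self.expected[user_id] = set()
        self._provision(user_id, DEFAULT_APPS | ROLE_APPS[role])

    def change_role(self, user_id, new_role):  # mover: add new apps, revoke obsolete ones
        wanted = DEFAULT_APPS | ROLE_APPS[new_role]
        self._revoke(user_id, self.expected[user_id] - wanted)
        self._provision(user_id, wanted - self.expected[user_id])

    def terminate(self, user_id):              # leaver: revoke every access ever granted
        self.owners[user_id] = "terminated"
        self._revoke(user_id, set(self.expected[user_id]))

    def _provision(self, user_id, apps):
        for app in apps:
            self.apps[app].add(user_id)
            self.expected[user_id].add(app)

    def _revoke(self, user_id, apps):
        for app in apps:
            self.apps[app].discard(user_id)
            self.expected[user_id].discard(app)

    def reconcile(self):
        """Periodic check of real application accounts against IdM's record.
        orphan   = account whose owner is terminated or unknown to IdM
        backdoor = account an active user holds that IdM never granted"""
        findings = []
        for app in APPS:
            for uid in sorted(self.apps[app]):
                if self.owners.get(uid) != "active":
                    findings.append(("orphan", app, uid))
                elif app not in self.expected[uid]:
                    findings.append(("backdoor", app, uid))
        return findings
```

Accounts that appear in an application without a matching IdM grant are exactly what the periodic reconciliation is meant to surface, whether their owner is gone (orphan) or still active (backdoor).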
- One business day UserID creation for New Employees
- Immediate Access Revocation for Ex-Employees
- Paperless Self-Service for new application requests
- Paperless Approval by Email or Web
- Fewer Helpdesk Calls related to Password Reset
| Without IdM | With IdM |
|---|---|
| Users wait 3 weeks until all of their UserIDs are ready to use. | UserID and password are automatically created when a user is hired in the HR system. |
| Up to 40% of help desk calls are related to password reset. | Users can reset their password by themselves (or on behalf of a team mate), and the new password is delivered by email. |
| To get access to a new application, a user has to submit a request on paper; approval and work orders take a long time for paper-based requests. | Users can submit their request online, approval can be done via e-mail reply or mobile application, and provisioning is automated by the system. |
| When an employee leaves the company, the IT Administrator needs to manually discover the employee's UserIDs across all applications, from hiring, transfer and promotion up to the termination day, to properly revoke his/her entire access. | When an employee is marked as terminated in the HR system, IdM immediately revokes his/her entire access to all applications in the company. |
| Hard to provide reports for IT Security audit purposes, since every application has a different report, and usually an employee has a different UserID from one application to another. | All reports related to user access lists across all applications can be easily provided by IdM. |
PT Global Innovation Technology has been an active IdM vendor in Jakarta, Indonesia since 2007, and has many Identity Management implementations at major customers such as Bank Mandiri, BTPN, Pertamina, Telkomsel, XL Axiata, Indosat, Kalbe Farma, Jasindo, Smart Philippines, and NTT Data Japan.