‘Clean’ and ‘Organize’? What does housekeeping have to do with identity management?
All IT projects have a common Achilles heel: implementation. No matter how quick the process is, it always feels too long, and a rushed implementation can cause headaches for years to come. Relevant organization and stakeholder involvement can also be a pain to properly identify, quickly resulting in wasted work effort and hours that could have been put to better use. Just think of your average corporate software policies and how most administrators handle upgrades (reluctantly); these are issues that require significant investment to overcome.
As identity and access management specialists, we have regularly thought long and hard about how we can improve the implementation process of various systems. As mentioned, skipping steps to speed up the implementation will easily result in an unsustainable garbage-in-garbage-out scenario. Bad data is something we really want to avoid. By replacing steps with software rather than skipping them, we came up with a way to achieve the highest level of data quality possible and speed up the implementation at the same time. Our results are known as IDM:Clean and IDM:Organize.
So what do these tools actually do?
Cleaning up involves putting things away, removing garbage and sanitizing the area. IDM:Clean does the same for various systems by eating through data dumps pulled from them and generating a report with recommendations that can be carried out manually or through import files. Primary systems like AD, SAP, Dynamics AX and NAV are the major targets for this process.
IDM:Clean can be configured to check for things like redundant permission groups, empty or unused groups, separate groups with identical users, groups that are made up entirely of disabled or inactive users, users that have not used the system for a long time, and a host of other things.
The tool will generate two files based on whatever parameters are selected. The first file is a written report, or executive overview, that explains the results and makes suggestions based on them. The second output is an Excel file that includes every finding with the ability to filter, sort and make changes just like any spreadsheet.
After qualifying, processing, correcting and approving the content in the Excel file, the relevant system can either be updated manually or using an import file generated by feeding the relevant changes back into IDM:Clean.
Whether you want to implement an IDM/IAM/IAG tool afterwards or not, making sure your systems are clean is always a relevant endeavour. For example, how is your AD doing? How many groups do you maintain and how many users do you have? Are your active users really active? Do you know who has remote access and if they still need it? Which consultants and contractors do you still work with?
In all likelihood, you probably have several active accounts for consultants or partners that you have not worked with for a while. You may also have active accounts for users that stopped working for you months ago. In addition, the number of groups can sometimes end up being more than that of users!
In short, it is hard to maintain control. A traditional cleanup of AD can be like trying to weed a rainforest with a pickaxe. That is one of the reasons why we developed IDM:Clean as a stand-alone tool. The benefit? With around 15 000 users, an acceptable cleanup might take around 3–6 man-months of labour depending on the complexity and state of the system. IDM:Clean can bring the total number of hours down to a third of that with greater reliability and peace of mind that everything is being caught.
A traditional cleanup project often looks like this, requiring some sort of cut-off:
Our process, on the other hand, simply looks like this:
When dealing with identities, systems can become highly complex and difficult to manage without a clear overview. A good way to handle this is with an Identity and Access Management (IAM) tool. If you are planning to implement one such as our in-house IDM365 solution, we can help you further.
With the clean data output from IDM:Clean, we are able to profile current users through pattern matching. By looking at users, permissions and attributes such as business units, departments, locations and so on, IDM:Organize is able to propose easy-to-understand umbrella groups and access profiles that fit logically into roles or job functions assigned to users.
Just like IDM:Clean, IDM:Organize can be configured in many different ways to make the patterns more flexible or specific. For example, one user may only be missing a single permission that is part of another group. Depending on the requirements, IDM:Organize may suggest that the user be moved into that group with enough information that a manager or executive can decide whether it would be appropriate or not.
This process has a profound influence on implementation time as well, easily reducing it by about 50%. Rather than having to go over each and every worker with their manager, finding out what their roles are, what access they need and so forth, managers can simply look over their workers and provide names what it is they do. In addition to saving you a lot of time, having the software generate an overview report for managers to review puts you in a much better position moving forward.
Traditionally, this is what organizing roles and permissions looks like:
Here is how we do it: