Implementation of IdM. Preparing for implementation by the customer

In previous articles, we have already considered what IdM is, how to understand if your organization needs such a system, what tasks it solves, and how to justify the implementation budget to management. Today we will talk about the important stages that the organization itself must go through in order to reach the proper level of maturity before implementing the IdM system. After all, IdM is designed to automate processes, and it is impossible to automate chaos.


Until a company grows to the size of a large enterprise and accumulates many different business systems, it usually does not think about access control. As a result, the processes for obtaining rights and controlling privileges are unstructured and hard to analyze. Employees request access however they like, the approval process is not formalized either, and sometimes it simply does not exist. It is impossible to quickly find out what access an employee has, who approved it and on what basis.

Since access automation touches two main areas, personnel data and the data of the information systems that will be integrated, we will look at the steps needed so that the IdM implementation goes smoothly and does not meet with rejection:

  1. Analysis of HR processes and clean-up of how the employee database is maintained in the HR systems.
  2. Analysis of user and permission data, and updating of the access control mechanisms in the target systems planned for connection to IdM.
  3. Organizational measures and involvement of staff in preparing for the IdM implementation.

Personnel data

There may be one source of personnel data in an organization, or there may be several. For example, an organization may have a fairly wide branch network, and each branch may use its own personnel base.

First of all, it is necessary to understand what basic data about employees is stored in the personnel records system, what events are recorded, and evaluate their completeness and structure.

It often happens that not all personnel events are recorded in the HR source (and even more often they are recorded late and not quite correctly). Some typical examples:

  • vacations, their categories and duration (regular or long-term) are not recorded;
  • part-time employment is not recorded: for example, while on long parental leave an employee may at the same time work part-time;
  • the actual status of a candidate or employee has already changed (hiring / transfer / dismissal), but the order for that event is issued with a delay;
  • an employee is moved to a new full-time position through dismissal and re-hiring, and the HR system does not record that this is a technical dismissal.

Special attention should also be paid to data quality: any errors and inaccuracies received from a trusted source, which is what HR systems are, can be costly later and cause many problems when implementing IdM. For example, HR staff often enter employee positions in different formats: uppercase and lowercase letters, abbreviations, a different number of spaces, and so on. As a result, the same position can end up in the HR system in these variations:

  • Senior manager
  • senior manager
  • senior  manager (two spaces)
  • Sr. manager…

Differences in the spelling of the full name are also common:

  • Shmeleva Natalia Gennadievna,
  • Shmelyova Natalia Gennadievna… (the same surname written with е and with ё)

For further automation such inconsistency is unacceptable, especially if these attributes are the key identifying feature, that is, if an employee's data is matched with his permissions in the systems precisely by full name.

In addition, do not forget that the company may have employees with the same surname, or even the same full name. In an organization of a thousand employees such coincidences are rare; with 50 thousand they can become a critical obstacle to the correct operation of the IdM system.

Summarizing the above: the format for entering data into the organization's HR database must be standardized. The rules for entering full names, positions and departments must be clearly defined. The best option is for the HR officer not to type the data by hand but to select it from a pre-built directory of departments and positions using the lookup function available in the HR database.

To avoid synchronization errors later and manual correction of discrepancies in reports, the preferred way to identify employees is to introduce an ID for every employee in the organization. The identifier is assigned to each new employee and appears both in the HR system and in the organization's information systems as a mandatory attribute of the account. It does not matter whether it consists of digits or letters; what matters is that it is unique for each employee (many use the personnel number, for example). Later, this attribute will greatly simplify linking employee data in the HR source with his accounts and permissions in the information systems.
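As an added example (not from the original article), here is a small Python check of the kind that could be run over an HR export and a target-system account list before integration. It normalizes position spellings, and links accounts to employees by the unique ID where the account carries one, falling back to the normalized full name and flagging namesakes as ambiguous instead of guessing. All records, field names and the abbreviation table are constructed sample data.

```python
"""Pre-integration data-quality checks on an HR export and a target-system
account list. Added example; records, field names and the abbreviation
table below are constructed, not taken from a real system."""
from collections import defaultdict

# Constructed HR export: emp_id is the unique identifier the article recommends.
HR_RECORDS = [
    {"emp_id": "00017", "full_name": "Shmeleva Natalia Gennadievna", "position": "Senior manager"},
    {"emp_id": "00018", "full_name": "Ivanov Ivan Ivanovich", "position": "senior manager"},
    {"emp_id": "00019", "full_name": "Ivanov Ivan Ivanovich", "position": "senior  manager"},
    {"emp_id": "00020", "full_name": "Petrov Petr Sergeevich", "position": "Sr. manager"},
    {"emp_id": "00021", "full_name": "Sidorova Anna Olegovna", "position": "Accountant"},
]

# Constructed account list from a target system (for example an AD export).
# emp_id is None where the attribute was never filled in.
TARGET_ACCOUNTS = [
    {"login": "n.shmelyova", "display_name": "Shmelyova Natalia Gennadievna", "emp_id": None},
    {"login": "i.ivanov", "display_name": "Ivanov Ivan Ivanovich", "emp_id": None},
    {"login": "i.ivanov2", "display_name": "Ivanov Ivan Ivanovich", "emp_id": "00019"},
    {"login": "p.petrov", "display_name": "Petrov  Petr Sergeevich", "emp_id": None},
    {"login": "svc_backup", "display_name": "Backup Service", "emp_id": None},
]

# Abbreviations found in free-text positions (assumed list; extend from real data).
ABBREVIATIONS = {"sr.": "senior", "jr.": "junior", "dep.": "deputy"}


def normalize_position(raw):
    """Canonical position: single spaces, lowercase, abbreviations expanded."""
    words = " ".join(raw.split()).lower().split(" ")
    return " ".join(ABBREVIATIONS.get(w, w) for w in words)


def normalize_name(raw):
    """Canonical full name: single spaces, lowercase, and the common
    yo/e transliteration difference collapsed (crude, for illustration)."""
    return " ".join(raw.split()).lower().replace("yo", "e")


def position_variants(records):
    """Canonical positions that occur under more than one raw spelling."""
    variants = defaultdict(set)
    for r in records:
        variants[normalize_position(r["position"])].add(r["position"])
    return {k: sorted(v) for k, v in variants.items() if len(v) > 1}


def link_accounts(records, accounts):
    """Map each login to (how_matched, employee). Matching order:
    1. by unique emp_id when the account carries one;
    2. by normalized full name, but only if exactly one employee has it;
    namesakes are reported as 'ambiguous', unknown accounts as 'unmatched'."""
    known_ids = {r["emp_id"] for r in records}
    by_name = defaultdict(list)
    for r in records:
        by_name[normalize_name(r["full_name"])].append(r["emp_id"])
    result = {}
    for a in accounts:
        if a.get("emp_id") in known_ids:
            result[a["login"]] = ("by_id", a["emp_id"])
            continue
        candidates = by_name.get(normalize_name(a["display_name"]), [])
        if len(candidates) == 1:
            result[a["login"]] = ("by_name", candidates[0])
        elif candidates:
            result[a["login"]] = ("ambiguous", sorted(candidates))
        else:
            result[a["login"]] = ("unmatched", None)
    return result


if __name__ == "__main__":
    print("position spellings to unify:", position_variants(HR_RECORDS))
    for login, outcome in link_accounts(HR_RECORDS, TARGET_ACCOUNTS).items():
        print(login, outcome)
```

The "ambiguous" and "unmatched" outcomes are the ones worth reviewing before go-live: the first is exactly the namesake problem the ID attribute solves, the second is either a service account that needs an owner or an orphaned account that should not exist.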

So, all steps and mechanisms of personnel records will need to be analyzed and put in order. Some processes may have to be changed or improved. This is tedious and painstaking work, but it is necessary; otherwise the lack of clear and structured data on personnel events will lead to errors in their automatic processing. In the worst case, unstructured processes cannot be automated at all.

Target Systems

At the next stage, we need to figure out how many information systems we want to integrate into the IdM structure, what data about users and their rights are stored in these systems and how to manage them.

Many organizations believe that they will install IdM, configure connectors to the target systems, and with a wave of a magic wand everything will work without further effort on their part. Alas, it does not happen that way. A company's landscape of information systems evolves and grows gradually. Each system may take a different approach to granting access rights, that is, expose a different access management interface. In some, management happens through an API; in others through the database using stored procedures; in some there may be no integration interface at all. Be prepared to revise many existing processes for managing accounts and rights in the organization's systems: change data formats, finish the integration interfaces in advance and allocate resources for this work.

Role model

You will probably encounter the concept of a role model when choosing an IdM vendor, since it is one of the key concepts in access rights management. In this model, access to data is granted through a role. A role is the minimum set of accesses that an employee in a particular position needs to perform his functional duties.

Role-based access control has a number of undeniable advantages:

  • simple and efficient assignment of the same rights to a large number of employees;
  • quick change of access for employees with the same set of rights;
  • elimination of redundant rights and separation of incompatible duties between users.

The role matrix is first built separately in each of the organization's systems and then scaled to the entire IT landscape, where global business roles are composed from the roles of each system. For example, the business role "Accountant" will include several separate roles, one for each information system used in the company's accounting department.

Recently it has been considered best practice to design a role model already at the stage of developing applications, databases and operating systems. Yet it is not uncommon for roles not to be configured in a system, or simply not to exist. In that case the system administrator has to enter the account into several different files, libraries and directories that grant the required permissions. Predefined roles make it possible to grant privileges for a whole set of operations in a system with complex, composite data.

Roles in an information system are usually assigned to positions and departments according to the staffing structure, but can also be created for particular business processes. For example, in a financial institution several employees of the settlements department hold the same position, operator. But within the department the work is also divided into separate processes by type of operation (external or internal, in different currencies, with different segments of the organization). To give each business line within one department access to the information system according to its specifics, the rights must be packaged into separate functional roles. This gives each line of activity a minimal sufficient set of permissions without redundant rights.

For large systems with hundreds of roles, thousands of users and millions of permissions, it is also good practice to use a role hierarchy with privilege inheritance. For example, the senior role Administrator inherits the privileges of the junior roles User and Reader, since the Administrator can do everything a User and a Reader can, plus additional administrative rights. With a hierarchy there is no need to specify the same rights again in several roles of the same module or system.
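To make the role-model structure described above concrete (business roles composed from per-system roles, a hierarchy with inheritance, and the promised elimination of redundant rights and separation of incompatible duties), here is an added Python sketch; it is not from the article or any IdM product. The system names, roles, permission strings and the single separation-of-duties rule are assumed example values.

```python
"""Role model sketch: per-system roles with inheritance, business roles
composed from them, redundancy and separation-of-duties checks.
Added example; systems, roles, permissions and the SoD rule are assumed."""
from collections import deque

# Per-system roles. "inherits" lists the junior roles whose permissions
# this role also gets (constructed example data).
SYSTEM_ROLES = {
    ("crm", "reader"): {"permissions": {"crm:read"}, "inherits": []},
    ("crm", "user"): {"permissions": {"crm:write"}, "inherits": ["reader"]},
    ("crm", "admin"): {"permissions": {"crm:manage_users"}, "inherits": ["user"]},
    ("erp", "invoice_entry"): {"permissions": {"erp:create_invoice"}, "inherits": []},
    ("erp", "payment_approval"): {"permissions": {"erp:approve_payment"}, "inherits": []},
    ("ad", "domain_user"): {"permissions": {"ad:logon", "mail:mailbox"}, "inherits": []},
}

# Business roles are sets of system roles (constructed).
BUSINESS_ROLES = {
    "accountant": [("ad", "domain_user"), ("erp", "invoice_entry"), ("crm", "reader")],
    "payment_controller": [("ad", "domain_user"), ("erp", "payment_approval")],
    "crm_admin": [("ad", "domain_user"), ("crm", "admin")],
}

# Permission combinations one person must never hold (assumed SoD rule).
SOD_CONFLICTS = [
    ({"erp:create_invoice", "erp:approve_payment"}, "create and approve payments"),
]


def role_closure(system, role):
    """The role itself plus every junior role reachable through 'inherits'."""
    seen, queue = set(), deque([role])
    while queue:
        r = queue.popleft()
        if r in seen:
            continue  # also protects against cycles in a badly built hierarchy
        seen.add(r)
        queue.extend(SYSTEM_ROLES[(system, r)]["inherits"])
    return seen


def effective_permissions(system, role):
    """All permissions a role grants, inherited ones included."""
    perms = set()
    for r in role_closure(system, role):
        perms |= SYSTEM_ROLES[(system, r)]["permissions"]
    return perms


def business_role_permissions(name):
    """Union of effective permissions over every system role in a business role."""
    perms = set()
    for system, role in BUSINESS_ROLES[name]:
        perms |= effective_permissions(system, role)
    return perms


def redundant_roles(assigned):
    """System roles already implied by another assigned role of the same system."""
    return sorted(
        (system, role)
        for system, role in assigned
        if any(s == system and r != role and role in role_closure(s, r) for s, r in assigned)
    )


def sod_violations(business_roles):
    """SoD rules violated by the union of permissions across a person's business roles."""
    held = set()
    for name in business_roles:
        held |= business_role_permissions(name)
    return [label for conflict, label in SOD_CONFLICTS if conflict <= held]


if __name__ == "__main__":
    print("crm admin can:", sorted(effective_permissions("crm", "admin")))
    print("accountant can:", sorted(business_role_permissions("accountant")))
    print("redundant:", redundant_roles([("crm", "admin"), ("crm", "reader")]))
    print("SoD:", sod_violations(["accountant", "payment_controller"]))
```

Two details matter for a real role model. The SoD check runs over the union of everything a person holds, not over one business role at a time, because the dangerous combination typically appears only when a second business role is added. And redundancy is evaluated against the closure of the hierarchy, so a direct "reader" assignment next to "admin" is reported and can be removed without changing effective access.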

At the first stage, create roles in those systems where the number of possible combinations of rights is small and, consequently, a small number of roles is easy to manage. These may be the standard rights that all employees need in company-wide systems such as Active Directory (AD), mail, Service Manager and the like. The role matrices created for these systems can then be folded into the overall role model by combining them into business roles.

With this approach, when the IdM system is later implemented, it will be easy to automate the whole process of granting access based on the roles created at the first stage.

Note: Do not try to include as many systems as possible in the integration right away. Systems with a more complex architecture and access management structure are best connected to IdM in semi-automatic mode at the first stage: based on personnel events, only the access request is generated automatically and sent to the administrator for execution, who then sets the rights manually.

Once the first stage has been passed successfully, the system's functionality can be extended to new, more advanced business processes, with full automation and scaling by connecting additional information systems.
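The semi-automatic mode just described, together with the "technical dismissal" case from the personnel-data section, can be shown in one small dispatcher. This is an added Python example, not the article's or any vendor's code: the per-system connection modes, the position-to-role mapping and the HR event feed are constructed, and a real IdM would replace the returned tuples with connector calls and tickets.

```python
"""Turn HR events into provisioning actions, routed by each target system's
connection mode. Added example; SYSTEM_MODES, POSITION_ROLES and HR_EVENTS
are constructed, not taken from a real deployment."""
from collections import defaultdict

# Assumed per-system mode: "auto" = IdM executes through a connector,
# "manual" = IdM only raises a request for the system administrator.
SYSTEM_MODES = {"ad": "auto", "mail": "auto", "core_banking": "manual"}

# Assumed first-stage role model: which system role each position receives.
POSITION_ROLES = {
    "operator": {"ad": "domain_user", "mail": "mailbox", "core_banking": "teller"},
    "senior operator": {"ad": "domain_user", "mail": "mailbox", "core_banking": "teller_supervisor"},
}

# Constructed HR feed. Employee 00031 has a dismissal and a hire on the same
# date: a transfer through dismissal, which must not revoke the account.
HR_EVENTS = [
    {"emp_id": "00030", "type": "hire", "date": "2024-03-01", "position": "operator"},
    {"emp_id": "00031", "type": "dismissal", "date": "2024-03-01", "position": "operator"},
    {"emp_id": "00031", "type": "hire", "date": "2024-03-01", "position": "senior operator"},
    {"emp_id": "00032", "type": "dismissal", "date": "2024-03-01", "position": "operator"},
]


def collapse_technical_dismissals(events):
    """Merge a dismissal and a hire of the same employee on the same date
    into a single transfer event carrying the old and the new position."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["emp_id"], e["date"])].append(e)
    out = []
    for group in by_key.values():
        types = {e["type"]: e for e in group}
        if "dismissal" in types and "hire" in types:
            out.append({**types["hire"], "type": "transfer",
                        "from_position": types["dismissal"]["position"]})
        else:
            out.extend(group)
    return out


def plan_actions(events):
    """Return (system, action, emp_id, role, mode) tuples. Only the delta
    between the old and the new role set is acted on."""
    actions = []
    for e in collapse_technical_dismissals(events):
        if e["type"] == "hire":
            wanted, current = POSITION_ROLES[e["position"]], {}
        elif e["type"] == "dismissal":
            wanted, current = {}, POSITION_ROLES[e["position"]]
        else:  # transfer
            wanted, current = POSITION_ROLES[e["position"]], POSITION_ROLES[e["from_position"]]
        for system in sorted(set(wanted) | set(current)):
            if wanted.get(system) == current.get(system):
                continue  # same role before and after: nothing to do
            mode = SYSTEM_MODES[system]
            if system in current:
                actions.append((system, "revoke", e["emp_id"], current[system], mode))
            if system in wanted:
                actions.append((system, "grant", e["emp_id"], wanted[system], mode))
    return actions


def dispatch(actions):
    """Split the plan: auto actions go to connectors, manual ones become
    requests for the administrator of that system."""
    connector_calls = [a for a in actions if a[4] == "auto"]
    admin_requests = [a for a in actions if a[4] == "manual"]
    return connector_calls, admin_requests


if __name__ == "__main__":
    auto, manual = dispatch(plan_actions(HR_EVENTS))
    print("execute via connectors:", auto)
    print("send to administrators:", manual)
```

The point of the collapse step is visible in the output: employee 00031 keeps the AD and mail accounts and only gets a role change request in the manually managed system, whereas without it the dismissal would have produced a full revoke followed by a re-grant, which is exactly the kind of churn and downtime the personnel-data clean-up is meant to prevent.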

In other words, to prepare for an IdM implementation you must assess the readiness of the information systems for the new process and, where a system has no external interface for managing user accounts and rights, build one in advance. You also need to plan the phased creation of roles in the information systems for integrated access control.

Organizational activities

Organizational issues should not be underestimated. In some cases they are decisive, because the result of the whole project often depends on effective interaction between departments. We usually advise creating a team of process participants that includes every department involved. Since this is extra work for people, explain to all participants in advance their role and importance in the interaction structure. If you "sell" the idea of IdM to colleagues at this stage, you can avoid many difficulties later.

Often the "owners" of an IdM project in a company are the information security or IT department, and the opinion of the business units is not taken into account. This is a big mistake, because only they know how and in which business processes each resource is used, who should have access to it and who should not. Therefore, at the preparation stage it is important to establish that the business owner is responsible for the functional model from which the users' sets of rights (roles) in the information system are derived, and for keeping those roles up to date. The role model is not a static matrix that is built once and then forgotten. It is a "living organism" that must constantly change, be updated and evolve, following changes in the organization's structure and employees' duties. Otherwise there will either be problems with delays in granting access or, worse, information security risks from excessive access rights.

As the proverb goes, too many cooks spoil the broth, so the company should develop a methodology describing the architecture of the role model and the interaction and responsibilities of the specific participants in the process for keeping it current. If a company has many lines of business and, accordingly, many divisions and departments, then for each line (for example, lending, operations, remote services, compliance and others) separate curators must be appointed as part of the role-based access control process. Through them it will be possible to quickly receive information about changes in the unit's structure and the access rights required for each role.

It is essential to enlist the support of the organization's management to resolve conflicts between the departments participating in the process. And in our experience, conflicts are inevitable when any new process is introduced. Therefore an arbitrator is needed to resolve possible conflicts of interest so that no time is lost to someone's misunderstanding or sabotage.

Note: Staff training is a good way to raise awareness. A detailed walk-through of how the future process will work and of each participant's role in it will minimize the difficulties of switching to the new solution.

Checklist

In summary, here are the main steps that an organization planning to implement IdM should take:

  • put the personnel data in order;
  • introduce a unique identifier for each employee;
  • assess the readiness of the information systems for IdM;
  • develop access management interfaces for the information systems that lack them, and allocate resources for this work;
  • develop and build a role model;
  • set up a role model management process with curators from each business area;
  • select a few systems for the initial connection to IdM;
  • build an effective project team;
  • secure the support of company management;
  • train staff.

The preparation can be difficult, so involve consultants if possible.

Implementing an IdM solution is a demanding and responsible step, and its success depends both on the effort of each party, the business units and the IT and information security services, and on the cooperation of the whole team. But the effort pays off: after IdM is implemented, the number of incidents involving excessive privileges and unauthorized rights in information systems falls; employee downtime due to missing or long-awaited rights disappears; and automation cuts labor costs and raises the productivity of the IT and information security services.

Source: habr.com
