Friday, January 31, 2014

Authentication Challenges in the Cloud

As the cloud continues to expand within the commercial world and cloud services such as Google Apps, GoToMeeting, and Office 365 are widely deployed, working with cloud applications has user and access management consequences that need to be addressed.

Controlling who has access to specific applications and the corresponding data is even more complicated with cloud applications than with a typical office intranet. Providers of cloud solutions give little priority to developing better management of user accounts and access rights in their applications; they are more occupied with developing new, business-oriented features.

Consequently, user and access management in cloud applications entails a number of challenges such as:

1. Single Authentication

Active Directory is the central link in the chain for user access to applications and systems. The traditional LAN-based applications often have specific integration, such as LDAP, with the central user account directory. Working with cloud applications means more authentication sources. In addition to the corporate Active Directory network log-in, users also need to remember their credentials for each cloud application utilized.

There are only a few possibilities for synchronizing user accounts between both authentication sources (such as Microsoft's AD Federation Services and the SAML standard). In this manner, end-users can log in transparently to the cloud applications. However, federation is not a replacement for provisioning and basic user account management. Maintaining roles within a cloud application and linking accounts to central authentication remains an important task through which access to specific data is regulated.

A single-sign-on (SSO) solution for the cloud would help in this situation. Vendors that offer SSO for cloud base the credentials on those that already exist in Active Directory. This allows the user to log in to all of their cloud applications with just their AD credentials.

2. Manual Actions

Providers who do not support federation, such as many providers of e-learning environments and HR systems, frequently offer a web-based interface that managers can use to control access to the cloud application directly. However, there is no automatic provisioning, and this necessitates a sequence of manual operations. This process is time consuming and error prone. Even when it is possible to import a basic CSV file into the cloud application, manual intervention by the application manager is still required. This can result in a lot of unnecessary work.

For example, consider the procedure required when an employee leaves the organization. This procedure often occurs in phases: first the user log-in is removed, then the account is removed, data is transferred to a different user, and, finally, an email notification is sent to the manager. Each of these phases requires a separate manual operation for user management in the cloud application. In this case, an automated account management solution would assist in the process. Such a solution would synchronize user accounts from the HR system, so that any change made in HR, such as disabling a user, would automatically be propagated to all connected accounts in all applications.

3. Naming and Password Conventions

Conventions governing naming standards and passwords are often inconsistent between network and cloud applications. In the network, a user ID might be based on the log-in name, and in the cloud it might be the email address. This complicates exchanging user account details between the environments, and, in many cases, differences also apply to password conventions.

When extremely complex passwords are required in the corporate network, cloud applications might not be able to handle this type of password. The possibility also exists that the cloud application requires a different duration for password expiration than within the corporate network. Synchronizing passwords between the network and cloud applications can be exceedingly difficult. In this case, automated solutions can be helpful as they can enforce a standard naming convention across all applications while allowing for uniqueness when more than one employee has the same name.

An enterprise SSO solution can mitigate the password complexity issues by “remembering” the user’s password and providing it automatically each time the user logs into the application. Further, an SSO application can also routinely reset the password in the background, or prompt the user to do so, when expiration occurs.
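The following routine illustrates the two problems described under "Manual Actions" and "Naming and Password Conventions": an HR feed drives account creation and the phased removal of every connected account, while the network and cloud identifiers follow different conventions and stay unique when two employees share a name. It is an added example, not code from the original post or from any vendor product; the HR record layout, the two naming rules, the "example.com" domain and the in-memory `accounts` store are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HrRecord:
    emp_id: str
    first: str
    last: str
    manager_id: str
    active: bool

@dataclass(frozen=True)
class Action:
    system: str   # "ad", "cloud" or "workflow"
    verb: str     # "create", "disable", "transfer_data" or "notify_manager"
    target: str
    detail: str = ""

DOMAIN = "example.com"  # assumed cloud mail domain for the example

def unique_name(base: str, taken: set) -> str:
    """Append a numeric suffix until the name is unused, so two employees who
    share a name still receive distinct identifiers."""
    candidate, n = base, 1
    while candidate in taken:
        n += 1
        candidate = f"{base}{n}"
    return candidate

def reconcile(hr: list, accounts: dict) -> list:
    """Turn an HR feed into provisioning actions. `accounts` maps emp_id to the
    identifiers provisioned per system plus a status and is updated in place,
    so re-reading the same feed (e.g. twice a day) emits no duplicate actions."""
    actions = []
    ad_taken = {a["ad"] for a in accounts.values()}
    cloud_local_taken = {a["cloud"].split("@")[0] for a in accounts.values()}
    for rec in hr:
        acct = accounts.get(rec.emp_id)
        if rec.active and acct is None:
            # network convention (assumed): first initial + surname, lowercase;
            # cloud convention (assumed): first.last@domain, suffix before the @
            login = unique_name((rec.first[0] + rec.last).lower(), ad_taken)
            local = unique_name(f"{rec.first}.{rec.last}".lower(), cloud_local_taken)
            ad_taken.add(login)
            cloud_local_taken.add(local)
            mail = f"{local}@{DOMAIN}"
            accounts[rec.emp_id] = {"ad": login, "cloud": mail, "status": "active"}
            actions += [Action("ad", "create", login), Action("cloud", "create", mail)]
        elif not rec.active and acct is not None and acct["status"] == "active":
            # offboarding phases from the post: remove the log-in everywhere first,
            # then hand the data to the manager, then notify the manager
            mgr = accounts.get(rec.manager_id, {}).get("cloud", f"manager:{rec.manager_id}")
            actions += [Action("ad", "disable", acct["ad"]),
                        Action("cloud", "disable", acct["cloud"]),
                        Action("cloud", "transfer_data", acct["cloud"], detail=mgr),
                        Action("workflow", "notify_manager", mgr, detail=rec.emp_id)]
            acct["status"] = "disabled"
    return actions
```

Running `reconcile` a second time over the same feed returns an empty list, which is the property an HR-driven sync needs so that a twice-daily read does not resend disable or transfer requests.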

4. Organizational Structure

The reporting hierarchy structure within an organization is often utilized to assign authorizations to employees based on their role or position, commonly referred to as role-based access control (RBAC). Within the corporate network, this structure is contained in an HR system or within Active Directory.

Cloud applications normally cannot translate this organizational structure, and the web-based provisioning functionality they offer does not offer a robust method for incorporating this level of detail. Naturally, it is possible to transfer the entire organizational structure to the cloud application, but this requires an enormous volume of management activity when something in the hierarchy changes.

RBAC in an automated account management solution can assist with this issue. It allows access to various components of the cloud applications to be based on the end user’s organizational role. In this way access will be controlled on the basis of the department or title in the HR system.

5. Bulk actions


Performing bulk actions in cloud applications is occasionally rejected by the application. Consider, for example, schools that want to create a thousand user accounts for students in a cloud application, such as an e-learning system. Some cloud applications that impose restrictions on the number of actions that can be carried out in one pass or require that no management activities are undertaken during working hours to prevent overloads on their network.

A robust provisioning application can adhere to the processing rules imposed by cloud applications by breaking up the number of requests to be processed in one connection and/or limiting the execution to specific time-frames.
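A small scheduler showing both rules from the paragraph above: requests are split into batches no larger than the provider's limit, and each batch is given a start time inside an overnight maintenance window, spilling over to the next night when the window is full. This is an added example, not code from the original post or from any provisioning product; the window hours, the per-batch duration and the sample of 1,000 student accounts are constructed assumptions.

```python
from datetime import datetime, timedelta

def schedule_batches(requests: list, max_per_batch: int, now: datetime,
                     start_hour: int = 20, end_hour: int = 6,
                     per_batch: timedelta = timedelta(minutes=15)) -> list:
    """Split `requests` into batches of at most `max_per_batch` and give each a
    start time inside the provider's maintenance window (assumed here to open
    daily at start_hour and close at end_hour, wrapping past midnight). A batch
    that would not finish before the window closes waits for the next night.
    Returns a list of (start_time, batch) pairs in execution order."""
    batches = [requests[i:i + max_per_batch]
               for i in range(0, len(requests), max_per_batch)]
    length = timedelta(hours=(end_hour - start_hour) % 24)
    # find the window that is open now, or the next one to open
    opening = now.replace(hour=start_hour, minute=0, second=0, microsecond=0)
    if opening > now:
        opening -= timedelta(days=1)
    if now >= opening + length:
        opening += timedelta(days=1)
    t = max(now, opening)
    plan = []
    for batch in batches:
        if t + per_batch > opening + length:   # would overrun the window: next night
            opening += timedelta(days=1)
            t = opening
        plan.append((t, batch))
        t += per_batch
    return plan

def example_plan() -> list:
    """Constructed sample: a school creating 1,000 student accounts against a
    provider that accepts at most 200 per call and only outside 06:00-20:00,
    with each call assumed to take three hours to process."""
    students = [f"student{n:04d}" for n in range(1000)]
    return schedule_batches(students, 200, datetime(2014, 1, 31, 14, 0),
                            per_batch=timedelta(hours=3))
```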

Working with cloud applications generally means that organizations no longer have user and access management in their own hands, and that the rules and service level agreements of the cloud applications apply. User and access management are of secondary importance to business requirements. If it is requisite for an organization to have control of user and access management, there are third-party developers that provide software solutions to ease the transition to cloud-based applications.


For more information, please visit our website.

Friday, January 24, 2014

HR’s Role in Identity and Access Management

In today’s complex business environment, one task that can seem more elusive to automate than it actually is, is granting employees access to the company’s network, email system and other applications.

In most organizations, paper forms or emails are sent from hiring managers to members of the HR or IT departments to initiate this process. The result is manual entry into each application needed for on-boarding, and delays of a few hours to several days or weeks before an employee actually has full access to all systems and can work within the organization’s internal systems.

In the meantime, newly hired employees never reach the productivity levels they could have reached had their rights been established properly from the beginning. The result is often waning enthusiasm of employees for their new job because they’ve become mired in the system.

A similar scenario often unfolds when an employee leaves the organization. Phone calls and emails start the process of deactivating the access rights, but delays and lapses are inevitable and can lead to a huge security risk, as accounts remain active long enough for the departing employee to access private organizational information.

Solving the New Hire Access Dilemma

In the vast majority of cases, members of the HR department are the first or second to know when an employee is to be hired. The department’s employees typically enter the new hire’s profile into the HR department’s corresponding system with all appropriate data (department, employee number, manager, etc.), and in some cases they send an email to the IT department letting them know that a network access account and email need to be created. The IT department may need to go back to the hiring manager for approvals and any special access instructions that must be met.

An automated process can use the simple entry of the new employee record in the HR system to trigger creation of the account in Active Directory and the email application. Further, a workflow process can be started whereby the hiring manager receives the employee’s log-in credentials and a link to an internal website where special access can be requested. Once the manager completes the form, a further workflow can be sent if additional approval levels are required, with the final step being a notification for IT to finish the provisioning.

For example, Lifestyle Hearing, a Hawkesbury, Ontario-based company with 70 locations throughout Canada, automated this very process. The company rapidly expanded to more than 130 employees, which created many complications for the IT group. New departments and roles also needed to be created and formed on a regular basis. Since it started as a small company, many employees had responsibilities that spanned several roles, and these roles required definition as the company grew.

This meant that user accounts needed to be created in multiple systems and tighter controls needed to be put in place. The task took about 30 minutes per employee, but only if all the correct information was provided from the beginning. If not, the employee needed to be tracked down in an attempt to get the information, and IT had to wait for a response, which could take an unlimited amount of time.

Lifestyle Hearing administrators knew it was critical to ensure all information was correct, but the process took too much time from too many people for it to be productive or worthwhile and had become a major drain on the organization.

Prior to putting an automated system in place, IT was a bottleneck because employees in the department often had to handle other important tasks and were not able to create accounts quickly for new employees. By automating their account management processes, HR now has controlled access through a web-based form to create an account, which allows the IT department to easily enter the employee’s information, define user profiles and determine which systems they need access to.

Lifestyle Hearing previously had a four- to five-day window for employee account creation, but by automating, employees are now able to have their accounts before their first day and start working on day one.

Expediting Employee Access Termination

Equally important to providing new employees with prompt network access is ensuring that employees leaving an organization have their access to network accounts, email and other applications revoked in a timely fashion. While most employees leave on good terms, an upset or contentious employee can potentially cause damage to data or perform a mass emailing to clients, among other malicious actions.

By automating, a manager can visit a web page and immediately revoke network and email account access for terminated employees, or can enter a termination date in the HR system and have an automated process kick off on the appropriate date.

It is critical to the organization that departing employees have their access rights terminated in a timely fashion. To ensure this process runs smoothly, managers can access forms that allow them to search for an employee and revoke rights on demand. Another process runs once this action occurs to ensure emails are forwarded to the correct manager and any files left on the network are shared appropriately for review. This ensures continuity for any clients or projects the terminated employee may have been working with.

As the HR department is always involved with employee hiring and terminations, it makes sense to have them involved in the process of granting and revoking network and email access. Available systems make the impact negligible, so as not to occupy more of the HR professional’s valuable time.

For more information, please visit our website.

Friday, January 17, 2014

Connecting National Geographic Employees Globally

National Geographic, the 125-year-old worldwide non-profit, has more than 1,400 full- and part-time employees, and hundreds of contractors working at its headquarters in Washington, DC and in remote offices throughout the world. However, the company faced the very real problem of coordinating all their employees. This is how they solved their dilemma…

Nat Geo’s employees must access several cloud applications, each with different credentials, to perform their daily duties. In addition, because of the hundreds of contractors the company employs, the IT department has to deal with a high turnover rate of user accounts and manually ensure access is revoked once an employee moves on.

The situation was so out of hand that IT administrators were manually creating 10 new accounts for employees each day and deleting five others at the same time. The process was overwhelmingly time-consuming and inefficient, especially for such a geographically diverse organization.

“Since each of the organization's different locations publishes the content in their own language, our employees need to have access to the work resources,” said Dan Backer, director of campus technology at National Geographic.

Such a task was a tall order, especially since most of the IT administration and help desk-related tasks were taking place in Washington, DC.

This is a situation taking place at a variety of companies around the world

Like the thousands of other organizations with employees at various locations throughout the world, National Geographic faced a variety of issues when employees lost access to their accounts, either because they were locked out or because they forgot them.

When employees were unable to take corrective actions to get themselves back to work because the help desk was closed or unreachable as it was located in a different time zone, productivity was lost and other issues developed.

To ease any password-management issues National Geographic added to their technology repertoire

To use this new technology, employees simply answer predefined security questions that enable them to reset their passwords, even in the middle of the night, without contacting the helpdesk. This ensures that they are able to make a simple change, regain access to their files and get back to work without having to sit around unproductively waiting for the helpdesk to unlock their accounts.

The benefits of using such a technology are obvious, but the company also added an automated account management solution that allows its administrators to connect the PeopleSoft HR system to Active Directory (AD) to read new data twice a day automatically and synchronise it to the directory and Google.

Now, when someone enters a new personnel request, the account management solution automatically creates a new:
  • Google Apps account,
  • AD account,
  • Share drive and personal drive access, and
  • Profile.
The manager in charge then receives an audit trail of all actions and can continue to request additional services needed, such as hardware or mobile devices.

The automated account management solution also assists with automatically deactivating accounts. Once an employee account is disabled in PeopleSoft, the solution automatically disables the AD and Google accounts to ensure the employee no longer has access to any internal accounts, records or information.

The organization also set its solution up to transfer that employee’s personal drive information to the manager, as well as ownership of all of the employee’s work-related Google documents. For organizations with high turnover and those with remote environments, implementing such a tool ensures that any projects that are in process are not lost forever.

According to National Geographic’s Dan Backer, the identity and access management solutions allow the company to serve employees worldwide better and help them address the high turnover of contract employees in a way that is simple and cost effective.

For more information, please visit our website.

Friday, January 10, 2014

Preparing For A Software License Audit

For those anticipating a software license audit in the next year or so, the constant worry is certainly that the number of licenses purchased will deviate from the number of software applications actually used.

Without a solid overview of the relation between purchased licenses and those actually being used, an organization runs the risk of incurring a substantial fine from their software vendor. Added to which, software costs can turn out higher than necessary as some licenses may not be used at all.

This is a common problem for many organizations, and occurs when new employees enter service and the privileges of employees in similar functions are copied to their user accounts. This often includes rights to applications the employee may not actually need.

In other cases, temporary access rights to applications that employees require for a particular project are not revoked once the project has been completed. Or worse still, accounts by employees who have left employment are not terminated. As such, there are a number of reasons why the number of licenses used may not match the number of licenses purchased.

To solve this problem and control license costs while preparing for software license audits, there are several easy and readily available options:

Employ Automated User Provisioning & Role-Based Access Control Tools

Using the human resources system as the source for creating, modifying and removing user accounts and authorizations, employees can be assigned temporary access to the network and the applications they need. In the licensing context, this ensures that the rights of former employees are revoked in a timely fashion.

Combined with role-based access control (RBAC) – a solution that lets administrators assign rights based on the role or title of employees – rights will only be assigned once consensus has been reached on the applications that employees actually require for their daily work.

Use Dashboards To Monitor Software Access & Activity

Provide IT managers and systems administrators with a dashboard that lists the number of times an application has been launched by an employee, the number of minutes the application has been used, as well as the idle time in minutes.

If an application remains unused for a long period, the application can be revoked or the user can be given a warning. The total license costs and the status of used applications can be mapped out using an interface with a facility management system or IT service management system.

Passive Auditing

Periodically communicate with managers and send them an overview of the rights and applications to which their team has access. This reporting can take place, for instance, once every three months or once a year (for the software license audit). Managers can thus conveniently check whether everything is in order and give their approval. They can also make changes, which will be implemented directly.

Making a long story short: when a software license audit is expected and fines or license costs are to be avoided, make sure to take the right precautions. Most of them are simple to implement and can save organizations a great deal of cash, whether in software fines or in payments for unused licenses.

For more information on auditing solutions, please visit our website.