In previous articles we have already looked at what IdM is, how to tell whether your organization needs such a system, what tasks it solves and how to justify the implementation budget to management. Today we will talk about the important stages an organization itself must go through to reach an adequate level of maturity before implementing an IdM system. After all, IdM is designed to automate processes, and it is impossible to automate chaos.

Until a company grows to the size of a large enterprise and accumulates a host of different business systems, it usually does not think about access control. As a result, its processes for obtaining rights and controlling privileges are unstructured and hard to analyze. Employees submit access requests however they see fit; the approval process is likewise not formalized, and sometimes it simply does not exist. It is impossible to quickly find out what access an employee has, who approved it and on what basis.
Given that access automation involves two main aspects, personnel data and the data of the information systems to be integrated, we consider the following steps necessary for an IdM implementation to go smoothly and not provoke rejection:
- analysis of personnel processes and optimization of how the employee database is maintained in personnel systems;
- analysis of the data on users and rights, and updating of the access control methods in the target systems planned for connection to IdM;
- organizational measures and staff involvement in preparing for the IdM implementation.
HR data
There may be one source of personnel data in an organization, or several. For example, an organization may have a fairly wide branch network, with each branch using its own personnel database.
First of all, it is necessary to understand what basic data about employees is stored in the personnel records system, what events are recorded, and to assess their completeness and structure.
It often happens that not all personnel events are recorded in the personnel source (and even more often they are recorded late and not quite correctly). Some typical examples:
- leave, its categories and duration (regular or extended) are not recorded;
- part-time work is not recorded: for example, an employee on long-term parental leave may at the same time be working part-time;
- the actual status of a candidate or employee has already changed (hiring / transfer / dismissal), but the order for that event is delayed;
- an employee is moved to a new full-time position through dismissal and rehiring, while the personnel system holds no indication that this is a technical dismissal.
Special attention should also be paid to assessing data quality, since any errors and inaccuracies coming from a trusted source, which is what personnel records systems are, can later prove costly and cause many problems during the IdM implementation. For example, HR staff often enter employees' positions into the personnel system in different formats: upper and lower case letters, abbreviations, a varying number of spaces, and so on. As a result, the same position can end up recorded in the personnel system in the following variations:
- Senior manager
- senior manager
- senior  manager (with a double space)
- Sr. manager…
We also often have to deal with differences in the spelling of the full name:
- Shmeleva Natalia,
- Shmeleva Natalia Gennadievna…
For further automation, such a jumble is unacceptable, especially if these attributes serve as the key identification attribute, that is, an employee's data and their privileges in the systems are matched precisely by full name.
In addition, do not forget that the company may have employees with the same surname, or even with identical full names. In an organization of a thousand employees there may be few such coincidences, but with 50 thousand this can become a critical obstacle to the correct operation of the IdM system.
Summarizing the above, we conclude that the format of data entry into the organization's personnel database should be standardized. The input parameters for name, position and department should be clearly defined. The best option is for the HR officer not to enter data manually but to select it from a previously created reference book of departments and positions using the “select” function available in the personnel database.
To avoid later synchronization errors and manual correction of discrepancies in reports, the preferred way to identify employees is to assign an ID to each employee of the organization. Such an identifier is assigned to every new employee and appears both in the personnel system and in the organization's information systems as a mandatory account attribute. It does not matter whether it consists of digits or letters; the main thing is that it is unique for each employee (for example, many use the employee's personnel number). In the future, this attribute will greatly simplify linking an employee's data in the personnel source with their accounts and privileges in the information systems.
So, all the steps and mechanisms of personnel record-keeping will need to be analyzed and put in order. Some processes may have to be changed or modified. This is tedious and hard work, but it is necessary: otherwise the lack of clear and structured data on personnel events will lead to errors during automatic processing. In the worst case, unstructured processes cannot be automated at all.
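As an added illustration (not code from the article), the checks below run over a constructed HR export: they collapse the position spellings listed above into one reference-book value, report full names shared by several employee IDs, and contrast matching an account by name with matching it by the unique ID attribute. The employee IDs, names and the abbreviation table are assumed.

```python
import re
from collections import defaultdict

# Constructed sample HR export (not real data): one position entered four ways,
# and two employees who share a full name. Employee IDs are invented.
HR_ROWS = [
    {"emp_id": "00117", "name": "Shmeleva Natalia", "position": "Senior manager"},
    {"emp_id": "00342", "name": "Shmeleva Natalia", "position": "senior manager"},
    {"emp_id": "00401", "name": "Ivanov Petr", "position": "senior  manager"},
    {"emp_id": "00555", "name": "Sidorov Oleg", "position": "Sr. manager"},
]

# Abbreviation table that a reference book of positions would hold (assumed).
ABBREVIATIONS = {"sr.": "senior", "st.": "senior"}


def canonical_position(raw):
    """Collapse case, spacing and known abbreviations into one reference-book value."""
    tokens = re.sub(r"\s+", " ", raw.strip().lower()).split(" ")
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)


def position_variants(rows):
    """Map each canonical position to the distinct raw spellings found for it."""
    variants = defaultdict(set)
    for row in rows:
        variants[canonical_position(row["position"])].add(row["position"])
    return {key: sorted(values) for key, values in variants.items()}


def name_collisions(rows):
    """Full names shared by more than one employee ID: unsafe as a matching key."""
    ids_by_name = defaultdict(set)
    for row in rows:
        ids_by_name[row["name"]].add(row["emp_id"])
    return {name: sorted(ids) for name, ids in ids_by_name.items() if len(ids) > 1}


def match_by_name(rows, account):
    """Linking by full name: returns every HR record that matches, which may be several."""
    return [row for row in rows if row["name"] == account["name"]]


def match_by_id(rows, account):
    """Linking by the unique employee ID: exactly one HR record, or an error."""
    hits = [row for row in rows if row["emp_id"] == account["emp_id"]]
    if len(hits) != 1:
        raise LookupError(f"expected one HR record for {account['emp_id']}, got {len(hits)}")
    return hits[0]
```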
Target systems
At the next stage, we need to figure out how many information systems we want to integrate into the IdM structure, what data about users and their rights are stored in these systems and how to manage them.
Many organizations believe that they will install IdM, set up connectors to the target systems, and with a wave of a magic wand everything will work without any additional effort on their part. Alas, that is not how it happens. In companies, the landscape of information systems develops and grows gradually. Each system may take a different approach to granting access rights, that is, expose different access control interfaces. In some, management is done through an API (application programming interface), in others through the database using stored procedures, and in some there may be no interaction interface at all. Be prepared for having to revise many of the existing processes for managing accounts and rights in the organization's systems: change data formats, modify interaction interfaces in advance, and allocate resources for this work.
Role model
You will probably come across the concept of a role model at the stage of selecting an IdM solution vendor, as it is one of the key concepts in access rights management. In this model, access to data is granted through roles. A role is the minimal set of accesses an employee in a certain position needs in order to perform their functional duties.
Role-based access control has several undeniable advantages:
- simple and efficient assignment of identical rights to a large number of employees;
- prompt change of access for employees with the same set of rights;
- elimination of redundant rights and separation of incompatible powers among users.
The role matrix is first built separately in each of the organization's systems and then scaled to the entire IT landscape, where global business roles are formed from the roles of each system. For example, the business role “Accountant” will include several separate roles, one for each information system used in the enterprise's accounting.
Recently it has been considered best practice to create a role model at the stage of developing applications, databases and operating systems. Nevertheless, there are often situations where roles are not configured in a system or simply do not exist. In that case the system administrator has to enter the account information into several different files, libraries and directories that grant the necessary permissions. Using the same predefined roles instead makes it possible to grant privileges for a whole set of operations in the system on complex composite data.
Roles in an information system are, as a rule, distributed by position and department according to the staff structure, but they can also be created for particular business processes. For example, in a financial organization several employees of the settlements department hold the same position: operator. But within the department there is a further split into separate processes by type of operation (external or internal, in different currencies, with different segments of the organization). For each business area of the one department to get access to the information system with the required specificity, the rights must be placed in separate functional roles. This provides a minimal sufficient set of powers, without redundant rights, for each of the activities.
In addition, for large systems with hundreds of roles, thousands of users and millions of permissions, it is good practice to use a role hierarchy and privilege inheritance. For example, the parent role Administrator inherits the privileges of the child roles User and Reader, since an Administrator can do everything a User and a Reader can, plus has additional administrative rights. With a hierarchy there is no need to re-specify the same rights in several roles of a single module or system.
At the first stage, you can create roles in those systems where the number of possible combinations of rights is not very large and, consequently, a small number of roles is easy to manage. These may be the typical rights required by all company employees for widely used systems such as Active Directory (AD), mail systems, Service Manager and the like. The role matrices created for these information systems can then be incorporated into a common role model by combining them into business roles.
With this approach, when the IdM system is later implemented, it will be easy to automate the entire process of granting access rights based on the roles created at the first stage.
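The following is an added example, not code from the article or from any IdM product. It models the role hierarchy and business-role composition described above in a constructed catalogue (system names, permission strings and the incompatible pair are assumed) and runs the two checks the article expects a role model to support: finding rights a role re-specifies although it already inherits them from a parent, and finding incompatible powers that meet in one business role.

```python
# Constructed role catalogue (not from any real product): per system, each role lists
# its own permissions and the parent roles whose rights it inherits.
SYSTEM_ROLES = {
    "accounting": {
        "Reader":        ({"ledger:read"}, []),
        "User":          ({"ledger:post"}, ["Reader"]),
        "Administrator": ({"ledger:close_period", "user:manage"}, ["User"]),
        # Auditor re-specifies ledger:read even though it inherits it from Reader.
        "Auditor":       ({"ledger:read", "ledger:approve"}, ["Reader"]),
    },
    "ad": {"Domain User": ({"logon"}, [])},
}

# Business roles are composed from per-system roles, as the article describes.
BUSINESS_ROLES = {
    "Accountant":       [("accounting", "User"), ("ad", "Domain User")],
    "Chief Accountant": [("accounting", "Administrator"), ("accounting", "Auditor"),
                         ("ad", "Domain User")],
}

# Powers one person must not hold together: (system, permission A, permission B). Assumed.
INCOMPATIBLE = [("accounting", "ledger:post", "ledger:approve")]


def effective_permissions(system, role):
    """Own permissions plus everything inherited through the parent chain."""
    own, parents = SYSTEM_ROLES[system][role]
    perms = set(own)
    for parent in parents:
        perms |= effective_permissions(system, parent)
    return perms


def business_role_permissions(name):
    """Flatten a business role into (system, permission) pairs."""
    return {(sys, perm) for sys, role in BUSINESS_ROLES[name]
            for perm in effective_permissions(sys, role)}


def redundant_rights(system):
    """Permissions a role lists itself although a parent role already grants them."""
    result = {}
    for role, (own, parents) in SYSTEM_ROLES[system].items():
        inherited = set().union(*(effective_permissions(system, p) for p in parents))
        if own & inherited:
            result[role] = own & inherited
    return result


def sod_violations(name):
    """Incompatible powers that end up together in one business role."""
    perms = business_role_permissions(name)
    return [(s, a, b) for s, a, b in INCOMPATIBLE if (s, a) in perms and (s, b) in perms]
```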
NB Do not try to include as many systems as possible in the integration right away. Systems with a more complex architecture and access rights management structure are better connected to IdM in semi-automatic mode at the first stage: that is, on the basis of personnel events, only the access request is generated automatically, and the administrator executes it and sets up the rights manually.
After the first stage has been completed successfully, you can extend the system's functionality to new, more advanced business processes, implement full automation and scale up by connecting additional information systems.
In other words, to prepare for the introduction of IdM you need to assess the readiness of the information systems for the new process and to build in advance the external interfaces for managing accounts and user rights where a system lacks them. You should also work out the phased creation of roles in the information systems for integrated access control.
Organizational events
Do not discount the organizational aspects. In some cases they can play a decisive role, because the outcome of the whole project often depends on effective interaction between departments. To that end, we usually advise creating a team of process participants in your organization that includes all the departments involved. Since this is an extra burden for people, try to explain in advance to all participants in the future process their role and importance within the interaction structure. If you “sell” the idea of IdM to your colleagues at this stage, you will avoid many difficulties later.

Often the “owners” of an IdM implementation project in a company are the information security or IT departments, and the opinion of the business units is not taken into account. This is a big mistake, because only they know how and in which business processes each resource is used, who needs access to it and who does not. Therefore, at the preparatory stage it is important to establish that the business owner is responsible for the functional model on the basis of which the sets of user rights (roles) in the information system are developed, and for keeping those roles up to date. The role model is not a static matrix that is built once and then forgotten. It is a “living organism” that must constantly change, be updated and develop, following changes in the organization's structure and in the functions of its employees. Otherwise, either problems with delays in granting access will begin, or, worse, information security risks associated with excessive access rights will arise.
As the proverb goes, “a child with seven nannies is left without an eye”, so a company should develop a methodology describing the architecture of the role model and the interaction and responsibility of the specific process participants for keeping it up to date. If a company has many areas of business activity and, accordingly, many divisions and departments, then for each area (for example, lending, operations, remote services, compliance and others) individual curators should be appointed within the role-based access control process. Through them it will be possible to promptly receive information on changes in the unit's structure and the access rights required for each role.
It is essential to enlist the support of the organization's leadership to resolve conflicts between the departments participating in the process. Conflicts in the implementation of any new process are inevitable, as our experience shows. Therefore an arbitrator is needed who will resolve possible conflicts of interest, so that time is not wasted on someone's misunderstanding or sabotage.
NB A good starting point for raising awareness is staff training. A detailed walkthrough of how the future process will work and of each participant's role in it will minimize the difficulties of transitioning to the new solution.
Check list
To sum up, here are the main steps an organization planning to implement IdM should take:
- clean up the personnel data;
- introduce a unique identification attribute for each employee;
- assess the readiness of the information systems for the IdM implementation;
- develop access control interfaces for the information systems where they are absent, and allocate resources for this work;
- develop and build a role model;
- build a role model management process and include curators from each business line;
- select several systems for initial connection to IdM;
- create an effective project team;
- enlist the support of company management;
- train staff.
The preparation process can be difficult, so if there is an opportunity, involve consultants.
Implementing an IdM solution is a difficult and crucial step, and its success requires both the efforts of each side individually (employees of the business units, IT and information security services) and the interaction of the whole team. But the effort is worth it: after IdM is introduced in the company, the number of incidents related to excessive privileges and unauthorized rights in information systems falls; staff downtime caused by missing or long-awaited rights disappears; and thanks to automation, labor costs fall and the productivity of the IT and information security services rises.