Blog

The Identity Management Struggle: Overpromised, Underdelivered, and How to Fix It

April 4, 2024

In the world of identity management, the struggle is real. Identity management involves controlling and managing user identities, access rights, and privileges within an organization. At YeshID, we've seen it all: from Google App Scripts built inside Sheets to Notion databases, full of outdated and fragmented documentation. We’ve seen people who have unexpectedly inherited the identity management job and people spending all their time reacting to HR onboarding and offboarding surprises. We’ve seen managed service providers with creative solutions that too often fall short. And we’ve seen IAM vendors overpromising integration and seamless system management and delivering upgrade prices and uncontrolled manual processes.It's like a tangled web of issues that can leave you feeling trapped and overwhelmed. The result? A complex set of challenges that can hinder productivity, security, and growth:

  • Workflow Issues
    • Redundant Workflows: You have workflows dedicated to verifying automation, manually handling unautomatable tasks, and fine-tuning access in each app, including sending requests and reminders to app owners and the time-consuming quarterly access reviews.
    • Workflow Dependencies: Intertwined workflows make it hard to untangle them, leading to a domino effect when changes are made.
    • Bottlenecks and Delays: Manual steps and the need to chase approvals slow down processes, causing frustration and reduced efficiency.
  • Data Management and Accuracy
    • Data Inconsistency: Manual intervention and multiple workflows increase the likelihood of data inconsistencies, such as discrepancies in user information across different systems, leading to confusion and potential security risks.
    • Email Address Standardization: Maintaining a consistent email address format (e.g., firstName.lastName@) can help with organization, but ensuring conventions are followed can be complex, especially as the organization grows..
  • Security
    • Secure Access: Enforcing secure access practices is non-negotiable, but it's an uphill battle, including:
      • MFA: Multi-Factor Authentication adds protection against compromised credentials, but getting everyone to comply can be a challenge.
      • Secure Recovery Paths: Ensuring account recovery methods aren't easily exploitable is crucial, but often overlooked, leaving potential gaps in security..
      • Principle of Least Privilege: Limiting user permissions to only what's necessary for their roles is a best practice, but permissions can creep up over time, leading to excessive access rights and failing compliance audits.
      • Regular Updates and Patching: Keeping systems updated and patched is essential to address vulnerabilities and maintain a secure environment.
  • Compliance
    • Compliance Concerns: Meticulously designing workflows to collect evidence that satisfies compliance and regulatory requirements is time-consuming and often confusing.
  • Operational and Growth Challenges
    • Knowledge Silos: Manual processes mean knowledge is held by a few individuals, creating vulnerabilities and making it hard for others to step in when needed, hindering business continuity.
    • Audit Difficulties: A mix of automated and manual workflows without proper documentation makes audits challenging and prone to errors, increasing the risk of non-compliance.
    • Difficulty Scaling: As the organization grows, the complexity of fragmented processes hinders growth potential, making it difficult to onboard new employees and manage access rights efficiently.
    • Complex Offboarding: Workflows must ensure proper, gradual account removal to balance security, archiving, business continuity, and legal compliance concerns.
    • Mandatory Training: Tracking mandatory training like security awareness within the first month of employment is an ongoing struggle.
    • Group and OU Assignments: Correctly placing users in groups and organizational units is key for managing permissions, but automating this requires careful alignment between automation rules and the company's organizational structure, which can be challenging to maintain.

Recommendations: Untangling the Web

YeshID’s YeshList gives you a way to untangle the process web organizing centrally, distributing the workload, and coordinating actions.

  • Implement Company-Wide Accountability
    • Establish a regular cadence for an access review campaign to ensure permissions are regularly reviewed and updated.
    • Create a simple form for managers to review access for their team members, making it easy for them to participate in the process.
    • Use a ticketing system or workflow tool to track requests and ensure accountability, providing visibility into the status of each request.
  • Embrace Role-Based Access Control (RBAC)
    • Design granular roles based on common job functions to streamline access granting, reducing the need for individual access requests.
    • Track roles in a spreadsheet, including Role Name, Description, Permissions Included, and Role Owner, to maintain a clear overview of available roles and their associated permissions.
    • Upgrade to Google Groups for decentralized role ownership, employee-initiated join requests, and automation possibilities, empowering teams to manage their own access needs.
    • Use RBAC to speed up audits by shifting focus from individual permissions to role appropriateness, simplifying the audit process.
    • Tool Examples: Google Workspace allows custom roles, but other identity management solutions may offer more robust RBAC capabilities.
  • Conduct Regular Application-Level Access Reviews
    • Periodically review user access within each critical application to close potential security gaps and ensure that access rights align with job requirements.
    • Restrict access to applications using your company's domain to improve security and prevent unauthorized access from external accounts.
    • Utilize tools like Steampipe or CloudQuery to automate the integration of application access lists with your employee directory, enabling regular comparisons and alerts for discrepancies, saving time and reducing manual effort.
  • Invest in Centralized Workflow Management
    • Consolidate Workflows: Map existing processes, find overlaps, and merge them within a centralized tool.
    • Prioritize High-Impact Automation First: Target repetitive, time-consuming tasks to get the most value.
  • Prioritize Data Standardization and Integrity
    • Define clear rules for email addresses, naming, and data entry, and enforce them during account creation to maintain data consistency across systems.
    • Implement input validation to catch inconsistencies early, preventing data quality issues from propagating throughout the organization.
    • Schedule data hygiene checks to identify and correct discrepancies between systems.
    • Use a tool or script for account creation to ensure consistency.
  • Strengthen Security with Key Enhancements
    • Mandate MFA for all accounts.
    • Review Recovery Methods: Favor authenticator apps or hardware keys over less secure methods.
    • Regularly review user access levels and enforce least privilege principles.
    • Use your company's Identity Provider (IdP) for authentication whenever possible to centralize access control and simplify user management.
  • Make Compliance a Focus, Not an Afterthought
    • Document Workflows Thoroughly: Include decision points and rationale for auditing purposes.
    • Build requirements for proof of compliance directly into your automated workflows.
  • Tackle Operational Challenges Head-On
    • Reduce errors with in-workflow guidance, providing clear instructions and prompts to guide users through complex processes.
    • Cross-train IT team members to reduce single points of failure.
    • Develop templates for recurring processes to streamline efforts and ensure consistency.
  • Democratize Identity Management
    • Empower employees and managers to resolve access requests whenever possible through:
      • Automated Approval Workflows: Set up workflows with pre-defined rules to grant access based on criteria.
      • Manager Approvals: Delegate access request approvals to direct managers for their teams.
      • Self-Service Access Management: Consider a self-service portal for employees to request and manage basic access needs.
      • Empowered Employees and Managers: Enable employees and managers to add or remove employee accounts for specific apps as needed.

The Light at the End of the Tunnel

As you evaluate solutions, keep these factors in mind:

  • Cost-Effectiveness: Prioritize solutions with free tiers or flexible pricing models.
  • Ease of Use: Choose tools with intuitive interfaces to encourage adoption.
  • Scalability: Ensure solutions can grow with your company.

Identity management is a critical aspect of any organization's security and operational efficiency. By recognizing the common challenges and implementing the recommendations outlined in this post, you can untangle the web of identity management struggles and create a more streamlined, secure, and efficient process.YeshID Orchestration is here to help you on this journey, bringing Identity and Automation closer together for a more dedicated, consolidated, and simple solution. Don't let identity management hold you back any longer – take control and unlock the full potential of your organization today. Try for free today!

Recent Posts
How to Meet SOC 2 Access Review Requirements - A Startup's Toolkit
YeshID Monthly Release Notes: October 2024
Introducing Access Review: Simplify your compliance journey
🚀 YeshID Monthly Release Notes: : September 2024
Transforming Onboarding and Security Efficiency at Cyberhaven
Ready to take control of your identity access management?
Sign up