What Is Provisioning and Deprovisioning?
Provisioning is the process of making information technology (IT) systems available to users. Depending on your organization’s needs, provisioning can be defined at the network, server, application, and user level:
- Network provisioning involves setting up a network that can be accessed by users, servers, and devices. The telecommunications industry, for example, uses network provisioning to provide customers with wireless solutions.
- Server provisioning is the process of setting up a server that can be used within a network. This may include creating a new machine, putting physical hardware in a data center, installing and configuring software, and connecting to networks and storage.
- Application provisioning is an infrastructure management solution that allows administrators to optimize performance for various environments within an enterprise.
- User provisioning is the process of managing digital identities, which includes creating, updating, and removing rights and permissions to a business’s applications, files, networks, systems, and resources.
Deprovisioning is the process of removing user access to software and network services. Put simply, it’s the exact opposite of provisioning—and typically occurs when employees change roles or leave a company.
Both provisioning and deprovisioning play an important role in securing IT systems and applications, but effective and automated user provisioning should be top of mind for any organization that wants to enhance its security posture.
Why user provisioning and deprovisioning matter
When a new employee is hired, one of the first things an organization does is create a record of that employee. It then becomes the responsibility of HR, IT, or a combination of the two teams, to provide that employee with access to all of the apps, accounts, and systems they need to do their job.
User provisioning, therefore, takes place whenever information is added or amended in your organization’s HR systems: this includes the addition of team members, role changes, promotions, and department transfers, among other things. In other words, user provisioning helps you provide the right level of access to the right users during onboarding, update access throughout employment, and—during the deprovision process—remove access when an employee leaves the organization.
What is automated provisioning and what are its benefits?
Automated provisioning means making the manual processes of onboarding and offboarding users automatic. In organizations both big and small, automated user provisioning frees up IT and HR to work on more strategic tasks, prevents gaps in security by minimizing the impact of human error, and provides better user experiences.
Manually updating individual user profiles, account privileges, and group memberships requires time, especially as employees need access to more workplace applications than ever. Not only that, but the process can get delayed if IT teams are busy working on other projects. This can prevent new users from being onboarded quickly, stall the granting or removal of access rights, and make it harder to monitor and identify irrelevant permissions. Automated provisioning and deprovisioning take this pressure off IT’s shoulders, allowing everyone to spend time on projects that drive business value.
By automating user provisioning, you can also eliminate some of the gaps in access management that could leave your business vulnerable to security breaches. Manually creating user accounts means that someone within an organization must share a password with an employee, likely through a very insecure channel such as an email or a sticky note. Similar instances of human error may also pose a threat to security. For example, users could accidentally be provisioned to systems and data that they shouldn’t have access to, or still have access once they leave your organization.
Automating user provisioning and deprovisioning removes these risks, providing individuals with permissions in a safe and private manner. The process ensures that a user is provisioned for on-premises and external apps based on their role’s attributes. These attributes and permissions are then stored in one central location, ensuring they can be easily modified as an employee’s role changes. When departments or teams implement a new tool or modify employees’ entitlements, access can also be rolled out based on group rules.
Automatic IT provisioning gives users access only when it is necessary, preventing any security gaps that hackers could exploit to gain unauthorized access to sensitive corporate information.
Basic steps for establishing a user provisioning system
Before your organization can automate user provisioning and deprovisioning, it first needs to identify the problems to be solved and develop a use case. It’s also a good idea to test the solution before rolling it out across your organization.
Step 1: Assess your identity and access management
The first step is to define your provisioning needs and assess the quality and maturity of your current identity management program. There are three things to consider:
- People: Do your employees know what user provisioning means and what their responsibilities are? Is your access management solution easy to use?
- Process: What is your current end-to-end process for provisioning, managing, and deprovisioning user access? Does it create or eliminate administrative burdens?
- Technology: How comprehensive, secure, and usable is your business’s technology? Does the system immediately respond to a user’s role?
Understanding your organization's current provisioning system—as well as the time and resources required to maintain it—can help you identify next steps.
Step 2: Develop a business case for user provisioning
User provisioning is not a simple process that will immediately deliver results. Before implementing a solution, you should have a comprehensive business case that explains how it will help the organization to increase productivity and decrease risk, save time and money, improve user experiences, and ease employee lifecycle management.
Businesses with hundreds or even thousands of applications can easily become overwhelmed by managing user access. The business case should therefore prioritize and inventory critical systems and resources.
Step 3: Launch a pilot program
It’s important to trial user provisioning with a pilot program. This involves getting the buy-in of key executives to encourage employee participation, then selecting a group of initial users of varying seniority from different business units across the organization.
There are four things you should consider for a pilot program:
- Scope: Identify the systems and users that will be impacted.
- Duration: Set a schedule for the pilot program, allowing enough time to monitor and make required changes.
- Outcomes: Outline key metrics that will help indicate whether the pilot program has been successful. These should include time saved, productivity, and enhanced user experiences.
- Feedback: Gathering opinions from users involved in the pilot program can help pinpoint the solution’s strengths and weaknesses. This can be done simply and anonymously via tools like SurveyMonkey.
Step 4: Launch user provisioning across the organization
Once you have put the insights from the pilot program into practice, you’ll be ready to implement user provisioning across the rest of the organization. To ensure the deployment goes as smoothly as possible, get various parties, including the helpdesk, internal audit, and corporate teams, involved in the rollout.
Keep in mind, however, that simply launching automated provisioning and deprovisioning is not enough to deliver long-term success. The program must be monitored on an ongoing basis so as to review the following:
- The amount of user provisioning being completed within a certain timeframe
- The number of requests being handled by the helpdesk—these should decrease over time
- Internal audit findings related to user access
- User feedback, which should be acted upon to continually enhance experiences
Best practices for user provisioning
The following best practices are crucial to secure and successful user provisioning.
Enable automated provisioning and deprovisioning
Employee access requirements evolve as they get promoted, switch teams, use new devices, adopt various new software tools, and leave the business. It’s also very likely that organizations will restructure or work temporarily with contractors and partners that require limited access to systems and networks.
Automating provisioning and deprovisioning is crucial to preventing mistakes in granting access. The process can also save IT huge amounts of time, remove the risk of human error and unnecessary frustration, and ensure that only the right people have access to files and systems at all times.
Layer on extra security
In addition to managing individual user access, user provisioning software can help your HR and IT teams control access, application roles, and security policies across departments and other groups—which further secures IT systems. Group rules enable admins to set policies that determine membership, application permissions, provisioning, and more. Users can also easily be provisioned to third-party apps using features like group push.
Monitor continuously
Provisioning errors pose a threat to productivity, and could also compromise compliance and security by providing users with higher access rights than they should have. Businesses must continuously monitor users’ access and run regular reports that enable them to confirm user access, check assignments, and detect orphan accounts.
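The access report described above, combined with the role-based rules from the automated provisioning section, can be sketched as a reconciliation between HR records and the accounts that actually exist. This is an added example, not code from the original article or from any vendor's product; every user, role, app name and rule in it is constructed for illustration.

```python
# Constructed sample data: HR is treated as the source of truth.
HR_RECORDS = {
    "alice": {"status": "active", "role": "engineer"},
    "bob": {"status": "active", "role": "sales"},
    "carol": {"status": "terminated", "role": "engineer"},
}

# Hypothetical group rules: role attribute -> entitlements it grants.
ROLE_ENTITLEMENTS = {
    "engineer": {"vpn", "git", "ci"},
    "sales": {"vpn", "crm"},
}

# Constructed export of accounts as they exist in downstream applications.
APP_ACCOUNTS = [
    {"user": "alice", "app": "git"},
    {"user": "alice", "app": "vpn"},
    {"user": "bob", "app": "crm"},
    {"user": "bob", "app": "git"},        # left over from a previous role
    {"user": "carol", "app": "vpn"},      # leaver never deprovisioned
    {"user": "svc-backup", "app": "ci"},  # no HR record at all
]


def reconcile(hr, rules, accounts):
    """Compare actual accounts with what HR status and role allow."""
    actual = {}
    for acct in accounts:
        actual.setdefault(acct["user"], set()).add(acct["app"])

    report = {"orphan": [], "excess": [], "missing": []}
    for user, apps in sorted(actual.items()):
        rec = hr.get(user)
        if rec is None or rec["status"] != "active":
            # Account with no active owner: candidate for deprovisioning.
            report["orphan"] += [(user, a) for a in sorted(apps)]
            continue
        allowed = rules.get(rec["role"], set())
        report["excess"] += [(user, a) for a in sorted(apps - allowed)]
    for user, rec in sorted(hr.items()):
        if rec["status"] == "active":
            gap = rules.get(rec["role"], set()) - actual.get(user, set())
            report["missing"] += [(user, a) for a in sorted(gap)]
    return report


if __name__ == "__main__":
    for kind, rows in reconcile(HR_RECORDS, ROLE_ENTITLEMENTS, APP_ACCOUNTS).items():
        print(kind, rows)
```

Run on a schedule against real exports, the "orphan" and "excess" lists are the items to review and deprovision, while "missing" shows onboarding gaps.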
Providing access to IT is an ongoing process. Find out how Okta’s Lifecycle Management solution can help you automate user provisioning and deprovisioning and keep your systems secure.