Key Steps for Optimizing Full-Circle Identity Processes
Our last post on identity lifecycle management (LCM) covered common scenarios and actionable tips for perfecting your approach to managing identity data. This week, we’ll review some recommendations for automating employee lifecycle tasks surrounding what’s commonly referred to as “joiner, mover, leaver” (JML) processes. Many IT teams struggle with time-consuming workflows when it comes to staff and contractor onboarding, role changes, offboarding, and everything that happens in between. Each of these events requires a lot of manual effort to get the whole proliferation of users, devices, and apps connected properly.
This burden is exacerbated by the fact that, these days, less and less identity lifecycle decision making is actually contained within the IT department. Increasingly, business app owners are the ones who decide which users get access to what. In addition, many organizations have complex business logic that most identity solutions can’t handle out of the box.
As you’re about to see, our framework for modernizing identity processes with Okta Lifecycle Management covers four archetypes we typically see amongst Okta customers:
Stage 1: Manual Processes
During the earliest stage of LCM maturity, IT teams still handle user account provisioning and deprovisioning processes manually, and as a result, they struggle to scale. You’re often wasting considerable time on low-value “button pushing” work, partly because user lifecycle events (like hiring) aren’t well-coordinated with IT account creation. As a result, new hires rarely get timely access on their first day of work, and terminated users retain access for too long—creating dangerous security risks. If your organization is in this boat, you most likely have orphaned accounts all over the place, no record of provisioning events, and minimal accountability.
As you work to improve your onboarding and offboarding flows, keep in mind that some systems will be perfect for automating, while others might involve untangling or re-engineering business processes first. To prioritize effectively, we recommend that you:
- Take stock of all your current apps and their ownership.
- Survey your team to find out which apps have the most significant JML task load, differentiating apps provisioned via simple, consistent steps from those that require detailed business logic.
- Determine whether a major app purchase (e.g., Office 365) is on the horizon.
- Create a list of 5-10 target apps you want to provision through Okta LCM first.
Stage 2: Basic Automation
Organizations at the next level make inroads by automating their provisioning and deprovisioning processes for apps with the highest ROI. These are usually birthright apps that all of your employees use—like email and shared storage—so accounts don’t need approval chains, complicated entitlements, or other nuanced business logic. At this stage, you’re ready to leverage your primary IT sources of truth (AD and LDAP) to kick off all JML tasks (whether automated or still manual), while your IT team remains hands-on for ad-hoc exceptions like VIP onboarding, hostile terminations, or contractor offboarding.
Proven best practices at stage two include:
- Use triggers from IT sources (e.g., a new user, updated user, or terminated user) to drive provisioning or deprovisioning actions in Okta (e.g., create or remove an account in Okta, Box, Office 365, etc.).
- Configure fully automated on/offboarding for your first 2+ apps, choosing the highest volume tasks that contain the lowest complexity.
- In general, prioritize automated JML for employees, which will reduce orphaned accounts.
Stage 3: Leading Automation
By the time companies reach stage three, they’re successfully increasing productivity and security by driving lifecycle changes from IT sources of truth. At this point, the next big opportunity involves changing that model to one powered by HR systems. HR systems often have the most accurate employee data, so it makes sense to drive your processes from HR triggers such as hiring and terminating. HR systems also track granular lifecycle states, which can initiate workflows for less frequent identity use cases—such as changing access grants due to maternity leave, staging accounts before an employee’s start date, or granting alumni access to limited resources. Lastly, don't forget about offboarding external users who aren't commonly in HR systems. Create policies in your identity system to automatically revoke their access. Together, these changes will eliminate nearly all orphaned accounts.
At stage three, consider the following steps to elevate your game:
- Source identity profiles from your HR system and trigger all identity processes off of lifecycle changes in HR source(s) of truth.
- For external users (who are typically not in HR systems), you can initiate access changes based on preset policies (e.g., suspend after x days of inactivity).
- Automate deprovisioning for your highest risk applications, including:
- Internet-facing applications, such as public cloud apps or homegrown apps running in the cloud
- Critical internal systems that store personally identifiable information (PII), like your payroll system
- Any apps containing sensitive customer data, such as your CRM, ERP, or analytics platforms
Stage 4: Visionary Automation
Today’s evolving workplace dynamics, like the rise of remote and contract work, require more flexible, but also more complex, identity models. Businesses can achieve huge efficiency gains by automating their toughest processes, such as employee rehires, role changes, or time-based or project-based access grants for contractors. At this point in your LCM journey, you’re eliminating nearly all manual effort, although there might still be a small percentage of tasks you can’t automate. For these, you can at least auto-create IT tickets in your ITSM systems (such as ServiceNow) for tracking.
Once you’re ready for a more advanced approach, your next steps should be:
- Leverage the no-code Okta Workflows automation platform for your most complex IT tasks. If necessary, build bespoke JML processes to fit your organization’s needs, using easy-to-build workflows to perform deep, granular actions in your apps (e.g., setting default folder shares in Box when provisioning accounts).
- Auto-populate ITSM tickets with identity data to help facilitate manual tasks (e.g., creating an account in a legacy app like Oracle EBS, JDEdwards, or a custom-built app).
- Enable other departments to create automated workflows, for example:
- Security team regularly extracting identity data for audits
- Security team setting up live notifications for suspicious identity-related activity
- Salesforce admins automating complex assignment of entitlements
As you advance the methods your organization uses to manage both critical identity data and all of the lifecycle processes we’ve described, you’ll quickly see major time savings and scalability benefits. Our last two posts in this series will cover tips for automating access grants and better supporting audits and compliance. Feel free to check out our step-by-step guide in the meantime, and review our additional suggestions surrounding each of the four common stages of lifecycle management maturity.