Closed Loop Provisioning via IDM / ITSM Integration

Aug 03, 2020

Table of Contents

- Introduction
- Challenges With Existing Approaches
  - Governance
  - IT Productivity
  - Security
  - End-User Satisfaction
- Closed Loop Provisioning
  - ITSM as a Provisioning Channel
  - Governance
  - IT Productivity
  - Security
  - End-User Satisfaction
- SCUID Lifecycle / Zendesk Integration
- Conclusion

Introduction

If you’re the CISO (with or without the formal title) for your company, you’re definitely dedicating more than a little bit of your time to getting your arms around how users within your organization (employees, partners, customers) are being provisioned and deprovisioned with assets and application access. Depending on where you are on the maturity curve as an organization, you’re in one of these phases:

- Infancy – All Manual, All The Time. Requests come in via hallway conversations, emails, and text messages. You’re probably the only “approver” in the process and handle all provisioning and deprovisioning personally. Probably because all 20 of you are in the same office. Or apartment.

- Toddlerhood – Your IT team is using an IT Service Management (ITSM) system (Zendesk, ServiceNow, and the like) to track and manage provisioning of laptops along with some staples such as e-mail, calendar, and file sharing. Anything that is being used at the departmental level (CRM, Time and Expense Tracking, Marketing Automation, Financials, Web Site Management, etc.) is being handled out-of-band by whoever is the de facto owner of that system, typically the head of that particular department. As CISO, you have no centralized or automated visibility into who-has-what in those systems.

- Adolescence – You’ve grown up some and deployed an Identity Management (IDM) system as well. Unfortunately, IDM is taking care of one set of apps and assets, ITSM is taking care of a different set, and there are still one-offs being used (“WTF do you mean marketing uploaded all our customer data into a new analytics website!?!?”) that no one is managing except for the self-appointed application owners. You’re having nightmares about someone who has been terminated still having access to the CRM system.

- Teen Years – In between getting ready for your prom and your driver’s test, you’ve actually done some stitching together of your IDM and ITSM systems so that some systems that are not provisioned automatically by your IDM tool can still be requested through it. You’re a long way from where you started, but still face many challenges. Your users complain that they don’t know where to go to get what, and that the UI of the ITSM tool is confusing to them. Your IT staff now has to use multiple interfaces to track their tasks, and you know that can’t end well. And your governance framework is still fragmented across IDM, ITSM, and out-of-band applications.

And this is as far as companies have ever gotten in their maturity, if they’ve even made it this far. Your visibility into who-has-what is not only fragmented, but also incomplete. Users are unhappy because they have multiple places to request things and it’s not always clear to them where they need to go to request what. What’s probably really keeping you up at night (and if it’s not, it should be), is how deprovisioning is being handled in those systems that IDM is not automatically taking care of for you.

You’re stuck in this man-child limbo, with no clear path on how to reach the state of full maturity, where:

- You can run one report and find out who-has-what, regardless of whether it was manually provisioned by your IT team or it was automatically done by IDM

- Your level of visibility runs much deeper than simply knowing someone has an account, extending to fine-grained details about privileges attached to that account

- Your users have one simple interface from which to request any asset or application that the company provides, using terms and names that they are familiar with or can intuit, instead of having to remember tech jargon like “fn.teller_access.desmoines”

- Your IT guys and gals can stick to using only the tools they already know how to use, while still delivering high quality service to your end users.

- You know how to properly order a martini. And drive a stick shift. And have the wisdom to not drive a car (stick or automatic) too soon after having consumed a properly ordered martini.

There is a way to finally grow all the way up. It lies in a concept called Closed Loop Provisioning (CLP) and it relies on intelligent integration between your IDM system and your ITSM system. In this paper, we’ll walk through the challenges at each level of maturity, and how the right type of IDM / ITSM integration can help address those challenges.

Challenges With Existing Approaches

There are several drawbacks to the approaches deployed at the various stages of maturity described above. Each of those drawbacks can have a dramatic effect on your risk and compliance profile, user satisfaction levels, and administrative productivity. The easiest way to spotlight these challenges is by looking at this problem across two dimensions.

Types of users:

1. End-users: Requesters and recipients of hard assets, access to enterprise applications, and other systems they need to do their jobs.

2. IT Staff: Responsible for fulfillment of provisioning and deprovisioning of users with assets and applications

3. Information Security / Compliance: Tasked with ensuring and being able to prove that the right people have access to the right assets and applications at all times.

These three user types each have to interact with multiple systems for requesting, approving, provisioning, deprovisioning, and validating access to company assets and applications:

1. ITSM System: In medium to large size companies, users come to the ITSM portal to request access, generally purely for physical assets like building access, laptops, etc. IT staff also use this system to track their task lists for provisioning and deprovisioning access.

2. IDM system: For companies that have rolled this out, users will also have to come to this portal for requesting logical access to business applications and other resources. For those target systems that are provisioned manually, IT staff will also have to use this system to track their provisioning / deprovisioning tasks for assets requested through this system.

3. “Other”: This refers to the ad-hoc request / approval / provisioning / deprovisioning “system” that is actively in place at every company for handling those target systems that are managed neither by ITSM nor by IDM. This is the process that kicks in when you ask your boss for access to a needed system and she tells you “Bob can set you up with that, just tell him I said it was OK.” You may know this process/tool combination by a more familiar name – email.

The challenge with all the current deployment scenarios in wide use today is that all three user-types have to use all three “systems” to achieve their respective objectives, which creates several critical problems for an enterprise.

Governance:

The InfoSec team has to stitch together reports from both ITSM and IDM to get a view into which users have access to which assets and applications. And even this view is incomplete, because it still gives them no visibility into anything tackled via the ad-hoc process described above. For items that are covered by the ITSM system, the data is usually unstructured (comments provided in the ticket), so correlating this data back into a reporting model and gaining visibility on fine-grained entitlements like roles, groups or access settings is close to impossible. Additionally, all the investment they have made into any type of recertification process is only realized for those applications controlled by IDM.

IT Productivity:

IT administrators use ITSM as their primary tool to track incoming requests and ensure that those get fulfilled in a timely manner. In existing IDM / ITSM integration scenarios, the IT staff also have to periodically look at the IDM system to ensure that they’re covering off their tasks there as well. If they’re “lucky”, their email Inbox is acting as a consolidated dashboard with emails flying in from both systems. This reduces their efficiency and productivity because they’re now responsible for learning a new system, and using both systems for tracking exactly the same types of tasks.

Security:

Crucially, the tasks for IT staff that can languish in the IDM system are typically of the most sensitive type related to deprovisioning departed users from business applications. This creates a dangerous scenario, where the most disgruntled users (e.g. people that have just been terminated) have inappropriate access to critical company systems such as CRM and Finance.

End-User Satisfaction:

Though this problem is perhaps the least “business critical”, end-users typically suffer the most in this type of fragmented environment.

- They have to deal with multiple systems from which to request the things they need which confuses and frustrates them. Typically, they request a laptop from ITSM, request access to business applications from IDM, and reach out directly to application owners for requesting access to one-off (typically SaaS) applications that are used at a departmental or team level.

- Compounding this problem, since there is typically no accountability between IDM and ITSM, their IDM-generated manual requests can go into a black hole with no way for them to track the progress of the request, and no way for IT management to track SLA compliance with the end-user community.

Closed Loop Provisioning

The best way to address all these challenges is to actually integrate your ITSM system with your IDM system, in a concept known as “closed loop provisioning” (CLP). This approach leverages your existing investment in ITSM, optimizes user behavior by funneling each user type to the one correct interface for doing their respective jobs, and gives you tight security and governance across all of your assets, both physical and logical.

A key requirement for this solution is that your IDM solution needs to be able to integrate with ITSM as a provisioning channel. Various IDM vendors provide other types of integrations with ITSM, such as providing strong authentication, single sign-on (SSO), and potentially even provisioning and deprovisioning accounts to the ITSM system. While those are obviously necessary, none of those integration approaches address the challenges laid out in this paper. While they certainly bring the ITSM system itself under governance, they do not address overall governance, security, IT productivity, or end-user satisfaction across the rest of your infrastructure.

ITSM as a Provisioning Channel

The ideal type of integration allows the IDM system to integrate with ITSM for the purpose for which the ITSM system was deployed – to track manual IT tasks and allow IT management to present IT as a set of business services to the rest of the company through the use of SLAs and other metrics.

The right type of IDM / ITSM integration needs to deliver these key pieces of functionality:

1. Establish a mapping between services (as defined in ITSM) and resources (as defined in the IDM platform)

2. Allow managers to “onboard” SaaS applications that they need for their departments into the IDM system, and indicate that they need to be fulfilled via ITSM integration.

3. Expose both the above types of applications from the IDM user interface, so that they can be requested by end-users and approved by the appropriate managers (if necessary). This should include supporting the request and provisioning of fine-grained entitlements through a user-friendly entitlement catalog.

4. Create an appropriate ticket in the ITSM system so that the ITSM’s defined ticket resolution process can kick in.

5. Monitor the status of that ticket for successful resolution, or the appropriate failure codes.

6. Reflect the disposition for that ticket in the IDM engine and UI so that IDM-centric capabilities, such as periodic access recertification, can kick in as needed.

If this type of integration is possible from your IDM system to your ITSM system, then you can deploy a truly integrated solution that addresses all of the challenges we’ve discussed in the following ways:

Governance:

- CISOs and InfoSec staff get total, unfragmented visibility into who-has-what in the enterprise

- Compliance-oriented reporting can all be delivered from one solution

- Expand the umbrella of recertification to apps that are manually provisioned by IT admins

- Provide end-to-end metrics on critical compliance KPIs such as average-time-to-deprovision across all applications, including those that require manual deprovisioning

Security:

- Departmental users that are signing up for SaaS apps in your enterprise environment can now self-add those applications into your existing governance and compliance framework, thereby eliminating a major cause of risk exposure and failed audits.

- Eliminates the “deprovisioning gap” that would exist if applications were being provisioned out-of-band, or via task-tracking in the IDM tool

IT Productivity:

- IT Staff no longer need to bounce between different UIs. They can stay within the one tool that they need to use to do their jobs (ITSM), which happens to be the one they’ve always used, and in which they are well-versed

- IT Management benefits because the existing business processes, SLAs, and other mechanisms and metrics they’ve put in place can now be leveraged for a broader set of corporate assets and applications.

End-User Satisfaction:

- End-users don’t need to be trained in using different portals for requesting different types of assets (building access, hard assets, application access)

- They only need to go to one place, and use a UI that is designed for them, as opposed to an ITSM UI that is primarily designed with IT Administrators in mind

- Ability to track the progress of their pending requests, even for target systems that are manually provisioned by IT administrators.

SCUID Lifecycle / Zendesk Integration

Let’s look at a practical example where Identropy’s SCUID Lifecycle platform for Identity Management (actually, Identity-as-a-Service, or IDaaS) has been integrated with Zendesk’s ITSM platform to deliver CLP capabilities for our joint customers.

1. An IT administrator (or any manager with the appropriate permissions) can go into the SCUID interface and define a new resource, and specify that this resource is to be fulfilled via Zendesk. They will need to supply some basic details about Zendesk as shown below. In this example, RACF is being created as a target application to be provisioned using CLP.

2. Once this resource has been defined within SCUID, an end-user can easily go in and create a request for a RACF account, either for themselves or for other users. In this example, a person named Jim Brown is requesting a RACF account for himself.

3. Once the request has been created, SCUID’s normal approval workflow kicks in, same as it would for any other type of resource. In this example, Jim’s manager, Cindy Clark, needs to approve this request before any provisioning activity can take place.

4. Even after Cindy has approved this request, it still shows as “Pending” within SCUID. This is because the account has not yet been provisioned.

5. Instead, SCUID has created a new ticket within Zendesk to inform the appropriate IT administrator that they need to manually create a RACF account. As we can see below, the details about the user and other details have been passed on so that the person fulfilling this request will have the appropriate context about what is being requested. In this example, the request was routed to a support team member named Kerem Kecel, who manually created the RACF account, and is now updating the ticket and closing it with a status of “Solved”.

6. SCUID has been polling Zendesk on a periodic basis to keep tabs on this ticket. Once it sees that the ticket has been closed in a “Solved” state, it reflects this appropriately in its own interface.
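The request lifecycle that the six integration requirements and the RACF walkthrough above describe, as an added example that is not SCUID’s or Zendesk’s code: a resource-to-service mapping, a ticket raised only after approval, a poll that keeps the request “Pending” until the ticket is solved, and a who-has-what report that covers manually fulfilled resources. The in-memory ticket store standing in for the ITSM API, the “cannot_fulfill” failure tag and the group name are assumptions; “open”, “solved” and “closed” are Zendesk’s ticket status names.

```python
"""Closed-loop provisioning (CLP): IDM request -> ITSM ticket -> poll -> reflect.
Added illustration, not SCUID or Zendesk code. The ITSM side is an in-memory
stand-in; "open"/"solved"/"closed" are Zendesk's ticket statuses, while the
"cannot_fulfill" tag and the group names are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import itertools

# PENDING = approved but ticket still open in ITSM: approval is not access (step 4 above)
State = Enum("State", "AWAITING_APPROVAL PENDING PROVISIONED FAILED")

SERVICE_MAP = {"RACF": "Mainframe Support"}   # step 1: IDM resource -> ITSM service/group

@dataclass
class AccessRequest:
    requester: str
    beneficiary: str
    resource: str
    entitlement: str = "default"
    state: State = State.AWAITING_APPROVAL
    ticket_id: Optional[int] = None

class FakeITSM:   # constructed in-memory ticket store standing in for the ITSM REST API
    def __init__(self):
        self._ids, self.tickets = itertools.count(1001), {}
    def create_ticket(self, subject, body, group):
        tid = next(self._ids)
        self.tickets[tid] = {"subject": subject, "body": body, "group": group,
                             "status": "open", "tags": []}
        return tid
    def resolve(self, tid, status="solved", tags=()):   # what the IT admin does in the ITSM UI
        self.tickets[tid].update(status=status, tags=list(tags))

class ClpEngine:
    def __init__(self, itsm):
        self.itsm, self.requests = itsm, []

    def approve(self, req, approver):
        """Steps 3-4: after approval, raise a ticket carrying full context; state stays Pending."""
        if req.resource not in SERVICE_MAP:
            raise ValueError(f"{req.resource} is not onboarded as a CLP resource")
        body = (f"Create {req.resource} account for {req.beneficiary}; entitlement: "
                f"{req.entitlement}; requested by {req.requester}; approved by {approver}")
        req.ticket_id = self.itsm.create_ticket(
            f"[CLP] {req.resource} access for {req.beneficiary}", body, SERVICE_MAP[req.resource])
        req.state = State.PENDING
        self.requests.append(req)
        return req.ticket_id

    def poll(self, req):
        """Steps 5-6: only a solved/closed ticket without a failure tag means provisioned."""
        if req.state is State.PENDING:
            t = self.itsm.tickets[req.ticket_id]
            if "cannot_fulfill" in t["tags"]:
                req.state = State.FAILED
            elif t["status"] in ("solved", "closed"):
                req.state = State.PROVISIONED
        return req.state

    def who_has_what(self):
        """Governance: one report that also covers resources fulfilled manually via ITSM."""
        out = {}
        for r in self.requests:
            if r.state is State.PROVISIONED:
                out.setdefault(r.beneficiary, []).append((r.resource, r.entitlement))
        return out
```

In the walkthrough, approve() on Jim’s request raises the ticket and poll() keeps returning PENDING until the IT admin resolves the ticket as “solved”, at which point the next poll() flips it to PROVISIONED and the account shows up in who_has_what().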

Conclusion

ITSM and IDM tools have both been designed with their own respective purposes in mind. ITSM tools are designed with the IT administrator in mind, and to help the CIO instrument the IT function to align with business objectives and demonstrate compliance with internal SLAs.

IDM solutions are designed for compliance and governance, and the UIs of modern IDM systems are specifically targeted at end-users that have little or no broad IT knowledge beyond the specific applications they need to do their particular jobs (in sales, finance, HR, etc.).

Too often in the modern enterprise, ITSM and IDM tools are clumsily mashed together by putting some provisioning capability into ITSM and putting IT administrator task management capabilities into IDM tools.

The better solution is to leverage each of those tools for those functions for which they have been respectively designed. As we saw from the practical example in the previous section, with this type of deployment model end-users only ever need to interact with the user-friendly IDM UI, IT administrators can continue to use the more power-user-oriented ITSM UI, and the organization benefits from tighter security and better compliance controls.

To learn more:

Contact us: [email protected]
Follow us: @Identropy
Visit us: www.identropy.com