When considering the security of an enterprise, a key area ripe for automation should be user lifecycle management. The topic is important not only to the security of an organization but also to the overall function of an enterprise. By achieving effectiveness through automation in your user lifecycle management process you will not only increase the productivity of your operational teams through the reduction of work required to manage the user lifecycle, but also add effective security controls to your information security program.
User lifecycle management covers the full array of activities executed during the lifetime of a user at an enterprise. It begins with the initial contact of a prospective employee or business partner to the eventual onboarding of the user into their defined role at the organization. Any changes to user access or status and role at the organization are also covered in the lifecycle. The lifecycle management then comes full circle and is completed through the offboarding process when the user ends their responsibilities at the enterprise.
From a security perspective, user lifecycle management should be an important domain to include in your security program. While many of the operational tasks related to the lifecycle management are associated with Human Resources or Information Technology business units, the need to instill security controls into the related workflows and processes is paramount. This is because, one of the core functions of user lifecycle management pertains to access control which is fundamental to a security program because it deals with the identity, authentication, and authorization of users in the enterprise.
The need to automate the provisioning (creating) or de-provisioning (removal) of tasks related to the user lifecycle management process is derived from ensuring that there is better accountability in the operational tasks associated with access control. To not only have a well-defined lifecycle management process but also to ensure that those processes are initiated through automation, reduces the number of administrative controls required to validate proper completion of tasks and replaces them with more reliable technical controls.
In my previous experiences as a Security Engineer, as well as my current role as an Information Security Architect for Reputation.com, an industry leader in online reputation management providing customers with a full range of solutions to handle their presence online, I have found that any time you replace a reliance on a human task with an automated technical one, the likelihood of a breakdown in the process is reduced. It also frees up the human element to be leveraged in the process in a more intelligent way than previously utilized. Once repeatable tasks can be replaced with automation, the person can be used as a means to validate on a regular basis that the automated technical control has not failed. This is done through measures such as auditing and approval reviews for sensitive circumstances or types of access. Another simple way of looking at this is to use your human staff for intelligent processes and automate the mundane repeatable processes that do not deviate from the norm.
When looking to automate the user lifecycle at an enterprise there are numerous technical tools at your disposal. Whether you choose to leverage internal scripts or programs, or utilize a managed technical solution, is a personal preference pertaining to your available budget and technical skillsets on staff. However, if you implement the tooling to automate user lifecycle management, in my opinion, it is more important to ensure you include a number of key components in your automated lifecycle strategy and technical design, which will support your tooling.
The first component to ensure you incorporate into your lifecycle management should be an all-encompassing source of truth for your user records. Whether this is a directory service or a human resource information system (HRIS), the key is to ensure that it is accurate and continually maintained. Your source of truth should be the foundation of building out user lifecycle management and automate it because it will serve as the starting point for the overall process. In essence, until the user is in your source of truth the lifecycle has not yet begun.
Additionally, access control should be properly built into your strategy. As mentioned above, access control is a key security process and having proper controls in place will ensure you have security baked into your design and automation process. Consider using role-based access control (RBAC) or attribute-based access control (ABAC) as a model for designing your access control component. When I have personally rolled out user lifecycle management automation, I have done a combination of the two. However, relying primarily on RBAC will be easier to implement or at least serve as a starting point for your design.
The final component, which should be included in the lifecycle management strategy should be ensuring that data between your source of truth and any source of records that are utilized by various applications in your enterprise are updated as a part of your automation. This is again important in keeping your source of truth accurate as well as ensuring aspects such as deprovisioning or a status change in the user’s role, function properly. Once these three key components have been worked into your lifecycle management design, the tooling you choose will layer on top and function efficiently. It will also offer a higher level of implementation success and a holistic approach to your workflow and processes.
Automation provides an excellent means to layer repeatable and scalable security controls into an organization. By automating the user lifecycle management process you can ensure better accountability into the operational tasks associated with access control in the enterprise. Proper tooling combined with a well-maintained source of truth, an effective access control model and baking in the updating of information between sources allows you to add effective security controls to your information security program.
By Jeff Stein, Information Security Architect, Reputation.com