Automated Lifecycle Management & Easy Compliance with EmpowerID
Probably the most critical component in maintaining Compliant Access is lifecycle management. Not only must you be able to manage who has access to what resources, but you must also be able to track changes across your organization in as close to real time as possible. For many organizations this, and therefore remaining compliant, is a problem. EmpowerID can help.
HR-Driven, Flexible Identity Lifecycle
Once connected to your HR or HCM system, EmpowerID inventories it (to establish your compliant state), and then manages the entire lifecycle of your users.
Automated Systems Provisioning
Permanent workflows analyze your HR system for changes. These are compared with your compliance and risk policies, and automatic provisioning/deprovisioning commences.
Easier Connections with SCIM
Our own unique, custom-developed SCIM Microservice Connector Framework allows easy connections between systems for all our customers and partners.
Here we look at the following aspects:
- HR-Driven Identity Lifecycle: EmpowerID connects with your main HR (or HCM) system to inventory your entire organization and to establish both the initial and the desired, compliant state. It then begins to manage the entire lifecycle of your users.
- The Compliant Identity Lifecycle: once EmpowerID knows your current state and your desired state, it can begin to correct the imbalance—any gaps—between the two.
- Flexible Lifecycle Workflows: unlike many identity lifecycle management systems, EmpowerID is process-based. This means that “Everything is a workflow”. This not only keeps it efficient, but also easy to manage, work with, and integrate.
- Automated Provisioning to All Your Systems: via permanent workflows, EmpowerID analyzes your HR system to detect changes. It then compares these with your compliance and risk policies and begins automatic provisioning/deprovisioning.
- Simplified Standards-Based Connector Development: EmpowerID has not only embraced the SCIM standard, but has also developed its own SCIM Microservice Connector Framework to give customers and partners easy connections.
HR-Driven Identity Lifecycle
Many organizations use a Human Capital Management (HCM) system both to maintain user data for employees and to initiate all status changes.
Ideally, this should include the entire lifecycle—start-to-finish—of interactions and communications with that user.
This includes the pre-hire interview process, the start-date and birthright access provisioning (the entitlements they get when they start work with your company), transfers, and terminations – all of which would be managed and initiated within the HCM.
EmpowerID fully supports this by integrating closely with an organization’s HCM to detect all lifecycle changes and to then automate the management of Compliant Access throughout the Joiner, Mover, and Leaver (JML) processes.
Moreover, EmpowerID supports all the major HCM systems, including any that support the System for Cross Domain Identity Management (SCIM) standard.
The Compliant Identity Lifecycle
It is far easier to deliver access than it is to deliver Compliant Access. Unfortunately, IT organizations have traditionally seen provisioning technical entitlements as the finish line—it is not.
This provisioning has typically led to, among other things, overprivileged users, increased organizational risk, regulatory violations, and vulnerability to hackers and malware.
Though these situations were never ideal, due to industry regulations and technology limitations, they were tolerated.
However, changes in Compliant Access regulations mean that the limitations of yesterday are only invalid excuses today.
Compliant Access is required, organizations must comply, and there are no exceptions.
What Is Compliant Access?
In the Identity Lifecycle, Compliant Access is defined as a secure desired state against which a user’s current access must continuously be measured and adjusted.
This contrasts with the traditional approach, where lifecycle changes are merely a series of triggered, scripted events.
Much like taking your car for its annual TÜV or MOT inspection (or the equivalent in your country), the scripted-event approach only provides a snapshot in time that is out of date soon after.
This is inadequate for Compliant Access today.
EmpowerID Makes Compliant Access Automatic, Simple, and Fast
With EmpowerID, to detect and prevent risk, Compliant Access is defined using both position-based roles and policies.
These roles and policies are your own: you set them, and they determine the desired “compliant” state for your organization. It is against this compliant state that EmpowerID operates.
When EmpowerID is connected to your HCM, it first inventories your organization’s systems to retrieve data about your users, roles, and technical entitlements.
This data determines exactly who has access to what resources and entitlements at any moment in time—it is your organization’s current, live and up-to-date inventoried state.
EmpowerID then detects gaps by comparing the live, inventoried state versus your static, desired “compliant” state.
EmpowerID then initiates all required changes, achieves equilibrium, and your organization maintains its compliant state.
EmpowerID and the JML Lifecycle
Most compliance gaps occur based on your HR system’s lifecycle changes (the JML process):
- Joiners are quickly identified because gaps will appear when they do not have access to the entitlements that their role requires.
- Movers are typically users changing jobs or locations. In such cases, EmpowerID will detect incorrect access: usually they are missing some access appropriate to their new position and also retain access to entitlements from their old position. Either way, this is no longer compliant and will be addressed.
- Leavers are users that have been marked as no longer with the organization and all access from them is considered non-compliant.
EmpowerID’s state-based Compliant Access Delivery Engine continuously recalculates these variances of actual versus desired and then automates the provisioning of new access and deprovisioning of non-compliant access.
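The state-based comparison described above, as an added illustration (this is not EmpowerID’s code): position-based roles define the desired state, the inventoried entitlements are the actual state, and the difference yields provisioning and deprovisioning actions for a joiner, a mover and a leaver. The role names, entitlement names and HR records are constructed sample data.

```python
# Added illustration (not EmpowerID code): state-based reconciliation of actual
# versus desired access for the Joiner/Mover/Leaver cases. All data is constructed.
from dataclasses import dataclass

# Position-based roles: the desired "compliant" state you define (assumed sample).
ROLE_ENTITLEMENTS = {
    "Accounts Payable Clerk": {"erp:ap-invoice-entry", "email:mailbox", "vpn:standard"},
    "Accounts Payable Manager": {"erp:ap-invoice-entry", "erp:ap-approve", "email:mailbox", "vpn:standard"},
    "Warehouse Operator": {"wms:pick-pack", "email:mailbox"},
}

@dataclass(frozen=True)
class HrRecord:
    user: str
    position: str
    active: bool  # False once HR marks the person as a leaver

def desired_access(rec: HrRecord) -> set:
    """Desired state from the HR record: a leaver is entitled to nothing."""
    if not rec.active:
        return set()
    return set(ROLE_ENTITLEMENTS.get(rec.position, set()))

def reconcile(hr: list, inventory: dict) -> list:
    """Compare inventoried (actual) access with desired access; emit the actions that close each gap."""
    actions = []
    for rec in sorted(hr, key=lambda r: r.user):
        actual = set(inventory.get(rec.user, set()))
        desired = desired_access(rec)
        for ent in sorted(desired - actual):      # missing birthright/role access
            actions.append(("provision", rec.user, ent))
        for ent in sorted(actual - desired):      # retained or orphaned access
            actions.append(("deprovision", rec.user, ent))
    return actions

# Constructed sample: a joiner, a mover (warehouse to AP manager) and a leaver.
SAMPLE_HR = [
    HrRecord("jdoe", "Accounts Payable Clerk", True),      # joiner, no access yet
    HrRecord("asmith", "Accounts Payable Manager", True),  # mover, still holds old access
    HrRecord("bwong", "Warehouse Operator", False),        # leaver
]
SAMPLE_INVENTORY = {
    "asmith": {"wms:pick-pack", "email:mailbox"},
    "bwong": {"wms:pick-pack", "email:mailbox"},
}

if __name__ == "__main__":
    for action, user, ent in reconcile(SAMPLE_HR, SAMPLE_INVENTORY):
        print(f"{action:12} {user:8} {ent}")
```

Because the engine works from state rather than from the event that caused the change, the same function handles a joiner with no access, a mover who retains old entitlements, and a leaver whose every remaining entitlement is non-compliant.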
Flexible Lifecycle Workflows
No two organizations’ JML processes are identical, so a cookie-cutter IAM approach is not an option.
Our own customers have told us that attempting to bend their organization’s processes to the configuration options available in most IGA platforms was painful.
Furthermore, it not only negated the benefits of automation, but also proved time-consuming, costly, and unsustainable in the long term.
(In at least two cases, this was to such an extent that an entire team needed to be created to manage the customizations, that vendor updates forced them to revisit their own code to keep the software working, and that their now modified version bore little resemblance to the initial solution they intended to purchase.)
EmpowerID’s Business Process Automation/Low Code Orchestration Platform
EmpowerID has unique DNA among all IGA vendors as it was developed entirely on a Business Process Automation or “low code orchestration” platform.
In the EmpowerID model, entire processes are described and automated as visual workflows and not simply human approval processes.
The unique flexibility of the “everything is a workflow” model allows organizations to maintain their own business requirements for identity lifecycle without compromise or costly, unsupportable, and long-term unsustainable custom development.
EmpowerID’s JML processes offer common configuration options that fit the needs of most organizations, with the ability to handle exceptions in the visually designed workflows.
The flexibility of this model not only allows for much greater automation but also the enhanced enforcement of, and reporting on, Compliant Access policies.
Automated Provisioning to All Your Systems
The real measure of any identity lifecycle solution is its ability to provision and maintain compliant access in as many of an organization’s systems as possible.
After all, if it only provides partial coverage then it cannot ever succeed as a complete identity lifecycle solution.
EmpowerID provides one of the largest libraries of out-of-the-box connectors for on-premises and Cloud systems available.
Systems with out-of-the-box connectors can be quickly and easily configured using simple, drag-and-drop, workflow-based processes.
When the connection is complete, EmpowerID inventories your system, monitors it for changes, and is ready for your automated provisioning and deprovisioning policies.
It is important to note that many of EmpowerID’s out-of-the-box connectors offer much deeper support than is typically available for inventorying and managing fine-grained application permissions.
Simplified Standards-Based Connector Development
For systems not supported by out-of-the-box connectors, EmpowerID has embraced the System for Cross-domain Identity Management (SCIM) standard.
SCIM is an open standard that was created to simplify and automate identity management of users, groups, and devices across Cloud-based applications and services.
SCIM simplifies connector development, deployment, and maintenance for customers and partners.
EmpowerID’s SCIM Microservice Connector Framework
The basis of our SCIM support is EmpowerID’s SCIM Microservice Connector Framework.
This framework is a ready-made SCIM Server Microservice that allows customers and partners to develop SCIM connectors for proprietary applications without knowing anything about SCIM or EmpowerID’s API.
In such cases, customers and partners are responsible only for their specific application connector code; nothing else is required to expose non-SCIM-compliant applications as standards-based SCIM microservices.
This unique model not only dramatically reduces the difficulty in developing connectors but also greatly expands their utility as they adhere to modern interoperability standards.