Closed Loop Provisioning via IDM / ITSM Integration

Table of Contents

Introduction
Challenges With Existing Approaches
    Governance
    IT Productivity
    Security
    End-User Satisfaction
Closed Loop Provisioning
    ITSM as a Provisioning Channel
    Governance
    IT Productivity
    Security
    End-User Satisfaction
SCUID Lifecycle / Zendesk Integration
Conclusion

Introduction

If you're the CISO (with or without the formal title) for your company, you're definitely dedicating more than a little bit of your time to getting your arms around how users within your organization (employees, partners, customers) are being provisioned and deprovisioned with assets and application access. Depending on where you are on the maturity curve as an organization, you're in one of these phases:

Infancy: All Manual, All The Time. Requests come in via hallway conversations, emails, and text messages. You're probably the only approver in the process and handle all provisioning and deprovisioning personally. Probably because all 20 of you are in the same office. Or apartment.

Toddlerhood: Your IT team is using an IT Service Management (ITSM) system (Zendesk, ServiceNow, and the like) to track and manage provisioning of laptops along with some staples such as e-mail, calendar, and file sharing. Anything that is being used at the departmental level (CRM, Time and Expense Tracking, Marketing Automation, Financials, Web Site Management, etc.) is being handled out-of-band by whoever is the de facto owner of that system, typically the head of that particular department. As CISO, you have no centralized or automated visibility into who-has-what in those systems.

Adolescence: You've grown up some and deployed an Identity Management (IDM) system as well. Unfortunately, IDM is taking care of one set of apps and assets, ITSM is taking care of a different set, and there are still one-offs being used ("WTF do you mean marketing uploaded all our customer data into a new analytics website!?!?") that no one is managing except for the self-appointed application owners. You're having nightmares about someone who has been terminated still having access to the CRM system.

Teen Years: In between getting ready for your prom and your driver's test, you've actually done some stitching together of your IDM and ITSM systems so that some systems that are not provisioned automatically by your IDM tool can still be requested through it. You're a long way from where you started, but still face many challenges. Your users complain that they don't know where to go to get what, and that the UI of the ITSM tool is confusing to them. Your IT staff now has to use multiple interfaces to track their tasks, and you know that can't end well. And your governance framework is still fragmented across IDM, ITSM, and out-of-band applications.

And this is as far as companies have ever gotten in their maturity, if they've even made it this far. Your visibility into who-has-what is not only fragmented, but also incomplete. Users are unhappy because they have multiple places to request things and it's not always clear to them where they need to go to request what. What's probably really keeping you up at night (and if it's not, it should be) is how deprovisioning is being handled in those systems that IDM is not automatically taking care of for you.

You're stuck in this man-child limbo, with no clear path on how to reach the state of full maturity, where:

- You can run one report and find out who-has-what, regardless of whether it was manually provisioned by your IT team or it was automatically done by IDM
- Your level of visibility runs much deeper than simply knowing someone has an account, extending to fine-grained details about privileges attached to that account
- Your users have one simple interface from which to request any asset or application that the company provides, using terms and names that they are familiar with or can intuit, instead of having to remember tech jargon like fn.teller_access.desmoines
- Your IT guys and gals can stick to using only the tools they already know how to use, while still delivering high quality service to your end users
- You know how to properly order a martini. And drive a stick shift. And have the wisdom to not drive a car (stick or automatic) too soon after having consumed a properly ordered martini.

There is a way to finally grow all the way up. It lies in a concept called Closed Loop Provisioning (CLP) and it relies on intelligent integration between your IDM system and your ITSM system. In this paper, we'll walk through the challenges at each level of maturity, and how the right type of IDM / ITSM integration can help address those challenges.

Challenges With Existing Approaches

There are several drawbacks to the approaches deployed at the various stages of maturity described above. Each of those drawbacks can have a dramatic effect on your risk and compliance profile, user satisfaction levels, and administrative productivity. The easiest way to spotlight these challenges is by looking at this problem across two dimensions.

Types of users:

1. End-users: Requesters and recipients of hard assets, access to enterprise applications, and other systems they need to do their jobs.
2. IT Staff: Responsible for fulfillment of provisioning and deprovisioning of users with assets and applications.
3. Information Security / Compliance: Tasked with ensuring, and being able to prove, that the right people have access to the right assets and applications at all times.

These three user types each have to interact with multiple systems for requesting, approving, provisioning, deprovisioning, and validating access to company assets and applications:

1. ITSM System: In medium to large size companies, users come to the ITSM portal to request access, generally purely for physical assets like building access, laptops, etc. IT staff also use this system to track their task lists for provisioning and deprovisioning access.
2. IDM System: For companies that have rolled this out, users will also have to come to this portal for requesting logical access to business applications and other resources. For those target systems that are provisioned manually, IT staff will also have to use this system to track their provisioning / deprovisioning tasks for assets requested through this system.
3. Other: This refers to the ad-hoc request / approval / provisioning / deprovisioning system that is actively in place at every company for handling those target systems that are managed neither by ITSM nor by IDM. This is the process that kicks in when you ask your boss for access to a needed system and she tells you "Bob can set you up with that, just tell him I said it was OK." You may know this process/tool combination by a more familiar name: email.

The challenge with all the current deployment scenarios in wide use today is that all three user-types have to use all three systems to achieve their respective objectives, which creates several critical problems for an enterprise.

Governance: The InfoSec team has to stitch together reports from both ITSM and IDM to get a view into which users have access to which assets and applications. And even this view is incomplete, because it still gives them no visibility into anything tackled via the ad-hoc process described above. For items that are covered by the ITSM system, the data is usually unstructured (comments provided in the ticket), and so correlating this data back into a reporting model and gaining visibility on fine-grained entitlements like roles, groups or access settings is close to impossible. Additionally, all the investment they have made into any type of recertification process is only realized for those applications controlled by IDM.

IT Productivity: IT administrators use ITSM as their primary tool to track incoming requests and ensure that those get fulfilled in a timely manner. In existing IDM / ITSM integration scenarios, the IT staff also have to periodically look at the IDM system to ensure that they're covering off their tasks there as well. If they're lucky, their email Inbox is acting as a consolidated dashboard with emails flying in from both systems. This reduces their efficiency and productivity because they're now responsible for learning a new system, and using both systems for tracking exactly the same types of tasks.

Security: Crucially, the tasks for IT staff that can languish in the IDM system are typically of the most sensitive type: those related to deprovisioning departed users from business applications. This creates a dangerous scenario, where the most disgruntled users (e.g. people that have just been terminated) have inappropriate access to critical company systems such as CRM and Finance.

End-User Satisfaction: Though this problem is perhaps the least business critical, end-users typically suffer the most in this type of fragmented environment.

- They have to deal with multiple systems from which to request the things they need, which confuses and frustrates them. Typically, they request a laptop from ITSM, request access to business applications from IDM, and reach out directly to application owners for requesting access to one-off (typically SaaS) applications that are used at a departmental or team level.
- Compounding this problem, since there is typically no accountability between IDM and ITSM, their IDM-generated manual requests can go into a black hole with no way for them to track the progress of the request, and no way for IT management to track SLA compliance with the end-user community.

Closed Loop Provisioning

The best way to address all these challenges is to actually integrate your ITSM system with your IDM system, in a concept known as closed loop provisioning (CLP). This approach leverages your existing investment in ITSM, optimizes user behavior by funneling each user type to the one correct interface for doing their respective jobs, and gives you tight security and governance across all of your assets, both physical and logical.

A key requirement for this solution is that your IDM solution needs to be able to integrate with ITSM as a provisioning channel. Various IDM vendors provide other types of integrations with ITSM, such as providing strong authentication, single sign-on (SSO), and potentially even provisioning and deprovisioning accounts to the ITSM system. While those are obviously necessary, none of those integration approaches address the challenges laid out in this paper. While they certainly bring the ITSM system itself under governance, they do not address overall governance, security, IT productivity, or end-user satisfaction across the rest of your infrastructure.

ITSM as a Provisioning Channel

The ideal type of integration allows the IDM system to integrate with ITSM for the purpose for which the ITSM system was deployed: to track manual IT tasks and allow IT management to present IT as a set of business services to the rest of the company through the use of SLAs and other metrics. The right type of IDM / ITSM integration needs to deliver these key pieces of functionality:

1. Establish a mapping between services (as defined in ITSM) and resources (as defined in the IDM platform).
2. Allow managers to onboard SaaS applications that they need for their departments into the IDM system, and indicate that they need to be fulfilled via ITSM integration.
3. Expose both the above types of applications from the IDM user interface, so that they can be requested by end-users and approved by the appropriate managers (if necessary). This should include supporting the request and provisioning of fine-grained entitlements through a user-friendly entitlement catalog.
4. Create an appropriate ticket in the ITSM system so that the ITSM's defined ticket resolution process can kick in.
5. Monitor the status of that ticket for successful resolution, or the appropriate failure codes.
6. Reflect the disposition for that ticket in the IDM engine and UI so that IDM-centric capabilities, such as periodic access recertification, can kick in as needed.

If this type of integration is possible from your IDM system to your ITSM system, then you can deploy a truly integrated solution that addresses all of the challenges we've discussed in the following ways:

Governance:
- CISOs and InfoSec staff get total, unfragmented visibility into who-has-what in the enterprise
- Compliance-oriented reporting can all be delivered from one solution
- Expand the umbrella of recertification to apps that are manually provisioned by IT admins
- Provide end-to-end metrics on critical compliance KPIs such as average-time-to-deprovision across all applications, including those that require manual deprovisioning

Security:
- Departmental users that are signing up for SaaS apps in your enterprise environment can now self-add those applications into your existing governance and compliance framework, thereby eliminating a major cause of risk exposure and failed audits.
- Eliminates the deprovisioning gap that would exist if applications were being provisioned out-of-band, or via task-tracking in the IDM tool

IT Productivity:
- IT Staff no longer need to bounce between different UIs. They can stay within the one tool that they need to use to do their jobs (ITSM), which happens to be the one they've always used, and in which they are well-versed
- IT Management benefits because the existing business processes, SLAs, and other mechanisms and metrics they've put in place can now be leveraged for a broader set of corporate assets and applications.

End-User Satisfaction:
- End-users don't need to be trained in using different portals for requesting different types of assets (building access, hard assets, application access)
- They only need to go to one place, and use a UI that is designed for them, as opposed to an ITSM UI that is primarily designed with IT Administrators in mind
- Ability to track the progress of their pending requests, even for target systems that are manually provisioned by IT administrators.

SCUID Lifecycle / Zendesk Integration

Let's look at a practical example where Identropy's SCUID Lifecycle platform for Identity Management (actually, Identity-as-a-Service, or IDaaS) has been integrated with Zendesk's ITSM platform to deliver CLP capabilities for our joint customers.

1. An IT administrator (or any manager with the appropriate permissions) can go into the SCUID interface and define a new resource, and specify that this resource is to be fulfilled via Zendesk. They will need to supply some basic details about Zendesk as shown below. In this example, RACF is being created as a target application to be provisioned using CLP.

2. Once this resource has been defined within SCUID, an end-user can easily go in and create a request for a RACF account, either for themselves or for other users. In this example, a person named Jim Brown is requesting a RACF account for himself.

3. Once the request has been created, SCUID's normal approval workflow kicks in, same as it would for any other type of resource. In this example, Jim's manager, Cindy Clark, needs to approve this request before any provisioning activity can take place.

4. Even after Cindy has approved this request, it still shows as Pending within SCUID. This is because the account has not yet been provisioned.

5. Instead, SCUID has created a new ticket within Zendesk to inform the appropriate IT administrator that they need to manually create a RACF account. As we can see below, the details about the user and other details have been passed on so that the person fulfilling this request will have the appropriate context about what is being requested. In this example, the request was routed to a support team member named Kerem Kecel, who manually created the RACF account, and is now updating the ticket and closing it with a status of Solved.

6. SCUID has been polling Zendesk on a periodic basis to keep tabs on this ticket. Once it sees that the ticket has been closed in a Solved state, it reflects this appropriately in its own interface.
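The six integration functions listed under "ITSM as a Provisioning Channel" and the SCUID / Zendesk walkthrough above describe one loop. The following is an added Python sketch of that loop, not SCUID or Zendesk code: an in-memory stand-in for the ticket queue, and an IDM-side engine that opens a ticket on approval, leaves the request Pending, polls the ticket's status, and records the disposition in a single who-has-what ledger from which the average-time-to-deprovision KPI is also computed. The FakeITSM class, the "solved" / "rejected" status strings, the structured ticket body and the numeric hour timestamps are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

class FakeITSM:
    """In-memory stand-in for the ITSM ticket queue (constructed; not Zendesk's API)."""
    def __init__(self):
        self.tickets = {}
    def create_ticket(self, subject, body):
        tid = len(self.tickets) + 1
        self.tickets[tid] = {"subject": subject, "body": body, "status": "open"}
        return tid
    def status(self, tid):
        return self.tickets[tid]["status"]
    def resolve(self, tid, status):  # the IT admin closes the ticket: "solved" or "rejected"
        self.tickets[tid]["status"] = status

@dataclass
class Resource:
    name: str
    channel: str  # "auto": IDM connector provisions directly; "itsm": fulfilled via ticket

@dataclass
class Request:
    user: str
    resource: Resource
    entitlement: str  # fine-grained entitlement (group, role, access setting)
    action: str       # "grant" or "revoke"
    opened: float     # timestamps are hours on one clock (assumption, keeps the example short)
    state: str = "Requested"
    ticket_id: Optional[int] = None
    closed: Optional[float] = None

class CLPEngine:
    """IDM side: owns the requests, the who-has-what ledger, and the ticket polling loop."""
    def __init__(self, itsm):
        self.itsm, self.requests, self.entitlements = itsm, [], {}
    def submit(self, user, resource, entitlement, action, now):
        req = Request(user, resource, entitlement, action, now)
        self.requests.append(req)
        return req
    def approve(self, req, approver, now):
        """Manager approval: the auto channel applies at once; the itsm channel opens a ticket."""
        if req.resource.channel == "auto":
            return self._apply(req, now)
        body = {"user": req.user, "entitlement": req.entitlement, "approver": approver}
        req.ticket_id = self.itsm.create_ticket(f"{req.action} {req.resource.name}", body)
        req.state = "Pending"  # stays Pending until the ticket is resolved (step 4)
    def poll(self, now):
        """Periodic sweep (steps 5 and 6): reflect each ticket's disposition in the IDM record."""
        for req in [r for r in self.requests if r.state == "Pending"]:
            status = self.itsm.status(req.ticket_id)
            if status == "solved":
                self._apply(req, now)
            elif status == "rejected":
                req.state, req.closed = "Failed", now
    def _apply(self, req, now):
        ents = self.entitlements.setdefault((req.user, req.resource.name), set())
        (ents.add if req.action == "grant" else ents.discard)(req.entitlement)
        req.state = "Provisioned" if req.action == "grant" else "Deprovisioned"
        req.closed = now
    def who_has_what(self):  # one report across auto- and manually-provisioned resources
        return {f"{u}:{r}": sorted(e) for (u, r), e in self.entitlements.items() if e}
    def avg_hours_to_deprovision(self):  # compliance KPI computed from the same ledger
        done = [r for r in self.requests if r.action == "revoke" and r.closed is not None]
        if not done:
            return None
        return sum(r.closed - r.opened for r in done) / len(done)
```

A revoke request travels the same submit / approve / ticket / poll path as a grant, which is what closes the deprovisioning gap for manually fulfilled systems and makes the time-to-deprovision measurable.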

Conclusion

ITSM and IDM tools have both been designed with their own respective purposes in mind. ITSM tools are designed with the IT administrator in mind, and to help the CIO instrument the IT function to align with business objectives and demonstrate compliance with internal SLAs. IDM solutions are designed for compliance and governance, and the UIs of modern IDM systems are specifically targeted at end-users that have little or no broad IT knowledge beyond the specific applications they need to do their particular jobs (in sales, finance, HR, etc.).

Too often in the modern enterprise, ITSM and IDM tools are clumsily mashed together by putting some provisioning capability into ITSM and putting IT administrator task management capabilities into IDM tools. The better solution is to leverage each of those tools for those functions for which they have been respectively designed. As we saw from the practical example in the previous section, with this type of deployment model end-users only ever need to interact with the user-friendly IDM UI, IT administrators can continue to use the more power-user-oriented ITSM UI, and the organization benefits from tighter security and better compliance controls.

To learn more:
Contact us: info@identropy.com
Follow us: @Identropy
Visit us: www.identropy.com