Five recommended self-service functions in an IAM solution
Identity and Access Management (IAM) is a concept that consists of processes and activities that control access (authentication) and rights (authorization) within one or more IT systems. The ability of self-service functions in an IAM solution is important because it allows users to perform tasks on their own without having to involve the helpdesk and also provides the basis for extensive use of automation.
The following are five self-service functions that Cloudworks recommends in an IAM solution.
1. Change password
At any time, a user should be able to change the password on their own user account; without help from helpdesk and without anyone else gaining access. Depending on the solution and security requirements, the user must first enter the old password and then select a new one. Some will also want to secure the process by using two-factor authentication. The Self-Service Portal checks that the new password meets the complexity requirements and, if necessary, transfers the new password to other systems associated with the IAM solution.
2. Forgotten password
Who hasn’t experienced forgetting a password? Expired passwords are a great source of irritation, especially if the user must contact IT for help.
Manual handling of “forgotten passwords” is inefficient and accounts for up to 40% of all inquiries to the helpdesk.
Furthermore, it is not very user-friendly because of additional delays, and security is reduced by the fact that another person is involved in the password change. Fortunately, it is possible to simplify and secure this process. A self-service password reset is a natural part of an IAM solution. For IT, it is often a “low hanging fruit” because of increased usability and efficiency.
Please take the savings as a result of a reduction in the number of inquiries to the helpdesk, into the “Return of Investment (ROI)” – consideration of an IAM solution
The “forgotten password” feature requires that the IAM system identifies the user through another method than regular password-based authentication, of course. This can e.g be done if the user provides answers to a given number of security questions, which were answered when the account was created. However, a better solution is to identify the user by sending a one-time token by SMS to a verified number or by using an previously configured authentication app on their phone.
3. Update of a user profile
Another feature of self-service in an IAM solution should be allowing users to change their information in the user profile. Usually, personal information is registered when the user’s profile is created. Pieces of this information may change over time, and the user needs a way to keep the information up to date. For example, a surname may change when a person is married, or the office location needs to be updated if there is a change in jobs. Note that this needs to be nuanced; some parts of the user information might be non-editable by the user but rather needs to be verified/updated by HR or management, especially if that information is used for access automtation purposes.
4. Requesting access
This feature allows a user to request access or additional rights to a restricted service, application or datastore. After logging in, the user gets access to a list of additional components (systems and features) that the user is authorized to order. This list can either show all applications or just an excerpt based on information already known about the user, such as department or region. The request is assigned a queue/workflow for approval by the user’s manager and/or an application owner, depending on business needs. Access to the requested resource is granted if approved.
5. Approval of access requests
The organization becomes involved in the security work when approval of access requests can be delegated to any and all relevant parts of the organization. Department managers or application owners within an identity system usually control access to specific areas (applications, systems, features, etc.). When a user requests access to a site, the manager needs an interface to approve or reject it. The self-service portal in an IAM system shows the manager all the unanswered access requests within their purview and allows them to reject or approve them. The manager and the security officer get an overview of the user’s overall roles and accesses, allowing for good assessments and well-founded decisions.
If roles and authorizations are relevant for the manager’s management duties, the business side will gain a better understanding of safety-relevant information.
Adding the authorization process to the IAM solution creates a history of changes; both who requested and who authorized. This enforces a mindset for security, as well as provides valuable information if later on, suspected abuse of access needs to be investigated.
These are five of the most common application areas for self-service in identity management, but there are of course many more possibilities. We can help your company both with the identification of the need and with implementation of a tailor-made IAM solution.