How to Navigate Ever-Changing Identity Data

As we discussed in our first post, 4 Ways to Elevate Your Identity Game with Lifecycle Management, one of your first hurdles during an identity initiative often surrounds the management of your identity data. This challenge can be mitigated by moving towards a single source of truth for, not just your employees, but also contractors, partners, and customers. Okta’s solution for this is Universal Directory (UD). Depending on your company’s current approach to identity and how far along you are in your journey, you’ll likely fall within one or two of our LCM maturity stages. 

Here’s a detailed breakdown of the most common scenarios we’ve seen when it comes to managing identity data amongst our vast customer base:

 

Stage 1: Manual Processes

Organizations in the early phases of implementing identity management typically still rely on manual tasks to establish and sync their user identities. Over the years, many have accumulated multiple disconnected Active Directory (AD) domains, LDAP servers, user databases, HR systems, and all types of other identity silos. If your team is manually creating accounts in each of these places and copying them by hand into other systems, you’re unnecessarily duplicating effort and introducing potential errors. If this is your approach, how will you scale when your business adds more users or resources to its ecosystem? 

At this stage, your primary focus should be on figuring out how to reduce the time your team spends on low-value data management tasks that can lead to dirty or incomplete data, non-unique identifiers, and other problems down the road. Given the many competing priorities every IT team juggles, it’s unrealistic to think that you’ll have time for the cleanup needed to resolve these issues later on. If this sounds familiar, consider how the following best practices could improve your approach to managing identity data:

  1. Sync existing directories into a single view in order to centralize control over all your identity data. Connect multiple silos such as AD and LDAP into Okta Universal Directory , prioritizing your largest population first and avoiding the long, costly undertaking of domain consolidation projects.
  2. Choose the primary data sources and attributes you’ll use to construct unique usernames. For Okta usernames, you should configure formats for each data source.
  3. Choose which data sources and data (attributes or groups) will be used to assign user access to various resources, and be sure you import it into UD.

Stage 2: Basic Automation

At the next stage of LCM maturity, most IT teams are getting started with some limited automation, but they still have many time-consuming processes in place surrounding identity data. To gain some basic efficiencies, we recommend automating tasks like account creation and updates from your system of record. At this stage, your IT team is still manually creating and updating accounts in AD and LDAP, but you can save time by configuring Okta to automatically import those changes and propagate them downstream to other apps. This strategy will help streamline provisioning or deprovisioning for company-wide “birthright” apps like email and storage, which gives you a quick IT win that doesn’t require much coordination with other departments. 

Useful next steps for managing your identity data during phase two include:

  1. Source user profiles and unique identifiers from all of your authoritative IT directories (like AD or LDAP), and pull them into Universal Directory. 
  2. Establish centralized control and one view of all user accounts, regardless of where they reside (in LDAP 1, LDAP 2, AD domain 1, AD domain 2, etc.)
  3. Manage your groups, credentials, and lifecycle states in AD/LDAP and configure Okta to regularly import these changes into its directory.

Stage 3: Leading Automation

Once you’ve got most of these foundational practices in place, you can integrate identity data from IT sources (such as people’s email addresses and phone numbers) with your HR sources. HR identity data typically includes personnel details like someone’s title and department, as well as lifecycle events like hiring and terminating. By bringing all of this identity data together, you’ll enable faster lifecycle signals to kick off deeper automation and accelerate your onboarding and offboarding processes across departments (more on that in our next post). 

Some key tips for managing your identity data with leading automation best practices are:

  1. Transition to sourcing user profiles and lifecycle states from your HR system (such as Workday or SAP SuccessFactors), with data constantly flowing from HR to Okta, and from there to other downstream IT resources, including directories.
  2. Configure a bi-directional sync of user attributes as needed, and automatically pull in identity data (especially data used for access logic and policies) from various departments.
  3. Replace manually managed AD/LDAP groups with Okta’s group rules, and start using data from both HR and other IT apps to automatically set group memberships.

Stage 4: Visionary Automation

Finally, your end goal is to aggregate all of your identity data and fully optimize identity processes so that you’re free to better serve the needs of various stakeholders across your business. For instance, you might want to proactively provide identity data like roles and access levels to your audit and security teams, or ensure more up-to-date employee records for your HR team by making it easy for people to update their own last names and home addresses in the system of their choice.

Our recommendations for achieving this kind of visionary automation with your identity data include:

  1. Find opportunities for your end users or line-of-business admins to update data themselves.
  2. Identify cross-organizational needs for identity data, and automate data sharing between relevant systems.
  3. Determine whether it’s feasible to ingest dynamic identity data—such as people’s current teams, projects, PTO schedules, and more—into Okta UD, and use it to set granular, temporary, or elevated access.

We hope these actionable steps can improve the ways your organization manages critical identity data today. Our next three posts in this series will provide related recommendations, so you can incrementally advance automation surrounding your lifecycle processes, access grants, and audits and compliance. In the meantime, for more tips on taking your identity strategy to the next level, check out our step-by-step guide with a practical framework for each of the four stages of lifecycle management maturity.