Keeping Your Applications Protected With a User Provisioning Policy

User provisioning has never been so important.

The global pandemic has shifted employee expectations, and the emergence of highly distributed “work from anywhere” company cultures is changing the ebb and flow of the workforce.

According to Slack, almost a third (29%) of UK workers are considering moving to a new job this year. What’s more, 28% of workers claim that the reason they choose to stay at their company is down to having the option of hybrid or remote working. As organisations compete for talent, using flexible working as a bargaining chip for retaining and luring staff, employee life cycles are set to contract further.

These changes in employee turnover and flexible working are creating plenty of headaches for IT security managers.

Higher turnover means more time spent manually provisioning and deprovisioning access rights for joiners and leavers. It also significantly increases the chances of human error, which can place the organisation at risk of security breaches.

This is why adopting a robust and automated user provisioning policy is crucial.

User provisioning for a changing employee lifecycle

A robust user provisioning (and de-provisioning) policy allows IT security managers to ensure every worker has access to the specific resources they need right through the employee lifecycle, no more, no less.

IT security managers can confidently allocate appropriate systems access to any employee from day one. As staff members journey through the employee life cycle to take on new roles and different responsibilities, the policy facilitates rights management changes, to ensure workers only have access to the data they need to fulfil the job function they have.

But if user provisioning policies are not rigorous, employees may quickly find themselves able to access systems and data they no longer need as their roles and responsibilities change. Some may even have access to company data when the lifecycle ends and the employee leaves. 

Developing a user provisioning process: three questions to ask

Scoping out a user provisioning policy that’s fit for purpose in today's flexible, highly distributed workforce can be daunting. If you’re an IT manager about to take that challenge on, here are three questions worth asking before you get started.

What access management processes are in place now? 

Consider the Identity Access Management (IAM) procedures currently in place. How straightforward is it to create new accounts, and to grant, change and ultimately delete permissions for staff as they progress through the employee lifecycle? Is high security compromising the user experience, or is a frictionless user experience opening up potential weaknesses that may, one day, become critical?

What’s the business case for user provisioning?

A user account provisioning policy equipped for today’s workforce is an investment, both in time and money. So developing a strong business case is going to be important. 

Help stakeholders and decision makers across the company understand the business benefits of your user provisioning policy by highlighting the wider benefits better user provisioning will deliver.

Will the new policy save the business time and money and enhance security? Will better user experiences and identity management systems improve productivity?

Which apps and systems are top of the critical hotlist?

In large businesses, where hundreds of employees need secure access to a widening portfolio of apps and systems, Identity Access Management may become cumbersome quickly. Make sure user provisioning focuses on the most critical applications first by creating a policy template that identifies apps most critical to the business. Use this template as the base your user provisioning policy builds on.

Testing and launching your user access provisioning policy

You’ve left no stone unturned. You’ve researched every app and system used across the workplace. You’ve modelled every vulnerability scenario anyone could ever conceive. But it’s still not time to release your user provisioning process into the wild. Follow these steps:

Set up small controlled experiments

First, launch small, controlled pilot programmes to senior stakeholders in the business, and create clear, simple review loops that allow your stakeholders to give feedback quickly.

Make feedback measurable by asking stakeholders to evaluate things like user experience, productivity boosts or time saved. Use an agile development approach to make sure feedback sparks action and delivers improvements your stakeholders can see fast.

Launch your user provisioning policy out to the wild

The small controlled experiments you’ve carried out with senior stakeholders in the early days should deliver a useful community of evangelists. These influencers can support the wider roll-out of your provisioning policy, so do all you can to help them broadcast the positive experiences that won their buy-in.

Marketing the goals and benefits of your user provisioning policy is critical at this stage, so make sure internal comms, team leaders and the company's support services have all the information and resources they need to help make roll-out a success.

Continuously improve

Security threats change, so the user account provisioning policy that guards the business today won’t guard it for long without continuous monitoring. Ensuring your policy is always fit for purpose is going to require a regular review and update programme, and that programme needs to consider potential threats from cyber attackers developing new, more sophisticated, penetration strategies daily.

Continuously communicate

The most robust user provisioning policy in the world will flounder without user support, so champion the positive benefits the policy brings to the business at every opportunity. 

Monitoring security threats mitigated by the policy is great, but being able to monitor and report on the wider business benefits the policy delivers is even better. When IAM improvements reduce requests to the help centre, tell everyone. When user reviews tell you the policy is delivering lower friction, highly intuitive security procedures, let people know.

Automate user provisioning with Okta

Developing and launching a robust user provisioning policy is the first step in keeping up with today’s hybrid work environment. Step two is automating that policy.

As well as draining precious time and resources, increasing IT friction, and escalating cost, manually provisioning access rights can significantly increase the risk of security breaches through human error.

Discover how to manage user provisioning like a pro by reading our interactive guide: Automating the Joiner, Mover, Leaver process with Okta.
Also discover more about automating user lifecycles using Okta.