Changing business functions or roles within an organization is common and is handled as a standard business process. In the Joiner, Mover, Leaver (JML) user life cycle this is the “mover” process. However, the access changes that a move should trigger are probably the least recognized access risk in most organizations.
Usually, the employee carries almost all of their previous access into the new role, so privileges accumulate with every move (often called access creep). This not only raises the organization's risk, but also shifts the burden of cleanup onto application and system teams that were never told the employee changed roles. A “mover process” within access management typically means reviewing the user's current access, granting the entries the new role needs, and removing access to systems and applications the new duties do not require, so that the user ends up with appropriate access only. Companies with a mature JML process apply the least privilege principle to every joiner and mover.
Steps in a Manual Mover Process:
A request is submitted by the hiring manager asking the Human Resources department to move an employee into the new department. Depending on the organization this may be a new hire request or a transfer request to a new department or group.
New manual requests are submitted to update access per the new role’s needs.
Additional requests may need to be submitted to the system(s), application team(s), or business owner(s) to remove access via a help desk process.
Manual action to remove access by system and application administrators
Not all access is removed if tickets are not created for all applications where the employee had access, as application access is not always well-documented
Submit new tickets to the help desk to provide access to new applications and systems
Manual fulfillment for application access
Provide manual reports for audit and compliance
Conduct manual access reviews for access certification
Challenges in a Manual Mover Process:
The mover process is one of the hardest parts of managing an employee's access. Controlling that access remains tedious and time-consuming for both IT and business owners, and it is rarely done perfectly: it requires a mature access management system together with defined processes, protocols, and procedures.
The typical practice is to grant the new access quickly so the employee can work in the new role, while the old access is left in place. Practices that have been followed for years or decades in this way produce large inconsistencies in who can reach what data, increasing risk to the organization.
Here are some of the main challenges with the mover processes:
Standardized business processes: Access request and approval processes are often not standardized across the company, yet IAM automation depends on that standardization to lower risk and cost.
Standardized role definitions: Business roles and the technical entitlements they map to have not been agreed on or documented between business and technology groups.
Enterprise access management tools: Lack of mature tools that can be extended and customized to meet business needs.
Automating Joiner, Mover, and Leaver processes: Skilled resources are needed to automate complex IAM processes.
Integration of processes: Integrating IAM tools with enterprise tools and applications needs proper planning, execution, and business buy-in.
Meeting the Challenge
A manual process cannot reliably revoke old access and grant new access in a timely way; the result is higher risk, a poor user experience with long waits, non-compliance, and higher IT costs. To meet the mover challenge, the following approach may be used:
Create a standardized role model for the organization. This makes it possible to assign the proper access rights for any mover identity.
Automate the mover process to reduce risk and cut IT costs. Use access management tools to automate as much of the mover process as possible.
Conduct mandatory access reviews for movers periodically. Any residual access that the new role does not justify must be removed; this remediates the risk the move introduced.
Train managers and stakeholders and keep them informed about the risks of the mover process. Conduct internal training, seminars, and talks about reducing access risk.
Embedding IAM processes into business processes will result in lowered access risk, better user experience, lower IT costs, and better compliance.
Automating The Mover Process with IAM
In contrast to the manual steps above, an automated process turns mover changes into an efficient and secure workflow. Below are the steps in which IAM processes, together with IAM tools, can be implemented to streamline the employee mover process:
Once an employee's status changes because of a new role, the IAM process picks up the change from the daily feed of the authoritative source (usually the HR system).
Once the IAM tool receives the employee mover status and department or role changes, the IAM process can invoke the workflows to execute the changes.
IAM tools can automatically allocate new access for the user based on the latest business role and remove the previous entry.
Where an application is not connected to the IAM tool, the tool can automatically create tickets for the application administrators to remove or update the user's access for the new role. For connected applications, mature IAM tools remove access directly or send API requests to the application to update it, without manual intervention.
The IAM tool can generate formal access reports for regulatory compliance, showing when the role change request was submitted and when each access change was executed.
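The steps above can be shown as a small reconciliation engine. The following is an added example written for this article; it is not the code of any IAM product. Everything in it is constructed for illustration: the HR feed snapshots, the role model mapping a department to “app:role” entitlements, the user's current access, and the set of applications the hypothetical tool can change over an API (every other application gets a help-desk ticket). It also handles the caveat from the manual process: access that no role explains is not silently kept but sent for certification.

```python
"""Added example: minimal automated mover reconciliation (not vendor code).

Assumed inputs (all constructed for this example): two snapshots of the
authoritative HR feed, a role model (department -> entitlements written as
"app:role"), the user's current entitlements, and the set of applications
that can be provisioned directly over an API.
"""
from dataclasses import dataclass

# Constructed role model: which entitlements each department role justifies.
ROLE_MODEL = {
    "finance": {"erp:ap_clerk", "sharepoint:finance_rw", "vpn:corp"},
    "sales": {"crm:rep", "sharepoint:sales_rw", "vpn:corp"},
}
# Applications the hypothetical IAM tool can change directly; others get tickets.
API_CONNECTED_APPS = {"erp", "crm", "vpn"}


@dataclass
class MoverPlan:
    user_id: str
    moved: tuple          # (old department, new department) for the audit trail
    grant: set            # new role needs it and the user lacks it
    keep: set             # already held and justified by the new role
    revoke: set           # explained by some role but not by the new one
    review: set           # explained by no role: certify, never auto-keep


def detect_movers(feed_yesterday, feed_today):
    """Diff two authoritative-source snapshots; a changed department is a move."""
    movers = []
    for user_id, today in feed_today.items():
        yesterday = feed_yesterday.get(user_id)
        if yesterday and yesterday["department"] != today["department"]:
            movers.append((user_id, yesterday["department"], today["department"]))
    return movers


def plan_mover(user_id, old_department, new_department, current_access,
               role_model=ROLE_MODEL):
    """Compute least-privilege changes for one mover against the role model."""
    new_role = role_model[new_department]
    role_explained = set().union(*role_model.values())
    unjustified = current_access - new_role
    return MoverPlan(
        user_id=user_id,
        moved=(old_department, new_department),
        grant=new_role - current_access,
        keep=current_access & new_role,
        revoke=unjustified & role_explained,
        review=unjustified - role_explained,
    )


def fulfil(plan):
    """Split the plan into direct API actions and tickets; return an audit record."""
    api_actions, tickets = [], []
    for action, entitlements in (("grant", plan.grant), ("revoke", plan.revoke)):
        for ent in sorted(entitlements):
            app = ent.split(":", 1)[0]
            target = api_actions if app in API_CONNECTED_APPS else tickets
            target.append((action, plan.user_id, ent))
    # Undocumented access goes to the manager for certification, not auto-kept.
    for ent in sorted(plan.review):
        tickets.append(("certify", plan.user_id, ent))
    return {"user": plan.user_id, "moved": plan.moved,
            "api": api_actions, "tickets": tickets}


if __name__ == "__main__":
    # Constructed feed snapshots and access snapshot, not real data.
    yesterday = {"u100": {"department": "sales"}, "u200": {"department": "finance"}}
    today = {"u100": {"department": "finance"}, "u200": {"department": "finance"}}
    current = {"u100": {"crm:rep", "sharepoint:sales_rw", "vpn:corp",
                        "ftp:legacy_upload"}}
    for user_id, old, new in detect_movers(yesterday, today):
        print(fulfil(plan_mover(user_id, old, new, current[user_id])))
```

Running it for the constructed user shows the point the article makes: the CRM role is revoked and the ERP role granted over the API, the two SharePoint changes become tickets because that application has no connector, and the legacy FTP entitlement, which no role explains, is routed to certification instead of travelling silently into the new role.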
IAM processes are complex and detailed. They cut across many lines of business and need human expertise, tools, and technology experience to implement. Business sponsorship is mandatory for success, and a dedicated IAM initiative is the most reliable way to deliver the transformation. The mover process is only one of its functions, but it is possibly the most complex part of an IAM transformation.
iQuasar Cyber offers organizations experienced consultants who have implemented large-scale IAM transformation projects to meet business goals. Schedule a consultation discussion to discover our IAM services and how we can automate your IAM processes to lower costs, improve efficiency, and safeguard your organization via access controls.