When provisioning users, keep compliance in mind. Most regulations like SOX, GLBA and HIPAA, and industry standards like the PCI Data Security Standard, require strict auditing of who has access to which systems. A single tool is the best way to audit user access for compliance.
Now, this might sound a bit like single sign-on (SSO), but it's different. SSO is a single password for accessing multiple systems. A single user-provisioning tool is a single device for doling out different passwords to different systems. Having only one provisioning tool also means a system administrator can provision access to multiple systems, whether they're mainframes, servers or desktop PCs.
Along with compliance, the two other drivers for user provisioning are saving money and fighting security threats. Ideally, a user provisioning system should save money by administering user IDs and passwords, which is often one of the biggest drains on time for help desk staff. It can also shorten the time it takes for users to get access to systems they need, and fewer delays in getting access translate into less downtime and more productivity.
Make sure the user-provisioning system can review user accounts, privileges and authorization on a periodic basis. This increases security by pruning stale and dormant accounts and by dropping from the system privileges that are excessive or left over from changes in roles.
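As an added illustration (not from the original article or from any provisioning product), one pass of such a periodic review can be sketched over account records gathered from several systems. The record fields, role baselines, 90-day dormancy threshold, the reading of "stale" as an account whose owner has left, and the sample accounts are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: per-role privilege baselines and accounts from several systems.
ROLE_BASELINE = {
    "teller": {"core-banking:read", "email:user"},
    "dba": {"db-prod:admin", "email:user"},
}
ACCOUNTS = [
    {"user": "asmith", "system": "mainframe", "role": "teller", "active_employee": True,
     "last_login": date(2008, 4, 28), "privileges": {"core-banking:read", "email:user"}},
    {"user": "bjones", "system": "db-server", "role": "teller", "active_employee": True,
     "last_login": date(2008, 4, 30), "privileges": {"core-banking:read", "db-prod:admin"}},
    {"user": "cwu", "system": "desktop", "role": "dba", "active_employee": True,
     "last_login": date(2007, 11, 2), "privileges": {"email:user"}},
    {"user": "dlee", "system": "mainframe", "role": "teller", "active_employee": False,
     "last_login": date(2008, 4, 29), "privileges": {"core-banking:read"}},
]

def review_accounts(accounts, baseline, today, dormant_days=90):
    """Return findings (user, system, issue, detail) for one periodic review pass."""
    findings = []
    for acct in accounts:
        key = (acct["user"], acct["system"])
        # Assumption: "stale" means the account outlived its owner's employment.
        if not acct["active_employee"]:
            findings.append((*key, "stale", "owner is no longer employed"))
            continue  # the whole account should go; no need to itemise privileges
        idle = (today - acct["last_login"]).days
        if idle > dormant_days:
            findings.append((*key, "dormant", f"no login for {idle} days"))
        # Anything outside the role's baseline is excess, e.g. left over from a role change.
        excess = acct["privileges"] - baseline.get(acct["role"], set())
        if excess:
            findings.append((*key, "excess-privilege", ",".join(sorted(excess))))
    return findings

if __name__ == "__main__":
    for finding in review_accounts(ACCOUNTS, ROLE_BASELINE, today=date(2008, 5, 1)):
        print(*finding, sep="\t")
```

The findings list doubles as the audit record of the review: each row names the account, the system and the reason it was flagged.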
Some other must-have qualities to look for in a user-provisioning system are its ability to mesh with the directory architecture, such as Active Directory or LDAP, and its ability to enforce password policy and resets (another big cost to help desks). The system should have workflow capabilities to provide management approval of access, but include a self-service feature to allow resets and delegation without having to call the help desk.
User provisioning is the largest component of today's identity and access management (IAM) suites. But when considering an IAM suite, make sure it has all these features before investing.
This was first published in May 2008