
What guidelines do you recommend regarding best practices for user provisioning?

User provisioning is a very important aspect of information security; taking the steps to do it right can make data that much more secure. Learn best practices from identity and access management expert Joel Dubin.

What guidelines do you recommend regarding best practices for user provisioning? We want to be as efficient as possible in enabling people to do their jobs, but we want the right people to get the right access to the right systems.

The key to user provisioning is having a single system that provisions all users, no matter which systems they need to access. The worst-case scenario is a hodgepodge of tools, one for each system, that makes user provisioning not only chaotic but inconsistent.

When provisioning users, keep compliance in mind. Most regulations like SOX, GLBA and HIPAA, and industry standards like the PCI Data Security Standard, require strict auditing of who has access to which systems. A single tool is the best way to audit user access for compliance.

Now, this might sound a bit like single sign-on (SSO), but it's different. SSO is a single password for accessing multiple systems. A single user-provisioning tool is a single device for doling out different passwords to different systems. Having only one provisioning tool also means a system administrator can provision access to multiple systems, whether they're mainframes, servers or desktop PCs.

Along with compliance, the two other drivers for user provisioning are saving money and fighting security threats. Ideally, a user provisioning system should save money by administering user IDs and passwords, which is often one of the biggest drains on time for help desk staff. It can also shorten the time it takes for users to get access to the systems they need, and fewer delays in getting access translate into less downtime and more productivity.

Make sure the user-provisioning system can review user accounts, privileges and authorization on a periodic basis. This increases security by pruning stale and dormant accounts and by removing excessive privileges, including privileges left over when a user's role changes.
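As an added illustration (not code from the original answer or from any provisioning product), here is a small periodic access review of the kind described above: it flags accounts that have gone dormant and entitlements that the account's current role does not justify, which is exactly what is left behind after a role change. The role names, entitlement strings, dormancy threshold and sample accounts are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Constructed sample policy: which entitlements each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp:read", "erp:report"},
    "sysadmin": {"erp:read", "erp:admin", "ad:admin"},
    "contractor": {"erp:read"},
}

@dataclass
class Account:
    user: str
    role: str
    entitlements: Set[str]
    last_login: Optional[date]  # None means the account has never been used

Finding = Tuple[str, str, Optional[str]]  # (user, finding type, detail)

def review_accounts(accounts: List[Account], today: date,
                    dormant_days: int = 90) -> List[Finding]:
    """Return review findings: dormant accounts and excess entitlements."""
    findings: List[Finding] = []
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        # Stale or never-used accounts are candidates for disabling.
        if acct.last_login is None or acct.last_login < cutoff:
            findings.append((acct.user, "dormant", None))
        # Anything beyond what the current role permits is excess privilege,
        # typically a leftover from a previous role.
        allowed = ROLE_ENTITLEMENTS.get(acct.role, set())
        if acct.role not in ROLE_ENTITLEMENTS:
            findings.append((acct.user, "unknown-role", acct.role))
        for ent in sorted(acct.entitlements - allowed):
            findings.append((acct.user, "excess-entitlement", ent))
    return findings

# Constructed sample accounts; bob moved from sysadmin to finance-analyst
# but kept erp:admin, and dave has never logged in.
SAMPLE_ACCOUNTS = [
    Account("alice", "finance-analyst", {"erp:read", "erp:report"}, date(2008, 5, 5)),
    Account("bob", "finance-analyst", {"erp:read", "erp:report", "erp:admin"}, date(2008, 5, 10)),
    Account("carol", "contractor", {"erp:read"}, date(2007, 10, 1)),
    Account("dave", "sysadmin", {"ad:admin"}, None),
]

if __name__ == "__main__":
    for finding in review_accounts(SAMPLE_ACCOUNTS, date(2008, 5, 15)):
        print(finding)
```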

Some other must-have qualities to look for in a user-provisioning system are its ability to mesh with the directory architecture, such as Active Directory or LDAP, and its ability to enforce password policy and resets (another big cost to help desks). The system should have workflow capabilities to provide management approval of access, but include a self-service feature to allow resets and delegation without having to call the help desk.

User provisioning is the largest component of today's identity and access management (IAM) suites. But when considering an IAM suite, make sure it has all these features before investing.


This was last published in May 2008
