
How to use an automated user provisioning system for access control

Re-architect your provisioning system into a first line of defense for access management.

When organizations think of access management, single sign-on, login credentials and smart cards come to mind.

But before a single username and password is issued or a hard token is handed to an employee, the resources and privileges that he or she will access have already been set up. Provisioning a user's access is accomplished through a series of request channels, workflows used for approvals, and finally the setup of one or more accounts on the organization's application servers. In the past, this was done through a series of coordinated manual processes performed by a pool of local administrators. Today, these same functions are commonly done by an automated user provisioning system. Yet despite the use of this technology, access management is still a big problem for many organizations.

One issue is that the focus of many of these systems is to provision, or on-board, an individual. The corresponding service of deprovisioning, or off-boarding, accounts as an individual changes responsibilities within the organization or leaves is still not well defined. Human nature makes personnel diligent when application access rights are needed, but once they no longer need those applications, the request to remove the same rights is often put on the back burner. The result is access creep: rights accumulate as roles change and are never taken away, which is becoming a key data leakage and compliance concern for security professionals. A difficult economy and downsizing only exacerbate the problem and underscore the need for additional automated mechanisms to off-board users and cut off their network access.

Because of this problem, many organizations are going back to the drawing board, rethinking their provisioning--and now deprovisioning--strategies and looking at other identity management technologies to get access management back under control. Businesses have come to realize that by implementing the optional components that ship with these tools, such as reporting, role-based access management and advanced workflow, and integrating them with other security tools such as audit recertification and security information and event management (SIEM) tools, the provisioning system can be re-architected into a vital component of an organization's access control infrastructure.


When provisioning systems were initially implemented to on-board users, four components were deemed mandatory: the request interface; a basic workflow engine; a logging system to troubleshoot and query the actions taken by the system; and the connectors that join the targeted applications to be controlled by the system. With these components in place, an organization could automate access rights to many of its network and internal business systems. Over time, this configuration has been expanded to include any number of secondary-level applications, extending the sphere of influence of the provisioning system.

Over the years, the evolution of provisioning technology has provided new features and services. Today's provisioning systems ship with services that support access management governance. For example, the basic logging mechanisms were recognized to contain the system-of-record information for user access--who approved the access, when access was granted, and which applications were provisioned. With built-in reporting capabilities, this information has proved invaluable to audit and compliance personnel as evidence of authorized access when verifying compliance with regulations such as Sarbanes-Oxley, PCI DSS, GLBA, FERC/NERC, Basel II and HIPAA. But work is still needed, because organizations are finding this information is incomplete: since deprovisioning lags, the record often shows when a user's access rights were granted but not when they were removed.

Also, in the past, provisioning systems managed user access rights on an individual-by-individual basis. Inconsistencies were constantly found because individual access was customized and users were provisioned in differing ways. Two users performing the same function were sometimes provisioned with different access rights, even when this was done only hours apart. This approach also didn't provide much business benefit over the manual provisioning process, since the automation showed very little cost improvement. But several years ago, provisioning systems started shipping with role-based access control (RBAC). RBAC revolutionized provisioning by allowing user access to be managed according to the function the individual performs. RBAC profiles are now in place in many provisioning systems, allowing economies of scale in managing access rights for large populations of workers performing similar tasks--such as software engineer, account manager or surgeon.

With advancements in workflow engine technology, the provisioning workflow engines have been enhanced to the point where they compete with many of the commercial standalone workflow engines used by other business functions. This has allowed provisioning systems to support complex workflows and to take advantage of process options such as delegation of authority, detection of separation of duty conflicts, line-of-business approvals, and temporary approvals to compensate for short-term absences such as vacations and extended travel.
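One of those workflow options, separation-of-duty detection, is easiest to see in code. The following is an added example, not code from any provisioning product: the role names and the toxic combinations are constructed, and the request is evaluated against the roles the user would hold after the grant, so a conflict created by combining a new role with one already held is caught before the request reaches an approver.

```python
"""Separation-of-duty (SoD) pre-check for a role request entering an approval workflow.

Added example, not from any provisioning product. The roles and the toxic
combinations below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed SoD policy: sets of roles no single identity may hold together.
# Kept as a tuple (not a set) so findings come back in a stable order.
TOXIC_COMBINATIONS: tuple[frozenset[str], ...] = (
    frozenset({"ap_invoice_entry", "ap_payment_approval"}),
    frozenset({"vendor_master_admin", "ap_payment_approval"}),
    frozenset({"developer", "prod_deploy_approver"}),
)


@dataclass(frozen=True)
class SodViolation:
    user: str
    roles: frozenset[str]
    introduced: bool  # True if this request creates the conflict, False if it already existed


def check_request(user: str, current_roles: set[str], requested_roles: set[str]) -> list[SodViolation]:
    """Evaluate the roles the user would hold *after* the grant, not just the request itself.

    Checking only the requested roles misses the common case where a single new
    role conflicts with one the user already holds.
    """
    resulting = set(current_roles) | set(requested_roles)
    violations: list[SodViolation] = []
    for combo in TOXIC_COMBINATIONS:
        if combo <= resulting:
            already_present = combo <= set(current_roles)
            violations.append(SodViolation(user, combo, introduced=not already_present))
    return violations


def route_request(user: str, current_roles: set[str], requested_roles: set[str]) -> str:
    """Pick the workflow path for the request.

    "sod_exception" routes to a named risk owner who must record a compensating
    control; "manager" is the ordinary line-of-business approval. A pre-existing
    conflict is still reported by check_request so it can go to recertification
    rather than being silently carried forward.
    """
    violations = check_request(user, current_roles, requested_roles)
    if any(v.introduced for v in violations):
        return "sod_exception"
    return "manager"


if __name__ == "__main__":
    # Constructed request: an AP clerk asking for payment approval rights.
    for violation in check_request("jsmith", {"ap_invoice_entry"}, {"ap_payment_approval"}):
        print(violation)
    print(route_request("jsmith", {"ap_invoice_entry"}, {"ap_payment_approval"}))
```

The check deliberately distinguishes a conflict the request would introduce (blocked and routed for an exception) from one the user already carries (reported, but not a reason to refuse an unrelated request); the second kind is the input a recertification cycle needs.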

Provisioning systems have also modified their request interfaces to allow easy development of Web-based request forms that can be integrated into internal and external portals. Intelligence has also been added to the forms so self-service requests can be customized based on RBAC roles and a series of rules, producing request forms tailored to who the person is, the role they play and where they are: on premises, in a controlled remote facility or at a hotel kiosk.

Finally, many provisioning vendors such as IBM, Oracle and Novell have now recognized the need for data normalization. This function ensures that identity data replicated across several identity stores is kept in sync. In the past this was the responsibility of identity management meta-directories, but the feature has since been merged into the provisioning product. This has not only eased the internal integration that was required to make the two technologies work together, it has provided better data quality for the identity repositories managed by the provisioning system.


Organizations have found that just implementing a standalone provisioning system doesn't necessarily mean the company has control over its access management struggles. A common flaw of a provisioning system is its configuration. Many provisioning vendors have been asked by potential customers, "If we buy this system, will it work correctly?" And of course the answer is, "Yes, if you configure it right." Provisioning systems are like a block of wood and a picture of a sailing ship: The ability to carve the block to recreate the ship is directly proportional to the skill of the person wielding the knife. Due to the complexity of access management processes and workflows, poor management of existing standalone applications and incomplete business requirements, many provisioning systems have been found to grant incorrect access rights. Some have faltered to the point of being decommissioned--even though post mortem analysis found the system was working correctly but had been misconfigured.

This requires a provisioning system's actions to be checked to ensure the access rights provisioned are correct. Organizations have found that besides using a provisioning system as an access governance tool, a recertification system is also needed to perform these checks. These tools are implemented with connections to the same endpoint systems managed by the provisioning system. By extracting information from these systems and independently analyzing the access permissions based on the same roles and rules used by the provisioning system's configuration, the recertification tool can independently verify the provisioning system is correctly issuing access rights.
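Stripped to its essentials, that independent check is a reconciliation: recompute what each identity should hold from the role model, compare it with what the connectors actually read back from the endpoints, and report the difference. The example below is added here and is not any vendor's recertification engine; the roles, the HR feed and the endpoint extracts are constructed. It also covers the two deprovisioning failures described earlier on this page: a terminated user whose accounts are still live, and an account on an endpoint with no identity in the system of record behind it.

```python
"""Independent recertification check: expected entitlements (from the role model)
versus actual entitlements (read back from the endpoints).

Added example, not a product's code. Roles, identities and endpoint data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# The role model the provisioning system is configured with (constructed).
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "software_engineer": {"git:read", "git:write", "jira:user", "vpn:standard"},
    "account_manager": {"crm:sales", "jira:user", "vpn:standard"},
    "surgeon": {"ehr:clinical", "ehr:orders", "vpn:standard"},
}

# System of record for identities, e.g. an HR feed (constructed).
IDENTITIES: dict[str, dict] = {
    "alice": {"status": "active", "roles": {"software_engineer"}},
    "bob": {"status": "active", "roles": {"account_manager"}},
    "carol": {"status": "terminated", "roles": {"surgeon"}},
}

# What the connectors actually read back from the endpoints (constructed).
ENDPOINT_ENTITLEMENTS: dict[str, set[str]] = {
    "alice": {"git:read", "git:write", "jira:user", "vpn:standard", "crm:sales"},  # crm:sales is creep
    "bob": {"crm:sales", "vpn:standard"},                                          # jira:user never granted
    "carol": {"ehr:clinical", "vpn:standard"},                                     # terminated, still live
    "dave": {"vpn:standard"},                                                      # no identity behind it
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str  # "excess", "missing", "terminated" or "orphan"
    entitlements: frozenset[str]


def expected_entitlements(roles: set[str]) -> set[str]:
    """Union of the entitlements of every role the identity holds."""
    return set().union(*(ROLE_ENTITLEMENTS.get(role, set()) for role in roles))


def reconcile(identities: dict, endpoint: dict[str, set[str]]) -> list[Finding]:
    findings: list[Finding] = []
    # Walk both sides so accounts unknown to the system of record are not missed.
    for user in sorted(set(identities) | set(endpoint)):
        actual = endpoint.get(user, set())
        identity = identities.get(user)
        if identity is None:
            findings.append(Finding(user, "orphan", frozenset(actual)))
            continue
        if identity["status"] != "active":
            # Any remaining entitlement on a non-active identity is a deprovisioning failure.
            if actual:
                findings.append(Finding(user, "terminated", frozenset(actual)))
            continue
        expected = expected_entitlements(identity["roles"])
        if actual - expected:
            findings.append(Finding(user, "excess", frozenset(actual - expected)))
        if expected - actual:
            findings.append(Finding(user, "missing", frozenset(expected - actual)))
    return findings


def revocation_requests(findings: list[Finding]) -> list[tuple[str, str]]:
    """(user, entitlement) pairs to send back to the provisioning system for removal.

    Excess rights on active users and everything held by terminated or orphan
    accounts are revoked; "missing" findings are left for a manager to confirm,
    since a gap may be intentional.
    """
    to_revoke: list[tuple[str, str]] = []
    for finding in findings:
        if finding.kind in ("excess", "terminated", "orphan"):
            to_revoke.extend((finding.user, e) for e in sorted(finding.entitlements))
    return to_revoke


if __name__ == "__main__":
    results = reconcile(IDENTITIES, ENDPOINT_ENTITLEMENTS)
    for finding in results:
        print(finding)
    print(revocation_requests(results))
```

The point of walking the union of both user sets is that a recertification tool fed only from the provisioning system's own records can never see "dave": an account that exists on an endpoint but was never provisioned through the system is exactly the kind of access the record-of-authorization cannot explain.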

Also, errors in access may not be the fault of the provisioning system but rather that of the requestor. Recertification systems address this problem by providing the ability to assign management roles to the user rights under scrutiny. This service entails notifying responsible managers that a recertification task is required, usually through an email message with a link back to the recertification interface. The manager is then presented with the users under his or her domain and the access rights and services they have access to. The manager is responsible for reviewing the accesses and determining any changes required--add, delete or modify. Once the changes are identified, the recertification system can then execute a series of electronic requests to the provisioning system to make the appropriate changes.

Because of the complexity of today's provisioning environment, even using a reliable recertification tool doesn't ensure 100 percent access management coverage. But perimeter monitoring tools used to thwart insider attacks, malware and external hacker attacks can help guard against unauthorized or incorrect access. These SIEM tool suites, along with data leakage protection tools, log monitoring, and firewall traffic analysis tools, sit in many large organizations performing constant monitoring of network traffic, looking for sensitive information attempting to leave the perimeter of the organization.

These tools capture both premeditated attacks and inadvertent information leakage events. While they don't proactively modify end user access, they do log, and if configured to do so, block sensitive information from being sent outside the organization's domain by unauthorized users. Many times the user who initiated the transfer obtained the data through inappropriate access, or through access that was never removed as the user's role changed over time. Information captured by the SIEM tool can be used to determine which system the information originally came from, and often who the user was that originated the action. By having security incident response personnel work closely with identity management administrators, errors in access management can be quickly resolved.


Provisioning systems work well in controlling access but the world continues to change and so does the access management environment. To date, terminations, or off-boarding events, are still difficult to manage. With the recognition of this problem, many provisioning architects and administrators are learning to work with their counterparts in human resources, compliance and security administration to understand the complexities of off-boarding individuals. As the processes are better understood, new connections to the provisioning system from the applications used by these groups are feeding the provisioning system's workflows to enable deprovisioning.

Another area under exploration is the impact on access management of a federated business model using a blended workforce of internal and third-party personnel. Today's provisioning systems have been configured as "push" systems. This means requests are made to the provisioning system and access rights are pushed to the applications and systems under its control. But provisioning systems will have to be at least partially reconfigured as an access "pull" system. With ongoing work to establish strong external identities through standards like OpenID, SAML, and OAuth, provisioning systems will have to have the ability to consume, or pull, identities from other sources outside the organization's domain in order to manage a changing workforce.

This movement towards external identities is clearly indicated by the Kantara Initiative. Kantara is developing strong Internet identity service profiles where, much like PayPal provides verified funds services, independent vendors will provide verified Internet identities. The hope is that an individual will sign up to have a service manage their identity, and using the standards listed above, will verify and communicate this identity to all the companies that want to consume an identity for the individual, including their workplace. This means that in the near future, enterprise provisioning systems will have to base their access management capabilities on a combination of Internet, asserted identities and local roles in order to accommodate this changing federated business model.
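What a "pull" step has to do with an asserted external identity is easier to see in code than in prose. The following is an added example and not the code of any federation or provisioning product: it consumes a constructed SAML 2.0 assertion, enforces the issuer allow-list, validity window and audience, and maps the partner's asserted group attribute onto local roles that the provisioning system can then push to its endpoints. The issuer, audience, group names and role mapping are all assumptions. The XML signature check is assumed to have been done upstream by the SAML library that received the assertion; an assertion whose signature has not been verified must never reach this function.

```python
"""Just-in-time ("pull") provisioning from a federated SAML 2.0 assertion.

Added example, not from any federation or provisioning product; issuer, audience,
group names and role mapping are constructed. ASSUMPTION: the assertion's XML
signature has already been verified by the SAML library that received it.
"""
from __future__ import annotations

from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Issuers allowed to feed identities in, with a label used to namespace their logins.
TRUSTED_ISSUERS = {"https://idp.partner.example/idp": "partner"}
# (issuer, asserted group) -> local role. Anything not listed maps to nothing.
ROLE_MAP = {
    ("https://idp.partner.example/idp", "contractor-engineering"): "contractor_engineer",
    ("https://idp.partner.example/idp", "contractor-support"): "contractor_helpdesk",
}
OUR_AUDIENCE = "https://sp.corp.example/provisioning"


def _parse_time(value: str) -> datetime:
    # SAML timestamps are UTC; fromisoformat accepts a trailing "Z" only from Python 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def consume_assertion(xml_text: str, now: datetime) -> dict:
    """Validate the assertion and return the local account to provision, or raise ValueError."""
    root = ET.fromstring(xml_text)  # use defusedxml.ElementTree for untrusted input in production
    if root.tag != f"{{{NS['saml']}}}Assertion":
        raise ValueError("not a SAML assertion")

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError(f"untrusted issuer: {issuer!r}")

    conditions = root.find("saml:Conditions", NS)
    if conditions is None or conditions.get("NotOnOrAfter") is None:
        raise ValueError("missing Conditions or NotOnOrAfter")
    not_before = conditions.get("NotBefore")
    if not_before and now < _parse_time(not_before):
        raise ValueError("assertion not yet valid")
    if now >= _parse_time(conditions.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [a.text.strip() for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if OUR_AUDIENCE not in audiences:
        raise ValueError("assertion not addressed to this service")

    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise ValueError("missing NameID")

    groups = [
        v.text.strip()
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)
        if attr.get("Name") == "groups"
        for v in attr.findall("saml:AttributeValue", NS)
        if v.text
    ]
    roles = sorted({ROLE_MAP[(issuer, g)] for g in groups if (issuer, g) in ROLE_MAP})
    if not roles:
        # A valid assertion with no mappable group is a denial, not an empty account.
        raise ValueError("no local role maps to the asserted groups")

    # Namespace external logins so they can never collide with an internal account.
    return {"login": f"{TRUSTED_ISSUERS[issuer]}:{name_id}", "issuer": issuer, "roles": roles}


def rejected(xml_text: str, now: datetime) -> bool:
    """True if consume_assertion refuses the assertion; used for the negative cases."""
    try:
        consume_assertion(xml_text, now)
    except ValueError:
        return True
    return False


# Constructed, unsigned assertion used only to exercise the parser (see the docstring above).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-05-01T09:00:00Z">
  <saml:Issuer>https://idp.partner.example/idp</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@partner.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:00:00Z" NotOnOrAfter="2024-05-01T09:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.corp.example/provisioning</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>contractor-engineering</saml:AttributeValue>
      <saml:AttributeValue>partner-hr</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_NOW = datetime(2024, 5, 1, 9, 2, tzinfo=timezone.utc)  # inside the validity window
```

Two design choices matter more than the parsing. The partner's group is never used as a local role directly: only explicitly mapped (issuer, group) pairs produce access, so a partner adding groups on its side cannot grant itself anything here, and an assertion that maps to no role is refused rather than turned into an empty account. And the external login is prefixed with the issuer's label so that an external "admin" can never be confused with the internal one.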

Identity management virtual directories, like RadiantOne Virtual Directory Server, will also have a strong impact on provisioning systems. These technologies abstract identity information from the individual sources of identity within the organization's infrastructure. By rolling up identity and access information to a single virtual view, provisioning systems will no longer need individual connectors to the systems they manage. One connection to the virtual directory will service many underlying identity stores, minimizing the complexity of end system access.

Finally, just as meta-directory functionality has been melded into the base provisioning platform, recertification services are becoming more closely coupled with provisioning. Soon these two will merge. But the jury is still out on whether recertification will consume provisioning systems or if provisioning systems will consume recertification. There is movement from both sides and the marketplace may have to determine which wins out.

With all these changes, provisioning systems are still evolving rapidly. This requires organizations to closely monitor the state of the market and plan a multi-phase architecture enhancement for this technology. But does that mean that those few who haven't implemented a provisioning system should wait for the pace of change to slow? No. Access management can be a business inhibitor if ignored. With federated business models, cloud computing, ever-growing regulatory compliance requirements and blended workforces, provisioning technologies are needed to provide the necessary controls to keep these factors in check. As previously stated, provisioning isn't the only answer, but it must be positioned at the center of an organization's access management tool set in order to give the business seamless access to its services and resources.

While companies are reluctant to speak about their provisioning experience -- many see their provisioning system deployment strategy as a competitive advantage -- it's easy to identify which have done access management well. All that's necessary is to look at any list of the most innovative and creative companies in the marketplace. No doubt if the covers of the company were lifted up, a hard working provisioning system will be found successfully chugging away.

Randall Gamby is an enterprise security architect for a Fortune 500 insurance and finance company who has worked in the security industry for more than 20 years. He specializes in security/identity management strategies, methodologies and architectures.
