Employee Provisioning

Provisioning new hires, deprovisioning departing employees, and managing their access and passwords while they're onboard can suck up a tremendous amount of time and money. Welcome enterprise user administration solutions.

August 12, 2002

11 Min Read
NetworkComputing logo in a gray background | NetworkComputing

EUA solutions also bring continuity. By centrally managing workers' access to directories, databases, servers, legacy applications and identity-management applications, these products let you migrate access rights and resources as an employee changes jobs within the organization and revoke rights when an employee leaves. Centralized auditing offers a complete view of who was granted access when and by whom, and workflow capabilities ensure that security policies are followed.

Finally, employee-provisioning solutions provide financial benefits, however indirectly, by increasing employee productivity, enterprise security and workflow automation.

From Zero-Day Start...

New hires require the basic office equipment--a desk, a computer, a phone--as well as access to job-related systems and applications. If all isn't in place, a new employee can't immediately become a productive member of the organization. And colleagues might waste time attempting to set up the correct access for the new co-worker. You need to be able to click a button and generate a "zero-day start" process--complete provisioning in less than a day.

You need a similar process when an employee moves from one role to another. Modifications to existing rights and migrations to new groups take time to perform and verify. But because the employee has access, there often is no rush to perform the migrations. Automating such processes ensures correct provisioning as soon as possible....To Zero-Day Stop

When employees leave, their access rights must be removed from some or all systems. If the original rights were granted without sufficient documentation, revoking rights will take some time. It's possible to overlook some systems, leaving unused and unmanaged user IDs and passwords in applications, thereby opening security holes. An EUA solution automatically removes all issued user IDs and passwords across systems, following defined business processes. This occurs even for access granted outside the system, if the system was synchronized before the revocation process kicked off. This practice is often referred to as zero-day stop, because it almost instantaneously removes all resources and accounts used by an employee leaving the organization.

An EUA solution's auditing and reporting features document what access levels were granted to which systems at what time. These trails provide information for security-policy reviews and a better understanding of the access necessary for roles across systems. If administrators, for example, are given access to systems above and beyond the documented set of systems, the EUA solution's auditing and reporting tools will show this pattern and may suggest you adjust your security policy, saving time in the future. If employees are being granted access that violates security policies, the software will help determine why it is occurring or point out that someone needs a reminder of the corporate security policies.

Failure to give employees the access they need and no more can be financially painful. Those organizations and workers who must follow the HIPAA (Health Insurance Portability and Accountability Act; see Does HIPAA Affect Me?) or GLB regulations (Graham-Leach-Bliley Act)--aimed at financial services, banking, securities firms and insurance companies, as well as title companies and retailers that maintain credit operations--can get hit with penalties as high as $250,000 and 10 years in prison for failure to comply.

HIPAA, which regulates access to employees' health-related records, affects more than just pharmacies and health-care providers. Essentially, any company that pays for the health-care plans of more than 50 employees must follow these regulations. Among other things, HIPAA requires users to be uniquely identified by biometrics, a token or a user ID and password combination. The act also requires a company to record and audit activity related to access of patient medical information, online and offline as well as by electronic transfer.GLB, meanwhile, restricts financial institutions' ability to share consumers' personal information, both with other companies and within the organization. EUA products help meet these requirements by providing audits and controlling employees' access to critical customer data. For example, a bank employee in a loan-processing department can see an applicant's data but can't get information about credit-card applicants. Setting up these rights correctly is critical, both to comply with the law and to keep public trust.

Just think of the negative publicity and loss of consumer confidence that follows a security breach. Many large auditing firms (KPMG, for example) require public companies to pass an information security audit or risk having the failure noted on their SEC filings. There's no legislated financial penalty, but shareholders don't like to see such things.

By providing centralized management of access and resource allocation, companies can ensure that strict security policies are followed and identify when access is granted outside the normal processes. This is the basis of provisioning products and can reduce the chances of employees being granted unnecessary access that may breach security policies.

Automating Process Workflow

We've all suffered through manual processes that depend on undocumented phone calls, e-mail or interdepartmental routing of paper-based forms to provision employees. These methods can be time-consuming ("Sorry, the person who handles that is on vacation this week") and error-prone ("I wasn't sure if that box was checked so I didn't create the account"). Auditing is nearly impossible.An EUA solution addresses these problems with a workflow component that manages the communication and sequence of required approvals to speed the process. Once approved, a request can be routed to an administrator for action or acted on automatically by the EUA package. The workflow component might provide a Web-browser interface that lets users and security administrators track the request and provide e-mail notification whenever the request is awaiting approval or action, when it has been acted upon, and if it is declined at any stage.

Many EUA products include in their workflow solutions an escalation procedure that allows for backup approvals of resources and access requests if the primary authority is unavailable or fails to deal with the request quickly. Requests, therefore, are handled within the organization's designated time frame, minimizing productivity loss while the employee waits for the request to be approved or denied.

The ROI Factor

Perhaps the prospect of paying $250,000 in fines and forwarding your mail to a federal penitentiary isn't enough reason to consider an EUA solution. Or perhaps HIPAA and BGL don't apply to your organization. In that case, you'll need other justification for the purchase of one these admittedly pricey systems.

A good EUA solution offers password self-service. If the product lacks this feature, don't buy it. Some products also offer configurable attribute self-service, which lets a user update his or her name, address and marital status without spending time filling out paper forms and routing them through HR.Most EUA solutions can provide a relatively fast ROI simply through those self-service features. Because the solution provides centralized management and can synchronize with all the disparate systems across your enterprise, it's simple to let end users change and synchronize their passwords across applications, databases, directories and servers.

Password-related issues represent a call volume range of 10 percent to 30 percent for IT helpdesk support, according to Gartner. The reduction of these calls can bring big savings in personnel productivity and IT support costs. "In a nonautomated support model, password reset costs range from $51 (best case) to $147 (worst case) for the labor alone," the Gartner report says.

Personnel at one Fortune 1,000 research firm supported the Gartner report, indicating that in January, 43 percent of 3,000 calls were password-related, with more than half of that 43 percent needing password resets. In April, 29 percent of 2,000 calls were password-related. The noticeable reduction was due to a change in password policy that relaxed the password-expiration time period. Using Gartner's estimated best-case labor cost, the total spent in April for this company dealing with password-related issues was $27,948. Assuming the percentage of calls stays the same for an entire year, that's $335,376 annually. Best case. Just passwords.

Compare that cost with the price of an EUA solution that provides password self-service. The ROI on the password self-service alone makes the solution worthwhile for companies like the research firm we interviewed, without giving any consideration to the benefits of the core functionality of such a solution.

One of an EUA's core features, which can be used to determine ROI, is account management from the systems administration point of view. For every account that must be created or deleted, there is a definite labor cost. Figure out the time and cost to create just one account on one system, then multiply that by the number of systems and accounts necessary for the typical employee. Now double it, because at some point you'll need to delete that account across your enterprise. What's the total cost? Remember, that is for one employee and doesn't take into consideration a change in responsibilities during that person's tenure.By the time you add these expenses to the password-reset costs, you're well above the price range for an EUA package. (For an example of some costs, based on our conversation with that Fortune 1,000 research organization, see the graphic, "First-Year Cost Comparison").

First-Year Cost ComparisonClick here to enlarge

Now imagine that a solution can automate these tasks and notify each administrator that the process has been completed. Although the ROI on this is likely to take longer than the password self-service aspects of an EUA, it's still starting to look good, right? And don't forget to consider that your systems administrators can be doing something else during the time they would have spent creating and deleting accounts.

If you're ready to consider employee provisioning tools, check out our RFI-based evaluation of EUA products, starting on page 43. We graded these packages on a number of criteria: interoperability with directories and applications, auditing and management tools, self-service capabilities, workflow features, and ability of the products to be fed from external systems--such as a PeopleSoft implementation delivering information on a new hire, kicking off the provisioning process or the manual granting of access to a database system.

Nearly all the products we tested met our scenario requirements, but we discovered that not all EUA solutions are created equal. Some require extensive development to integrate, while others provide almost all the necessities out of the box. One thing is clear: The ROI makes implementation of EUA solutions in large-scale environments worth the effort. The products also all ensure that our fictitious CEO won't be spending time in the pretend big house any time soon.

Technology editor Lori MacVittie has been a software developer and a network administrator. Most recently, she was a member of the technical architecture team for a global transportation and logistics organization. Send your comments on this article to her at [email protected].Every new hire comes with logistical complications for the human resources, IT and facilities departments. Roles must be defined, passwords assigned, equipment delivered; it's enough to cut productivity for days. Employee provisioning, or EUA (enterprise-user administration), software can give some of that lost time back.

EUA solutions centrally manage workers' access to resources, control passwords and make sure the employees' data is entered in all the right systems, from HR to accounting. Furthermore, when employees leave, this software makes it just as simple to remove their access rights from all systems, to prevent their unauthorized access.

We sent a Request for Information to Access360, Business Layers, Novell and Waveset Technologies, asking them to propose EUA solutions for a fictional retailer, Stuff4U. The vendors sent us their proposals, and then brought the software to our Green Bay, Wis., Real-World Labs® and implemented two or more pieces of our scenario. We were impressed most by Business Layers' eProvision Software 3.0, which combined great flexibility with top-notch password self-service, a critical feature.

Although EUA systems are expensive, the best ones are likely to pay for themselves over a period of one to two years, once you factor in the time and labor saved by automating the process: far fewer calls to the helpdesk for password changes, and fewer wages lost to the process of provisioning employees.

The Health Insurance Portability and Accountability Act is aimed primarily at health-care providers and clearinghouses, but it affects just about every large organization (large being defined as an organization with more than 50 employees).HIPAA is often recognized as the act that ensures coverage, removing pre-existing condition clauses and other insurance-coverage issues. What often isn't known is that there are quite a few regulations within HIPAA that relate to controlling access to health-related records. These are the privacy and security rules that have been implemented in accordance with HIPAA. And these rules affect many more organizations than is commonly expected.

If your company operates a pharmacy -- as many grocery stores across the United States do -- you must comply with HIPAA regulations. If you pay for health-care plans for your employees, your organization falls under HIPAA regulations. Yes, that means that just about every organization needs not only to understand HIPAA, but to comply with its regulations regarding security and privacy of

health-related information.

Two key requirements of HIPAA to be aware of:

• HIPAA requires that users be uniquely identified by biometrics, a token or a password/PIN combination.• HIPAA requires the ability to record and audit activity related to the access of patient medical information. This includes online access and electronic transfer.

You need to be able to control access and provide information on who had access to what and when. This includes documents, databases, applications and e-mail.

For more information:

General information on HIPAA

For a discussion of the regulations and the potential impact of security and privacy issues on your organization

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights