Identity and Access Management (IAM) has taken a crucial part in the enterprise security due to the inability of companies to rely solely on network protection and isolation. However, many companies still adopt IAM solutions by relying on HR-driven triggers only. Thus, Joiner/Mover/Leaver (JML) processes are usually the only automated ones, and the focus is primarily on standard user accounts.
Yet what about management of Technical Identities or Service accounts?
From an ITSM perspective most of the companies tend to use one ticketing system to track new users' requirements or to report their problems to helpdesk. This option, whilst simplifying the process for users, becomes a bottlenecked, due to the limited number of helpdesk agents. As the company grows in numbers, it puts greater and greater pressure on the support teams. On the other hand, although IAM solution resolves the issue of manual processing, quite often it has limited access and request retention policy (usually a month or a quarter). That is where the integration of the Ticketing system and IAM truly shines.
Every organisation has unique requirements and challenges when it comes to integrating and optimising the current IAM processes with different systems (e.g., HR and ticketing system). We have been tasked recently to assess and integrate identity management processes into ServiceNow instance for our client in order to centralise and streamline user access, authentication, and authorisation across systems and applications.
Let us review the benefits of such integration:
Unified experience. Users may have a single helpdesk point of contact (for our client this is ServiceNow), where new requirements are logged. Registration should be done in a structured way, i.e., for each type of request there should be one request form.
Transparent workflow. IAM-related tickets are processed by a standard ServiceNow workflow. This workflow may include approval, resources reservation, etc. Once the request is fully approved, it is sent to IAM for execution. In order to keep the user notified of the progress all the steps are reported back within the ServiceNow ticket. Therefore, the requestor and IAM team can see the state of each ticket in a single place.
Automation. IAM process can be triggered automatically based on pre-set conditions. For example, entitlement (e.g., group membership, distribution list) or license assignment which may depend on a user’s role.
End-to-end process. When a ticket is successfully resolved by the IAM solution, its state is automatically updated and then the ticket is closed. The requestor is informed via standard ServiceNow communication channels.
Improved security. Each change implemented to any user profile could be done based on HR data (for employee data changes) or user's request which must be approved (in case of user-initiated requests).
Traceability. At any moment, we can tell which security entitlements have been assigned, based on the conditions met by the user. This is greatly beneficial for auditing purposes.
Increased efficiency. The integration of IAM into the ServiceNow ticketing system increases efficiency thanks to the requests’ processing automation. As most of the IAM tasks do not require operator, the typical response time can be reduced down to 1 hour, thus not only speeding up the process but also taking off workload from support staff, allowing them to concentrate on more challenging tickets.
Reduced risk. Such integration greatly reduces the risk of security breaches, data leaks and human errors because everything is achieved in an automated and predicatble manner.
The diagrams below show on the high level the before and after states of the "New hire request" process.
How the situation looked like before the change:
A new hire request coming from the HR system is submitted as a ticket in ServiceNow (SNOW) for creation of user account, mailbox and access grant to systems and resources.
A helpdesk agent is assigned to the SNOW ticket who then manually creates the user account, mailbox and required privileges.
SNOW ticket is then updated by the helpdesk agent and in turn closed. Based on the ticket details the HR system is then manually updated with the new user details.
What happened after the project was completed:
A new hire request coming from the HR system is submitted as a ticket in ServiceNow (SNOW) for creation of user account, mailbox and access grant to systems and resources.
An automated workflow is triggered which processes the request and automatically creates user account, mailbox and required privileges for the different systems.
Mail notification is sent back to the user’s manager for further processing or approval (if required).
The SNOW ticket is then automatically updated and in turn closed.
The HR system is also automatically updated with the new user details.
Aside from the main workflow, which handles user accounts, our automation provides also the following additional functionalities:
Privileged accounts creation with mapping to primary non-privileged account.
Service account creation by storing initial password in a dedicated vault.
Automated licence assignment.
Many more customer-specific processes and integrations with other systems.
Conclusion
Thanks to the integration of IAM with the ServiceNow ticketing system our client benefited from an improved security, increased efficiency, and reduced risk. Having learned about the benefits of IAM firsthand, they also expanded its use to other areas of their IT infrastructure.
Contact us if you are looking into automating your JML processes with an identity and access management product. We can help extend its value by connecting many more systems such as ITSM and achieve a holistic integration across the enterprise.