Managing the identity lifecycle of Joiners, Movers, and Leavers (JML) is the backbone of strong identity security
Frank Vukovits
Protecting your assets, resources, and data appropriately starts with securing identities and managing authorization. Identity management isn’t a once-and-done activity. Rather, it follows a lifecycle as identities, access requirements, and risk factors change.
In this blog, you’ll learn the fundamentals of Identity Lifecycle Management (ILM) and best practices to optimize the practice of administering access—making sure people and non-human resources in your organization have the accounts and access that they need, when they need them, and removing access when it’s no longer required.
There’s a lot of jargon to sift through when looking at ILM. So, let’s start with some practical definitions.
An identity is simply a digital representation of a person or machine in your organization. Identities can be employees, contractors, partners, customers, devices, APIs, workloads, or anything you authorize to access your systems.
An identity’s lifecycle encompasses everything that happens to an identity over time that must be provisioned, tracked, and managed. In general, this is broken down into three high-level lifecycle events: joining, moving, and leaving.
What are Joiners, Movers, and Leavers?
Joiners:
The beginning of ILM starts with the Joiners. Joiners are identities, human or machine, that are joining your organization and need access to resources. These could be new employees who have just been hired, customers who have registered on your website, or contractors or third parties who need access to your systems and resources. An identity is required before entitlements can be assigned or access to resources can be provisioned.
To learn more about the Joiner's onboarding process, check out our Onboarding Checklist.
Movers:
Movers are identities that are changing in some material way from how they were initially provisioned. An employee may have changed job roles and need different access to an application or cloud platform. Perhaps a third-party consultant is moving to a different project and needs access to new systems or resources.
In those cases, it’s essential that the old access for Movers be removed and only the access for the new role or project be provisioned.
Leavers:
Leavers are identities that are moving on from your organization. A Leaver could be an employee who is retiring or taking a new job elsewhere, a third-party vendor who has been replaced, or any other situation where you need to end the relationship between the identity and your organization.
To learn more about the Leaver's offboarding process, check out our IT Offboarding Checklist.
What’s the risk of mishandling permissions for Joiners, Movers, and Leavers?
Without strong management of identities through their lifecycle, risks from external and internal threats abound. Provisioning, re-provisioning, and de-provisioning processes are critical to ensure all identities have access to only the resources they require in accordance with the Principle of Least Privilege.
Overprovisioned access can allow bad actors or employees to access data or execute inappropriate transactions, leading to fraud. You can’t have a strong security posture without a robust ILM solution and associated controls to ensure users and identities have the right access, to the right resources, at the right time, no more, no less.
Business decisions to hire Joiners generally go through Human Resources (HR) departments and are communicated through internal channels and multiple systems, such as ticketing systems and requests to IT for provisioning. Yet the approval process for granting access to specific resources can take some time and require a lot of back and forth, sometimes manual or via email, because HR often doesn’t know which systems are necessary for the person’s job. Additionally, Joiners who are third-party contractors can often be brought on board quickly, off the radar of IT and even HR.
Once a Joiner is on board, teams may shift responsibilities frequently, particularly in a matrixed or Agile organization. Movers may need access to resources only for a brief period, which can be cumbersome for business teams waiting on IT to provision or re-provision access. At the same time, IT has no way to know when access requirements change unless the business tells them.
Business teams are eager for Joiners and Movers to start contributing value as quickly as possible, so without rapid user access and identity provisioning, they may use shared credentials or find other workarounds to give them the access needed to perform their job duties, all of which undermine a strong enterprise security posture.
Leavers can also pop up suddenly. Layoffs often happen quickly, giving HR and IT departments little time to prepare for a smooth and safe offboarding process, including the critical need for accurate and complete deprovisioning of users and identities.
Third-party Leavers may end their projects, but the organization may believe they will use that contractor again for a future project, so instead of revoking access permissions, they leave them in place to save onboarding time in the future.
When Leavers aren’t managed carefully, risks of insider threats and cyberattacks increase along with compliance and privacy violations. It's been reported that 25% of employees still have access to company data from past employers, with 87% admitting to taking data they created—like strategy documents and presentations—when they leave.
For all these reasons, user identities are often overprovisioned with broad-standing access to resources whether they truly need them or not, regardless of job function.
How to streamline provisioning and deprovisioning for Joiners, Movers, and Leavers with IGA
Using a variety of solutions to request access is time-consuming, prone to errors, and often leads to provisioned access being in place long after a user or identity has moved into a new role or left the company. You can replace manual or multi-solution ILM provisioning processes with comprehensive Identity Governance and Administration (IGA), an automated, end-to-end solution for managing Joiners, Movers, and Leavers through a single platform integrated directly with your HR system.
IGA lowers the risk related to over-provisioning users and identities to help protect your company’s critical assets and applications. When choosing an IGA solution, look for one that is easy to use, quick to implement, and shows rapid ROI.
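To make the HR-driven JML reconciliation described above concrete, here is an added example (not code from the original post or from any IGA product): it compares a constructed HR feed, treated as the system of record, against currently provisioned access and emits the Joiner, Mover, and Leaver actions needed, including the orphan accounts that HR never knew about. The role catalog, user IDs, and entitlement names are all assumptions.

```python
# Constructed role catalog (assumption; a real IGA product holds this in its role model)
ROLE_ENTITLEMENTS = {
    "ap-clerk": {"erp:invoice-entry", "email"},
    "ap-manager": {"erp:invoice-entry", "erp:invoice-approve", "email"},
    "contractor-dev": {"git:read", "ci:trigger"},
}

# Constructed sample HR feed (system of record) and currently provisioned access
HR_FEED = {
    "u100": {"status": "active", "role": "ap-clerk"},        # hired, no account yet
    "u200": {"status": "active", "role": "ap-clerk"},        # moved from contractor-dev
    "u300": {"status": "terminated", "role": "ap-clerk"},    # left the company
    "u400": {"status": "active", "role": "contractor-dev"},  # unchanged
}
CURRENT_ACCESS = {
    "u200": {"role": "contractor-dev", "entitlements": {"git:read", "ci:trigger"}},
    "u300": {"role": "ap-clerk", "entitlements": {"erp:invoice-entry", "email"}},
    "u400": {"role": "contractor-dev", "entitlements": {"git:read", "ci:trigger"}},
    "c900": {"role": "contractor-dev", "entitlements": {"git:read"}},  # unknown to HR
}

def reconcile(hr_feed, current_access):
    """Return (user, event, grants, revokes) tuples that bring access in line with HR."""
    actions = []
    for uid, hr in hr_feed.items():
        have = current_access.get(uid)
        if hr["status"] == "terminated":
            # Leaver: revoke everything that is still provisioned
            if have and have["entitlements"]:
                actions.append((uid, "leaver", set(), set(have["entitlements"])))
            continue
        want = ROLE_ENTITLEMENTS[hr["role"]]
        if have is None:
            # Joiner: provision exactly the new role's entitlements, nothing broader
            actions.append((uid, "joiner", set(want), set()))
        elif have["entitlements"] != want:
            # Mover: grant the new role and revoke the old one instead of stacking access
            actions.append((uid, "mover", want - have["entitlements"], have["entitlements"] - want))
    # Accounts with no HR record at all (e.g. a contractor onboarded off the radar)
    for uid, have in current_access.items():
        if uid not in hr_feed and have["entitlements"]:
            actions.append((uid, "orphan", set(), set(have["entitlements"])))
    return actions

if __name__ == "__main__":
    for uid, event, grants, revokes in reconcile(HR_FEED, CURRENT_ACCESS):
        print(f"{uid}: {event:7} grant={sorted(grants)} revoke={sorted(revokes)}")
```

Running the reconciliation on a schedule and after every HR change is what turns the Joiner, Mover, and Leaver events into provisioning actions rather than tickets waiting on someone to notice.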
IGA as part of identity security
Along with authentication and authorization, IGA is an essential component of identity security. By managing Joiners, Movers, and Leavers throughout the Identity Lifecycle, you ensure users and identities are provisioned accurately and efficiently from the start of their relationship with your organization and as their roles, access requirements, and associated risks inevitably change.
Again, check out our IT Offboarding Checklist and Onboarding Checklist for more best practices to help you reduce risk and make your identity management processes more efficient.