
9. Access Control Convergence

9.2. Privilege Management

9.2.3. Automated Provisioning Capability

As defined in the ICAM Services Framework, Section 3.2.4.3, provisioning is the process of creating user access accounts and assigning privileges or entitlements within the scope of a defined process or interaction. Provisioning gives users access rights to applications and other resources available in an environment, and may include the creation, modification, deletion, suspension, or restoration of a defined set of access privileges. Provisioning, as used in this document, also includes the process of permanently removing an individual’s access to particular agency resources when it is no longer required to perform job functions. This process is often referred to as de-provisioning.

Terminology

Orphaned Account – An account belonging to a user who has left the organization or no longer requires access to the resource. Orphaned accounts are most often the result of ineffective de-provisioning processes in which user access privileges are not removed immediately upon a user leaving the organization. These accounts retain their assigned privileges even though no one legitimately uses or monitors them, which creates security vulnerabilities that may be exploited by individuals seeking to do harm.

In the current environment, provisioning to PACS differs slightly from provisioning user privileges to other IT systems. Currently, automated provisioning capabilities that are integrated with PACS solutions typically provision user identity data for the purpose of establishing a user account, while entitlement privileges (e.g., access to specific sites or doors) are managed and controlled within the PACS solution itself. In the ICAM target state, however, agencies should develop automated provisioning capabilities that enable the provisioning of desired baseline physical access privileges to the PACS solution.

Throughout the majority of the Federal Government, provisioning is currently performed via an array of manual processes that create new instantiations of a user’s identity within each resource, often employing paper-based approval workflows. This heavily manual process makes it difficult to remove access (de-provision) promptly when it is no longer needed. It creates a great administrative burden for local resource owners and administrators, and is labor and time intensive. Additionally, the inability to efficiently and rapidly revoke access can inadvertently allow users to retain access to information or sites unnecessarily, or result in orphaned accounts. The target state ICAM segment architecture proposes the use of automated provisioning capabilities as a means of reducing redundant collection and use of digital identity data and streamlining the process of pairing identities and resources.

ROI

The National Aeronautics and Space Administration (NASA) performed an analysis of its logical resources to determine what basic resource entitlements should be granted to new users. A provisioning capability was deployed to automatically grant new users access privileges to these resources immediately upon record finalization by HR. This has resulted in significant administrative and time savings for resource owners and allowed new users to gain access to resources immediately upon beginning employment.

Automated provisioning tools leverage existing, authoritative sources of digital identity data to automatically link those identities to agency resources based on the entitlement privileges associated with each identity. This capability standardizes the provisioning process across an organization for all protected resources. Figure 16 illustrates the numerous efficiencies that can be achieved by deploying an enterprise-wide automated provisioning capability.

Benefit Category        Example Benefits

User Experience
  - Reduced manual account linking
  - Automated account linking and reconciliation
  - Elimination of per-application paper-based workflow
  - Access provisioning when required by role
  - Reduced sign-on to non-web-based applications
  - Faster access to resources

Operational Efficiency
  - Streamlined provisioning of accounts for new users
  - Reduction in per-application account administration
  - Automated reconciliation response workflow
  - Attribute synchronization
  - Business-friendly workflow for approvers and/or administrators

Security
  - Ability to easily automate detection, reporting, and response to orphaned accounts
  - Ability to detect and resolve excessive access privileges across multiple resources
  - Elimination of custom account linking code
  - Ability to centralize audit and access reporting
  - Standardized provisioning
  - Ability to digitally sign access approvals
  - Automation and enforcement of enterprise ID
  - Visibility into PII reduced based on business and job requirements
  - Centralized preventative policy enforcement

Figure 16: Benefits of Employing Automated Provisioning Capabilities

An effective provisioning framework has a strong foundation comprised of standardized, easily deployable, and repeatable approaches that simplify processes, eliminate infrastructure stovepipes, and streamline access control within agencies. Provisioning capabilities should be tightly integrated with an agency’s overall ICAM architecture and remain flexible enough to accommodate resource-specific approval processes.
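The security benefits listed in Figure 16 (detection of orphaned accounts, detection of excessive privileges across resources, centralized audit and access reporting) all come from one activity: reconciling what each resource believes about its accounts against the authoritative identity source and the baseline entitlements for each role. The following Python script is an added example of that reconciliation and is not part of the FICAM guidance or any agency's provisioning product; the HR records, the status values "active", "suspended" and "separated", the role baselines, the resource exports and the finding/action names are all constructed assumptions for illustration.

```python
"""Reconcile resource accounts against an authoritative identity source.

Added example (not from the FICAM guidance). All inputs are constructed
sample data; field names, statuses, roles and resource names are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Authoritative source (e.g. an HR feed), keyed by enterprise identifier.
HR_RECORDS = {
    "E1001": {"status": "active", "role": "analyst"},
    "E1002": {"status": "active", "role": "facility_mgr"},
    "E1003": {"status": "separated", "role": "analyst"},
    "E1004": {"status": "suspended", "role": "analyst"},
}

# Baseline entitlements per role and resource (assumed policy). Anything a
# resource grants beyond this baseline is reported as excessive.
ROLE_BASELINE = {
    "analyst": {"hr_portal": {"read"}, "pacs": {"bldg_a_main"}},
    "facility_mgr": {"hr_portal": {"read"},
                     "pacs": {"bldg_a_main", "bldg_a_loading_dock"}},
}

# Accounts exported from each resource, keyed by the resource-local user id.
# "enterprise_id" is the link to the enterprise digital identity; None means
# the account was never linked.
RESOURCE_ACCOUNTS = {
    "hr_portal": {
        "ada.l": {"enterprise_id": "E1001", "entitlements": {"read"}},
        "cy.m": {"enterprise_id": "E1003", "entitlements": {"read", "admin"}},
        "svc_legacy": {"enterprise_id": None, "entitlements": {"admin"}},
    },
    "pacs": {
        "00412": {"enterprise_id": "E1001",
                  "entitlements": {"bldg_a_main", "bldg_a_loading_dock"}},
        "00413": {"enterprise_id": "E1002",
                  "entitlements": {"bldg_a_main", "bldg_a_loading_dock"}},
        "00414": {"enterprise_id": "E1004", "entitlements": {"bldg_a_main"}},
    },
}


@dataclass(frozen=True)
class Finding:
    resource: str
    account: Optional[str]        # None for a "missing" (to-be-provisioned) finding
    enterprise_id: Optional[str]
    issue: str                    # orphaned | unlinked | excessive | suspended_active | missing
    action: str                   # revoke | review | remove_entitlements | suspend | provision
    detail: str = ""


def reconcile(hr, baseline, accounts) -> List[Finding]:
    """Compare resource accounts with the authoritative source and return the
    de-provisioning and provisioning actions the workflow should raise."""
    findings: List[Finding] = []
    linked: Set[Tuple[str, str]] = set()   # (resource, enterprise_id) pairs seen

    for resource, users in accounts.items():
        for local_id, acct in users.items():
            eid = acct["enterprise_id"]
            if eid is None:
                findings.append(Finding(resource, local_id, None, "unlinked", "review",
                                        "no enterprise identity mapped to this account"))
                continue
            linked.add((resource, eid))
            person = hr.get(eid)
            if person is None or person["status"] == "separated":
                findings.append(Finding(resource, local_id, eid, "orphaned", "revoke",
                                        "owner is not an active identity"))
                continue
            if person["status"] == "suspended":
                findings.append(Finding(resource, local_id, eid, "suspended_active", "suspend",
                                        "owner suspended in HR but account still enabled"))
                continue
            allowed = baseline.get(person["role"], {}).get(resource, set())
            extra = acct["entitlements"] - allowed
            if extra:
                findings.append(Finding(resource, local_id, eid, "excessive",
                                        "remove_entitlements", ", ".join(sorted(extra))))

    # Provisioning direction: active identities with no account on a baseline resource.
    for eid, person in hr.items():
        if person["status"] != "active":
            continue
        for resource in baseline.get(person["role"], {}):
            if (resource, eid) not in linked:
                findings.append(Finding(resource, None, eid, "missing", "provision",
                                        "active identity has no account on a baseline resource"))
    return findings


def summarize(findings) -> Dict[str, int]:
    """Counts per issue type, the figure a central access report would show."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(HR_RECORDS, ROLE_BASELINE, RESOURCE_ACCOUNTS):
        print(f"{f.resource:10} {str(f.account):12} {f.issue:17} -> {f.action} ({f.detail})")
```

On the constructed data the run surfaces one orphaned account (a separated employee still holding portal admin), one account that was never linked to an enterprise identity and therefore cannot be attributed to anyone, one PACS account with an entitlement beyond its role baseline, one suspended employee whose account is still enabled, and one active employee who was never provisioned on a baseline resource. A real deployment would feed each Finding into the de-provisioning or provisioning workflow and log the result for audit rather than printing it.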

Privacy Tip

Using technology to automate manual paper-based provisioning processes does not eliminate the privacy requirements associated with the manual process. Privacy protections, such as approvals from required personnel, must be embedded into new electronic applications or processes that are replacing a paper format (e.g., a paper request form), in order to prevent additional privacy risk. Agencies should build these protections into the automated workflow from the initial design.



9.2.3.1. Common Design Characteristics

In order to successfully build and deploy an automated provisioning capability, as defined in the target state ICAM segment architecture, it is necessary to understand the common characteristics that the solution should include in order to meet the objectives of the ICAM target state. These common characteristics are identified in Figure 17; however, agencies should also consider their specific needs when designing a provisioning tool.

Characteristic ID     Automated Provisioning Characteristics

Provisioning 1      The automated provisioning service includes resource requirements for creating a valid resource user account.

Provisioning 2      The automated provisioning service includes network configuration requirements between provisioning component and resource user store.

Provisioning 3      The automated provisioning service includes workflows for provisioning resource accounts (including accounts for PACS solutions).

Provisioning 4      The automated provisioning service includes forms for requesting access to a protected resource (including physical sites, buildings, rooms, etc.).

Provisioning 5      The automated provisioning service includes approvals required for granting authorization to

Provisioning 6      The automated provisioning service includes requirements for how the identity management component will create / modify / delete authorization.

Provisioning 7      The automated provisioning service includes any data schema attributes needed for provisioning for each protected resource.

Provisioning 8      The automated provisioning service includes any notifications that will be triggered during the provisioning workflow.

Provisioning 9      The automated provisioning service includes audit/reporting requirements for provisioning workflows.

Provisioning 10     The automated provisioning service includes workflows for de-provisioning resource accounts.

Provisioning 11     The automated provisioning service includes the ability to map identities to resource accounts.

Provisioning 12     The automated provisioning service includes the ability to retrieve and evaluate authoritative attributes from other agency systems to make provisioning decisions.

Provisioning 13     The automated provisioning service includes the ability to detect and act on attribute changes to provision and de-provision access.

Provisioning 14     The automated provisioning service includes any resource account lifecycle management requirements.

Provisioning 15     The automated provisioning service includes any user interface requirements for provisioning workflows and providing help desk support.

Provisioning 16     The automated provisioning service includes the ability to detect, prevent, and resolve conflicts with established segregation of duties policies.

Figure 17: Common Characteristics of an Automated Provisioning Capability
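Characteristics 10, 13 and 16 in Figure 17 describe the preventive side of the capability: an authoritative attribute change (hire, transfer, suspension, separation) is turned into grants and revocations, and no grant is made that would violate a segregation of duties policy. The Python below is an added example of such an event handler and is not code from the FICAM guidance or from any provisioning product; the roles, the "resource:entitlement" naming, the single SoD pair, the event kinds and the scenario in run_scenario are constructed assumptions. The point it makes beyond the table is ordering: on a transfer the old role's entitlements are revoked before the new baseline is granted, so privileges do not accumulate across job changes and an old entitlement cannot block the new baseline through an SoD conflict.

```python
"""Event-driven provisioning with segregation-of-duties (SoD) enforcement.

Added example (not from the FICAM guidance). Roles, entitlements, the SoD
policy and the event kinds are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Baseline entitlements per role, written "resource:entitlement" (assumed).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "ap_clerk": {"erp:login", "finance:create_vendor"},
    "ap_manager": {"erp:login", "finance:approve_payment"},
}

# SoD policy (assumed): no identity may hold both sides of a pair at once.
SOD_PAIRS: List[Tuple[str, str]] = [
    ("finance:create_vendor", "finance:approve_payment"),
]


@dataclass
class Identity:
    enterprise_id: str
    role: str
    status: str = "active"                      # active | suspended | separated
    entitlements: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Action:
    """One audit-log entry: what the workflow did (or refused) and why."""
    enterprise_id: str
    action: str        # grant | revoke | suspend | reinstate | blocked_sod | blocked_status
    entitlement: str   # "*" for account-wide actions
    reason: str


def sod_conflict(held: Set[str], new: str) -> str:
    """Return the held entitlement that conflicts with `new`, or "" if none."""
    for a, b in SOD_PAIRS:
        if new == a and b in held:
            return b
        if new == b and a in held:
            return a
    return ""


def grant(ident: Identity, ent: str, reason: str, log: List[Action]) -> None:
    if ident.status != "active":      # never provision a suspended/separated identity
        log.append(Action(ident.enterprise_id, "blocked_status", ent,
                          f"identity is {ident.status}; {reason}"))
        return
    clash = sod_conflict(ident.entitlements, ent)
    if clash:                          # preventive SoD check before the grant happens
        log.append(Action(ident.enterprise_id, "blocked_sod", ent,
                          f"conflicts with held {clash}; {reason}"))
        return
    if ent not in ident.entitlements:
        ident.entitlements.add(ent)
        log.append(Action(ident.enterprise_id, "grant", ent, reason))


def revoke(ident: Identity, ent: str, reason: str, log: List[Action]) -> None:
    if ent in ident.entitlements:
        ident.entitlements.discard(ent)
        log.append(Action(ident.enterprise_id, "revoke", ent, reason))


def apply_event(directory: Dict[str, Identity], kind: str, eid: str, **attrs) -> List[Action]:
    """Turn one authoritative attribute change into provisioning actions."""
    log: List[Action] = []
    if kind == "hire":
        ident = directory[eid] = Identity(eid, attrs["role"])
        for ent in sorted(ROLE_BASELINE[ident.role]):
            grant(ident, ent, "baseline for role " + ident.role, log)
        return log
    ident = directory[eid]
    if kind == "transfer":
        old, new = ident.role, attrs["role"]
        ident.role = new
        # Revoke everything outside the new baseline first (including ad hoc
        # grants, which must be re-requested under the new role), then grant.
        for ent in sorted(ident.entitlements - ROLE_BASELINE[new]):
            revoke(ident, ent, f"not in baseline after transfer {old}->{new}", log)
        for ent in sorted(ROLE_BASELINE[new] - ident.entitlements):
            grant(ident, ent, "baseline for role " + new, log)
    elif kind == "request":            # approved ad hoc request beyond the baseline
        grant(ident, attrs["entitlement"], "approved request " + attrs["ticket"], log)
    elif kind == "suspend":
        ident.status = "suspended"
        log.append(Action(eid, "suspend", "*", attrs.get("reason", "HR suspension")))
    elif kind == "reinstate":
        ident.status = "active"
        log.append(Action(eid, "reinstate", "*", "HR reinstatement"))
    elif kind == "separate":
        ident.status = "separated"
        for ent in sorted(ident.entitlements):
            revoke(ident, ent, "de-provisioned on separation", log)
    else:
        raise ValueError(f"unknown event kind {kind!r}")
    return log


def run_scenario() -> List[Action]:
    """Constructed lifecycle: hire, transfer, conflicting request, separation."""
    directory: Dict[str, Identity] = {}
    log: List[Action] = []
    log += apply_event(directory, "hire", "E2001", role="ap_clerk")
    log += apply_event(directory, "transfer", "E2001", role="ap_manager")
    log += apply_event(directory, "request", "E2001",
                       entitlement="finance:create_vendor", ticket="REQ-17")
    log += apply_event(directory, "separate", "E2001")
    return log


if __name__ == "__main__":
    for a in run_scenario():
        print(f"{a.enterprise_id} {a.action:14} {a.entitlement:26} {a.reason}")
```

In the scenario the transfer from ap_clerk to ap_manager revokes finance:create_vendor before granting finance:approve_payment, so the new baseline is provisioned cleanly; the later request to re-add finance:create_vendor is refused with a blocked_sod entry rather than silently creating a clerk-plus-approver combination, and separation empties the entitlement set. Every Action is the audit record that characteristic 9 calls for.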

9.2.3.2. Implementation Considerations

Deploying an automated provisioning capability is an undertaking that requires planning, support, and coordination from various groups within an agency. Specific planning and coordination considerations include the following:

Understand current workflows. Awareness of current provisioning workflows and technologies allows integrators to fully understand which resources require which information, while at the same time allowing integrators to analyze these needs and streamline, where applicable.

Lesson Learned

When configuring automated provisioning workflows, consider leveraging a small set of baseline workflows to start. The workflows can then be modified and customized over time to support additional resource-specific needs or as mission and/or business needs change. National Aeronautics and Space Administration (NASA) found that a single baseline workflow with several alternate approval options enabled rapid deployment of provisioning services to the majority of its resources.

Determine approval requirements. Knowing resource authorization requirements facilitates the mapping of roles and entitlements to access privileges. Providing an escalation path when approvals (or denials) are not given in a defined timeframe can significantly decrease the overall time taken to provision a user and improve the end user experience.

Develop technical requirements. Define the development, test, and production environment configurations in which the automated provisioning system will run, including the solution architecture and configuration specifications for hardware processing nodes, automated provisioning component deployment, communications interfaces and protocols, network interfaces, and disk storage.

Define de-provisioning processes. A key benefit to automated provisioning solutions is the ability to accurately and reliably de-provision user access when it is no longer needed. Currently, many agencies have fewer triggers to review and remove access than for providing access. An agency can see significant efficiencies and security benefits by carefully defining rules for de-provisioning users, whether temporarily (suspend access) or permanently (revoke access).

Determine appropriate auditing requirements. Logging defined approval and provisioning steps is critical in establishing who has been given access to what and by whom. Agencies should determine appropriate auditing requirements and ensure that the provisioning solution is designed to log the appropriate events.

Define user reports or dashboards. Automated provisioning provides the ability to capture information regarding account requests, approvals, and assigned permissions. Agencies should determine requirements for user reports or dashboard capabilities using this information to make the user management process more transparent to business and application owners.

ROI

Automated provisioning capabilities support an enhanced level of transparency and a more accurate understanding of the number of required active user accounts for a given resource. Upon implementing its provisioning solution, a federal agency was able to significantly reduce its software licensing costs at the resource level by eliminating unnecessary user licenses for duplicate or orphaned accounts.



Determine technology needs. Automated provisioning capabilities can be custom developed or purchased as part of a Commercial Off-The-Shelf (COTS) solution suite. Agencies should analyze a variety of workflow products and existing investments, aligning where appropriate, and determine which approach best suits the overall needs of the organization. In some cases it may be more cost effective to build a custom provisioning capability rather than purchase and configure a COTS product.

Determine appropriate provisioning architecture. Provisioning architectures typically operate in one of two ways: a push model, in which the provisioning component initiates the transmission of identity data (attributes, roles, privileges, etc.) to resources through data feeds at predetermined time intervals or in response to events; or a pull model, in which relying parties (resources) request identity data from LACS components when needed. Agencies should evaluate the business needs and technical constraints of the resources that will be integrated with the provisioning solution and define the appropriate architecture.

Gain approval and seek funding. Regardless of the technology path chosen, agency implementers will need to gain investment approval from ICAM decision makers and secure funding if existing investments are not feasible sources.

Link user IDs to an enterprise digital identity. User identifiers often vary from resource to resource. As part of implementing an automated provisioning capability, these unique identifiers should be mapped to the user’s enterprise digital identity to provide visibility into user permissions across the organization. This concept is further discussed in Chapter 7.

Maintain data privacy. Provisioning involves transmitting and/or sharing user data with integrated resources to facilitate account creation and access control. Agencies must ensure that appropriate controls are in place to maintain data privacy and prevent unauthorized disclosure.

Communicate and train the user population. As with all other organizational changes, an agency should ensure that the changes are communicated to the user population and that appropriate training is provided. In provisioning, this is especially important for personnel holding a sponsor or approver role.

Implementation Tip

When establishing automated provisioning workflows, it is important to evaluate current process steps and maintain necessary approval steps that are not inherently managed through the automated workflow (i.e., human intervention) to ensure that resource access is appropriately provisioned. In many cases, provisioning automation may allow an agency to streamline the account request steps. For example, approvals that were previously performed by sequentially signing a paper form may be approved concurrently, where appropriate, and offer non-repudiation of the approval through use of digital signatures.

In addition to planning considerations discussed above, implementation and enablement considerations for automated provisioning solutions are provided for PACS and LACS solutions in Chapters 10 and 11, respectively. Once an organization has a privilege management process in place to grant access privileges to individuals and an automated provisioning capability, the next step is correlating these access privileges with access rules that are intended to protect resources. The resulting access control policies are then used to control access to protected resources based on individual access privileges and may be reused with future resources. Authorization models for streamlining access control and the process through which access control policies are developed and enforced are discussed in detail in the following section.