Effective Non-Human Account Management in SailPoint IdentityIQ

Non-human accounts (service, batch, integration and other machine accounts) are essential for automation in today's service-oriented, cloud-based IT environment. However, many IAM teams struggle to manage them consistently. In this post we explore the core design principles for effective non-human account management in SailPoint IdentityIQ, focusing on automation, auditability, and ease of management.

Core Design Principles for Non-Human Account Management

  1. Automation: Streamline the non-human account lifecycle, eliminating manual steps in request, approval, provisioning, modification, recertification, and disablement/deletion processes.
  2. Auditability: Ensure your organization can demonstrate compliance with established policies and regulations by maintaining comprehensive records of non-human account activities.
  3. Management and Monitoring: Optimize the representation of non-human accounts in your IAM system for visibility, reporting, and administration.

Effective Strategies for Non-Human Account Management

  1. Intake Process: Analyze your organization's current intake process for non-human accounts. Identify pain points and bridge the gaps related to your prioritized design principles. You will want to understand:
    • What tool (if any) is used to request non-human accounts.
    • What metadata about the account is captured (e.g. application, purpose, owner, lifespan).
    • Who approves the creation of the account.
    • How the account is provisioned. Based on these findings, decide whether to implement the intake process in IdentityIQ (e.g. via a custom quick link, forms, and workflows) or to enhance the tool currently in use.
  2. Lifecycle Management: Establish clear processes for requesting, approving, and provisioning additional access for non-human accounts, as well as recertification and ownership transfers.
  3. Implementation: Base your implementation on your understanding of current processes, design principles, and identified gaps. Consider how to represent non-human accounts in IdentityIQ, customize the intake form, set up vaulting, and configure recertification.

      Options for how you represent the accounts in IdentityIQ:

      1. Bring each non-human account into the system as an individual identity. This option is preferable if management/monitoring ranks higher among your design principles, or if you want governance of non-human accounts to be consistent with that of human identities. The downside is many more identity records in your IAM system, which can have performance implications if they are not well managed.
      2. Create identity cubes (i.e. identity records) for groups of accounts based on a logical grouping such as application, platform, owning business unit/department, or function. If you take this approach, watch for fat identities, i.e. identity cubes with 200 or more accounts, as these can have performance implications.

      You could also implement a hybrid approach in which some accounts are grouped and others are mapped to individual identity cubes. Which approach fits depends on your organization's specific needs. Regardless of the approach, capture all relevant metadata for each account (owner, purpose, lifespan, and so on) and store it where it can be used for governance.
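
The choice between individual and grouped cubes depends on numbers that can be computed from an export of the accounts and their metadata before anything is configured in IdentityIQ. The script below is an added example, not SailPoint code and not an IdentityIQ API: it works on plain account records. The inventory it builds is constructed sample data, the 200-account threshold is the one quoted above, and the field list (application, purpose, owner, lifespan) is the metadata the intake process is meant to capture. It compares the individual-identity option against grouping by application, platform or owner, reports which groups would become fat identities, proposes a hybrid mapping that splits only those groups, and lists accounts whose required metadata is missing.

```python
"""Compare ways of mapping non-human accounts onto IdentityIQ identity cubes.

Added example, not SailPoint code or a SailPoint API: it works on a plain
export of account metadata. The inventory below is constructed sample data.
"""
from collections import defaultdict

# Threshold used in the post: a cube holding 200 or more accounts is a
# "fat identity" and a performance risk.
FAT_IDENTITY_THRESHOLD = 200

# Metadata every non-human account should carry to support governance.
REQUIRED_METADATA = ("application", "purpose", "owner", "lifespan")


def build_inventory():
    """Constructed sample inventory (not real data): account name plus metadata."""
    accounts = []
    for i in range(250):  # one platform team with many batch-job accounts
        accounts.append({"name": f"svc_erp_batch_{i:03d}", "application": "erp",
                         "platform": "linux", "owner": "erp-team",
                         "purpose": "nightly batch job", "lifespan": "2025-12-31"})
    for i in range(40):  # integration accounts; the first has no owner recorded
        accounts.append({"name": f"svc_hr_int_{i:02d}", "application": "hr",
                         "platform": "windows", "owner": "hr-iam" if i else "",
                         "purpose": "integration", "lifespan": "2026-06-30"})
    for i in range(3):  # cloud accounts created with no purpose or lifespan
        accounts.append({"name": f"svc_cloud_{i}", "application": "landing-zone",
                         "platform": "aws", "owner": "cloud-team",
                         "purpose": "", "lifespan": ""})
    return accounts


def accounts_missing_metadata(accounts):
    """Map account name -> required fields that are empty or absent."""
    gaps = {}
    for acct in accounts:
        missing = [f for f in REQUIRED_METADATA if not acct.get(f)]
        if missing:
            gaps[acct["name"]] = missing
    return gaps


def group_accounts(accounts, key):
    """Group account names by one logical key (application, platform, owner...)."""
    groups = defaultdict(list)
    for acct in accounts:
        groups[acct.get(key) or "<unassigned>"].append(acct["name"])
    return dict(groups)


def fat_identities(groups, threshold=FAT_IDENTITY_THRESHOLD):
    """Group names that would become fat identity cubes."""
    return sorted(g for g, members in groups.items() if len(members) >= threshold)


def assess_grouping(accounts, key, threshold=FAT_IDENTITY_THRESHOLD):
    """Summarise one representation option.

    key=None is the individual-identity option (one cube per account);
    any other key is the grouped-cube option.
    """
    if key is None:
        groups = {a["name"]: [a["name"]] for a in accounts}
    else:
        groups = group_accounts(accounts, key)
    return {
        "option": key or "individual",
        "cubes": len(groups),
        "largest_cube": max((len(m) for m in groups.values()), default=0),
        "fat_cubes": fat_identities(groups, threshold),
    }


def hybrid_plan(accounts, key, threshold=FAT_IDENTITY_THRESHOLD):
    """Hybrid option: map account name -> cube name.

    Groups under the threshold share one cube; groups at or above it are
    split into individual cubes so that no fat identity is created.
    """
    groups = group_accounts(accounts, key)
    fat = set(fat_identities(groups, threshold))
    plan = {}
    for group, members in groups.items():
        for name in members:
            plan[name] = name if group in fat else f"svc-{key}-{group}"
    return plan


if __name__ == "__main__":
    inventory = build_inventory()
    print("accounts with metadata gaps:", accounts_missing_metadata(inventory))
    for key in (None, "application", "platform", "owner"):
        print(assess_grouping(inventory, key))
    plan = hybrid_plan(inventory, "application")
    print("hybrid cubes:", len(set(plan.values())))
```

In a real assessment, replace build_inventory() with the accounts aggregated from the relevant applications and their attributes, then run the comparison once per candidate grouping key. The accounts reported by accounts_missing_metadata() are the ones the intake process is failing to capture properly, and are worth fixing before recertification is configured, since a campaign cannot be routed to an owner who was never recorded.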

In conclusion, understanding the core design principles is the foundation of an effective non-human account management program. Organizations need to know where and how non-human identities are used in their IT environments, and to have the systems and processes in place to manage them properly.

Are you looking to enhance your non-human account management in SailPoint IdentityIQ? Our expert team can help you optimize processes, automate tasks, and ensure compliance.

Contact us today for a personalized consultation and let us assist you in securing and managing your non-human accounts more effectively.

Kelvin Mbatu

Kelvin is a Principal Architect at Aptitude Consulting with over 15 years of experience advising Fortune 500 companies on IAM and cyber security risk management.
