In-Depth
How Identity Management Complements ERP
Enterprise resource planning (ERP) applications can automate business processes but do nothing to solve security problems. Identity management software, working in tandem with ERP, can help.
by Stephen Wolford
Introduction
Enterprise resource planning (ERP) applications have become a ubiquitous element in modern corporate strategy to automate business processes. From benefits, payroll, and performance management to recruiting and talent management, training, and employee self-service, many critical business processes surrounding lifecycle events for all members of the enterprise are managed by an organization’s ERP solution.
However, for most companies, process automation and quality data management for personnel lifecycle events ends where the ERP application ends. The business processes outside of ERP that are concerned with “identities” -- role and access management, risk management and compliance, resource and account provisioning, authentication and authorization -- also have a critical impact on a company’s business, yet more often than not these processes remain labor intensive, expensive, inefficient, and error-prone. They are not scalable or easily distributed and are inherently difficult to secure and to audit.
Consider the following questions:
- How long does it typically take for new employees to be granted access to the applications and systems necessary for their jobs?
- Are employees and contractors given the correct access according to policy? Is their access changed as their roles and responsibilities within the company change? Is their access ever revoked when they leave the company?
- Are key applications made available to partners and customers? Is this access provided while critical corporate resources are kept secure?
- How easy is it to generate reports requested by auditors to show who has access to what in critical business applications?
Relying on traditional processes and systems to manage the challenges of granting and maintaining such access for thousands of users connecting to thousands of systems creates far-reaching problems for even the smallest organization. The result is that most companies have no idea of the answers to these questions, and what’s worse, no easy way of finding out.
Identity Management Challenges
This situation results in a number of business challenges:
Increased costs
No single source of truth for identity information usually exists. Since applications have no reliable means of locating the data needed to make important decisions such as personalization, authentication, and authorization, local administrators collect and manage such information themselves.
Once new identity and organization events occur, the changes take weeks or months to propagate through all of the relevant systems. Updates to data are necessarily manual and, therefore, error-prone. The maintenance of this duplicate data with multiple, overlapping processes represents an enormous hidden cost.
Increased security risks
Administrators try to cope with complex and error-prone manual processes for managing user privileges across disparate systems. Users have to maintain far too many passwords, which increases the likelihood that they will be managed in an insecure manner. As employees move from position to position, leave one organization and rejoin another, access privileges are not modified to reflect these changes in business function and responsibilities.
Compliance and audit risks
To demonstrate compliance, businesses need to show that access controls have been in place and working as required. Without a centralized process to manage access policies and without an infrastructure to assign and track user entitlements, most companies have to start from scratch for each audit. This “pick up all the pieces and put them back together” approach is not only time-consuming and costly, but is increasingly failing current compliance standards and requirements.
Lack of business agility
Organizations must derive as much value as possible from their existing IT investments while adding new functionality quickly. One way of doing this is to move to a services-oriented architecture (SOA). A major obstacle to implementing SOA is that user information is spread across applications. New services can be introduced more quickly and securely if user management, authentication, authorization, and provisioning are core services made available to developers and are not duplicated in silos.
Identity Management Solutions
By extending the automation of business processes beyond ERP, identity management solutions help solve these challenges in the following fundamental ways.
Establish an enterprise identity
An identity management infrastructure starts with consolidating data from multiple, complex identity environments into a single enterprise identity source. This enables automated linkage of employee and contractor records with user accounts, and the immediate elimination of rogue and orphaned accounts.
Establish and enforce enterprise-wide security policies
Upon this foundation of identity consolidation, a consistent set of security policies can be established. Comprehensive role-based access control policies for enforcement across applications can be created. Segregation of duty rules that prohibit combinations of entitlements that violate policy serve as a proactive means of compliance. Uniform password policies across applications can be implemented, and for business critical applications, strong authentication mechanisms offer greater protection against improper access.
Automate security-related processes
Once policies are established, process automation can be implemented to reduce costs and improve services levels. Rules drawn from an identity’s context within the organization dynamically determine role memberships based upon changes in the business. Users receive access based on the roles they hold and gain or lose access based on changes in roles, ensuring that people are granted the right access at the right time.
Once a new employee is entered into the ERP system, an automated user-provisioning process creates the appropriate accounts and privileges in business applications. When an employee leaves the company, the same infrastructure ensures that such access is immediately revoked, closing security holes and lowering administrative costs.
Define an audit and control framework
Establishing a centralized view of people, roles, and privileges will immediately result in more accurate and efficient reporting as well as significant improvement of policies and controls.
To ensure that access remains current with changing business needs, a feedback loop attests to the policies in place and certifies that correct access has been granted. Workflow-driven forms present this data to authorized reviewers for sign-off and provide a means to document and correct any violations or exceptions.
Deploy a scalable integration architecture
Lastly, identity management solutions provide an integration framework to enforce access management policies across the entire infrastructure. The use of a scalable and standards-based architecture connects all of the pieces of the puzzle together transparently and in a cost-effective manner: from applications to user directories and underlying databases and operating systems
Conclusion
Extending ERP deployments with identity management solutions offers companies a unique set of capabilities to address business process, integration, and data management challenges:
- Maximize productivity by ensuring that new employees have the tools and information they need to do their jobs on day one
- Increase security and compliance by ensuring that user access is based on business policy
- Reduce administration costs and increase security by automating processes when employees and contractors join, transfer, and leave an enterprise
- Minimize the total cost of compliance and reduce the risk of a failed audit by providing documentation of who has access to what, granted by whom, and when
- - -
Stephen Wolford is a director of product management for Oracle Fusion Middleware. You can reach the author at stephen.wolford@oracle.com.