
IBM i administrators and industry experts agree that effective and efficient user profile management is behind all IT success stories, yet so few organizations are able to consistently hit both targets. The time spent on manual onboarding takes away from more pressing matters, incomplete or inaccurate privilege sets cause conflict and confusion, and belated de-provisioning raises an untold number of risks.
Current Considerations
As companies bounce back from recession and place a stronger emphasis on digitally-driven innovations, IT departments are finally receiving the funds they need to hire qualified, new colleagues who can lighten the workload. However, the first order of business will be getting these recent hires up to speed.
Considering most hiring is piecemeal, managers have traditionally elected to map out a unique set of privileges for each new employee as they come onboard. Unfortunately, taking the time to manually input the profile characteristics associated with each managed system and application can be an exhaustive process. Even managers are susceptible to making stress-induced errors and oversights that could compromise security down the road.
Even if you achieve perfect accuracy with your first pass, IBM i administration is anything but a static process. IT managers can count on new systems and applications being added to data center operations, and hopefully they expect employees to take on new responsibilities as they gain tenure.
In any case, user profile management is a continuous process in which the settings engineered today could be irrelevant in a matter of weeks. As a result, those who went the manual configuration route from the start will grow accustomed to adjusting their handiwork—potentially from square one—when a certain update needs to be applied.
Finally, the inefficiency of user off-boarding remains a dirty little secret that a number of IBM i administrators would prefer be swept under the carpet. No one wants to see colleagues removed from their posts or leave voluntarily, and perhaps that explains the lack of detail seen in plans associated with such contingencies. In the wake of their departure, de-provisioning access rights suddenly slips to a back-burner task while more immediate priorities take precedence. Then days or weeks later, managers notice that their former teammate is still erroneously afforded database management responsibilities.
Risks Raised
The effects of these errors and inefficiencies leak into many areas of data center administration, but the consequences can extend far beyond the typical administrative headache. Ironically, the risk-averse impulse which drives IT managers to manually configure user profiles often works against their goals as the scope of the task exceeds the due diligence they are able to provide alone.
As any IT security professional knows by now, privilege escalation no longer solely describes cybercriminals gaining and abusing illicit access and power. Ponemon Institute researchers have revealed time and again that the leading cause of corporate data breaches continues to be a combination of insider threats. Although careless, line-of-business employees certainly contributed to these statistics, the scarier takeaway was the frequency and gravity of attacks launched by workers who knew exactly what they are doing.
With that in mind, user profile management is the first best way to “watch the watchmen” and make sure IT administrators are not abusing their powers. This concept is most readily recognized during on-boarding, and IBM i shops typically do a fair job with initial setup. But the more prevalent threat comes from those capable of setting privileges and those who erroneously retain access after they have left the company.
Perhaps a trusted systems administrator wants a little extra insight on how he or she is being paid in comparison to colleagues. Or worse yet, maybe a former teammate is attempting to leverage his remaining responsibilities to siphon off product development designs and present something similar to his new employer. In any case, misaligned privilege management strategies can introduce everything from compliance sanctions to silent assassins like an intellectual capital drain.
Identifying a Solution
With data center operations growing more complex and IT directors increasingly pressed for time, centralization and automation should be the two themes fueling user profile management plans.
The advantages of centralization have been seen in a variety of arenas across the IT industry over the years, and it’s an objective that only looks more appealing as workloads are diffused across more platforms, systems and work groups. By finding a tool that unifies profile management tasks from end-to-end, IBM i users gain access to an asset of immense value. Not only will the simplicity help them save precious time, it will also lessen the probability of any unfortunate oversights.
To amplify the efforts made to centralize oversight, IBM i users should also look to apply automation solutions that can further reduce the potential for user error and time-intensive resolutions. Template utilities, for example, help ensure fast and faultless onboarding in the future after setting the unique parameters for that user group just once.
Finally, IT directors will never have to worry about sentimentality or simple forgetfulness delaying de-provisioning and putting the company in a precarious position. With the flick of a switch, the right solution will efficiently administer the proper sequence of events to ensure any redundancies and discrepancies are eliminated.
Powertech Identity Manager for IBM i provides a centralized approach for administrators to create and manage IBM i user profiles. With unlimited templates, comprehensive event history, and automated remedies, Identity Manager secures your system with effective and efficient user profile management.
Get Started
See for yourself how easy user provisioning can be with Powertech Identity Manager for IBM i.