User Lifecycle Management

Innova Solutions, Perspectives

One of the most prominent challenges organizations encounter on their journey from the Datacenter to the Public Cloud and SaaS solutions is the proper onboarding and offboarding of employees, contractors, interns, and temporary staff. With the impact of Covid-19, many organizations are working through the effects of employee furloughs as well. Still, even in 2020, organizations rely on manual processes driven by multiple employees, spreadsheets, and institutional knowledge. These manual processes are time-consuming and eventually leave the organization with an identity state that no longer matches its actual population of information workers. This mismatch causes security breaches, compliance failures, licensing issues, and potential legal impacts.

Organizations that have moved workloads outside their datacenter walls to the Public Cloud typically still have Active Directory as the original identity source of truth. To establish relationships with SaaS solutions, organizations have turned to Single Sign-on (SSO) tools such as Microsoft ADFS, Okta, OneLogin, and Azure AD to federate their on-premises identity to these services. Using these SSO tools, organizations realize the positive impact of best-of-breed SaaS solutions, gaining productivity benefits without the operational burden of managing application infrastructure. What these SaaS solutions do not provide is a cohesive platform for managing employee identity across different services. The same application-access issues that exist in the Datacenter exist in the Public Cloud and SaaS solutions.

In a perfect world, User Lifecycle Management (ULM) is automated, removing the spreadsheets, manual steps, and human error from the process. The corporate HR IT platform primes the ULM pipeline with all stages of an employee’s journey through their employment. Document storage, e-mail, instant messaging, group membership, application access, and permissions are added, modified, or revoked in near real-time with automated approvals, notifications, and auditable logs.

Achieving this level of ULM automation is difficult because it requires a limited staff to codify those stages out of processes that evolved over the years. Most organizations end up with a mishmash of manual processes and bespoke scripts that a previous staff member wrote. Move out of the Datacenter into the Public Cloud and SaaS solutions, and the difficulty of managing ULM only magnifies.

In the real world, most organizations have gaps in their ULM. IT staff turnover, and with it the loss of institutional knowledge, can have disastrous results. In a recent project, Innova Solutions eliminated 20,000 inactive identities in an Active Directory forest for a large client because processes created by previous staff, long since moved on to their next career, had failed. Working together with different internal organizations, we mapped the joiner, mover, and leaver experience to automation, reducing the manual burden and human error and ensuring an auditable workflow. Correcting the ULM workflow helped this organization determine licensing needs, reduce the account attack surface, and lower the burden of Active Directory maintenance.

For on-premises Windows applications, achieving a high level of automation is possible because of their typical dependence on Active Directory. Microsoft Active Directory provides a rich API via Active Directory Web Services. Leveraging Windows PowerShell and the Active Directory module, administrators can achieve basic ULM for their on-premises applications. Once ULM extends beyond the corporate firewall to the Public Cloud and SaaS solutions, these PowerShell scripts lose their effectiveness. Instead of one API to manage, Active Directory administrators must figure out how to use Invoke-WebRequest against the various API schemas presented by their SaaS providers. The Active Directory Web Services API has gone mostly unchanged since its introduction with Windows Server 2008, as radical changes in Active Directory are rare. That is not the case with SaaS applications.
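As an added illustration of the "basic ULM" the Active Directory module makes possible on-premises (this is example code written for this page, not Innova Solutions' or BetterCloud's tooling), the script below implements an auditable leaver step plus the stale-account report behind a cleanup like the one described earlier. The disabled-users OU and the audit log path are placeholders you would replace with your own.

```powershell
# Added example: an auditable "leaver" step for on-premises AD using the ActiveDirectory
# module (which talks to Active Directory Web Services). The OU and log path below are
# placeholders, not values from the article.
#Requires -Modules ActiveDirectory

function Invoke-LeaverOffboarding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisabledOU = 'OU=Disabled Users,DC=example,DC=com',   # placeholder
        [string]$AuditLog   = 'C:\ULM\leaver-audit.jsonl'             # placeholder
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, Manager
    # Capture group access before revoking it; keep the primary group (Domain Users, RID 513),
    # which Remove-ADGroupMember cannot remove.
    $groups = Get-ADPrincipalGroupMembership -Identity $user |
              Where-Object { $_.SID.Value -notmatch '-513$' }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable, strip groups, move to disabled OU')) {
        Disable-ADAccount -Identity $user
        foreach ($g in $groups) {
            Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
        }
        Set-ADUser -Identity $user -Description ("Offboarded {0:yyyy-MM-dd} by {1}" -f (Get-Date), $env:USERNAME)
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
    }

    # Append one JSON line per offboarding: who, when, by whom, and which access was removed.
    $record = [ordered]@{
        timestamp      = (Get-Date).ToString('o')
        actor          = "$env:USERDOMAIN\$env:USERNAME"
        samAccountName = $user.SamAccountName
        dn             = $user.DistinguishedName
        groupsRemoved  = @($groups | ForEach-Object { $_.Name })
        dryRun         = [bool]$WhatIfPreference
    }
    Add-Content -Path $AuditLog -Value ($record | ConvertTo-Json -Compress)
    return $record
}

# Companion report: enabled user accounts with no logon in N days, the stale identities
# that accumulate when the leaver process silently breaks.
function Get-StaleUserAccount {
    param([int]$Days = 90)
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $Days) -UsersOnly |
        Where-Object Enabled | Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

# Dry run first: with -WhatIf the ShouldProcess gate changes nothing, but the log line is still written.
Invoke-LeaverOffboarding -SamAccountName 'jdoe' -WhatIf
```

Run the report on a schedule and compare its output against the HR feed; any enabled, inactive account not on the HR roster is a leaver the workflow missed.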
As administrators, we want our identity platforms to maintain a stable API, and Microsoft provides that with Active Directory Web Services. As SaaS consumers, we want our SaaS applications to deliver new features and services regularly. Because these applications are deployed rapidly, every feature and setting change must be accounted for in the bespoke ULM processes.

Instead of focusing on ULM, administrators start chasing disparate APIs to prevent their brittle workflows outside of Active Directory from failing.

Failures in these SaaS ULM workflows are usually discovered at the worst possible moments: during security breaches, data leaks, and compliance failures.

How can ULM administrators maintain the same control in the Cloud as they do in the Datacenter without chasing SaaS APIs?

Working with our partner, BetterCloud, Innova Solutions can provide for SaaS applications the same ULM experience organizations have on-premises, not only handling basic application access but also adding value to the user experience in SaaS applications. Beyond granting and revoking application access, imagine workflows that uniquely configure SaaS offerings such as Office 365, GSuite, Slack, Salesforce, GitHub, Box, Dropbox, and Zoom for your employees. BetterCloud ends the administrator API chase, allowing standard workflows across various SaaS offerings and abstracting API changes away from administrators. We would love to demonstrate the value of going beyond basic access: a feature-rich onboarding experience for new employees, faster access to new services and capabilities for current employees, and a secure, auditable offboarding process for information security.

For more information about SaaSOps

Please contact us below. We will reach out to you to discuss how we can improve your SaaS delivery.