Manage employee identities and access rights with a single click

It’s possible to issue an access card and/or a mobile phone ID to a new employee – and to grant the correct digital and physical access rights – with a single click of the mouse. Any large company could set up such a solution in just a few months without any trouble, writes Magnus Malmström, vice president for Product & Delivery at identity and security company Nexus Group.

Access, both digital and physical, is a topic I have spent a lot of time discussing with customers and industry experts, yet I still find it a struggle to explain it to my kids or parents. The technical terms, the shorthand that makes sense at a conference or in an industry insiders’ conversation, mean nothing to them. It’s no surprise then that such insider talk means little to any business whose main focus is, well, another business than security by better identities.

So, demoralized by their blank stares, I tried a new approach, such as: “An employee can trust in the convenience of a mobile log-in from anywhere to her corporate network, just as she does for log-in to her bank with a mobile device” or…

“A prospective employee can now sign his employment contract digitally, then celebrate with his family instead of travelling for the sake of a signature ceremony that is closer to the year 1901 than 2018” or, even my favorite.

“That Hillary Clinton might have got closer to the 45th Presidency of the USA if she had been empowered with a secure log-in and protected her email with encryption.”

However, even going in this direction, it remains true that in a large enterprise there are hundred of systems where passwords are still used; where you can’t get access to all locations with a single card; or, when you leave the company you can still access some sites because your user profile has not been terminated.

We have come a long way in the security industry

In the last year the security industry has changed though – we have come closer to business reality. Now we talk about Identity & Access Management and a password free society. This is a big step forward.

However, looking at large enterprises, they are typically built up through many acquisitions, with outsourcing strategies, many locations, and therefore a lot of legacy systems. The processes for identity management are often time-consuming for all parties, with many systems managed separately in terms of identity and access management, and they often lack modern features such as audit trail. In too many cases, the on-boarding process in terms of identity management is completely siloed from the HR system, meaning that employee access to applications and data is not automatically orchestrated for new employees, nor is it revoked at termination of employment.

The beauty, when we stop talking technology and address real life improvements instead, is that this says as much about what we do, as about why or how we do it. I know this feeling is shared by most who work in this industry.

When I say that I believe we can use technology to improve mobility, ease of use , all at a lower cost, then I don’t mean all of this in ten years; I mean now. We already know the challenges we need to solve here and now. More than before, we can leverage the tremendous body of collective experience available to us.

So let’s learn from the successes of other industries

Large enterprises are under a pressure. Everything that can be digital, will be digital; and everything goes faster and faster in the era of digitalization. But first we have to strip away the excuses for why large enterprises are different and why transformation into new usage behaviours often takes such a long time. Some of the most transformative ideas are now within reach. Ones that will shape large enterprises for the better are only as far away as your phone, sitting right in front of you. It’s in the mobile phone’s power to bring you a virtual identity, empowered with a personal user experience, and an economy of scale. Going a bit further, it’s also a transformative step just to recognize that the trusted enrollment of a digital identity can connect to innovative new practices within an enterprise – such practises could be trusted voting, confirmation of attendance at a meeting, secure login to get a quick update while on the move, or small signing transactions such as travel expense reporting and approval.

Today, large enterprises are indeed remarkable. They generate as much revenue as a small country, or employ as many people as a large Scandinavian city. But there is still much to learn from other industries, or even start-ups and medium sized enterprises. We can’t ignore the complexities that make it so difficult to disrupt, the simple evidence of which is reflected in the fact that large enterprises are still the problem group that every major tech company wants to fix, with its own solutions, but just can’t seem to.

Why do we behave like ostriches?

How do you eat an elephant? Why do the insights that others act on successfully elsewhere, sit trapped like passwords, instead of moving to a smooth login with a fingerprint or your own choice of biometric? Why do we behave like ostriches? Continuing to pretend that all systems are secured today, and before every system can by given a security upgrade we choose to stand completely still? Isn’t a moving target harder to hit?

When I look at the basic barriers preventing us from improving large enterprises, that block us from enabling for every employee a trusted identity, then I believe Human Resources (HR) driven processes, such as on-boarding and off-boarding, can navigate the path to a smooth solution. All large organizations need only two factors to host their identities:

  1. smart cards for offline users or spaces like factory floors, and
  2. a mobile identity for all office workers. In high assurance cases, such as access to legal documentation or protected research information, these two form factors combine well to a highly trusted digital identity.

Just these two identities coupled with the HR process – which is the first and last to see an employee or worker – would in turn allow real time security for access to all digital and physical environments.

With one automated, self-service driven process I can bet many orphaned accounts can be terminated, and as a result mitigate the risk of a wrongful user gaining inappropriate access.

Transforming the impossible into the possible

We know the challenges we need to solve, and now we can leverage the power of simplified on-boarding and off-boarding of personnel. All people want a friendly environment, and access with trust and privacy in mind, and it is my conviction that one cornerstone is to transform the impossible into the possible, and therefore identity management and HR makes sense.

So, with an Identity First CIO and HR strategy it would take months, not years, to ensure that a single click in a HR process grants the right access at the right time for the right person. One click in, and one click out.

Published 24/5 2018

News, customer cases and blog posts