Provisioning and deprovisioning user accounts is the bane of any IT organization’s existence. It always needs to be done immediately, but it’s monotonous, time-consuming, and fraught with opportunities for human error: overprovisioning, underprovisioning, misspelled names, and resorting to insecure password sharing or duplication. Instead of creating a great first impression and a productive first day, user onboarding can often turn into hassle and frustration.
What’s more, employees often take the “initiative” of signing up for every other app that is announced on Product Hunt, leaving corporate data exposed and IT oblivious to the risk of exposure. Manual password management (sticky notes, spreadsheets, emails, etc.) stirs up myriad points of failure and irritation that not only make your job harder and create friction between IT and users, but also increase the threat of significant business integrity and intellectual property security failures. And when an employee quits or is let go at 5 p.m. on a Friday, how often will key data and applications, like Box or the corporate Twitter account, remain accessible until sometime Monday morning?
Top 8 reasons to use a cloud-based IAM solution such as OneLogin for provisioning and deprovisioning:
1. Give new employees access to important apps really fast.
How fast is fast? When you add a new employee to your directory, such as Active Directory, LDAP, Google Apps, or even Workday, OneLogin synchronizes users in real time, automatically provisioning new accounts in the applications your organization uses, such as Office 365, Box, Google Apps, Salesforce, Slack, Concur and AWS, freeing up valuable IT resources.
A new employee doesn’t have to futz with creating logins, storing passwords, resetting temporary passwords, or jumping through other hoops. The first time they sit (or stand) at their desk, a single login provides them a portal to all assigned applications that are accessible in a single click.
2. Make it easy for IT to provision app access based on user needs, reducing Shadow IT.
Since employees generally need access to different apps based on attributes like role, department, and location, OneLogin makes it easy for you to map applications to roles and other directory attributes. For example, everyone gets access to Slack, Box and Office 365, but only developers are provisioned in AWS and only Sales and Marketing get Salesforce accounts. You can even set up role-based app access for contractors, partners, and customers. As a leading vendor in the space, OneLogin has a catalog of more than 4,000 pre-integrated applications that makes it simple for IT to enable any application in minutes.
3. Make sure users have the correct level of app permissions.
Users are frequently provisioned with the wrong level of access control when using manual provisioning. OneLogin provides a flexible configuration for establishing role-based controls by syncing custom user attributes from external directories and pushing them to applications that support them, such as Google Apps. This ultimately removes one more step for IT staff and increases security.
4. Enforce security policies and reduce risk.
With OneLogin, you can restrict app access by IP address, as well as enforce multi-factor authentication for increased security. For example, Office 365 may always be accessible without multi-factor authentication, while Box requires a second factor when a user is not on the corporate network, and opening an application with highly sensitive data, such as Workday HR, always prompts for multi-factor authentication. Companies often adopt multi-factor authentication without the means to adapt it across the organization and turn to OneLogin to apply complex conditional rules to protect their data.
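The conditional rules in the example above can be checked against sign-in records to find logins that succeeded without the second factor the policy calls for. The following is an added illustration, not OneLogin configuration or code; the corporate network range, the rule names and the event field names are assumptions, and the events are constructed.

```python
import ipaddress

# Assumed corporate egress range (RFC 5737 documentation block, constructed).
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Per-app rule taken from the paragraph above: never / off_network / always.
MFA_POLICY = {"Office 365": "never", "Box": "off_network", "Workday HR": "always"}

def on_corporate_network(source_ip):
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # unparseable address counts as off-network
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so dual-stack proxies match.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in CORPORATE_NETS)

def mfa_required(app, source_ip):
    rule = MFA_POLICY.get(app, "always")  # unknown apps fail closed
    if rule == "never":
        return False
    if rule == "off_network":
        return not on_corporate_network(source_ip)
    return True

def audit(events):
    """Return sign-ins that succeeded without MFA although policy required it."""
    return [e for e in events
            if e["result"] == "success" and not e["mfa"]
            and mfa_required(e["app"], e["ip"])]

# Constructed sign-in events (hypothetical field names, not a OneLogin log format).
SAMPLE_EVENTS = [
    {"user": "alice", "app": "Office 365", "ip": "198.51.100.7", "mfa": False, "result": "success"},
    {"user": "alice", "app": "Box", "ip": "203.0.113.10", "mfa": False, "result": "success"},
    {"user": "bob", "app": "Box", "ip": "198.51.100.7", "mfa": False, "result": "success"},
    {"user": "bob", "app": "Workday HR", "ip": "203.0.113.10", "mfa": False, "result": "success"},
    {"user": "carol", "app": "Workday HR", "ip": "::ffff:203.0.113.9", "mfa": True, "result": "success"},
]

if __name__ == "__main__":
    for event in audit(SAMPLE_EVENTS):
        print("policy gap:", event["user"], event["app"], event["ip"])
```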
5. Protect sensitive data and applications by cutting off former employees’ access to apps in seconds.
When an employee leaves, deactivating their account in AD or OneLogin can automatically log the person out of all connected applications, which not only protects data but also helps prevent paying for unused licenses. Even if an application doesn’t support automatic deprovisioning, as long as the application uses SAML-based authentication (over 1,000 applications in our library do), users whose OneLogin accounts have been deprovisioned will be unable to authenticate into the application. Therefore, once a user’s OneLogin account is disabled, that former employee is effectively cut off.
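Whether deprovisioning and role-based access actually took effect can be verified by reconciling the directory against each application's account list. The following is an added illustration, not OneLogin code; it uses the role mapping from reason 2 (everyone gets Slack, Box and Office 365, developers get AWS, Sales and Marketing get Salesforce), and the record layout and all user data are constructed.

```python
BASELINE_APPS = {"Slack", "Box", "Office 365"}

def entitled_apps(user):
    """Apps a directory user should hold under the mapping described in reason 2."""
    apps = set(BASELINE_APPS)
    if user["role"] == "developer":
        apps.add("AWS")
    if user["department"] in {"Sales", "Marketing"}:
        apps.add("Salesforce")
    return apps

def reconcile(directory, app_accounts):
    """Compare directory state with per-app account lists and return findings."""
    by_user = {u["user"]: u for u in directory}
    findings = []
    for app, accounts in app_accounts.items():
        for name in accounts:
            user = by_user.get(name)
            if user is None or not user["active"]:
                # Account outlived its owner, or was never in the directory.
                findings.append(("orphaned", app, name))
            elif app not in entitled_apps(user):
                findings.append(("overprovisioned", app, name))
    for user in directory:
        if not user["active"]:
            continue
        for app in entitled_apps(user):
            if user["user"] not in app_accounts.get(app, set()):
                findings.append(("underprovisioned", app, user["user"]))
    return sorted(findings)

# Constructed directory export and per-app active account lists.
DIRECTORY = [
    {"user": "alice", "department": "Engineering", "role": "developer", "active": True},
    {"user": "bob", "department": "Sales", "role": "account_exec", "active": True},
    {"user": "carol", "department": "Marketing", "role": "manager", "active": False},
]
APP_ACCOUNTS = {
    "Slack": {"alice", "bob", "carol"},
    "Box": {"alice", "bob"},
    "Office 365": {"alice", "bob"},
    "AWS": {"alice", "bob"},
    "Salesforce": {"carol", "mallory"},
}

if __name__ == "__main__":
    for kind, app, name in reconcile(DIRECTORY, APP_ACCOUNTS):
        print(f"{kind:16} {app:12} {name}")
```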
6. Allow any application to take advantage of automated user provisioning and management through Open Standards and Toolkits.
If your application doesn’t support SCIM for user provisioning or SAML authentication, our developer portal and integration team can help you quickly integrate support into your applications. OneLogin’s toolkits have been used by hundreds of software vendors, including Dropbox, New Relic and Zendesk, to make their applications accessible through these leading standards.
7. Empower end users, increase operational velocity.
Empowering users to use cloud applications is key to increasing operational velocity and creating a competitive edge in a fast-paced environment. However, the loss of business integrity is an unacceptable consequence of the Bring Your Own App (BYOA)/Shadow IT reality. OneLogin is a win-win-win for security, IT administration overhead and end user productivity.
8. Do all of the above in one centralized spot, saving time and money.
IT can maximize departmental and organizational efficiency by using the strong, centralized management of applications that OneLogin provides—eliminating passwords and the need to manage app permissions one-by-one, or change user permissions. An independent Forrester Total Economic Impact Study has shown the payback period for OneLogin implementation and licensing costs to be a single month.
The only prerequisite for finding value in Cloud Identity Access Management (IAM) is the use of cloud applications.
Feel the power of using OneLogin for cloud app provisioning and deprovisioning by signing up for your free demo today or watching the How to Automate User Provisioning Webinar.