What is access provisioning in IAM?

Aug 21, 2018

Every year, hundreds of thousands of protected health information (PHI) records are compromised, sometimes in a single incident. Many of these breaches are caused by inappropriate employee access, alongside external attacks and insecure cloud storage. When implemented correctly, an identity and access management (IAM) solution should simplify account setup and reduce the time it takes to provision users across multiple applications. A robust solution lets an organization secure a wide array of business applications, reduce errors and the opportunity for abuse, and ultimately prevent breaches caused by inappropriate access on the part of any user who interacts with these systems.

Challenges posed by increasingly complex work environments

Before the digital age, access provisioning (also called user or account provisioning) was often as simple as handing keys to authorized personnel. Today, provisioning still covers non-IT resources such as access badges, phones, cars, and corporate credit cards, in addition to accounts and entitlements in a growing number of systems. With that diversification, the opportunity for error has grown considerably, especially when managing identities in large organizations such as hospitals.

A survey conducted by The Aberdeen Group on thousands of companies with an average size of 21,000 employees uncovered a tangled web of complexity with an average of 198 applications per company for which accounts had to be set up and managed. This survey reflects increasingly complex business environments that require sophisticated access provisioning solutions addressing an astounding number of applications and systems. These include cloud computing, onsite or legacy systems, mobile, social media, software as a service (SaaS), and remote access. For healthcare organizations, though, an average of 198 applications is likely a small number, given all of the department-specific applications that would be needed.

Access provisioning involves coordinating creation of user accounts, password management, email authorizations, and other tasks (e.g. provisioning of physical resources associated with enabling new users). A user may be granted the ability to view, create, or modify files based on specific security and role parameters. When done correctly, provisioning encompasses the entire lifecycle, including changing roles and retiring user accounts across all systems.

Types of access provisioning

Discretionary access provisioning: Often used in small to mid-sized companies, this approach allows a network administrator to decide which applications and data end users can access.

Self-service access provisioning: Typically, this approach is used to help reduce an administrator’s workload. It enables users to participate in some aspects of the provisioning process such as requesting an account and self-managing passwords.

Workflow-based account provisioning: Approvals from designated approvers are required before granting user access to an application or data. For example, access to finances would require approval from the company’s chief financial officer.

Automated account provisioning: With this method, every account is created in the same way through a centralized management interface, typically driven by an authoritative source such as the HR system. This streamlines adding and managing user credentials and gives administrators the most accurate record of who has access to which applications and data sources. The underlying provisioning and identity management process is the same for everyone, but the extent and type of provisioning varies greatly between user populations (e.g. patients, clinicians, customers, and partners).
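The lifecycle and the provisioning types above can be tied together in a small reconciliation routine. The following is an added example, not Imprivata's code or anything from the original article: it treats a constructed HR feed as the source of truth, maps roles to entitlements, diffs that desired state against what the downstream systems currently hold, and emits grant and revoke actions. Role names, application names, the approval policy (the hypothetical "gl_write" entitlement routed to a "cfo" approver, mirroring the workflow-based example above) and all records are made-up sample data.

```python
"""Added example: role-based provisioning reconciliation for the
joiner / mover / leaver lifecycle. All data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Entitlement = Tuple[str, str]  # (system, entitlement name)

# Hypothetical role -> entitlement map (the "role parameters" behind automated provisioning)
ROLE_ENTITLEMENTS: Dict[str, Set[Entitlement]] = {
    "nurse": {("ehr", "clinical_read"), ("ehr", "chart_write"), ("email", "mailbox")},
    "billing_clerk": {("finance", "ar_read"), ("email", "mailbox")},
    "finance_manager": {("finance", "ar_read"), ("finance", "gl_write"), ("email", "mailbox")},
}

# Hypothetical workflow policy: these entitlements need a named approver before grant
APPROVAL_REQUIRED: Dict[Entitlement, str] = {
    ("finance", "gl_write"): "cfo",
}

# Constructed authoritative HR feed (joiners, movers and leavers)
HR_RECORDS: List[dict] = [
    {"user": "alice", "role": "nurse", "active": True},            # existing nurse
    {"user": "bob", "role": "finance_manager", "active": True},    # mover: promoted from billing_clerk
    {"user": "carol", "role": "billing_clerk", "active": False},   # leaver
]

# Constructed snapshot of what the downstream systems say exists today
CURRENT_ACCOUNTS: Dict[str, Set[Entitlement]] = {
    "alice": {("ehr", "clinical_read"), ("email", "mailbox")},
    "bob": {("finance", "ar_read"), ("email", "mailbox")},
    "carol": {("finance", "ar_read"), ("email", "mailbox")},
    "dave": {("ehr", "clinical_read")},  # orphan: no HR record at all
}


@dataclass
class Action:
    user: str
    system: str
    entitlement: str
    op: str                      # "grant", "pending_approval" or "revoke"
    approver: Optional[str] = None


def desired_entitlements(hr_records: List[dict]) -> Dict[str, Set[Entitlement]]:
    """Desired state per user: role entitlements for active users, nothing for leavers."""
    desired: Dict[str, Set[Entitlement]] = {}
    for rec in hr_records:
        desired[rec["user"]] = set(ROLE_ENTITLEMENTS[rec["role"]]) if rec["active"] else set()
    return desired


def reconcile(hr_records: List[dict],
              current_accounts: Dict[str, Set[Entitlement]]) -> List[Action]:
    """Diff desired vs. current access and emit provisioning actions.

    Users present in a target system but absent from HR are treated as orphans:
    their desired state is empty, so everything they hold is revoked.
    """
    desired = desired_entitlements(hr_records)
    actions: List[Action] = []
    for user in sorted(set(desired) | set(current_accounts)):
        want = desired.get(user, set())
        have = current_accounts.get(user, set())
        for system, ent in sorted(want - have):          # missing access: grant or route for approval
            approver = APPROVAL_REQUIRED.get((system, ent))
            actions.append(Action(user, system, ent,
                                  "pending_approval" if approver else "grant", approver))
        for system, ent in sorted(have - want):          # excess access: revoke (mover/leaver/orphan)
            actions.append(Action(user, system, ent, "revoke"))
    return actions


def summarize(actions: List[Action]) -> Dict[str, int]:
    """Count actions by operation, useful as an audit line for each provisioning run."""
    counts: Dict[str, int] = {}
    for a in actions:
        counts[a.op] = counts.get(a.op, 0) + 1
    return counts


if __name__ == "__main__":
    for a in reconcile(HR_RECORDS, CURRENT_ACCOUNTS):
        who = f" (approver: {a.approver})" if a.approver else ""
        print(f"{a.op:17} {a.user:6} {a.system}/{a.entitlement}{who}")
    print(summarize(reconcile(HR_RECORDS, CURRENT_ACCOUNTS)))
```

Two points the run makes that the prose only implies: a mover keeps exactly the access of the new role (bob's promotion adds one entitlement and, because that entitlement is sensitive, parks it as a pending approval rather than granting it), and de-provisioning has to be driven from the authoritative source, which is how the orphaned "dave" account, invisible to HR, gets caught and revoked.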

IAM access provisioning best practices

It helps to view IAM as part of a governance hierarchy: the principles, policies, and business processes that dictate how the organization operates sit at the top, and implementation tactics such as access management and provisioning sit beneath them. IAM should not be used to fix governance problems; those belong to hospital administrators and board members. Rather, IAM should be viewed as the vehicle for streamlining user access and provisioning in line with those policies, and for protecting PHI and company data.

Imprivata offers the only integrated identity and access management solution designed for healthcare that reduces security and compliance risk while also improving clinical and IT operational efficiency. Imprivata Identity Governance is an end-to-end solution with precise role-based access controls, automated provisioning and de-provisioning, streamlined auditing processes, and analytics that enable faster threat evaluation and remediation.

Sources:
http://searchsecurity.techtarget.com/feature/Identity-and-Access-Management-Provisioning
https://blog.varonis.com/the-difference-between-iams-user-provisioning-and-data-access-management/
http://www.mcrinc.com/Documents/Newsletters/201507_IAM_Access_Management.pdf
https://searchsecurity.techtarget.com/definition/user-account-provisioning
https://www.scmagazine.com/is-your-perimeter-secure/article/755177/
http://www.information-age.com/identity-access-management-modern-enterprise-123471200/
https://healthitsecurity.com/news/kromtech-security-discovers-health-data-breach-of-150k-patients