
Identity Lifecycle Management

Control the Who, What, and When

Digital identities, and their associated permissions, tend to change with time. If a person is promoted, their privileges must be elevated; if a vendor becomes a partner, they must be given a different profile; if an employee resigns, their access rights must be revoked immediately. To ensure high levels of productivity and security, it’s crucial to have an efficient way of managing the lifecycle of digital identities.

What is Identity Lifecycle Management (ILM)?

Digital identities represent an entity’s relationship with an organization. The entity can be an employee, a partner, a customer, or an application. As these relationships evolve, the digital identities must adapt accordingly. This is where identity lifecycle management (ILM) comes in.

ILM defines the processes to create, adapt, and delete digital identities, as and when required. For example, when an employee joins, ILM creates a digital identity for them. If and when their role is changed, ILM tweaks their privileges accordingly. When their employment is terminated, ILM deletes their digital identity, ensuring that they can no longer access company resources.

What does ILM encompass?

A well-built ILM system manages digital identities of all entities that want to access an organization’s network, across different ecosystems. This includes employees, partners, contractors, customers, cloud applications, and on-site applications.

  • Employees: A software engineer for Application X may only require access to the servers where Application X is deployed. However, when they are promoted to the architect role, they may require access to all the application servers. With ILM, administrators can create separate roles for engineers, architects, managers, etc., and assign them to people as and when required. If the employee leaves the company, admins don’t have to go to every system to delete all their accounts; they just have to delete their identity from the ILM system.
  • External entities: You can define an exhaustive list of assets that customers, partners, contractors, and third-party service providers are allowed to access, for a limited period of time.
  • Applications: An on-site web application only needs to access one database hosted in the cloud. The application supports a customer whose subscription lasts for a year. An ILM solution can create a custom role that allows the application to access nothing but that one database, for no more than one year.

Benefits of an automated ILM

  • Faster provisioning and deprovisioning: New employees can get all the required permissions instantly, instead of waiting for days for manual provisioning and approvals. This not only boosts productivity, but also reduces the chances of human error. The deprovisioning process is also fast-tracked, as deleting an identity automatically revokes all of its access rights.
  • Automated identity governance: Update roles, adjust permissions, or revoke rights in real time.
  • Password management: The best ILM solutions provide a way to synchronize passwords across applications and allow users to reset/change their passwords.
  • End-to-end visibility: ILM solutions give you a holistic overview of all digital entities that exist within your system, and their corresponding permissions.
  • Better security: Create well-defined roles to ensure that no one has more privileges than they need to do their job. Automated deprovisioning also eliminates the possibility of zombie accounts: accounts belonging to people who have left the company but whose access rights were never completely revoked.
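As an added illustration (not One Identity's code), the following minimal model shows the joiner/mover/leaver lifecycle from the Employees and Applications bullets above, with time-bound roles for external entities and applications, and an audit that flags the zombie accounts mentioned under Better security. The role catalogue and entitlement names are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Constructed role catalogue; entitlement names are hypothetical.
ROLES = {
    "engineer":  {"appx-servers"},
    "architect": {"appx-servers", "all-app-servers"},
    "db-client": {"cloud-db-1"},
}
@dataclass
class Identity:
    name: str
    kind: str                                    # employee, partner, contractor, application
    active: bool = True
    roles: set = field(default_factory=set)
    expires: dict = field(default_factory=dict)  # role -> expiry date for time-bound roles

    def entitlements(self, today: date) -> set:
        """Effective access: entitlements of live roles; expired roles grant nothing."""
        live = [r for r in self.roles if r not in self.expires or self.expires[r] >= today]
        return set().union(*(ROLES[r] for r in live))

def joiner(directory, name, kind, role, today, days=None):
    """Create the identity; `days` bounds the role's lifetime for externals and apps."""
    ident = Identity(name, kind, roles={role})
    if days is not None:
        ident.expires[role] = today + timedelta(days=days)
    directory[name] = ident
    return ident

def mover(directory, name, old_role, new_role):
    """Role change: the old role's entitlements leave with it (no accumulation)."""
    ident = directory[name]
    ident.roles.discard(old_role)
    ident.expires.pop(old_role, None)
    ident.roles.add(new_role)
    return ident

def leaver(directory, name):
    """Automated deprovisioning: deactivate and strip every role in one step."""
    ident = directory[name]
    ident.active = False
    ident.roles.clear()
    ident.expires.clear()
    return ident

def audit(directory, today):
    """Zombies: deactivated identities still holding roles; also list expired time-bound roles."""
    zombies = sorted(n for n, i in directory.items() if not i.active and i.roles)
    expired = sorted((n, r) for n, i in directory.items() for r, d in i.expires.items() if d < today)
    return zombies, expired
```

An offboarding that only flips `active` without removing roles (the manual case) is exactly what `audit` surfaces as a zombie account.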

ILM and Privileged access management (PAM)

Privileged access management (PAM) defines ways to protect identities with elevated privileges, for example administrators who can add or delete users, spawn or decommission virtual machines, and stop or restart applications. Misuse of elevated privileges can lead to system-wide compromise; hence these privileged accounts warrant additional protection.

ILM and PAM go hand in hand. Most ILM solutions provide a way to minimize the number of entities that have, or can request, access to sensitive resources and operations. They also offer ways to grant privileged access rights for limited periods of time.

Identity lifecycle management can boost an organization’s productivity and security. By controlling who has access to what, and for how long, you can implement the principle of least privilege, i.e. no one has more rights than they need to do their job.