Digital identities, and their associated permissions, tend to change with
time. If a person is promoted, their privileges must be elevated; if a vendor
becomes a partner, they must be given a different profile; if an employee
resigns, their access rights must be revoked immediately. To ensure high
levels of productivity and security, it’s crucial to have an efficient
way of managing the lifecycle of digital identities.
What is Identity Lifecycle Management (ILM)?
Digital identities represent an entity’s relationship with an
organization. The entity can be an employee, a partner, a customer, or an
application. As these relationships evolve, the digital identities must adapt
accordingly. This is where identity lifecycle management (ILM) comes in.
ILM defines the processes to create, adapt, and delete digital identities,
as and when required. For example, when an employee joins, ILM creates a
digital identity for them. If and when their role is changed, ILM tweaks their
privileges accordingly. When their employment is terminated, ILM deletes their
digital identity, ensuring that they can no longer access company resources.
What does ILM encompass?
A well-built ILM system manages digital identities of all entities that want
to access an organization’s network, across different ecosystems. This
includes employees, partners, contractors, customers, cloud applications, and
- Employees: A software engineer for Application X may only
require access to servers where Application X is deployed. However, when they
are promoted to the architect role, they may require access to all the
application servers. With ILM, administrators can create separate roles for
engineers, architects, managers, etc. and assign them to people, as and when
required. If the employee leaves the company, admins don’t have to go
to every system to delete all their accounts, they just have to delete their
identity from the ILM system.
- External entities: You can define an exhaustive list of
assets that customers, partners, contractors, and third-party service
providers are allowed to access, for a limited period of time.
- Applications: An onsite web application only needs to
access one database present in the cloud. The application supports a customer
whose subscription lasts for a year. An ILM solution can create a custom
role that allows the application to access nothing but that one database, for
no more than one year.
Benefits of an automated ILM
- Faster provisioning and deprovisioning: New employees can
get all the
required permissions instantly, instead of waiting for days for manual
provisioning and approvals. This not only boosts productivity, but also
reduces the chances of human error. The deprovisioning process is also
fast-tracked, as deleting an identity automatically revokes all required
- Automate identity governance: Update roles, adjust
permissions, or revoke
rights in real-time.
- Password management: The best ILM solutions provide a way
passwords across applications and allow users to reset/change their
- End-to-end visibility: ILM solutions give you a holistic
overview of all
digital entities that exist within your system, and their corresponding
- Better security: Create well-defined roles to ensure that
no one has more
privileges than they need to do their jobs. Automated deprovisioning also
eliminates the possibility of zombie accounts, which are accounts belonging
to people who left the company, but their access rights weren’t
ILM and Privileged access management (PAM)
Privileged access management (PAM) defines ways to protect identities with
elevated privileges. For example, administrators who can add or delete users,
spawn or decommission virtual machines, and stop/restart applications. Misuse
of elevated privileges can lead to system-wide compromise; hence these
privileged accounts warrant additional protection.
ILM and PAM go hand in hand. Most ILM solutions provide a way to minimize the
number of entities who have, or can request access to, sensitive
resources/operations. They also offer ways to grant privileged access rights
for limited periods of time.
Identity lifecycle management can boost an organization’s productivity
and security. By controlling who has access to what, and for how long, you
can implement the principle of least privilege, i.e. no one has more rights
than they need to do their job.