Until recently, a new employee at oil giant BP might have had to wait five days for access to email, file servers, intranets, and other IT systems. Multiply five days by the more than 20,000 employees who joined the company last year, and you’re left with an annual loss of hundreds of worker-years.
To help employees hit the ground running, BP turned to user access management (UAM) software, which automates the granting and removal of rights to internal systems. BP has begun a partial global rollout of enRole, a UAM product from Access360. Paul Dorey, BP’s director of global security, expects that enRole will “reduce the time to create access from five days to 10 minutes,” which could save BP millions each year by putting new staff to work sooner.
Software from companies such as Access360 and BMC Software enables a single HR administrator — rather than one gatekeeper for each IT system — to enter a new employee’s details into the software via a Web browser. This unleashes a bevy of “connectors,” or chunks of programming code, that instruct an operating system or application to set up a new user name and password at the appropriate access level.
Security is another benefit of UAM software, says Jim Fullarton, a marketing manager at BMC Software. He cites the case of One2One, Deutsche Telekom’s mobile phone subsidiary. BMC began by reconciling the number of users that One2One’s HR department said it should have with the actual number of “live” users on its systems. “The company apparently believed it had 11,000 users,” recalls Fullarton, “but we actually found 6,000 to 8,000 on the network.”
Many phantom users — and your IT systems probably have a few of their own — are simply legitimate, alternative identities for authorized users, but many others are lapsed or unauthorized. Determining which is which, if done manually, requires someone to sift through old authorization forms, and many companies don’t always bother. The result, says Mark Edge, Access360’s European sales vice president, is a lot of “opportunities for someone to misuse an account that wouldn’t typically be tracked or picked up.”
UAM software essentially removes this risk by creating a single, central repository that covers all users and the access privileges that they’ve been granted on different systems. If an employee is fired, the company can withdraw access rights within minutes, confident that the individual can’t take revenge by abusing an overlooked user name and password.
Companies that haven’t invested in UAM software may change their tune when they take on new business partners, according to Christy Hudgins of research firm The Burton Group. Business-to-business ecommerce demands that firms open their systems to partners, but many will not do so, notes Hudgins, “until it’s clear that both parties have built or outsourced automated systems that can strip terminated employees of access privileges.” That may be one reason research firm Gartner predicts 40 percent of leading-edge companies will install UAM tools by 2004.