Most customers I speak to at conferences and speaking engagements know that they should implement identity management technologies. In fact when they see what these technologies can do for their business, there is often excitement; or a light bulb-world-of-possibility moment that follows. Unfortunately, most of these customers often lack the clear direction on why (and how) to move forward. This most often causes paralysis and the process fails to gain momentum, even before it ever started. Other companies are committed to process, but after steering committee debates and task force investigations; the project becomes about as effective as a mainframe modernization project.
Years ago I tried to capture some of the main technical and business reasons why I think companies fail to effectively gain momentum on the subject. The primary reason I mentioned first was a lack of goal or problem statement. As Simon Senik would say, there is no clear Why?
Reasons to Implement Identity Management
Over the past 12 years of doing identity management project, I have seen all kinds of requirements and solution implementations. These have shaped my perception of why customers engage the identity and access management process. In an effort to reduce the problem to a manageable size, I have grouped all identity management requirements into three main categories. Almost all identity management “why’s” can be found when categorising a companies goals into these three.
The category is probably the most common reason why companies embark on identity management projects. This is also (most of the time) a project that is driven from requirements within the IT department. Challenges that are address here includes:
- Getting new employees the tools they need in a quick and efficient manner
- Allowing users to action as much of their entitlement requirements through self-service tools and services
- Moving / transitioning users effectively between roles when their job changes
- Reducing the workload on the corporate service desk
- Increasing the value that the IT department provides to business
- Increasing user satisfaction
Examples for how identity management technologies provides value in Operational Efficiency includes:
- Keeping user identity information updated in core IT systems (synchronization of information)
- Creating user accounts and access based on authoritative information or requests (provisioning access from authoritative systems such as HR or contractor management into directory services, database and line-of-business systems)
- Providing self-service information update and service request features (self-service group and access management)
- Providing self-service credential management features (self-service password reset)
The second main reason why companies deploy identity management solutions is in order to increase or mitigate security concerns. These requirements are sometimes driven from risk, security or IT stakeholders. The focus is often looking at the systems of highest risk. Challenges address through identity management includes:
- Closing access when an employee or contract leaves the company
- Managing privileged accounts within systems
- Creating an effect model for managing permissions across multiple systems within the enterprise
- Using user master data to drive security automation (HR, contractor, etc)
Examples of how identity management can provide value in Security concerns includes:
- Removing system access or accounts when an user is no longer valid (de-provisioning)
- Enforcing permissions and user state; i.e. when a user is disabled, the solution ensure the user remains disabled even if someone tampers with the account in the target system
- Management of privileged account permissions
- Increasing assurance of service desk password reset’s with the introduction of self-service (two factor) password management
- Introduction of second factor authentication with certificates and smart cards
Governance and Compliance
The final grouping is the auditing, reporting, governance and compliance requirements category. In this category companies are trying to answer the questions, “Who had access to what, when, because who said so; and for how long”. There is an entire world of requirements ranging from business to technical requirements that are included in this category. It is most likely driven by risk and audit findings; and are most often a priority in government and financial services sectors.
The primary concerns in this category includes:
- Delegated permissions management
- Audit reporting that has a high level of assurance
- Business process automation with advanced approvals
- Segregation of duty management
- Attestation of permissions on various levels
- Delegation of authority during periods of leave, etc
Identity management (and governance management) solutions can provide value in this category through:
- Role mining of existing permissions and accounts
- Role Based Access Control engines to automate permissions assignment
- Functional or enterprise roles to group various role models
- Segregation of duty and delegation of authority rules based on roles permissions
- Integration with governance, risk and compliance systems like SAP GRC
Identity Boundaries are Blurred
The challenge (and opportunity) that resides with the IT industry these days centre to a large extent around the opportunity that is provided by consuming cloud services. This opportunity to a large extent has started to highlight the need to an integrated and well defined identity management strategy. The irony of the cloud era is that it is just exposing a challenge that companies have been facing for many year. The same challenges of identity provisioning / de-provisioning, credential management, operational efficiency through self-service, security mitigation, and GRC that existed within the boundaries of the company for years; have now just moved outside the boundaries of the company. Ironically many companies have been facing this challenge with external hosting, service and outsource providers for just as long a time. The “cloud conundrum” has just brought it to the foreground through provisioning / sync services such as Microsoft DirSync / Microsoft AADSync (that are used with the Microsoft cloud offerings).
The bottom line is, the need to manage systems in a secure, auditable and effective manner is universal and applies when the systems are in the local company datacentre or they are in cloud services. The cloud will only become more prevalent, so the need for a well defined identity and authentication management solution and deployment pattern is just that much more important.