Big Sky Thinking

Better Decisions Faster


Identity Management: Observations from the Trenches

Identity Management is often treated as an IT project, when in reality it is a combination of business process redesign, regulatory compliance, and IT infrastructure. We find that our clients are increasingly taking on identity management as a strategic initiative of the business, and making smart decisions about IdM strategy is critical.

Identity Management begins with a proper foundation
Identity Management has been around for several years, offering organizations the benefits of reduced IT administration, improved security, and efficient auditing and reporting tools to meet regulatory requirements like those dictated by Sarbanes-Oxley. Although the benefits of Identity Management are compelling, many organizations struggle to develop a solid infrastructure before jumping ahead to pursue higher-value projects. It is like building a house before the foundation has been properly completed; this is always a bad idea.

What brought us here in the first place…
Organizations experiencing rapid growth often find that their existing manual processes and tools are no longer adequate to get the job done. For large organizations, the IT staff will create, delete, and modify accounts for tens of thousands of people a year. Are these the kinds of activities your IT staff should be spending the bulk of their time on?

Worse yet, Sarbanes-Oxley compliance requires the ability to audit your systems and know who has access to which systems and accounts. In many cases, contract labor or additional IT staff are hired to comb through systems and remove orphan accounts (accounts with no current owner in HR), revoke access from unauthorized users, and ensure that generic and admin accounts have not been misused. At the end of the day, throwing more bodies at these issues isn't going to solve the underlying problem: manual processes don't scale.

This is not just another IT project
Unlike a server consolidation project or an email platform upgrade, Identity Management (IdM) has a broad scope that affects both business processes and IT systems. Partnerships will have to be built across internal IT silos (networking, security, UNIX, mainframe, user applications, help desk, etc.) as well as with the business. The most important relationship on the business side of the house is with Human Resources, which controls all employee data (job title, department, manager, location, contact information, etc.) and owns the hire and termination processes that drive the account management lifecycle.

Identity Management relies on triggers from the authoritative source of employee data, typically the HR module of the enterprise ERP system, to create, modify, disable, and delete accounts in all connected systems according to well-defined business rules. Thus, an employee hire will automatically create a user identity and assign the user the accounts and rights appropriate for their role; a role change will adjust those rights; and a termination will disable the accounts and, after any required retention period, remove the identity and delete them. Clearly, there is a lot more complexity involved here than simply slamming in a new application and training a few users.
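The two mechanisms above, HR-triggered provisioning by role (this paragraph) and the orphan-account audit that manual processes struggle with (the Sarbanes-Oxley paragraph earlier), share one data model, so here is a single added example covering both. It is illustrative code written for this page, not code from the original post or from Big Sky Associates. The connected systems (ldap, git, erp), the roles, the role-to-group mapping, the person IDs and the HR events are all constructed assumptions. One deliberate design choice: a termination disables accounts rather than deleting them, so the audit trail survives until a separate retention job removes them.

```python
"""Added example: HR-event-driven account lifecycle with orphan reconciliation.

Not code from the original post. Systems, roles, rule mapping and sample
HR events below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field

# Assumed business rules: role -> entitlements per connected system.
# A system absent from a role's mapping means "no account in that system".
ROLE_RULES = {
    "engineer": {"ldap": {"staff", "vpn"}, "git": {"developers"}},
    "finance":  {"ldap": {"staff"}, "erp": {"ap_clerk"}},
}


@dataclass
class Account:
    owner: str                       # HR person id this account belongs to
    groups: set = field(default_factory=set)
    enabled: bool = True


@dataclass
class Target:
    """A connected system (stand-in for an LDAP server, Git host, ERP, ...)."""
    name: str
    accounts: dict = field(default_factory=dict)   # username -> Account


class LifecycleEngine:
    def __init__(self, targets):
        self.targets = {t.name: t for t in targets}
        self.identities = {}         # person_id -> {username, role, active}

    def handle(self, event):
        """Apply one HR trigger (hire / role_change / terminate) and return the actions taken."""
        kind, pid = event["type"], event["person_id"]
        if kind == "hire":
            self.identities[pid] = {"username": event["username"],
                                    "role": event["role"], "active": True}
        elif kind == "role_change":
            self.identities[pid]["role"] = event["role"]
        elif kind == "terminate":
            self.identities[pid]["active"] = False   # disable now, delete later
        else:
            raise ValueError(f"unknown HR event type: {kind!r}")
        return self._reconcile_identity(pid)

    def _reconcile_identity(self, pid):
        """Make every connected system match what the identity's role entitles it to."""
        ident = self.identities[pid]
        uname = ident["username"]
        rules = ROLE_RULES[ident["role"]] if ident["active"] else {}
        actions = []
        for tname, target in self.targets.items():
            wanted = rules.get(tname)
            acct = target.accounts.get(uname)
            if wanted is None:                      # role grants nothing here
                if acct is not None and acct.enabled:
                    acct.enabled = False
                    actions.append(f"disable {tname}:{uname}")
                continue
            if acct is None:                        # joiner: create with role groups
                target.accounts[uname] = Account(owner=pid, groups=set(wanted))
                actions.append(f"create {tname}:{uname} groups={sorted(wanted)}")
                continue
            if not acct.enabled:                    # re-entitled after a disable
                acct.enabled = True
                actions.append(f"enable {tname}:{uname}")
            for g in sorted(wanted - acct.groups):  # mover: grant new rights ...
                actions.append(f"grant {tname}:{uname} {g}")
            for g in sorted(acct.groups - wanted):  # ... and revoke stale ones
                actions.append(f"revoke {tname}:{uname} {g}")
            acct.groups = set(wanted)
        return actions


def find_orphans(engine):
    """Enabled accounts whose owner has no active HR identity: the manual audit, automated."""
    orphans = []
    for tname, target in engine.targets.items():
        for uname, acct in target.accounts.items():
            ident = engine.identities.get(acct.owner)
            if acct.enabled and (ident is None or not ident["active"]):
                orphans.append((tname, uname))
    return sorted(orphans)


# Constructed sample HR feed: one person is hired, moves to finance, then leaves.
HR_EVENTS = [
    {"type": "hire", "person_id": "E1001", "username": "asmith", "role": "engineer"},
    {"type": "role_change", "person_id": "E1001", "role": "finance"},
    {"type": "terminate", "person_id": "E1001"},
]


def run_demo():
    engine = LifecycleEngine([Target("ldap"), Target("git"), Target("erp")])
    # Constructed pre-existing account with no matching HR record (an orphan).
    engine.targets["ldap"].accounts["jdoe_old"] = Account(owner="E0042", groups={"staff"})
    log = [engine.handle(e) for e in HR_EVENTS]
    return engine, log


if __name__ == "__main__":
    eng, log = run_demo()
    for event, actions in zip(HR_EVENTS, log):
        print(event["type"], "->", actions)
    print("orphans:", find_orphans(eng))
```

The point to take from the trace is that the mover step is where most real deployments go wrong: a role change must revoke what the old role granted (here the vpn group and the git account) and not merely add what the new role grants, or entitlements accumulate for the life of the employee. The orphan check is the same comparison run in the other direction, from the connected systems back to HR.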

Doing it right the first time
A common problem with Identity Management projects is that organizations want to jump ahead to realize the benefits of IdM without having built the foundation required to support the solution in the first place. This is a tactical approach that attempts to cherry-pick the high-value projects without building the fundamental components of the solution first.

One common shortcut to this end is placing a special-purpose directory in the position of metadirectory. A special-purpose directory is one intended to support a particular system, say your Sendmail installation. Its user objects, schema, namespace, and architecture are tuned to manage accounts and user data for that application, but are not designed to perform the same function across multiple systems. In the end, organizations run into issues with data quality, application integration, and scalability. They often find that the directory structures that worked well to support one application are not fit for an enterprise-class solution.

"Doing it right" means having the discipline to build out your core IdM infrastructure (the authoritative identity source, the metadirectory, and the HR integration) before tackling high-value initiatives like provisioning, single sign-on, and automated workflows. Big Sky Associates recommends establishing an Identity Management strategy and road map and having the discipline to follow it.
