Identity Management is arguably one of the more complex endeavours for any organisation to undertake. The need for properly managing user access is clear; users are the main boundary for access to important business assets and processes. Failing to manage these accounts opens one to all manner of risks, including potential compromise. The phrase, “Identity is the new perimeter” is particularly apt in the face of a growing thirst for ubiquitous access to business data and applications.
The priesthood from the world of Identity and Access Management might suggest a correct way to approach user management. They’ll establish overarching goals for it, and provide a path by which these goals can be achieved. This covers everything from on-boarding new employees, provisioning access to applications and of course disestablishing said access when the users no longer need it.
The problem at hand can be vast, sometimes daunting. Think of all of the applications and users that require oversight. In light of today’s modern digital organisation, a typical user could be entitled to dozens of different applications and require varying levels of access within them. Sorting out each user’s entitlements is not a simple proposition. Many organisations balk at the sheer complexity and in many cases, end up abandoning the effort or worse, doing effectively nothing. This unfortunate scenario is played out often, and is commonly called the “Do nothing approach”. Thus, it’s back to spreadsheets with Microsoft Excel ruling the day. Unfortunately many identity-related projects often languish in this pool of complexity. Often, this is largely of their own making.
Why is this? And more importantly, is there a real solution to this?
One of the most common issues with identity projects is that they’re treated as just that: projects. Efforts within the identity space are typically treated (and funded) as a project, yet “projects” are usually defined as having a clear beginning and end. Thus, the problem is revealed right from the outset. Identity is actually a process; one that directly touches every application, every database and every user account. The notion of identity and access management should be woven into the fabric of the organisation. Treating it as anything other than an unending, on-going process will effectively doom it.
It also doesn’t help that many traditional IDAM platforms are difficult to deploy and use. Many will treat identity management as an IT problem, when it’s actually a business problem. The tool should provide a means by which business owners and managers get to decide (sometimes together) upon the correct access levels needed for a given user role. Moreover, once the access level is determined, there should be some means of ensuring that appropriate controls are in place in that application to verify the identities of its users. This can be in the form of strong authentication such as a security token, but it’s important to take user experience into account here. If users are constantly challenged with tokens or phone messages to do their jobs, they’ll rebel. The ideal solution would take this into account, and offer convenience as well as security. That is, if it needs to challenge the user at all. Modern risk-based authentication approaches are ideal for this, as they’ll account for user behaviour and other “factors” and only challenge (aka, “bother”) the end user when warranted.
Another issue is that the acolytes of the IDAM world will insist that every account, every application, every user should fall under their program. They might say that once these plans are built, nirvana will be achieved and the organisation will benefit. This is a noble ambition and, presented as an ideal, it makes sense. Again, the trouble is that this sentiment is flawed, and in many cases, fatal.
Here is our suggestion - perhaps a better way of approaching identity management altogether.
Starting small is good. This proves the solution approach on a much smaller scale. Initial investment is lower, and it allows the problem to be manageably solved. It also provides a way to weave good identity hygiene into business processes, owned and managed by the primary stakeholders, application owners and individual managers. This allows identity management to emerge as the de facto method of providing access. With respect to approaching things on a smaller scale, the inevitable questions arise. Where to start and with whom?
The answer is relatively simple. Criticality and risk. More specifically, ensure that one identifies the most critical business process that bears the most risk to the business. Attached to this process are the most critical users. And between those users and processes, sit the data and applications.
In short, start with the critical processes, critical users and critical applications, and work from there.
Another “tip” would be that any technology investment in this area should fulfill several simple criteria:
- It must scale and it must integrate with the majority of the organisation’s platforms and applications. This allows the organisation to “grow into it”.
- It must include a tie-in to strong authentication, preferably one that drives convenience and security simultaneously. An integrated risk-based approach is ideal.
- It must provide a means to start small, essentially providing a governance and risk-driven approach. This allows the problem to be communicated (and managed) in terms of business risk, and not solely as an IT problem.
The implications of this should obviously entail a certain amount of introspection on behalf of the organisation. Approaching this from a risk point of view enables the problem, and the solution, to be framed in business terms. In other words, dollars.
In this way, the smaller is better approach is precisely that – smaller. The result? A better strategy and a realisable outcome, no matter how large or small the organisation.