The goal of the IT organization is to create and protect business value. The "create" element seems widely understood; the IT service management function demonstrates value through the support and delivery of high-quality, cost-effective services that enable the business to meet their goals and objectives. The better the support and delivery of services, the faster the business can go.
The "protect" element however, requires the IT organization to demonstrate value of control, which can be difficult because the tighter and more restrictive the controls, the slower the pace the business moves at.
However, this trade-off is not an acceptable one. The business needs to move quickly, but with adequate controls in place.
One of the most common intersections of ITSM and Security is with Identity and Access Management (IAM). IAM works to make sure that the right people have the right access to the right resources to perform work on behalf of the business. Poor IAM capabilities can spell big trouble for the business. Conversely, sound IAM practices and technologies can reduce costs and better enable business agility.
Business users have a constantly changing array of needs as members and contributors to a company. When the right people don’t have the right access, the common practice for many organizations is to contact the IT service desk to request access, which initiates a process workflow to verify whether, in fact, the requestor should be granted the access they desire.
And then the funs begins…
Over 40% of contacts to the IT service desk are related to password reset (a subset of IAM). IT organizations looking to reduce costs and improve efficiency must begin by establishing access request processes and workflows to effectively manage the largest percentage of contact volume. However, there are other IAM processes that can be automated, such as user provisioning requests and the enforcement of group policy to ensure groups include the right members.
From an ITSM perspective, focusing on access requests and password reset provides the necessary controls, but has historically sold the value of IAM short. Security professionals designed their own custom portals to manage requests that many users found to be daunting, thus driving low utilization and subsequent return on investment.
IAM-ITSM Value Redefined
IT organizations can better demonstrate the value of IAM in an ITSM construct. Most organizations would benefit from creating a distinction between business user requests made via an ITSM solution versus those made via an IAM system. This can be accomplished using the ITSM solution to manage all incidents and requests not associated with users, while the IAM system can handle all self-service and automated requests tied to user accounts. This approach will result in fuller automation, more productive users, greater cost savings and a better use of IT staff.
Granted, users request services from all areas of an organization. Many of these requests can now be automated through open APIs to enterprise applications and cloud apps. Identity and access management systems leverage these APIs by providing connectors for automating requests. IAM solutions are built with a business user focus and intuitive interfaces, and IAM self-service portals look and feel similar to consumer-oriented online experiences such as ecommerce, email and app stores. In leveraging shopping carts and familiar online experiences, business users are more likely to embrace the mindset required to adopt self-service and fully return the value.
With user-centric identity and access management systems, IAM is positioned to govern over service catalog requests as part of the user management lifecycle. In fulfilling ITSM requests, IAM systems can open tickets in the system so one interface can be used for all requests. A single portal for users simplifies processes to ensure greater efficiency. With self-service IAM, automated ticketing captures efficiency gains by reducing a help desk’s time to close tickets.
When you deploy an ITSM solution, think innovatively about ways to improve upon the management of costs, controls and security. Identity and Access Management can improve service management in these areas by making users more efficient through self-service and automation.
In doing so, an IT organization can deliver on its promise to produce—and preserve—as much business value as possible.
Original publication, Merchant, Corey. "How Identity Access Management (IAM) Makes ITSM Better—And Why They Belong Together." Cherwell Blog. Cherwell Software™, 1 Nov. 2015.
Get the Free KuppingerCole Identity Management Analyst White Paper
Learn the role IT automation and business driven self-service administration play in creating lean operations. KuppingerCole’s Assignment Management — Think Beyond Access describes the shift in IT operations from tightly controlled identity management processes to workflow enabled administration.