An interesting discussion came up recently on the Gartner Identity & Access Management XChange on LinkedIn. A participant asked for a breakdown of the elements that make up Identity and Access Management (IAM).
A number of opinions were offered, most differing only slightly from the others. Perhaps the most different take on it was one respondent who provided a link to a lengthy paper that made a case for IAM being an amalgamation of two separate, yet symbiotic platforms — Identity Management and Access Management. While I can see his point, I think that in today’s world of business the two really need not and should not be separated.
Here’s how I see the components of IAM:
- Identity mining and analysis: Unless the IT strategy is being created from scratch, there already should be multiple applications and services that maintain multiple user and resource lists. As a matter of forming an initial baseline, an organization needs to understand, resolve, and refine those identity lists and remove duplicates, junk accounts and accounts that should already have been deleted, to create an authoritative identity list that can then feed IT, business and service management programs.
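The reconciliation step above is easier to see in code. The following is an added example, not code from the original post: it merges constructed user exports from three hypothetical systems (an HR feed, Active Directory and a CRM) on a normalised join key, records which login each system uses for the same person, and classifies each merged identity as active, junk or stale. The export field layout, the `test`/`tmp` junk-account naming convention and the one-year staleness threshold are assumptions standing in for whatever a real organisation's policy says.

```python
"""Reconcile user lists from several systems into one authoritative identity list.

Added illustration, not the original post's code. The exports below are
constructed; the field layout, junk prefixes and staleness policy are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

AS_OF = date(2024, 6, 1)           # reference date for the staleness check (constructed)
STALE_AFTER = timedelta(days=365)  # assumed policy: no login in a year => stale
JUNK_PREFIXES = ("test", "tmp")    # assumed naming convention for throwaway accounts

# Constructed exports: (system, login, email, display name, last login, ISO date).
# Note the differing logins and e-mail casing for the same person across systems.
HR_EXPORT = [
    ("hr", "jsmith", "JSmith@Example.com", "Jane Smith", "2024-05-01"),
    ("hr", "bjones", "bjones@example.com", "Bob Jones", "2024-04-20"),
]
AD_EXPORT = [
    ("ad", "jane.smith", "jsmith@example.com", "Jane Smith", "2024-05-02"),
    ("ad", "bjones", "bjones@example.com", "Bob Jones", "2024-04-30"),
    ("ad", "test01", "", "Test Account", "2022-01-10"),
    ("ad", "svc-backup", "", "Backup Service", "2021-01-01"),
]
CRM_EXPORT = [
    ("crm", "jsmith", "jsmith@example.com", "Jane Smith", "2023-01-15"),
    ("crm", "old.user", "old.user@example.com", "Old User", "2021-06-01"),
]


@dataclass
class Identity:
    key: str
    display_name: str
    accounts: dict = field(default_factory=dict)  # system -> login in that system
    last_login: date | None = None                # most recent login seen anywhere


def identity_key(login: str, email: str) -> str:
    """Join key across systems: the lower-cased e-mail, else the lower-cased login."""
    return (email or login).strip().lower()


def reconcile(exports, as_of: date = AS_OF) -> dict[str, Identity]:
    """Merge every export into one record per identity key."""
    merged: dict[str, Identity] = {}
    for export in exports:
        for system, login, email, name, last_login in export:
            key = identity_key(login, email)
            ident = merged.setdefault(key, Identity(key=key, display_name=name))
            ident.accounts[system] = login
            seen = date.fromisoformat(last_login)
            if ident.last_login is None or seen > ident.last_login:
                ident.last_login = seen
    return merged


def classify(ident: Identity, as_of: date = AS_OF) -> str:
    """junk: throwaway naming; stale: no login within policy; else active."""
    if any(login.lower().startswith(JUNK_PREFIXES) for login in ident.accounts.values()):
        return "junk"
    if ident.last_login is None or as_of - ident.last_login > STALE_AFTER:
        return "stale"
    return "active"


def authoritative_list(merged: dict[str, Identity], as_of: date = AS_OF) -> list[str]:
    """Keys of the identities that survive cleanup, i.e. the baseline to feed downstream."""
    return sorted(k for k, ident in merged.items() if classify(ident, as_of) == "active")


def report(merged: dict[str, Identity], as_of: date = AS_OF) -> None:
    for key, ident in sorted(merged.items()):
        print(f"{classify(ident, as_of):7} {key:24} {ident.accounts}")


if __name__ == "__main__":
    report(reconcile([HR_EXPORT, AD_EXPORT, CRM_EXPORT]))
```

Run it and the two active people come out as the authoritative baseline, while the test account, the long-unused service account and the departed CRM user are listed separately for review rather than silently dropped; in practice the "stale" bucket is where service accounts with no owner and no recent use tend to surface.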
- Identity definition and user provisioning: An authoritative identity list is needed to simplify and automate the process of creating, refining and provisioning user access to resources. Role creation and definition tasks should be distributed to individual team or business managers who best understand both needed access and user roles.
- Active group management: Obsolete or duplicate groups can clutter up authoritative identity lists and create both process confusion and operational inefficiency. As with identity definition, group management should be pushed out of IT and into business team management through self-service group management to ensure active update and regular maintenance based on business need. IT tasks such as Active Directory group membership management should be defined by rule sets and automation whenever possible to help overcome an error-prone ad hoc process, and to enable reusable definitions based on validated roles and well-defined business rules. This process should be tied to task automation to ensure that the results of those AD group management rule sets flow back into stakeholder applications such as HR or directory services.
- Compliance management and audit: The key to compliance is capturing history data at the moment of execution for relevant events. Identity, group, role and access changes are always relevant, as are resource assignments such as taking possession of a computing device that can receive access. Which specific events are monitored depends on specific standards and regulations, but it’s wise to capture all identity, resource and access changes.
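The two preceding items fit together naturally, so here is one added example (not the original post's code) that covers both: group membership is computed from a rule set over user attributes instead of ad hoc grants, the rule engine reports groups that no active user qualifies for as retirement candidates, and every membership change is written to an audit log at the moment it is applied. The users, attributes, rule format, group names and the `rule-engine` actor are all constructed. The example goes one step beyond the text by chaining each audit record to the previous one with a SHA-256 hash, so that a record edited or removed after the fact breaks verification.

```python
"""Rule-driven group membership with an audit record captured at execution time.

Added illustration, not the original post's code. Users, rules, group names and
current memberships are constructed; the rule format is an assumption.
"""
from __future__ import annotations
from datetime import datetime, timezone
import hashlib
import json

# Constructed directory snapshot: login -> attributes an HR feed might supply.
USERS = {
    "jsmith": {"department": "finance", "title": "analyst", "status": "active"},
    "bjones": {"department": "finance", "title": "manager", "status": "active"},
    "cwu":    {"department": "engineering", "title": "engineer", "status": "active"},
    "dlee":   {"department": "finance", "title": "analyst", "status": "terminated"},
}

# Constructed rule set: a group is defined by attribute conditions that must all hold.
GROUP_RULES = {
    "grp-finance-all":       {"department": "finance"},
    "grp-finance-approvers": {"department": "finance", "title": "manager"},
    "grp-eng-all":           {"department": "engineering"},
    "grp-legacy-erp":        {"department": "sales"},   # nobody matches any more
}

# Constructed current directory state before the rules run.
CURRENT_MEMBERS = {
    "grp-finance-all": {"jsmith", "dlee"},          # dlee has left but is still a member
    "grp-finance-approvers": {"jsmith"},            # ad hoc grant the rule does not justify
    "grp-eng-all": set(),
    "grp-legacy-erp": set(),
}

GENESIS = "0" * 64  # previous-hash value for the first audit record


def evaluate(rules: dict, users: dict) -> dict[str, set[str]]:
    """Who should be in each group, purely from the rules. Terminated users never qualify."""
    return {
        group: {login for login, attrs in users.items()
                if attrs.get("status") == "active"
                and all(attrs.get(k) == v for k, v in conds.items())}
        for group, conds in rules.items()
    }


def diff(current: dict, desired: dict) -> list[tuple[str, str, str]]:
    """(action, group, login) changes needed to converge current onto desired."""
    changes = []
    for group, wanted in desired.items():
        have = current.get(group, set())
        changes += [("add", group, login) for login in sorted(wanted - have)]
        changes += [("remove", group, login) for login in sorted(have - wanted)]
    return changes


def obsolete_groups(desired: dict) -> list[str]:
    """Rule-defined groups with no qualifying active user: candidates for retirement."""
    return sorted(group for group, members in desired.items() if not members)


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def apply_with_audit(current: dict, changes: list, actor: str, audit_log: list,
                     now: datetime | None = None) -> dict:
    """Apply each change and append an audit record at the moment it happens.
    Each record embeds the hash of the previous one, so later edits are detectable."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    prev = audit_log[-1]["hash"] if audit_log else GENESIS
    for action, group, login in changes:
        if action == "add":
            current.setdefault(group, set()).add(login)
        else:
            current[group].discard(login)
        record = {"ts": stamp, "actor": actor, "action": action,
                  "group": group, "login": login, "prev": prev}
        record["hash"] = _digest(record)
        audit_log.append(record)
        prev = record["hash"]
    return current


def verify_chain(audit_log: list) -> bool:
    """True if every record hashes correctly and links to its predecessor."""
    prev = GENESIS
    for rec in audit_log:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body["prev"] != prev or _digest(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


if __name__ == "__main__":
    desired = evaluate(GROUP_RULES, USERS)
    print("obsolete groups:", obsolete_groups(desired))
    log: list = []
    apply_with_audit(CURRENT_MEMBERS, diff(CURRENT_MEMBERS, desired), "rule-engine", log)
    for rec in log:
        print(rec["action"], rec["group"], rec["login"])
    print("audit chain intact:", verify_chain(log))
```

Running it removes the departed user and the unjustified approver grant, adds the people the rules say belong, and flags `grp-legacy-erp` for retirement; the same `diff` output is what you would hand to task automation to push the result back into AD or HR, and the audit log is the history data the compliance item asks for.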
- Increased security at the point of identity verification: The practice starts with ensuring password security through periodic and systemic changes and updates. It continues with increasing password strength according to corporate policy, and moves into supplementary identity verification technologies such as biometric and token-based user validation, which are common access technologies for newer devices. This move toward separating identity and access management into independent practices or process disciplines is reflected by an increasing number of tools and technologies focused on those individual practices. Task initiation is distributed to end users, teams and business managers to increase accountability while improving efficiency and auditability. This enables IT to strengthen tools and technologies as business drives process and accountability, and lays the foundation for modern service management, regulatory compliance and standards conformance.
Ideally, all of these elements should be made available through an actionable service catalog that uses an internal "application store" approach, thereby enabling both managers and individual users to request new or updated access through a user-friendly, shopping-cart-style self-service provisioning portal tied to an automated approval management system. This encourages more consistent maintenance, which in turn increases overall security effectiveness while creating an audit trail of changes and approvals… and that’s what IAM is all about.
Begin your identity management initiative by following what corporate compliance experts recommend for the workflow automation of business processes, self-service administration and IT operations.