Most organisations are approaching identity and access management (IAM) in the wrong way by working with production requirements first, according to Gartner.
“Between half and two-thirds of organisations attempting to establish a truly-effective IAM programme approach it in the wrong way,” says Earl Perkins, research vice president at Gartner. “IAM process requirements should always precede organisation and technology decisions. But currently, most IAM planning is done around clusters of technologies, rather than by addressing specific IT or business processes.”
“The ‘build’ experience of IAM projects has traditionally not been a good one,” says Perkins. “While some experiences have improved and technologies are evolving, major efforts to formally build an IAM system for an organisation overlook a key lesson — planning for IAM often starts from the wrong direction with the wrong people, or at least not everyone who should be involved.”
IAM started out as a “fix the plumbing” concern. However, with the advent of risk, compliance, accountability and transparency, this has changed. Now, the basis for good IAM involves a very active role for the organisation as a whole, as only it can truly say what accountability and transparency of access should mean and how they should work. In an era where accountability and transparency are required and must be formalised, this means a more focused and structured approach for all parties affected, and not just IT.
“IAM should not be planned with operations in mind; rather, it should be based on the foundations of the organisation relative to policies, processes and people,” says Perkins. “Products are actually a relatively small focus of the decision process in an IAM programme.”
Gartner says that looking at IAM as a process has several advantages. First, it removes the product-centric pattern the market has placed on IAM. “Instead of looking at IAM as a set of products to be purchased to fill technology gaps in an organisation, viewing IAM as a process attempts to identify where people and IAM technology can be most effectively ‘inserted’ to fulfil the practices and policies of the organisation,” says Perkins. “It also contributes in a significant way to how enterprise, and security, architecture is enriched with the addition of IAM-specific architecture.”
IAM as a process also helps to identify the key questions that need to be asked during IAM product selection (such as how those products fulfil specific process steps). Viewing IAM as a process helps an organisation articulate its requirements and target them through prioritisation of need. It helps map the IAM process on top of known business processes to determine the convergence or touchpoints for control and intelligence purposes. Process steps that are best performed manually or are people-intensive can be identified, as can different IAM process flows for different organisations, applications or system environments.
“IAM as a process essentially serves as a lens for enterprise customers to permit a ‘horizontal’ view of the identity and access process across the vertical landscape of business and IT within an organisation,” says Perkins. “As such, it encourages customers to discover for themselves the current manual and automated processes supporting IAM, and to map them to this core process view to identify current problem areas in their process.”
Perkins adds that the operational process view of IAM can also enable the customer to define organisational roles for managing IAM and to develop an identity and access governance model that incorporates those operations. By linking the operational IAM process to the policy model of the organisation, this part of IAM governance can be established as a life cycle, rather than as an ad hoc set of activities applied reactively to access and identity problems. IAM as a process can be effective in converging business and enterprise processes with IT processes and accelerating IAM programme maturity for the long term.