Jun 19, 2012 4:38:04 AM
A Case for Formal Identity Capability Management

During the typical sales cycle, a key success factor is getting the end customer to accept the "pain points" or challenges that exist in his or her organization at that point in time. Hopefully the flip side of these challenges are the essence of the capabilities of the solution that you're trying to sell. What if the pain points are evident, but the customer is not there yet? Worse yet, what if the customer doesn't understand the root cause of the problem? Instead they are constantly reacting to fires or to requirements from powerful users instead of addressing the real problem!

In these cases, the most common indicator is that the customer does not practice Enterprise Architecture Management or IT capability management for their IdM needs. This means that the customer shows a lack of maturity in understanding the capability triad (people, process, technology) around IdM. Ideally there is a balance in which organizations have educated their teams around the security implications of having a proper identity management strategy; the processes have at least been identified, and it is understood that technology is only an enabler - Identity Management problems exist with or without technology.

We can build an Identity Management roadmap elaborating 3 basic questions:

  1. What do we want the user or organization to do? (onboarding, offboarding, self-service)
  2. What are the operational aspects of what we want to enable? (HR-IT synergy, Database operations, Online or Paper forms)
  3. What are the trends in the industry? (Cloud-based IDA or IDaaS, Internal Federation, etc.)

The idea is to build an IdM portfolio management matrix that can be the compass of these activities during the next 6 to 18 months and that can be revised quarterly to adapt to organizational needs or priorities.

Let's use a single process and elaborate on it using questions from the point of view of IT?

Onboarding

  1. What are the administrative and technical controls that are required by regulation?
  2. What are the administrative and technical controls that are required by policy?
  3. What are our realistic risks related to onboarding?
  4. How does our onboarding process look like today?
  5. How should our onboarding process look (ideally)?
  6. How should our onboarding process look (ideally) from an HR point of view?
  7. How should our onboarding process look (ideally) from the user's point of view?
  8. How many job families have been identified?
  9. Have we catalogued the basic applications and access for each job family?
  10. How many of these applications can be provisioned automatically?
  11. How many of these applications have to be provisioned manually?
  12. How many of these applications have their own identity repository?
  13. How many of these applications support LDAP or Kerberos authentication?
  14. How many of these applications require complex approvals?
  15. How well do we work together with HR when it comes to onboarding?
  16. Can we obtain provisioning data directly from the HR system or do we need to duplicate data entry?
  17. What types of identities are being provisioned? (Part or Full-time employees, Contractors, Suppliers, etc.)
  18. What are the industry trends user provisioning?
  19. What are our peers doing to approach the issue?
  20. What are the plans of our current IdM provider?
  21. Do we have M&A activities looming?

The answers to all these questions start shaping up a set of requirements that when compared with the current state, provide an idea of where the organization should go next. With an exercise of prioritization, a statement like this can emerge:

Our priority for the next 6 months in the IdM-Onboarding capability is to automatically provision and deprovision users into the JD Edwards application. This is required by our SOx regulatory needs and the finance department has stated that access to this application is key for their productivity.

It is somewhat unrealistic that IT organizations will keep a proper roadmap for all the capabilities in the enterprise -especially considering the current times of trying to do more with less- it seems that IT folks are drowning in operational issues while trying to keep up with projects, however Identity Management can get very complex and is constantly evoving; my suggestion for organizations to build a case for IdM capability management to get "off the ropes" and take control over those needs.