When visiting a client, prospective client, or just having general discussions with folks, I find more often than not that an Identity Strategy is non-existent. It’s not that Identity Management is being ignored, because plenty of companies have some form of IdM initiative under way, but what I find is that there is a non-cohesive approach being taken.
At some point in time, perhaps, it is determined that a provisioning solution is required in a company. A solution is procured, installed, tested, and then placed into production generally supporting a few end-points. In many cases, the initiative stops there, while in other cases additional end points are added in an ad-hoc manner.
Typically there is another project undertaken, possibly by another group within the same company, to provide access management. Once again a few end-points are protected in the initial implementation with others added in a rather casual manner. Often this is done in silos without any regard to other initiatives or existing technology.
Subsequently the auditors come in and expose some or all of the violations of various regulations related to access, data protection, and the like. A flurry of activity occurs throughout the organization with people riffling through spreadsheets, adjusting access on the fly, and making somewhat ignorant decisions in a hurry. A COTS (Commercial off the shelf) solution may be brought into the mix to assist in expediting the overall process but by now you’re already behind the infamous eight ball.
In this example three different yet inter-related challenges have been approached to some degree. Chances are that the technologies that were obtained don’t play well together, different firms were used to assist in the implementation, and let’s not even get into the details of integration, trouble-shooting or cost containment.
Unfortunately this scenario is commonplace and is disruptive at best.
Keeping this in mind, and knowing that these issues exist within your organization, does it not make sense to develop a strategy on how to holistically approach the challenge? You may be thinking that you already have one or two of the key elements that would be considered part of an Identity Management solution, thereby leading you to believe that you have a strategy. I would argue that having a few components does not necessarily imply that you have a strategy or, for that matter, a well thought out solution.
So where do we go from here?
First and foremost take into account the current environment:
- What does the current IT infrastructure look like?
- What are the current business processes?
- Do we understand the current state use cases?
- Is the organization exposed to internal and/or external attacks?
- Are there active audit requirements?
- Are there regulations to adhere to?
- Are current and future business requirements understood?
So I pose this question: can you answer all of the above questions and provide the documentation to back it up? If the answer is yes, then you are in great shape to begin putting together a strategy. If the answer is no, then you are not quite ready to draft a meaningful strategy that will address short-term requirements and long-term goals.
Let’s assume for the sake of the discussion that all the information outlined above is available and in one place. The next step is to prioritize objectives. The drivers behind these objectives generally have meaningful business impact, and some are more urgent than others.
Now you need to understand the current state, potential exposures, business requirements, and priorities. It appears that you are ready to start applying solutions based on priority. Right?
Well… not so fast. If we are to apply new solutions we should really know:
- How will the organization process change?
- What do the future state use cases look like?
- How are the exposures addressed?
- Can the organization pass audits?
- How does the organization achieve and maintain regulatory requirements?
Answer these questions and you are at the point where the actual strategy can be developed. This initial part of the strategy should be done without taking specific products into consideration. Instead a process re-engineering approach that highlights functionality over technology should be pursued. Technology is a method to implement your strategy but it is not your strategy. Once the above questions can be addressed, documented, and prioritized, it’s time to start considering specific technologies that will address the strategy.
At this point the business can decide to go through a Request for Proposal (RFP), a Request for Information (RFI), or go directly to a couple of trusted vendors in order to secure the best technology to address the strategy. Regardless, a decision can then be made on the best approach: the old single technology vendor (i.e. one throat to choke) to address all of the needs, or a best-of-breed technology selection (like a Chinese restaurant menu, a little from column A, a little from column B) to address all of the needs.
Both of these approaches carry merit and a lot depends on your organization’s approach, methods and often, political leanings.
Once done, it’s time to begin the tactical deployment and for the real fun to begin.
Not that I am suggesting that any of the activity outlined within this blog is overly easy, but ultimately taking the time and money up front to define a complete strategy is going to provide:
- High impact by addressing the high priority business requirements first
- Reduction of overall cost by having a defined plan and incorporating solutions to meet business demand as needed
- The ability to define, build, maintain, and adapt a long term enterprise wide solution versus applying point solutions on the fly
- The ability to apply technology solutions to address specific business needs (and not for the sake of the technology itself)
These can be muddy waters to navigate without a lot of understanding in process engineering, industry knowledge, technology skills, understanding of best practices, and broad insight into what has worked for other organizations.
Now for the rub… IDMWorks is a World Class consulting organization bringing years of proven experience in the Identity Management arena. We welcome the opportunity to help you define your Identity Strategy.
So feel free to contact us and let us show you how we can assist.