In the third in a series of posts, Jagdeep Bhambra examines how an enterprise can evolve its Identity and Access Management (IDAM).
I hope that you will find this post useful when thinking about how you will put in place IDAM in relation to various factors, including:
- business requirements i.e. user / customer needs
- user experience
- operational cost and overhead. For example password resets, onboarding and offboarding users, self-service, and ‘Choose your own Device’.
- business strategy (and, as a result, the technology strategy)
- current state of maturity
- cost, delivery and resource constraints
As you can appreciate, each IDAM implementation is unique based upon the needs of a particular organisation. I have attempted to outline the journey an organisation needs to take through the use of examples.
A Strategic Vision
Implementing an IDAM solution / strategy can be complex. The impact on the business often depends upon the current state of the organisation i.e. its maturity and its appetite for change.
Different organisations will have varying levels of maturity with regard to IDAM and its implementation. Depending on this maturity, the capability and strategic requirements of an enterprise will also vary. These will quite often be in constant evolution as the business keeps up with demands placed upon it.
To illustrate this, I have categorised IDAM adoption into 5 broad categories. An enterprise's maturity may be a combination of these. I have also given some example characteristics to help gauge the level of maturity.
Key characteristics of basic or low maturity:
- No directory services
- no server-based identities
- most users have unrestricted admin access to systems and services
- inconsistent password management
- manual management of user credentials
- little or no adoption of standards / compliance
Key characteristics of standard maturity:
- Minimal Directory services used for authentication only
- Uncontrolled use of administration modes for the majority of users
- no or limited provisioning of resource assignment to users
- minimal adoption of industry standards / compliance / policies / security protocol best practices
Key characteristics of consolidated or medium maturity:
- Directory services are available and have central administration
- server-based identity and / or access management in place and utilised
- full usage and adoption of policies / security templates
- strong compliance to industry standards / compliance / policies /security protocol best practices
- role-based access to resources
Key characteristics of dynamic or high maturity:
- Centrally-managed user provisioning and deprovisioning across one or more heterogeneous systems
- use of federated IDAM across the organisation, including external partners and suppliers
- full automation across business and technical processes
- strong compliance to industry standards / compliance / policies / security protocol best practices
- all IDAM activities can be (and are) measured and trackable
Key characteristics of identity as a service or advanced maturity:
- Enabled ‘Identity and Access Management as a service’ to itself, and external organisations
- providing full federation as a service across a trusted network, and across many organisations, but managed centrally
- ability to act as an Identity Provider both to internal and external services
Transitioning to Higher Levels of IDAM Adoption
Consider the following 6 steps for transitioning to a successful strategic IDAM solution:
- divide the production of identities from their consumption i.e. introduce a virtual directory interface between the provisioning system and the identity source(s)
- plan a set of identity consumption policies i.e. determine who has the authority for which set of credentials
- when supporting many providers, assume many sources of identities will exist (with varying qualities of attributes). In some cases the same user will exist across many directories
- remove authentication and authorisation capabilities from applications and systems. Design systems and applications that need this to query the IDAM platform
- consider authorisation in context, for example, role-based access. Develop and utilise XACML authorisation policies to ensure you give the right role-based access (at runtime if needed)
- have exit strategies for applications and systems. Ensure there is a roadmap to phase out legacy systems and applications, and with this, their use of IDAM
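The first three steps and the role-based decision, sketched as an added example that is not part of the original post: a virtual directory view correlates one user across several sources, takes each attribute only from the source the consumption policy names as authoritative, and an application asks for a decision instead of checking roles itself. All directory names, attributes and records are constructed, and `decide` is a plain-Python stand-in for an XACML policy decision, not XACML syntax.

```python
# Added example: every directory name, attribute and record here is constructed.
# Consumption policy (step 2): which source is authoritative for each
# attribute, in order of preference.
AUTHORITY = {
    "display_name": ["hr", "ad"],
    "department": ["hr"],
    "roles": ["ad"],  # roles are trusted only from the directory that provisions them
}

# Several identity sources with the same user and uneven attribute quality (step 3).
SOURCES = {
    "hr": [{"mail": "A.Khan@example.org", "display_name": "Aisha Khan", "department": "Finance"}],
    "ad": [{"mail": "a.khan@example.org", "display_name": "akhan", "roles": ["finance-approver"]}],
    "partner": [{"mail": "a.khan@example.org ", "roles": ["admin"], "department": "IT"}],
}


def correlate(sources):
    """Group records from every source under one normalised key (the e-mail address)."""
    people = {}
    for source, records in sources.items():
        for rec in records:
            key = rec["mail"].strip().lower()
            people.setdefault(key, {})[source] = rec
    return people


def resolve(key, people, authority=AUTHORITY):
    """Build the single view consumers see (step 1), using authoritative sources only."""
    view = {"mail": key, "sources": sorted(people[key])}
    for attr, trusted in authority.items():
        for source in trusted:
            value = people[key].get(source, {}).get(attr)
            if value:
                view[attr] = value
                break
    return view


def decide(view, required_role):
    """Role-based decision made outside the application; default is Deny."""
    return "Permit" if required_role in view.get("roles", []) else "Deny"


if __name__ == "__main__":
    identity = resolve("a.khan@example.org", correlate(SOURCES))
    print(identity)
    print(decide(identity, "finance-approver"), decide(identity, "admin"))
```

The partner directory's `admin` role never reaches the resolved view because that source is not authoritative for roles, so the second decision is a denial.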
While your organisation is on its way to IDAM maturity, you will need to analyse its progress.
The example below provides a high level view of the present state of an organisation. The list is not exhaustive but shows the varying levels of capability it may have, the transformations required, and the strategic vision. In all 3 cases, one or more scenarios may apply.
The Present State (one or more may apply)
- Individuals have more than 1 identity across many systems
- Duplicate identities (and across many systems)
- Identity is inconsistent across domains, platforms and systems
- Many forms of physical identity security passes exist across many locations
- User provisioning and deprovisioning is manual. Administration is archaic, error-prone, inefficient and expensive, increasing the security risk profile
- Federation is nonexistent, poor, or is incapable of meeting future demands. This could be cost, people, processes and technology
Transformation (one or more may apply based upon present state)
- Put in place an IDAM solution to manage all identities within an organisation
- Enable a holistic physical security strategy that integrates into logical security tiers
- Provisioning of a single, secure and trusted credential per user to enable access to assets
- Allow business process automation for user provisioning and de-provisioning. Also for self-service and repeatable processes, e.g. enabling self-service for password resets
- Deliver an IDAM data strategy (and data model) to enable information management across domains
- Realisation of the benefits that an IDAM solution can bring. For example single sign-on, federation, centralised user management, APIs, etc.
Strategic Vision (one or more may apply)
- The right people have access to the right information at the right time, with the right level of access / trust
- Individuals have one identity across an enterprise (or across an organisation). Store it once, and manage it centrally
- A security pass that works across the organisation, and could work across many organisations
- Open standards and protocols enable system-to-system interoperability. Extra leverage can be gained via use of APIs
- Improved and (potentially) automated processes. For example joiner / leaver processes, user provisioning / de-provisioning.
- Enabling an adaptable organisation with reduction in calls to Help Desk
- Reduction in administration-based cost, such as password resets, self-service, etc.
- Enterprise utilises single sign-on, federation, shared / common services, etc. as standard
- You know and can measure your organisation’s security footprint. Audits are more efficient and compliance is easier to achieve and track
- Organisation makes use of an enterprise-wide ‘Identity as a Service’
An important step in understanding the strategic vision is for an organisation to map the capabilities / features of an IDAM solution to key business benefits. The example below shows one way of achieving this mapping. I have listed 3 example features but the actual analysis may be far greater depending on the strategic vision vs. present state.
Fig: An example of mapping IDAM capabilities to benefits
|IDAM Feature / Capability|Key Benefit(s)|
|Automated user provisioning||
|Federation (and interfaces)||
|Identity Management Service||
Following on from such analysis, a further step is to match the benefits to cost savings. Also determine how much, or how little (estimated) cost is currently incurred through processes.
An enterprise should use a strategic roadmap to put in place a successful IDAM solution. It requires a lot of thought and understanding from the start, especially around what it enables for the business.
The steps you take are dependent on the level of maturity of your organisation, and its appetite for change. This often depends on many factors e.g. cost, resources, delivery timescales, business expectations, etc. You may require an audit of the organisation's current state before transitioning to a new one. Without this initial work, IDAM implementation will be fraught with issues.
Finally, mapping the business benefits to IDAM delivery will allow an organisation to understand the potential cost savings.