The IAM market is experiencing a renaissance with the emergence of new options for how and where to deploy IAM technology, both on-premises and as a service. At the same time most organisations are struggling with how to best utilise the IAM solutions they have to manage their changing world of IT infrastructure.
New technologies like cloud and mobile are being mixed with established mainstays like SAP, Oracle and RACF and must be managed with an increasing focus on governance, compliance and automation. Regardless of the delivery model selected, and whatever the mix of applications being managed, many best practices of IAM remain unchanged.
As we look back on what we’ve learned in the industry so far, and lay out a path to the products and solutions of tomorrow, some basic and very simple patterns (or tenets) of IAM emerge that can guide a solution and a deployment today and ten years from now. Below are five of the critical IAM tenets that are necessary for defining, securing and managing identity across the enterprise:
1. Think Identity, Not Account
Even before the advent of cloud computing, we learned that more often than not, an end user in the organisation typically has multiple accounts and multiple entitlements per person across the infrastructure. If an enterprise only focuses its IAM program on managing at the account level, it will never get the total visibility needed to properly know “who does have access to what.”
Understanding the relationship between the identity and the account, between the account and the entitlement and between the entitlement and the data/information that it protects is key. By centralising data around an identity, enterprises have a single place to model roles, policies, and risk to support compliance, provisioning, and access management processes across the organisation.
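The chain described above (identity to account, account to entitlement, entitlement to the data it protects) is easiest to see with data. The following is an added example, not code from the original article: it folds constructed account exports from three siloed systems onto a constructed HR identity feed, then answers “who does have access to what” at the identity level. The system names, account ids, entitlement names and email correlation key are all assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample exports from three siloed systems. Each uses its own account
# naming convention; "email" is the correlation key that links an account to the
# HR identity (None models a local account whose owner is unknown).
SYSTEM_EXPORTS = {
    "SAP": [
        {"account": "JSMITH",   "email": "j.smith@example.com", "entitlements": ["FI_AP_PAY", "FI_AP_VIEW"]},
        {"account": "ALEE",     "email": "a.lee@example.com",   "entitlements": ["MM_PO_CREATE"]},
    ],
    "RACF": [
        {"account": "SMITHJ1",  "email": "j.smith@example.com", "entitlements": ["PAYROLL.DATA"]},
        {"account": "TEMP0042", "email": None,                  "entitlements": ["PAYROLL.DATA"]},
    ],
    "CloudHR": [
        {"account": "john.smith", "email": "j.smith@example.com", "entitlements": ["hr:export"]},
    ],
}

# Last link of the chain: which data each (system, entitlement) actually protects (constructed).
ENTITLEMENT_PROTECTS = {
    ("SAP", "FI_AP_PAY"):     "vendor payments",
    ("SAP", "FI_AP_VIEW"):    "vendor payments",
    ("SAP", "MM_PO_CREATE"):  "purchase orders",
    ("RACF", "PAYROLL.DATA"): "payroll records",
    ("CloudHR", "hr:export"): "payroll records",
}

# Authoritative identity source (constructed HR feed): email -> display name.
HR_IDENTITIES = {"j.smith@example.com": "Jane Smith", "a.lee@example.com": "Anna Lee"}


@dataclass
class Identity:
    name: str
    email: str
    accounts: dict[str, str] = field(default_factory=dict)          # system -> account id
    entitlements: set[tuple[str, str]] = field(default_factory=set)  # (system, entitlement)


def correlate(exports, hr):
    """Fold every system's accounts onto HR identities.
    Accounts that cannot be tied to an identity are returned as orphans:
    an account-level view never flags them, an identity-level view does."""
    identities = {email: Identity(name, email) for email, name in hr.items()}
    orphans = []
    for system, accounts in exports.items():
        for acct in accounts:
            ident = identities.get(acct["email"]) if acct["email"] else None
            if ident is None:
                orphans.append((system, acct["account"]))
                continue
            ident.accounts[system] = acct["account"]
            ident.entitlements.update((system, e) for e in acct["entitlements"])
    return identities, orphans


def who_has_access_to(identities, resource):
    """Answer 'who has access to what' at the identity level, across all systems."""
    return sorted(
        ident.name for ident in identities.values()
        if any(ENTITLEMENT_PROTECTS.get(ent) == resource for ent in ident.entitlements)
    )


def accounts_with_access_to(exports, resource):
    """What an account-centric view reports: a raw count of accounts, which
    overstates the number of people and hides the ownerless account."""
    return sum(
        1 for system, accounts in exports.items() for acct in accounts
        if any(ENTITLEMENT_PROTECTS.get((system, e)) == resource for e in acct["entitlements"])
    )


if __name__ == "__main__":
    identities, orphans = correlate(SYSTEM_EXPORTS, HR_IDENTITIES)
    print("accounts with payroll access:", accounts_with_access_to(SYSTEM_EXPORTS, "payroll records"))
    print("identities with payroll access:", who_has_access_to(identities, "payroll records"))
    print("orphan accounts needing an owner:", orphans)
```

Run as written, the account view reports three accounts with payroll access, while the identity view shows a single person (holding three separate accounts) plus one RACF account with no owner at all, which is exactly the visibility gap the tenet warns about.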
2. Visibility Is King! Silos Are Bad!
As new technologies like cloud and mobile are mixed with established mainstays like SAP, Oracle and RACF, all enterprise applications that contain “valuable” or sensitive data, or perform mission-critical operations within the organisation, must be managed with an increasing focus on governance, compliance and automation – in one single place.
This allows the organisation to leverage common detective and preventative controls to ensure a unified view of identity data, which can help the business effectively analyse risk, make informed decisions and implement appropriate controls in an automated and more sustainable fashion. Many of today’s cloud-based identity solutions only manage cloud apps – so they require implementation of a second solution, or leave the organisation exposed.
3. Full Lifecycle Governance Is Required
It is critical to always manage the lifecycle of an identity by tying it to the business policies and business owners that are responsible for it. We must allow detective and preventative controls to span the entire lifecycle of an identity as request, review and revocation takes place. By embedding policy and controls throughout the full identity lifecycle process, enterprises can achieve ongoing, sustainable compliance and reduce the need for after-the-fact remediation.
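To make the request, review and revocation stages concrete, here is an added example that is not part of the original article. It models a small policy catalogue with business owners and risk ratings, applies a preventative control at request time (owner approval and a separation-of-duties rule), a detective control at review time (certifications older than the interval for the risk rating), and full revocation when the identity leaves. The entitlement names, owner roles, review intervals and the conflict pair are all constructed assumptions for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed policy catalogue: each entitlement has a business owner who must
# approve it and a risk rating that sets how often it must be re-certified.
ENTITLEMENTS = {
    "FI_VENDOR_CREATE": {"owner": "ap-manager",         "risk": "high"},
    "FI_VENDOR_PAY":    {"owner": "ap-manager",         "risk": "high"},
    "FI_REPORT_VIEW":   {"owner": "finance-controller", "risk": "low"},
}
REVIEW_INTERVAL_DAYS = {"high": 90, "low": 365}
# Separation-of-duties rule (constructed): creating and paying vendors must not sit with one identity.
SOD_CONFLICTS = [frozenset({"FI_VENDOR_CREATE", "FI_VENDOR_PAY"})]

# Fixed reference date so the example is reproducible offline.
DAY0 = date(2024, 1, 1)


def days_after(n: int) -> date:
    return DAY0 + timedelta(days=n)


@dataclass
class Grant:
    entitlement: str
    approved_by: str
    granted_on: date
    last_certified: date


@dataclass
class Identity:
    user: str
    active: bool = True
    grants: dict[str, Grant] = field(default_factory=dict)


def request_access(identity: Identity, entitlement: str, approver: str, today: date) -> tuple[bool, str]:
    """Preventative control: policy is evaluated before the grant happens, and a
    violating request is refused with a reason rather than remediated afterwards."""
    if not identity.active:
        return False, "identity is not active"
    policy = ENTITLEMENTS.get(entitlement)
    if policy is None:
        return False, "unknown entitlement"
    if approver != policy["owner"]:
        return False, f"approver must be business owner {policy['owner']}"
    held = set(identity.grants)
    for conflict in SOD_CONFLICTS:
        others = conflict - {entitlement}
        if entitlement in conflict and others <= held:
            return False, "separation-of-duties conflict with " + ", ".join(sorted(others))
    identity.grants[entitlement] = Grant(entitlement, approver, today, today)
    return True, "granted"


def review(identity: Identity, today: date) -> list[str]:
    """Detective control: list grants whose last certification is older than the
    interval allowed for their risk rating, so the owner can re-certify or revoke."""
    overdue = []
    for grant in identity.grants.values():
        limit = REVIEW_INTERVAL_DAYS[ENTITLEMENTS[grant.entitlement]["risk"]]
        if (today - grant.last_certified).days > limit:
            overdue.append(grant.entitlement)
    return sorted(overdue)


def certify(identity: Identity, entitlement: str, today: date) -> None:
    """Owner confirms the grant is still needed; the review clock restarts."""
    identity.grants[entitlement].last_certified = today


def revoke(identity: Identity, entitlement: str) -> bool:
    return identity.grants.pop(entitlement, None) is not None


def offboard(identity: Identity) -> list[str]:
    """Leaver: every grant is revoked and the identity can no longer request access."""
    revoked = sorted(identity.grants)
    identity.grants.clear()
    identity.active = False
    return revoked


if __name__ == "__main__":
    alice = Identity("alice")
    print(request_access(alice, "FI_VENDOR_CREATE", "ap-manager", DAY0))
    print(request_access(alice, "FI_VENDOR_PAY", "ap-manager", DAY0))       # refused: SoD
    print(request_access(alice, "FI_REPORT_VIEW", "finance-controller", DAY0))
    print("overdue at day 100:", review(alice, days_after(100)))           # high-risk grant lapsed
    print("revoked on leaving:", offboard(alice))
```

The same three functions apply whether the entitlement lives in SAP, RACF or a cloud application; the policy is attached to the identity and its business owner, not to the system that happens to host the account.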
4. Consistency Throughout The Lifecycle
It’s more important than ever to apply centralised, automated controls and policy to keep key identity business processes safe, secure and compliant. Adding consistency and repeatability will allow enterprises to strengthen their controls, work more efficiently, and promote good governance policies over the long term. Importantly, cloud apps should always be handled using the same processes and centralised controls as the applications in the data centre.
5. User Experience Is Everything
IAM tools and technology must continue to evolve to more closely mirror the user experience that consumer-focused technologies provide. The right overall user experience is a critical part of achieving widespread, active and ongoing participation from business users inside and outside of the enterprise throughout the identity lifecycle. The user experience has to be part of the business flow, not apart from it.
While it could be argued that there are more than five tenets (even 10 to 20), it is important to remember that the one thing an organisation can and should do is focus on the core practices that have been proven to work over the storied history of IAM. By defining, securing and managing identity regardless of the IAM deployment technology, the application being managed, or the infrastructure it all runs upon, the organisation can stay compliant and secure as the technologies it implements continue to evolve.