Wednesday, September 28, 2011

The Dirty Secret of Identity Management

When engaging with a customer, I like to begin by asking them a simple question: What is the first thing you think of when you hear the term Identity Management? In nine out of ten cases, they will mention user provisioning. Yes, we all love the idea of automated user provisioning. Provisioning rocks. In fact, provisioning is arguably the most prominent driver for most identity management projects.

There is one small problem, and it is a problem that most IAM practitioners are often terrified to admit. Provisioning projects are rarely successful. By which I mean that they generally fail to deliver promised benefits. Based on my own experience and that of other IAM professionals with whom I've discussed this topic, it is extremely rare for an organization to implement automated provisioning for more than 20% of all systems, regardless of what identity management product they are using. This isn't because commercial identity suites are technically inadequate, or even because organizational bottlenecks prevent the introduction of automated provisioning processes. It is because ultimately, provisioning is only a relatively minor element of a comprehensive IAM strategy, and practitioners have a tendency to overstate its importance. I've seen numerous cases where IAM project leads have focused on universal provisioning like Captain Ahab pursuing a whale, and their refusal to acknowledge that identity management involves much more than the mere deployment of provisioning connectors and workflows can lead to catastrophic project failure.

In the abstract, the expected benefits of automated provisioning make perfect sense. Operational efficiencies, reduced labor costs and faster onboarding are all legitimate metrics for an identity management ROI. But as identity management has matured, it has become increasingly apparent that provisioning is perhaps not quite as important as many practitioners once thought, and there is a compelling case to be made that identity governance has emerged as a more critical factor in the success of IAM projects.

To demonstrate this, let's begin by decomposing the various phases of a typical identity provisioning lifecycle:
  • Aggregation: Core identity data is seeded from an authoritative source such as an HR system or contractor database.
  • Reconciliation/Correlation: Existing accounts on target systems are discovered and inspected, and identities are linked to accounts on target systems using correlation rules.
  • Request: The user requests an entitlement on the target system. Alternatively, a request can be initiated by manual or birthright assignment of a role.
  • Approval: A designated individual approves or rejects the request.
  • Provision: The user is granted an entitlement on the target system.
When one considers identity lifecycle in these terms, it puts the importance of provisioning into stark perspective. Let's think about it another way. If we remove provisioning from the above lifecycle and just focused on the first four phases, would the ROI for identity management be significantly reduced? Think about how much easier it would be to deploy an identity management solution if provisioning were not a factor. I'll come back to this momentarily.

From a purely technical perspective, automated provisioning isn't terribly complex. Most commercial identity solutions ship with provisioning connectors for the vast majority of common enterprise systems and provide frameworks that enable the rapid development of connectors for custom applications. So why is automated provisioning so difficult to implement? The most common factor is poor data quality in target systems. This creates the risk of corrupting existing entitlements data when the provisioning system attempts to compensate for inconsistencies. Another reason is that system owners refuse to allow a provisioning system to touch their data. These two factors alone can create enormous bottlenecks for a provisioning-centric identity management project. Not to mention that some manual business processes, particularly in the Approval-Provision stage, can be extremely difficult to automate since they may require some discretionary judgment on the part of the provisioner. Such actions are not always possible to replace with automated logic, at least not in the short term.

It may sound like I'm contradicting my earlier statement that organizational bottlenecks are less significant than inadequate corporate governance in the failure of provisioning projects, but a robust governance frameworkat the core of which is a holistic IAM strategyis essential to avoid such bottlenecks from arising in the first place.

When considering the TCO of manual provisioning processes, labor costs tend to be relatively low, as there is usually minimal effort required of provisioners. Besides which, it is not uncommon to find that provisioners have developed their own automated techniques for assigning entitlements on the back end of the provisioning process. More significant labor costs are typically found in loss of productivity incurred by end users waiting for access requests to be approved, in addition to labor costs incurred by the need to perform manual access recertifications.

With all this in mind, let's return to my earlier question. If we take provisioning completely out of the mix, is there a significant impact on the ROI for identity management?

Consider the identity provisioning lifecycle I described earlier. If we raise it to a higher level of abstraction, we can describe it as follows:
  1. Aggregation/Reconciliation/Correlation
  2. Request/Approval
  3. Provision
If you focus on delivering just the first component in the knowledge that there is absolutely no risk of corrupting existing entitlements data, then it becomes possible to build out a large number of connectors and produce a unified view of entitlements data across the enterprise within a very short timeframe. This also creates the opportunity to perform data cleansing, because the identity management system is aggregating and correlating accounts and flagging any inconsistencies.

In the meantime, you can begin to layer centralized request/approval workflows on top of your identity data, using generic, parameterized workflow templates. If designed properly, workflows can be configured to generate a ticket for the human provisioner once all requisite approvals have been completed. Once the entitlement has been provisioned, the provisioner is required to sign into the identity management system and certify the request as completed. This will be verified by the identity management system during the next periodic reconciliation. Delinquent requests, unmatched/orphaned accounts and unapproved entitlements are discovered and flagged for review as part of the reconciliation process.

Finally, once you have analyzed and cleansed your data and the organization has become comfortable with the notion of a centralized identity management platform, you can begin to selectively enable automated provisioning and take human provisioners out of the loop. It still may not be possible to do this for every system, but by this point, the benefits already delivered by the identity management project will have compensated for this. If the request/approval workflows have been designed correctly, then making the switch from manual to automated provisioning should merely involve a configuration change, regardless of what identity product is being used.

Adopting this approach allows you to achieve rapid benefits by providing a unified, enterprise view of who has access to what within a very short space of time, perhaps even within days or weeks. Once you have created this level of visibility into privileges across the enterprise, it is relatively trivial to centralize and automate access recertifications, enable advanced compliance reporting and even begin the process of role analytics.

To the best of my knowledge, SailPoint is currently the only IAM/IAG vendor to have embraced the methodology I just described. They refer to automation as "last mile provisioning", and the architecture of their flagship IdentityIQ product effectively promotes a loosely coupled relationship between provisioning connectors and the core identity governance engine. SailPoint has been enormously successful in proving the efficacy of this approach. Yet in theory, there is nothing to prevent any commercial identity management solution from being deployed in this manner, providing that connectors are configured in read-only mode.

The "last mile" methodology focuses on horizontal rather than vertical introduction of identity services to the enterprise. By reducing the emphasis on automated provisioning in favor of identity governance, it clearly maximizes the chances of a successful implementation without significant impact on ROI.

No comments:

Post a Comment