Consider the classic approach to a provisioning-centric identity management project. A first phase may involve standing up the foundational infrastructure and seeding users from an authoritative source such as an HR system. A second phase performs automated provisioning of these users into Active Directory. A third phase extends this same functionality to an enterprise directory, and so on, and so on.
This approach encourages the notion of vertical identity management silos, each of which has to be conquered independently of the others, as illustrated here.
Figure 1: Classic Provisioning Approach |
Within each of these silos, several things need to happen before automated provisioning becomes possible. Prerequisites typically include account discovery and correlation, data analysis and cleansing, and business process architecture. Accordingly, it can take a large enterprise several months to implement user provisioning for even a single resource. When an organization has potentially hundreds of systems that need to be managed, it becomes obvious why the failure rate for provisioning projects is so high.
Intuitively, one might think that after user provisioning has been implemented for the first resource, subsequent phases should become easier. After all, by this point the internal team is more comfortable with the technology and has gained valuable experience. Unfortunately, the opposite tends to happen. The problem with the siloed approach is that it precludes a holistic view of identity. It is therefore common for IAM architects to make false assumptions in early phases about how identity data will be persisted throughout the organization, only to have those assumptions shattered later on when attempting to manage a resource that has unusual (and previously undocumented) requirements. This inevitably requires rework and regression testing of processes that have already been implemented. I have yet to see an identity project where this didn't happen.
In summary, the classic silo approach so common in user provisioning projects is a recipe for budget overruns, extended timelines, complex configurations, inconsistent business logic and worst of all, failure to extend identity management to all critical systems.
A Governance-Centric Approach
Given the relatively low ROI and the high failure rate for provisioning-centric IAM projects, it is clear that a different approach is necessary. This is not to say that automated provisioning is unnecessary or even undesirable, but it should be viewed as just one piece of the identity management puzzle.
A governance-centric implementation strategy takes a horizontal, and therefore a more holistic approach to identity management, as illustrated here:
Figure 2: Governance-Centric Identity Management |
Phase one is now focused on the seeding, discovery and correlation of accounts for all relevant systems. Obviously, there is still a requirement to stand up the base infrastructure and seed user identities from an authoritative source, but beyond that, the goal of phase one is to build an aggregate view of identity data, providing visibility into who has access to what. This is achieved by implementing read-only connectors that go out to each resource, discover accounts and correlate them to identities where possible. There is no end-user functionality, no provisioning and thus no risk to the integrity of existing processes or data.
With this approach, it should be possible in most cases to create an aggregate view of access privileges within days or weeks, depending on how many resources are being queried. The discovery and correlation process for each resource will immediately be able to identify any orphaned or rogue accounts, in addition to data inconsistencies. These can be flagged for remediation as part of the data clean-up exercise that is essential to the success of subsequent project phases.
Once the aggregate view has been created, it immediately becomes possible to centralize and automate access recertification requests and compliance reports, perform role mining and analytics, and even to start introducing detective policy enforcement at the enterprise level. By any standard, these are all significant benefits for a phase one release. Furthermore, a horizontal approach promotes a more holistic view of identity, which helps to prevent the proliferation of resource-specific policies, processes and configurations. From the beginning, policies are implemented globally.
By the end of phase one, connectors are live for all critical target resources and identity data has been validated and cleansed. It therefore becomes possible to approach subsequent phases with a much higher degree of confidence and certainty than it would with a "one resource at a time" approach.
Phase two involves layering repeatable, generic business processes on top of what has been built thus far. Such workflows will typically encapsulate identity lifecycle events (new hire, transfer, terminate, etc...) and access request/approval processes. Again, the goal here is to define processes that are generic and reusable enough that they can be implemented globally. Business process workflows should be specialized only by the metadata with which they are populated at runtime. For example, consider an access request/approval pattern. In any organization, there are normally no more than a tiny handful of "types" of approval pattern (i.e. Manager Only, Synchronous, Asyncronous, and so on...) While each resource may require the requester or approver to provide resource-specific data, even the forms used to collect that data can be dynamically created at runtime by passing arguments into a workflow.
Once business processes have been defined as workflows, end users, managers and designated approvers can begin to use the identity management system to initiate and approve access requests. On the back-end of each process, a ticket or email can be generated to the "provisioner", who simply has to grant the desired privilege. Keeping human provisioners engaged is a useful mechanism for heading off any operational issues that may result from the introduction of new business processes. Based on their feedback, processes can be further refined to satisfy business requirements without impacting the data on any resource.
By the end of phase two, we have seeded all our accounts, deployed connectors into all target systems, created a global reporting capability, defined a unified view of access privileges and introduced centralized/streamlined business processes. Again, the benefits from phase two are significant; for one thing, centralized business processes offer greater enhanced auditing capabilities, but just as important, it begins to establish identity management as part of the corporate culture.
Which brings us to phase three. Now that the data is clean and new business processes have been introduced, existing read-only connectors can simply be write-enabled in order to start provisioning. This should be done on a resource-by-resource basis. But without the overhead of reconciliation, correlation and data cleansing for each resource, that should be a relatively trivial exercise compared to the effort of deploying provisioning connectors using the classic project approach. If workflows have been designed correctly (naturally, this depends to some extent on the identity product being used), making the switch from manual to "last mile" user provisioning should involve little more than a configuration change.
So there you have it; a holistic, governance-based strategy for implementation of an Identity Management solution. As I noted in my previous comments on this topic, the governance-centric approach is not dependent on any particular brand of identity management tool, as all of the major commercial offerings have the ability to deploy read-only connectors, correlate and define loosely-coupled workflows. In fact, the only obstacle is the willingness of IAM practitioners to think differently.