Exploring the *real* world of Identity Management Systems
The Truth About Identity Management Systems
The topic: Identity Management Systems. What they are, what they are not, and things to consider when choosing one for your organization.
What is an Identity Management System?
An Identity Management System, or IdMS, is an integrated system of software, hardware, and network components that collectively provide the ability to:
1) Create new user accounts in multiple systems from a single place.
2) Let users create and manage multiple passwords from a single place.
3) Provide detailed audit reports to management and outside auditing agencies, to monitor compliance with security and privacy legislation such as GLBA and HIPAA.
4) Remove all user accounts and permissions from all places in the organization's computing infrastructure. Examples include Active Directory, web sites, and email systems.
5) Create and manage complex business workflows and request processing systems.
6) Restrict access to systems.
7) Create roles and role-based access control (RBAC) models.
8) Change user names, build user customization profiles, and deliver customized content based on profiles and preferences.
NOTE: The "Access" portion of "Identity Access Management" or "IAM" is a separate component, which will be covered in a different Lens.
What is NOT an Identity Management System?
1) It has nothing to do with credit cards and credit scores.
2) It does not specifically refer to system access controls, though some systems blur this distinction (more on this in another Lens).
3) It is not a solution or a panacea for broken organizational business processes, though it can facilitate improvement.
4) It is not something that can ever provision or de-provision accounts to all systems in your organization. Some systems are "black boxes": because of their proprietary nature, they do not integrate with external systems.
5) It has nothing to do with corporate branding or creating logos. For some reason, certain marketing people have hijacked the term to use for things like creating logos and artwork.
6) It is not primarily about security; rather, the core functions of a provisioning system are systems management, compliance measurement, user experience improvement, improved business process, and reduced cost. Security is simply a side benefit, and ties more closely to the "Access Management" portion of "Identity and Access Management."
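To make the capability list above concrete (single-place provisioning, role-based access, de-provisioning everywhere, audit reporting) and to show the "black box" caveat in point 4, here is an added Python sketch of a toy provisioning engine. It is example code written for this Lens, not a product, a vendor API, or code from Links Business Group; the target system names, the role model, and the connector classes are all constructed for illustration. The point it demonstrates is that a leaver whose account survives on a non-integrated target is exactly the kind of audit finding an IdMS is bought to prevent, so the engine must record that manual work is still outstanding rather than silently report success.

```python
# Constructed RBAC model: role -> target system -> entitlements granted there.
ROLE_MODEL = {
    "analyst": {"active_directory": ["Domain Users"], "email": ["mailbox"],
                "web_portal": ["reader"], "legacy_badge_system": ["door_access"]},
    "admin": {"active_directory": ["Domain Users", "Server Admins"], "email": ["mailbox"],
              "web_portal": ["editor"], "legacy_badge_system": ["door_access", "server_room"]},
}


class Connector:
    """A target system the IdMS can drive through an API (in-memory stand-in)."""

    def __init__(self, name):
        self.name = name
        self.accounts = {}  # username -> set of entitlements

    def create(self, user, entitlements):
        self.accounts[user] = set(entitlements)

    def revoke(self, user):
        """Return True if an account existed and was removed."""
        return self.accounts.pop(user, None) is not None


class BlackBoxConnector(Connector):
    """A proprietary target with no integration interface (hypothetical).
    Every call fails, so the IdMS must record that a manual change is outstanding."""

    def create(self, user, entitlements):
        raise NotImplementedError(f"{self.name}: no API; raise a manual ticket")

    def revoke(self, user):
        raise NotImplementedError(f"{self.name}: no API; raise a manual ticket")


class IdMS:
    """Central provisioning engine: one place to create and remove accounts
    across every connected target, with an audit row for each attempt."""

    def __init__(self, connectors):
        self.connectors = {c.name: c for c in connectors}
        self.audit = []  # list of dicts; one row per attempted change

    def _log(self, action, user, target, outcome):
        self.audit.append({"action": action, "user": user, "target": target, "outcome": outcome})

    def provision(self, user, role):
        """Create the user's account on every target named by the role.
        Returns the targets that still need a human to act."""
        pending = []
        for target, entitlements in ROLE_MODEL[role].items():
            try:
                self.connectors[target].create(user, entitlements)
                self._log("create", user, target, "ok")
            except NotImplementedError:
                self._log("create", user, target, "manual_required")
                pending.append(target)
        return pending

    def deprovision(self, user):
        """Remove the user everywhere; returns targets still needing manual work."""
        pending = []
        for target, conn in self.connectors.items():
            try:
                removed = conn.revoke(user)
                self._log("revoke", user, target, "ok" if removed else "no_account")
            except NotImplementedError:
                self._log("revoke", user, target, "manual_required")
                pending.append(target)
        return pending

    def orphan_accounts(self, active_users):
        """Compliance check: accounts on API-driven targets whose owner is no
        longer in the authoritative user list (e.g. the HR roster)."""
        return [(name, user) for name, conn in self.connectors.items()
                for user in sorted(conn.accounts) if user not in active_users]

    def outstanding_manual_work(self):
        """Audit rows that still require a person to act on a black-box target."""
        return [row for row in self.audit if row["outcome"] == "manual_required"]


def build_demo():
    """Constructed environment: three API-driven targets and one black box."""
    return IdMS([Connector("active_directory"), Connector("email"),
                 Connector("web_portal"), BlackBoxConnector("legacy_badge_system")])


if __name__ == "__main__":
    idms = build_demo()
    print("alice pending:", idms.provision("alice", "analyst"))
    print("bob pending:", idms.provision("bob", "admin"))
    print("orphans vs HR roster {alice}:", idms.orphan_accounts({"alice"}))
    print("bob leaver, still pending:", idms.deprovision("bob"))
    for row in idms.outstanding_manual_work():
        print("TICKET:", row["action"], row["user"], row["target"])
```

Running it shows three things the Lens describes: one call provisions or removes a user on every integrated target; the orphan check turns the connectors' account lists into the kind of compliance report auditors ask for; and the black-box target never reaches "ok", so its rows stay in the outstanding-work list until someone closes them by hand.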
Identity Management System Selection Criteria
Ok, time to burst vendor bubbles here. Ready? The first point of consideration when looking into Identity Management Systems is: what is (or are) your business driver(s) for implementing one? In other words, why do you really need one? Who mandated it? Are you truly looking for the comprehensive benefits of a good Identity Management package, or are you:
1) Panicking because of an audit finding?
2) Looking at these systems because of a conference you went to?
3) Doing what your system software vendor, who just happens to carry Identity Management Systems, told you to do?
4) Acting for any other reason besides those determined by your organizational business requirements and steering committee/senior management decisions?
If you answered "yes" to any of the above, then it's time to step back and evaluate. A primary prerequisite is to read IAM Success Tips: Volume 1. The IAM Success Tips series covers the "missing pieces" of IAM and Identity Management Systems. Specifically, it covers all of the real world issues and things that must be considered when embarking on such a major endeavor. All the good things that software vendors may not want to share.
Let us assume that you have determined that you really and truly need an Identity Management System, and your organization is truly committed to the time, money, resources, and management support necessary to pull off a project of this type and magnitude. Here is a summarized list of selection criteria:
1) What systems will be integrated with your Identity Management System? (integration targets)
2) Are all of your integration targets supported by the Identity Management System (IdMS)? If not, which ones are not? Can the ones that are not supported be customized, or can the IdMS be customized to integrate them later?
3) What resources do you have internally to support an IdMS?
4) What resources do you have internally to support the systems that will connect to the IdMS?
5) Do you have database clustering expertise in house? If not, can you obtain it? Are you willing to obtain it? Ditto for front-end components and certain directory services.
6) What encryption standards must be supported for "standing" data (data at rest)? For data in transit?
7) Will your IdMS need to "talk" to other IdMS? If so, which standards, and which versions of those standards, must be supported by each one?
8) How long have your potential IdMS vendors been in the IAM "space" or vertical? Did they just buy their way in by blindly acquiring other companies, or do they have a true pedigree in the Identity Management space? If they acquired other companies to add IdMS capability, how committed are the employees of the acquired company to supporting your program over multiple years?
9) What type and depth of relationship do you have with your potential IdMS vendors? Do they have the depth and expertise to support you? If not, what standards do they use to select their partners? If they use partners or subcontractors, who is ultimately responsible for work delivery?
10) How much customization is required to make the IdMS usable? (Customization or "build" vs. "buy" or "retail functions in the box.")
11) Has the vendor supported and passed Liberty Alliance interoperability testing? Are they willing to commit to a short proof of concept (POC) to prove out their software against your organizational requirements?
12) What types of support options and levels are offered with the product?
13) Does the IdMS require databases, application hosting software (such as custom J2EE application servers), custom drivers, or components which you do not currently have in house?
14) How will your IdMS investment be future-proofed by the vendor? What is the vendor's roadmap for the product?
15) How quickly will the vendor respond to bug reports and deliver fixes?
16) What is the effective shelf life of each product version? In other words, when does each version of the product you may implement in your production environment reach "end of life"? This is key, and often overlooked. IdMS are big, complex, and resource-intensive projects. The payoff is HUGE if done correctly, but if done incorrectly, the COST is enormous.
Summary and additional Identity Management Resources
We have covered a lot of ground today. As you review this Lens, realize that while it may seem daunting, the benefits of a well executed Identity & Access Management (IAM) program are numerous, and far outweigh the initial implementation and maintenance costs.
Want to learn more? Visit the following sites:
LinksBusinessGroup.com
The Identity Management Success Blog
Links Business Group LLC also offers the only Identity Management Podcast of its kind, focused on the IAM basics and dedicated to helping organizations around the world succeed with their Identity Management Plans. The Identity Management Success Podcast can be found through iTunes, the Identity Management Success Blog or picked up directly from our RSS Feed.
Thanks for reading!
All the Best, of Identity Management Success
Corbin H. Links, President
Links Business Group LLC
