Most Organisations Approach IAM in the Wrong Way

  •  Dec 12, 2013

Planning for IAM often starts from the wrong direction with the wrong people, says Research

New Delhi: Most organizations are approaching identity and access management (IAM) in the wrong way by working with production requirements first, according to Gartner, Inc.

Between half and two-thirds of organizations attempting to establish a truly effective IAM program approach it in the wrong way, said Earl Perkins, research vice president at Gartner. IAM process requirements should always precede organization and technology decisions. But currently, most IAM planning is done around clusters of technologies, rather than by addressing specific IT or business processes.

The build experience of IAM projects has traditionally not been a good one, said Perkins. While some experiences have improved and technologies are evolving, major efforts to formally build an IAM system for an organization overlook a key lesson: planning for IAM often starts from the wrong direction with the wrong people, or at least not everyone who should be involved.

IAM started out as a "fix the plumbing" concern. However, with the advent of risk, compliance, accountability and transparency, this has changed. Now, the basis for good IAM involves a very active role by the organization as a whole, as only they can truly say what and how accountability and transparency of access should work for them. In an era where accountability and transparency are required and must be formalized, this means a more focused and structured approach for all parties affected, and not just IT.

IAM should not be planned with operations in mind; rather, it should be based on the foundations of the organization relative to policies, processes and people, said Perkins. Products are actually a relatively small focus of the decision process in an IAM program.

Gartner said that looking at IAM as a process has several advantages. First, it removes the product-centric pattern the market has placed on IAM. Instead of looking at IAM as a set of products to be purchased to fill technology gaps in an organization, viewing IAM as a process attempts to identify where people and IAM technology can be most effectively inserted to fulfill the practices and policies of the organization, Mr. Perkins said. It also contributes in a significant way to how enterprise, and security, architecture is enriched with the addition of IAM-specific architecture.

IAM as a process also helps to identify the key questions that need to be asked during IAM product selection (such as how those products fulfill specific process steps). Viewing IAM as a process helps an enterprise articulate its requirements and target them through prioritization of need. It helps map the IAM process on top of known business processes to determine the convergence or touchpoints for control and intelligence purposes. Process steps that are best performed manually or are people-intensive can be identified, as can different IAM process flows for different organizations, applications or system environments.

IAM as a process essentially serves as a lens for enterprise customers to permit a horizontal view of the identity and access process across the vertical landscape of business and IT within an organization, said Perkins. As such, it encourages customers to discover for themselves the current manual and automated processes supporting IAM, and to map them to this core process view to identify current problem areas in their process.

Perkins added that the operational process view of IAM can also enable the customer to define organizational roles for managing IAM and developing an identity and access governance model that incorporates those operations.

By linking operational IAM process to the policy model of the organization, this part of IAM governance can be established as a life cycle, rather than as an ad hoc set of activities applied in a reactionary way to access and identity problems. IAM as a process can be effective in converging business and enterprise processes with IT processes and accelerating IAM program maturity for the long term.
