Taking a Governance-based Approach to Identity Management

Mike Wyatt

Over a 21-year career in IT and IT business consulting - the last 11 focused specifically on identity management - I have been directly involved in a number of provisioning implementations and have managed even more as an engagement director. I'm struck by the fact that while user expectations and needs have evolved significantly in the last decade, much of the technology has remained the same - almost frozen in time. The core functions of provisioning as defined in the late 1990s are much the same today as they were then: user administration consoles, workflow and forms, provisioning policies, and connectors to enterprise resources.

What has changed significantly is how the identity management market has responded to growing demand for identity governance, risk management and compliance. Amid these market changes, an emerging category of identity management solutions called "identity governance" has appeared to complement provisioning. In many ways, these solutions are better suited than provisioning to centralized visibility and control.

In the mid-2000s, governance, risk and compliance (GRC) emerged as the primary business driver for identity management projects. At the time, most provisioning vendors claimed to address regulatory requirements with their core provisioning products, and many acquired third-party specialty products to deliver access certifications, separation-of-duty (SoD) policy enforcement, and comprehensive audit and reporting capabilities. The same 'extension by way of acquisition' occurred when the provisioning vendors began buying up role management specialists. Roles came to be viewed as a way to simplify both compliance and provisioning, and most provisioning vendors chose to add these capabilities to their respective portfolios.

Provisioning's "gravitational pull" over the past decade has put the technology on a path to potentially become an all-encompassing identity management monolith - delivering such broad functionality that it is difficult and costly to deploy. I call this 'the broken promise of provisioning.' Industry analysts have written about the same factors that I'm pointing out. In a July 2010 Gartner report, 'Provisioning's Role in the Next-Generation IdM Architecture,' Lori Rowland stated: 'Current provisioning architecture does not scale to meet growing business requirements. The existing provisioning architecture is being pushed to its limit; as a result, organizations are rethinking their provisioning infrastructures.'

While provisioning solutions solved a number of important problems when they first emerged, many of them have evolved into a set of technologies that most organizations find difficult to deploy and costly to maintain. Because of this complexity, many provisioning projects failed or did not meet critical business requirements. Worse still, companies that have deployed these products find themselves with limited alternatives as business priorities continue to evolve and shift.

The Center of the Identity Management Universe? Identity Governance

The heart of the question many of us in the identity management world are asking ourselves is: what should the centralized management point for identity be? In the past, most of us assumed that provisioning was the answer. I'm beginning to think that may not be the case. Identity governance solutions have appeared on the market to complement provisioning, and in many ways they are better suited than provisioning to centralized visibility and control. I'd like to highlight three capabilities of identity governance to make my case: they are business-oriented, they allow organizations to manage identities in the context of a desired state, and they deliver value with or without direct connections to managed resources.

Business orientation: One of the key changes I've observed over the last decade has been the growing involvement of business users in identity management processes. Identity governance solutions were designed with this requirement in mind, with business-friendly interfaces for access requests, approvals, access reviews, policy definition and role modeling. They also provide extensive glossaries and help facilities that translate raw IT data (group names, permission strings, application-specific privilege codes) into information a line-of-business reviewer can act on. Why is the inclusion of business users important? Identity management has evolved beyond IT administration and now enables business and GRC process automation. That means you can no longer deploy identity management without actively involving business users alongside IT users.

Strong desired state models: Identity governance solutions use a governance model to establish the 'desired' state of identity within an organization. This model comprises entitlements, roles and policy, and it functions as a centralized system of record for how access should be granted (who should have access to what). The solution then compares that model against the actual state (who does have access to what) and surfaces the differences: access held but not modeled, access modeled but not held, and combinations of access that violate separation-of-duty policy. Identity governance solutions therefore provide both the preventive controls (block a request that would create a policy violation) and the detective controls (find violations and orphaned access that already exist) required to meet today's GRC requirements, and they streamline deployment and runtime operations by reducing the need to rely on custom-coded policy and workflow.

A flexible approach to resource connectivity: Provisioning systems require a significant investment of time and resources to build connectors for each IT resource. The connectivity layer must be formally implemented before any meaningful management or governance activities can begin. Identity governance solutions, on the other hand, use lightweight, read-only connectors to rapidly onboard applications, giving organizations immediate visibility into the actual state and enabling them to move rapidly toward the desired state. One caveat applies in practice: a read-only import is only as current as its last run, so the detective picture is a snapshot and the import schedule should match how fast access changes in the application. These vendors support a variety of tools and processes for pushing changes to managed resources, including integration with provisioning systems, help-desk systems and even manual methods of change. The result is that organizations can connect to more applications, more quickly, with identity governance, and use the most cost-effective approach to push changes out to each application.
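The comparison described in the last two points, reduced to code as an added example (this is not code from the original post or from any vendor's product). The role model, user assignments, SoD rules and the "actual access" a read-only connector might report are all constructed sample data; the function names are my own. The example shows the three things the governance model has to produce: a detective report of SoD violations in the actual state, a preventive check on a new access request, and a list of change requests that is independent of whether a provisioning connector, a help-desk ticket or an administrator will carry them out.

```python
# Added example (not from the original post): reconcile a governance "desired
# state" (roles, entitlements, SoD policy) against the "actual state" reported
# by read-only connectors. All names and sample data below are constructed.

# Desired-state model: each role bundles the entitlements it grants.
ROLE_ENTITLEMENTS = {
    "ap_clerk":   {"erp:vendor_create", "erp:invoice_enter"},
    "ap_manager": {"erp:invoice_approve", "erp:payment_release"},
    "hr_analyst": {"hris:employee_read"},
}

# Desired-state model: which roles each identity should hold.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_manager"},
    "carol": {"hr_analyst"},
}

# Separation-of-duty policy: entitlement pairs no single identity may combine.
SOD_RULES = [
    ("erp:vendor_create", "erp:payment_release"),
    ("erp:invoice_enter", "erp:invoice_approve"),
]

# Actual state, as a read-only connector (or a CSV export) would report it.
# "dave" holds access but has no roles: an orphaned or unmodelled account.
ACTUAL_ACCESS = {
    "alice": {"erp:vendor_create", "erp:invoice_enter", "erp:payment_release"},
    "bob":   {"erp:invoice_approve"},
    "carol": {"hris:employee_read"},
    "dave":  {"erp:invoice_enter"},
}


def desired_access(user_roles=USER_ROLES, role_entitlements=ROLE_ENTITLEMENTS):
    """Expand role assignments into the entitlements each user should hold."""
    return {
        user: set().union(*(role_entitlements[r] for r in roles))
        for user, roles in user_roles.items()
    }


def reconcile(actual, desired):
    """Compare actual to desired. Returns (excess, missing): user -> entitlements.

    excess  = held but not modelled  -> candidates for revocation (detective)
    missing = modelled but not held  -> candidates for provisioning
    """
    excess, missing = {}, {}
    for user in sorted(set(actual) | set(desired)):
        have, want = actual.get(user, set()), desired.get(user, set())
        if have - want:
            excess[user] = have - want
        if want - have:
            missing[user] = want - have
    return excess, missing


def sod_violations(access, rules=SOD_RULES):
    """Detective control: which users currently combine a forbidden pair."""
    return [
        (user, a, b)
        for user, ents in sorted(access.items())
        for a, b in rules
        if a in ents and b in ents
    ]


def sod_check_request(user, requested, access, rules=SOD_RULES):
    """Preventive control: the rules a request would break if it were granted."""
    ents = access.get(user, set()) | {requested}
    return [(a, b) for a, b in rules if a in ents and b in ents]


def remediation_plan(excess, missing):
    """Change requests independent of transport: a provisioning connector,
    a help-desk ticket or a manual admin task can all consume this list."""
    plan = [("revoke", u, e) for u in excess for e in sorted(excess[u])]
    plan += [("grant", u, e) for u in missing for e in sorted(missing[u])]
    return plan


if __name__ == "__main__":
    desired = desired_access()
    excess, missing = reconcile(ACTUAL_ACCESS, desired)
    print("policy SoD violations :", sod_violations(desired))
    print("actual SoD violations :", sod_violations(ACTUAL_ACCESS))
    print("remediation plan      :", remediation_plan(excess, missing))
    print("bob + vendor_create   :", sod_check_request("bob", "erp:vendor_create", desired))
```

Running the sample flags alice for combining vendor creation with payment release, flags dave's unmodelled access, notes that bob is missing an entitlement his role grants, and rejects a request to give bob vendor creation because it would collide with the payment release he is supposed to hold. Note that the preventive check runs against the desired state, not the actual one: a request should be evaluated against what the person is entitled to, since an entitlement that is merely missing today may be granted tomorrow.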

The Revolution of Identity Governance Delivers Results

Rethinking how we approach centralized control over identity management may seem revolutionary, but it's preferable to continuing down the same path with the same results. As an industry, I think it's imperative that we provide customers with a path to success that cost-effectively addresses today's identity management requirements, which are equal parts business and technology. The shift toward identity governance is a positive one. Approaching the solution from a governance perspective may help companies achieve greater business agility, satisfy GRC requirements and deliver positive results to executive management.
