Over a 21-year career in IT and IT business consulting - the last 11 focused specifically on identity management - I have been directly involved in a number of provisioning implementations and have managed even more as an engagement director. I'm struck by the fact that while user expectations and needs have evolved significantly in the last decade, much of the technology has remained the same - almost frozen in time. The core functions of provisioning as defined in the late 1990s are much the same today as they were then: user administration consoles, workflow and forms, provisioning policies and connectors to enterprise resources.
What has changed significantly is how the identity management market has responded to growing demand for identity governance, risk management and compliance. Amid these market changes, an emerging category of identity management solutions, called "identity governance," has appeared, complementing provisioning. In many ways, these solutions are better suited than provisioning for centralized visibility and control.
In the mid-2000s, governance, risk and compliance (GRC) emerged as the primary business driver for identity management projects. At the time, most provisioning vendors claimed to be able to address regulatory requirements with their core provisioning products, with many acquiring third-party specialty products to deliver access certifications, separation-of-duty policy enforcement, and comprehensive audit and reporting capabilities. The same 'extension by way of acquisition' occurred when the provisioning vendors began buying up role management specialists. Roles came to be viewed as a way to simplify compliance and provisioning, and most provisioning vendors chose to add these capabilities to their respective portfolios.
Provisioning's "gravitational pull" over the past decade has put the technology on a path to potentially become an all-encompassing identity management monolith - delivering such broad functionality that it is difficult and costly to deploy. I call this 'the broken promise of provisioning.' Industry analysts have written about the same factors that I'm pointing out. In a July 2010 Gartner report, 'Provisioning's Role in the Next-Generation IdM Architecture,' Lori Rowland stated: 'Current provisioning architecture does not scale to meet growing business requirements. The existing provisioning architecture is being pushed to its limit; as a result, organizations are rethinking their provisioning infrastructures.'
While provisioning solutions solved a number of important problems when they first emerged, many of these solutions have evolved into a set of technologies that are difficult for most organizations to deploy and costly to maintain. Because of the complexity of these solutions, many provisioning projects failed and did not meet critical business requirements. Worse still, companies deploying these products find themselves with limited alternatives as business priorities continue to evolve and shift.
The Center of the Identity Management Universe? Identity Governance
The heart of the question many of us in the identity management world are asking ourselves is: What should the centralized management point for identity be? In the past, most of us assumed that provisioning was the answer. I'm beginning to think that may not be the case. An emerging category of identity management solutions called identity governance has appeared on the market to complement provisioning, and in many ways these solutions are better suited than provisioning for centralized visibility and control. I'd like to highlight three capabilities of identity governance to make my case: they are business-oriented, they allow organizations to manage identities in the context of a desired state, and they deliver value with or without direct connections to managed resources.
Business orientation: One of the key changes that I've observed over the last decade has been the growing involvement of business users in identity management processes. Identity governance solutions were designed with this requirement in mind, with business-friendly interfaces for access requests, approvals, access reviews, policy definition and role modeling. They also provide extensive glossaries and help facilities to translate complex IT data into more understandable information. Why is the inclusion of business users important? Identity management has evolved beyond IT administration and now enables business and GRC process automation. That means you can no longer deploy identity management without actively involving business users alongside IT users.
The Revolution of Identity Governance Delivers Results
Rethinking how we approach centralized control over identity management may seem revolutionary, but it's preferable to continuing down the same path with the same results. I think it's imperative that we, as an industry, provide customers with a path to success that cost-effectively addresses today's identity management requirements, which are equal parts business and technology. The shift toward identity governance is a positive one. Approaching the solution from a governance perspective may help companies better achieve business agility, satisfy GRC requirements and deliver positive results to executive management.