I have a new respect for my Identity, Privacy, Security, and Risk Management brethren. They get to come to San Francisco in a heatwave and banter about the state and future of security. This year I got to come with them, and it has been very enlightening.
As you can probably tell from my other posts, I try to find the big picture. Honestly, identity management, role management, and other arcane aspects of the security space can be a bit "cryptic". But lately, the relationship of these topics to larger-level issues has been coming into focus for me. What I've learned this week is that confusion is more common than not when it comes to Identity Management (IdM) initiatives within large enterprises.
I spent an intense day with our identity and privacy team harvesting through data gathered from their ongoing research on role management. Kevin Kampman, Ian Glazer, and I will be writing at length about these findings in the coming months.
One thing that struck me as I stared at thousands of post-it notes is this: "No one really wants to own this." The technology guys want the business to take ownership, the business guys say, "no, this is a technology thing." This confusion about accountability makes it virtually impossible to formalize a system of roles and processes that actually works. Even though the tooling appears to be quite functional in support of IdM, it really doesn't matter. Until the enterprise determines ownership and authority, those tools may as well be Tinker Toys.
This is an uncomfortable truth, and no surprise to IdM professionals, I'm sure. But the current economic situation is exacerbating the issue. Highly fluid workforces (i.e., people getting laid off) introduce risk to the organization if deprovisioning processes are broken. Provisioning and deprovisioning processes emerge from larger initiatives like Role and Entitlement Management that give the organization insight into who they have, what they do, what they access, and what they did.
As I ponder the research, another thing becomes clear. The complexity that often kills IdM initiatives could be mitigated with effective data modeling. The nest of relationships binding users to roles and entitlements is not easy to grok, and starting to build bottom-up will only make the complexity more intractable. And risk increases. Start with great data modeling, and the tools will be easier to apply. Also, you will have an artifact that your business partners can begin to understand.
The lack of ownership, IdM as a hot potato, stems from lack of insight and control. Data modeling of roles increases control and stabilizes the use of tools. Processes like deprovisioning then should become easier. Risk decreases. Easy, right?
Off to dinner now, to chew on these ideas some more.