Earl Perkins
A member of the Gartner Blog Network
Research VP, 3 years at Gartner, 32 years IT industry

Earl Perkins is a research vice president in the Security and Privacy team at Gartner. His focus areas include identity and access management (IAM), including user provisioning, role life cycle management…

Smart Grid, Operational Technology, or Industrial Control Security: What do you call it?

by Earl Perkins | January 20, 2012

Part of my research coverage at Gartner (in addition to identity and access management) is in what we refer to as the operational technology security environment. We refer to it as operational technology because most of the systems in question are used in the operations environments of industries and other companies. Some of you may have also read in the press about ‘smart grid security’, or ‘industrial control security’. All of these are part of a broad set of issues facing our country (and indeed, most countries) when it comes to critical infrastructure protection, or CIP.

Consider it this way. In addition to the personal computers we have at home and the computers large and small at work, there are also millions upon millions of smaller processing devices: computers in automobiles, on manufacturing assembly lines, in advanced medical equipment, and in modern electric, gas, and water meters. Everywhere you look there are small computers performing specialized functions across many industries. Increasingly, those processors are being networked, and in some cases they are even finding their way onto the Internet, either intentionally or unintentionally. This is where things can really start to get interesting, and not in a good way.

You have no doubt seen stories in the media about the hacking of critical infrastructure systems. One of the most notorious occurred in 2010 with the Stuxnet virus, which attacked specific technology from a specific vendor involved in (among other things) the nuclear power industry. In this case, it seemed likely that the incident was part of industrial espionage on the part of nation-states, but it highlighted the issues regarding the myriad of critical computing going on throughout our infrastructure.

One of the biggest problems, however, has been to separate the fear and near-hysterical tone of some of these reports from the real issues facing various industries today with operational technology. What exactly do we know for sure about operational technology security, and upon what can we commonly agree? Well, let’s see:

1- Operational technology security is a real and serious issue. Processors and their supporting firmware, operating system, and application environments have proliferated and, in many cases, have been deployed without considering basic principles of secure development. The means to secure these environments as a “layer” of data and systems protection has also not been a high priority for many industries, resulting in areas of weakness throughout the networks of systems;

2- Operational technology security is actually larger in terms of devices, systems, and code than information technology. Think about it: for every computer we have, there are hundreds of smaller processing devices (networked and not networked) throughout the world. These processors, embedded in so many different systems, constitute the largest deployment of information systems in the world. As these devices become more ‘intelligent’ and grow in complexity and function, the ‘attack surface’ for those devices grows;

3- We are becoming increasingly dependent upon operational technology to run our industries, our transportation, and our utilities. If key critical infrastructure within those industries remains in a compromised state, the risk for those enterprises goes up, and the likelihood of compromised systems also goes up over time;

4- There are lessons that have been learned in the ‘traditional’ computer security world that can be applied to the operational technology world, as long as the differences between operational and information technology are recognized and accommodated. While some of the practices and processes by which we began to successfully address computer security are applicable, there will be entirely new approaches necessary for some operational technology security needs.

There are no doubt other common facts upon which we can agree about operational technology security. The first step in doing something about the problem is to be aware that it exists, and to take practical and pragmatic steps to mitigate the risk to our critical infrastructure before, during, and after deployment of said infrastructure. In the days ahead, we will write more about this to contribute to that awareness. Gartner has existing research in this area and there is more to come.


The 6th Annual Gartner IAM Summit

by Earl Perkins | November 14, 2011

As I’m writing this, I’m somewhere over New Mexico on my way to Gartner’s annual Identity & Access Management Summit, this year in San Diego, California. This is our sixth annual summit in the USA, and I have been privileged to participate in 4 of them since returning to Gartner. What can I say to you about the Summit that won’t sound like just another commercial to get you to come?

The Summit, and others like it in the IAM industry, actually serve as an important peer forum, and we at Gartner like to think that we are part of that forum. It is an opportunity for people of like mission and mind to come together to discuss how they do it, what has worked and not worked for them, and to ask the questions that we at Gartner most need to hear. By doing so, all of us gain a common sense of purpose. We begin to see a shape, a pattern to IAM, and what it means to peers in this particular and peculiar business. By pooling our knowledge together, we make the experience hopefully meet real expectations.

Ah, I forgot to mention the theme of the Summit, didn’t I? It is “IAM Reality Check: Solutions and Practices for Successful Business”. Or as it is known internally by some: “Get Real, IAM!”. Perhaps you sometimes feel that analysts at Gartner are chartered with a “crystal ball” to try and predict future trends and analyze leading-edge technology and process. I don’t blame you, sometimes we sound that way. But we have another charter as well to clients. It is the charter of bringing proven practices to light. Gartner must serve as a distiller of all of the hard work you have done and package it in ways that allow others to minimize the continual rediscovery of how NOT to plan, build, or operate IAM.

So you could consider our 6th Annual IAM Summit as a way for ALL of us to listen to one another, to learn from one another. Sure, I know that sounds a bit pretentious given you’re paying to be at the event, but it is my sincere hope that Gartner’s contribution to the discussion at a minimum is as much about how much we’ve learned and can learn from your experiences, and how much we can help your future IAM experience be as productive as possible.

I think that’s enough rambling for now. I’m beginning to sound too much like a commercial. I hope to see some of you here at the Summit. Safe travels.


IBM Buys Q1 Labs: Identity and Access Intelligence Comes Into Its Own

by Earl Perkins | October 4, 2011

IBM’s announcement today of their acquisition of Q1 Labs, a security information and event management (SIEM) company, highlights a growing industry trend that has implications for identity and access management: acquiring tools and services available to support a formal security and IAM ‘intelligence’ practice in an enterprise or on behalf of an enterprise. What has been said in past discussions on this topic bears saying again now to emphasize this trend: the real value that IAM can provide to the business is in the intelligence it generates and owns about identity and access activities and events, not in the control it provides for access. IBM recognizes this through this and earlier acquisitions; Oracle recognizes it here at Open World this week with its emphasis on analytics across the enterprise (including security and IAM); NetIQ with Sentinel and its integration with their IAM portfolio; HP with its acquisition of ArcSight and integration into their security and IAM practices. The list goes on. Other security and IAM vendors in the industry are making similar moves in an effort to look at this as a ‘horizontal’ offering (across security and IAM products) that can be and is initiated as a distinctive practice in client enterprises.

No, they didn’t think of this all on their own. Their clients asked for it. As larger and more sophisticated IAM shops evolved their practice, they realized that without having a continuous stream of intelligence available to them from the processes IAM was involved in, they would be unable to answer important questions regarding matters related to forensics (e.g. detecting and preventing fraud during the access process) or compliance (e.g. providing detailed reports on meeting regulatory requirements as required by government and policy). It wasn’t enough to store identities and attributes, or to log authentication events; some method and tool was also needed to make sense of what was happening, to understand, through correlation and analysis of data from a number of different sources, the true end-to-end picture of those activities in identity and access management that occur every day to get work done.

While IAM has its own forensics, analytics, and data collection and correlation tools, to really have this generate the intelligence required for business-level decisions, other inputs, other ‘partners’, are required in the data gathering, correlation, analysis and reporting arena. That’s where someone like Q1 Labs comes in for IBM. IBM already has other tools for this practice from previous acquisitions (e.g. Internet Security Systems); Q1 Labs will provide another in their portfolio to offer experienced security and IAM shops the means to use identity and access intelligence effectively in decision-making.


Hiding “the Big Nasty” in IAM

by Earl Perkins | July 22, 2011

On the list of major annoyances for me are the trite media “sound bites” that you often hear on television or online, mostly from politicians, where they attempt to get their idea across in 5 seconds or less with a memorable turn of words. These phrases are decidedly unable to articulate the nature of the problem or the solution, but they sound great and make the speaker appear (emphasis on appear) intelligent. They do very little to advance the debate on issues, and in fact they often obscure complex issues that resist trite and easy answers. In other words, they hide ‘the big nasty’.

In case you haven’t noticed, I’ve just stooped to the very level that annoys me: I’ve created my own flippant phrase for a complex issue. In identity and access management, there are some complex technologies, processes, and skills that are used to fulfill IAM’s mission. The complexity is often in three major areas: the user experience, the workflow experience, and the connectivity experience. Any, some, or all of these could be considered big nasties, because they require much effort to plan, build, and operate for the enterprise. However, rather than considering the act of hiding these nasties as a bad thing, I submit that hiding the big nasty in IAM can actually be a good thing, not an annoyance. In fact, it is one of the most critical steps that IAM vendors and service providers can take today to confirm that the discipline is maturing.

Hiding the big nasty in IAM has two dimensions. The first aim is to educate. For many years, we’ve attempted to define IAM for the enterprise in technology terms; we are always using geeky words to try to describe to executive management and others what it is and why they need it, but the myriad blank stares and/or dozing in meetings when this occurs should be a clue that it isn’t working. We aren’t hiding the big nasty. Instead, we should be stepping back, looking at the big picture, and striking the balance between being accurate enough with our descriptions and good enough with our turn of phrase to bring the main concepts into focus for them. That ability is actually a job skill that should be required in IAM and security teams today. As much as the idea annoys me, we need a phrase-maker who gets complex, nasty concepts across quickly and effectively to the right audiences.

The second dimension in hiding the big nasty comes in the IAM solutions themselves, where the user experience itself is simplified to the point where skill set demands are reduced at ALL levels: the level that creates the user interfaces for business users, the level that develops workflow for automating process, and the level that designs and integrates IAM components across the IT software and service architecture. We need to hide the big nasty from all of them, so they can get their jobs done before most of us die of old age. That’s a job for IAM vendors and service providers. Consider harnessing all of that skill you have in marketing cures for IAM nirvana and spin them instead into product development and delivery.

Ok, maybe I’m getting a little carried away there (and am annoying in the process). But hiding the big nasty could go a long way toward building the credibility that IAM so desperately needs in a cynical buying world. The less nasty you see, the more successful you’ll be.

Oh no, a trite phrase arises, in rhyme no less. How annoying is that?


It’s time for an IAM Reality Check

by Earl Perkins | July 21, 2011

Well, here we are. Identity and access management as a discipline has been here in various guises for decades now, starting from early and simple administration of passwords to the present day of access management, identity administration, and an assortment of technologies that supposedly help enterprises (and citizens/consumers/partners/fill-in-the-blank) to have a consistent experience with managing and using identities. In all of this time, with the introduction of products, processes, practices, and people into the act, why don’t we take a step back and do a reality check on what has been accomplished?

I’m not here to bash IAM product or service vendors. That isn’t my job. As an analyst, I’m supposed to— well, analyze. I try to look at the historical record and make some conclusions about what has happened and some guesses as to what will happen. If my view of reality isn’t rosy or satisfying, it is because of what we find as researchers during analysis, not because we have something against the IAM market response to customer need. For IAM, the reality is that we have made some progress. It has been in fits and starts, with notable successes and failures, but in general we’ve progressed from a necessary evil to playing an important role in securing an enterprise and its business assets.

The reality is that our vision of IAM as a ‘gatekeeper’ has been somewhat realized. We know how to establish an access architecture and technology set that does a good job at determining whether or not someone has the initial right/privilege/permission/entitlement/claim/fill-in-the-blank to enter our IT/business kingdom and letting them in if they have it. The kingdom, anyway. Going further with those entitlements to allow entry into specific, mission-critical areas (e.g. sensitive business information, key applications) remains problematic, and allowing a lot of different players (e.g. partners, suppliers, third-parties, other strangers) into our kingdom is still a work in progress (e.g. federation), but we’re getting there.

The reality of administering the identities themselves and governing that process is still problematic. It’s just plain hard, actually, because we’re trying to define an identity for use in the business lexicon, directly, not through the IT translator. We’re actually inviting and engaging the business in direct participation in the creation, maintenance, retirement, reporting, and tracking of identities for which they are personally responsible. In many respects, that scares them. It was better when most of that nasty, administrative stuff was hidden from them (more on that later). But unfortunately, with great power comes great responsibility. As the individual business user becomes more engaged in matters related to sensitive data integrity or customer data privacy or managing different forms of risk throughout their business processes, they keep running into the pesky IAM problem. The reality of IAM is that it is a pain for everyone, equally: whether the business user comes from the human resources group, the supply chain department, or the customer relationship management division, all of them have IAM to worry about in some capacity. It is the horizontal commonality in a vertical world.

Work continues on taking IAM to the next stage, where formal, structured methodologies, processes, and organizational requirements are identified and employed where required in maturing enterprises. Identity and access governance (IAG), that step closer to structure, methodology, process, and organization, is heating up now, joining the ‘toolkit’ for IAM. A reality check there reveals that IAG is like Thursday’s child: it has far to go. But it comes closest in the IAM realm to addressing the business user directly, and that’s a good thing. We’ll watch closely to see what transpires.

Gartner’s annual IAM Summit in San Diego, CA, 14-16 November, 2011 will have as the summit theme “IAM Reality Check: Solutions and Practices for Successful Business”. I think that there all of us (you, analysts, vendors, and others) can compare notes as ‘gatekeeper veterans’ to see what has been the reality of your experiences to date, and ponder your roles for tomorrow. We could use a reality check about now, I think.


Attachmate, Novell, and the future for Novell IAM Customers

by Earl Perkins | May 19, 2011

It is embarrassing to have waited so long to write something in our blog when so much is happening in our industry. I really have no good excuse, so let’s get to the reason for this one. Or rather I should say “reasons”, since I’d like to talk about a few different topics. Consider it catching up, if you will.

First, let’s talk about Novell. By now many of you have heard that the acquisition of Novell is now complete, and that there are already some changes occurring as a result. I know that in earlier blogs and in advice to our clients that are also Novell customers I counseled against taking action too hastily, but instead let this process be completed so we can assess the impacts on your own planning. It’s evident that there are some impacts now to consider.

The Novell Identity and Security Management (ISM) division will report to Jay Gardner’s NetIQ group, both in reporting and in brand. Jay will report to Jeff Hawn along with Bob Flynn, a veteran Attachmate official who has been appointed as Novell business unit President and General Manager. This truly signals the end of one era, and part of me is sad to see that happen (no insult intended to Jay or Bob). There are no doubt pros and cons that can be debated about whether Attachmate is making the right organization and branding decision, but the bottom line is that it will ultimately affect aspects of Novell’s product development and support organization, from where the employees will reside, who stays with Novell, where headquarters will now be located (i.e. Houston, Texas), and what will ultimately be the roadmap for Novell products. Sure, I can read what is being produced as announcements, and there have been briefings to large Novell clients about the future, but shifting from one corporate culture to the next leaves fingerprints, so let’s be realistic.

There are definite synergies (I’ve always hated that word, but it’s appropriate here) in the Novell IAM products and the NetIQ products, and some overlap, and combined development, planning, and sales is logical. Whenever such consolidations happen, you watch carefully to see how much Novell talent decides to stay vs. how much decides to leave. You also watch who is put in charge and what their history is. It helps customers to gauge impact on long-term plans using Novell products.

I believe that there will be impacts on both the future products and existing product support as a result of the restructuring: some good, some not so good. While few disagree that Novell has very solid and capable IAM solutions, those same people will argue that immediately prior to the acquisition announcement Novell was attempting to map an IAM future for itself to create a credible competitive opportunity, and was struggling to do so. Its efforts to combine their SIEM and IAM strategies had mixed results, though they made strategic sense. Their plan for identity and access governance (IAG) with the Aveksa agreement was yielding results, but was not characteristic of the Novell approach of incorporating functionality such as that into a common, homogeneous architecture (such an architecture is past its time now, since the story of the IAM market has been one of acquisition and a kaleidoscope of architectures). These efforts, though much better than the old days of UnixWare and WordPerfect, still did not realize the results that Novell had hoped for.

It is logical to assume that looking at the track record of NetIQ and the work done by Mr. Gardner and Mr. Flynn will provide an indirect indication of life with a combined NetIQ and Novell. The technology Attachmate has acquired with the Novell acquisition is sound and will continue to provide value to both existing and new clients. However, don’t underestimate the eventual impact of a change this dramatic on the culture of a company that once went head-to-head with Microsoft and won for a while. To the clients and the audience I spoke to throughout 2010 and early this year: we now know more about the changes at Novell to help make a better decision in our dealings with them going forward.


IAM: To Control, Observe, and Inform

by Earl Perkins | March 24, 2011

When organizations are deep into an identity and access management initiative, it is difficult to stay focused on the fundamentals of why you started such an effort in the first place. IAM can be a lot of things to a lot of people. Some of those things can be relatively simple, and the solution to them simple as well. Unfortunately, most IAM needs are not simple. But how does an organization maintain focus day after day, month after month, as an IAM program progresses? How does a leader keep an IAM initiative oriented to its strategic goals?

When I think about the reasons for IAM’s existence, there are 3 words that keep coming to my mind: control, observe, and inform. Let me tell you what I think they mean in the context of IAM.

Control: from the time I first started looking at IAM as an analyst, a large part of the technology, process, and skill sets involved the control of access: to networks, platforms, applications, data, and services. This concept of control is integral to IAM, and is the original reason why IAM first started looking like a discipline rather than just a loose collection of technologies to address tactical needs. Whether it is controlling access, controlling the creation and life cycle of identities, or controlling privacy (primarily through controlling access), deploying and managing access control is fundamental to your IAM project;

Observe: to control access or anything else in IAM, you have to know what is going on. You have to collect information about the control event itself, logging information about it for later analysis and use. You have to observe the changes in identity data that occur as day-to-day administration touches the data, monitoring process and workflow to ensure timely completion of IAM activities. In IAM, logging and monitoring are key functions in enabling observation.

Inform: it isn’t enough only to collect information through and for observation; you have to use that information. In IAM, compliance with policy and regulation requires that reporting is provided from the control and observation of identities and access. It is necessary to inform key stakeholders and participants in IAM on what exactly is happening, whether the purpose is to improve the IAM process itself, or to inform the business with key identity-indexed knowledge to make good decisions.

Control, observe, and inform. Keep these themes in mind when you’re striving to create an optimum IAM experience in your organization. That way you will be able to see the entire forest, rather than just the trees.


Active Directory Consolidation as a Design Philosophy

by Earl Perkins | February 25, 2011

Let me introduce to everyone a great colleague of mine, Andrew Walls. Among other topics he covers, he is our resident Active Directory specialist. He has kindly consented to contribute to the blog; I know you will like it.
Earl Perkins

————————————————————————————-

By Andrew Walls

Active Directory is everywhere. This is both a testimonial to the success of Microsoft’s product management strategy and a challenge for any enterprise that wants to build a unified AD environment. Consolidation of AD forests and domains is the single most frequent topic raised in inquiry concerning Active Directory. Commercial organizations, governments and educational organizations are all looking for a more efficient approach to managing AD and providing AD services to their internal clients. The complexity of some AD environments is staggering. Many commercial organizations are operating more than 10 forests with multiple domains in each forest and a complex network of trust relationships. Quite a number of governments are operating more than 50 forests with who knows how many domains. To date, the most complex environment I have encountered is at a global organization with 138 forests operating on every major release of AD since Windows NT.

There are good reasons for this infestation of AD. When AD was first released, it was seen as an extension of Windows Workgroups and was implemented as a departmental, localized solution. As the years have gone by, AD has become an enterprise solution, but many organizations are still managing it as a departmental solution. This legacy architecture keeps a lot of AD administrators employed and enables departments to act as separate fiefdoms within the overall enterprise. Although this local autonomy has some benefit, the complexity produced by multiple, unique AD implementations can prevent, or drastically increase the cost of, deployments of new, enterprise-wide software and work processes.

The allure of a single AD forest with a simple domain design is not fool’s gold. There are real benefits to be found in a consolidated AD environment. A shared AD infrastructure enables user mobility, common user provisioning processes, consolidated reporting, unified management of machines, etc. The reasons for consolidation are clear, but there are significant barriers to success.

  1. Politics: Let’s face it, the big problem with AD consolidation is political. No one likes to give up local control of users and machines to a centralized bureaucracy. From a technical perspective, a consolidated AD model is clearly a more elegant approach to AD management. From the perspective of local versus centralized control, the best model is not so clear.
  2. Cost justification: It is very hard to write a business case for an AD consolidation project. Does consolidation reduce costs? Maybe, but probably not by much. You might be able to produce minor reductions in license costs, but consolidation rarely results in AD administrators being laid off. On the other hand, the actual consolidation project can cost a considerable amount. I have reviewed AD consolidation proposals from systems integrators that range in price from ~$200k to over $5 million. The benefits derived from consolidation tend to be qualitative rather than quantitative. User portability, a shared GAL (Global Address List) and consolidated reporting enhance productivity, but can you measure that enhancement in dollars?
  3. Complexity: An AD consolidation has to unite and rationalize the ID formats, password policy objects, user groups, group policy objects, schema designs and application integration methods that have grown and spread through all of the existing AD environments. At times, this can feel like spring cleaning at the Augean stables. Of course, if you miss something, users will not be able to log in, or find their fileshares, or access applications. No pressure.

How do you avoid all of this? You fight proliferation of AD at every turn and realize that consolidation is not a one-time event. The optimal design for AD is a single domain within a single forest. Any deviation from this approach should be justified on the basis of operational requirements that a unified model cannot possibly support (I have yet to see such a requirement except for deployment of AD in an internet-facing DMZ). There is no avoiding the pain of consolidation when your existing environment is already fragmented, but once you build the core AD environment, you should not have to repeat that pain. Many clients that experience regular mergers and acquisitions have established defined processes with timelines for integrating new subsidiaries into the collective (Resistance is futile! Your AD will be absorbed within six months of merge date).

It is never too early to start on consolidation. The pain of consolidation increases the longer you wait to grapple with the situation. Take the bull by the horns and develop a strategy for consolidation now (full consolidation can take years to complete in very complex environments) and get started on implementation right away. While you are consolidating the existing AD environments do not allow any new domains or forests to be created!


The Real Meaning of “Intelligence” in IAM

by Earl Perkins | February 11, 2011

If you’ve been following some of our recent Gartner summits or research (as well as earlier blogs) you may have noticed a theme that has been expressed around “intelligence”, namely identity and access intelligence (IAI). At first glance, you may look at this and say “So what? This is just another name for printing up a compliance report, or collecting information about an access-related breach. Why do we need to name it something different?” I can certainly understand that sentiment. It seems like we (analyst firms, the media, vendors) are always looking for a way to rename something so that it looks new and exciting, and so you’ll buy whatever is being sold under the new label.

With IAI, that isn’t our point. Oh, of course we’d like to sell more research, but Gartner and other firms also seek to be advocates for clients. That not only helps us because you’re more likely to buy from us if our advice is good, but it also helps you, the client. IAI is not about technology. It was never our intention to imply that in presentations or research. IAI should actually be the result of a culture change within IT and the enterprise. It should be the output of a shift in the way work is done, the way decisions are made, the way we actually USE what we know in IAM to best effect. It should be the goal that we strive for in IAM, the prerequisite to do effective access control, the means by which we can make (for example) better HR, project management, and risk decisions, the measurable and real proof that accountability and transparency are occurring.

IAI can be the result of a change in mindset about what we do with the information at hand. Believe me, it won’t be the first time that enterprises have tried to tackle this: good intelligence is hard to find, difficult to create, and still harder to maintain as a discipline. It can involve speaking to people you’ve never spoken to before, using tools that you never knew were available, and acquiring skills that aren’t in your usual training agenda. Building a center of excellence around IAI actually means becoming part of an enterprise security intelligence program. And THAT subsequently means becoming part of a business intelligence program. I think you can see the pattern.

Some of the clients I have spoken to have said “well that sounds great, but I just want to provision a new employee. I don’t have time for all of this fancy analytics stuff.” What is ironic is that those same clients staff up, train, and organize to do the basics like provisioning, build and deliver the reports necessary for operations and compliance, and establish the relationships with the business to ensure the results of provisioning are felt. Whether they know it or not, they’re already involved in all of the same steps that, with just a little more effort, can expand the intelligence they have to work with to get provisioning done, and then some. Again, it is a change in mindset about how we use what we have to do what we do better.

So what am I saying here? Just that this isn’t yet another round of renaming reporting and dashboarding, moving around people, process, and technology like pieces on a chessboard. This can be the “real deal” if we understand that the end result is intelligence to make our identity-based decisions (IT or business) better.
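To make the point of this post concrete, here is an added example (it is not code from the post, from Gartner, or from any IAM product): the data a provisioning team already produces (the HR roster, the account list, the entitlement assignments) correlated into findings a reviewer, a risk committee, or HR can act on. The roster, the accounts, the PRIVILEGED set, the separation-of-duties pair and the 90-day dormancy threshold are all constructed for illustration and are assumptions of the example, not anything the post specifies.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    department: str
    status: str                    # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    account_id: str
    employee_id: Optional[str]     # None: no HR owner recorded for this account
    last_login: Optional[date]     # None: never logged in
    entitlements: frozenset


# Constructed policy for the example (an assumption, not from the post):
# entitlements treated as privileged, and pairs that must not be held together.
PRIVILEGED = frozenset({"Domain Admins", "SAP_FI_POST", "PROD_DB_DBA"})
SOD_CONFLICTS = (frozenset({"SAP_FI_POST", "SAP_FI_APPROVE"}),)

Finding = Tuple[str, str, str]     # (finding type, account id, detail)


def analyze(hr_records: List[HrRecord], accounts: List[Account],
            today: date, dormant_days: int = 90) -> List[Finding]:
    """Correlate the HR roster with account and entitlement data and return
    the findings a reviewer would act on, sorted so reports are stable."""
    by_employee = {h.employee_id: h for h in hr_records}
    findings: List[Finding] = []
    for acct in accounts:
        owner = by_employee.get(acct.employee_id) if acct.employee_id else None
        privileged = sorted(acct.entitlements & PRIVILEGED)
        if owner is None:
            findings.append(("orphaned", acct.account_id, "no HR owner on record"))
        elif owner.status == "terminated":
            detail = f"owner {owner.employee_id} terminated"
            if privileged:
                detail += "; still holds privileged " + ", ".join(privileged)
            findings.append(("terminated_owner", acct.account_id, detail))
        elif privileged:
            # Active owner: flag privileged access that is not actually being used.
            if acct.last_login is None:
                findings.append(("dormant_privileged", acct.account_id,
                                 "never logged in; holds " + ", ".join(privileged)))
            elif (today - acct.last_login).days > dormant_days:
                days = (today - acct.last_login).days
                findings.append(("dormant_privileged", acct.account_id,
                                 f"{days} days since last login; holds " + ", ".join(privileged)))
        for pair in SOD_CONFLICTS:
            if pair <= acct.entitlements:
                findings.append(("sod_conflict", acct.account_id, " + ".join(sorted(pair))))
    return sorted(findings)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts per finding type: the numbers a dashboard or risk meeting needs."""
    counts: Dict[str, int] = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def privileged_by_department(hr_records: List[HrRecord],
                             accounts: List[Account]) -> Dict[str, int]:
    """Privileged entitlements held per department: input for HR and risk decisions."""
    by_employee = {h.employee_id: h for h in hr_records}
    counts: Dict[str, int] = {}
    for acct in accounts:
        owner = by_employee.get(acct.employee_id) if acct.employee_id else None
        dept = owner.department if owner else "(no owner)"
        counts[dept] = counts.get(dept, 0) + len(acct.entitlements & PRIVILEGED)
    return counts


def sample_data():
    """Constructed HR roster and account list; nothing here is real data."""
    today = date(2011, 2, 11)
    hr = [HrRecord("E100", "Finance", "active"),
          HrRecord("E101", "Finance", "active"),
          HrRecord("E102", "Engineering", "terminated")]
    accounts = [
        Account("a.alice", "E100", today - timedelta(days=3),
                frozenset({"SAP_FI_POST", "SAP_FI_APPROVE"})),   # SoD conflict
        Account("a.bob", "E101", today - timedelta(days=120),
                frozenset({"Domain Admins"})),                   # dormant admin
        Account("a.carol", "E102", today - timedelta(days=200),
                frozenset({"PROD_DB_DBA"})),                     # leaver keeps DBA
        Account("svc_backup", None, today - timedelta(days=1),
                frozenset({"Domain Admins"})),                   # orphaned service account
    ]
    return hr, accounts, today


def run_example() -> List[Finding]:
    hr, accounts, today = sample_data()
    return analyze(hr, accounts, today)


if __name__ == "__main__":
    result = run_example()
    for kind, acct, detail in result:
        print(f"{kind:20} {acct:12} {detail}")
    print(summarize(result))
    hr_rows, accts, _ = sample_data()
    print(privileged_by_department(hr_rows, accts))
```

Nothing in the block is new tooling; each input is something the provisioning process already owns. The shift the post describes is in the questions asked of that data: who holds privileged access without an owner, who kept it after leaving, who never uses it, and which department carries the most of it.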



Too Many Managers in Enterprise IAM?

by Earl Perkins  |  January 27, 2011

An interesting thing begins to happen when you’re assigned the job of researching and analyzing identity and access management. If you aren’t careful, you can begin to lose sight of just why IAM is actually being done, and more importantly, for whom? I’ve always had this uncomfortable feeling that as an analyst, as vendors, and even as buyers we don’t take the time to sort out just exactly who is doing the managing and who is doing the using. That sounds intuitively obvious, or as an old colleague of mine used to say: “it is quite intuitively obvious to the most casual observer at the merest cursory glance”. But if you step back and examine this thing called IAM critically and with an outsider’s eyes, some interesting things come to mind.

First, is IAM a set of products with owners? If so, what responsibilities do these owners have in ensuring that management of identity and access actually happens? Or do they just “own” the products, much like an enterprise application owner would? Personally, I don’t believe IAM is a set of products, but let’s assume for the purposes of this discussion that it is. In many enterprises, IT would be the owners (what a shock). In this sense, to own might mean to manage the versions and releases of the products, the software presence on the server or servers, the customization that occurred to get the software to run, the databases and directories needed, and the SLA that outlined the expectations of the software’s performance and availability. I’m sure I’m forgetting other things being an owner might entail, but you have the gist of it. You notice, however, that this describes managing the products, not the outcomes they are chartered to deliver.

All of that is managing the products, not really managing identities and access. Let’s try a different lens to view IAM. Perhaps IAM is a set of processes in an enterprise that delivers the right kind of access to the right applications for the right people at the right time; a lot of “rights”, as it were. In that sense, there may be some kind of access process to be owned by someone, as well as an administration process. Again, guess who probably gets that responsibility? Yep, IT, though some administration of identity might actually be done by other parties like HR.

Now there is the idea of an intelligence process too, where you use information from the access and administration experience, properly analyzed and formatted, to make different kinds of IT AND business decisions. Compliance reporting is an example of this. When that happens, who is doing the managing of identity and access? If consumers of identity and access intelligence need those identities to change or those accesses to be modified as a result of what the intelligence tells them, they are actually beginning to manage, as it were.

What’s the point of this rambling? I would like you to consider what the management of identity and access really means, and who is really doing the managing. I want you to separate ownership of products and resources from the actual management experience (as many of you have). I want you to take up a different lens to view the act of managing identity and truly see that, in a process, there are many managers. There may be process owners that will manage not only the process itself, but the inputs and outputs of that process. There may be intelligence consumers that will manage the identities because they now know how they’re being used, what they’re being used for, and under what circumstances. And of course, there will be custodians that will manage the repositories of raw and refined identity information, from directories to entitlement catalogs, to ensure that the use of identity to perform access is an effective, secure experience. Managers are also stakeholders in the success of IAM, particularly when those managers are also the consumers of IAM.

So the next time you have a discussion about identity and access management, spend some time thinking about how many managers you can fit into the picture and who they really are.

