Earl Perkins

A member of the Gartner Blog Network


A Library of Identities, Roles, and Entitlements

July 13th, 2009 · 1 Comment

First, this isn’t going to be some really deep technical set of comments regarding roles and entitlements; there have been some really good contributions of that kind from my colleagues inside and outside of Gartner. Rather, this is a comment on how you might want to explain this particular issue of “role-based provisioning”, or “role-based access”, to the executive who just doesn’t understand it in their context, particularly when you’re telling them how much something like this costs and how long it takes.

We’re at a point in identity and access management where we’ve done about all we can with an ‘overlay’ approach; there are fundamental changes that have to be made in the way identity-related data is classified and accessed. This represents, for example, one of the fundamental approaches to entitlement management (or what is known in the general industry as authorization management): it establishes a framework to process entitlements that have been externalized from applications, but only if that framework is put into place for the bulk of the applications in the enterprise. Even in that environment, the organized and formal structure of the identity and its attributes, the roles, and the entitlements all play a key part in making entitlement management successful.

Similarly, where data loss prevention plays a role in identity management, providing some level of content awareness of data (in files or databases) achieves a degree of functionality in different areas of identity management, but primarily because there is some minimal classification of the data in place, or at least a capability for applying classification to it.

Ok, so what’s my point? Think of a public library that you use. If the books in the library are all piled on the floor and you must go in to sort through them to find the books you want or need, it’s going to take a while and will be an inefficient way of doing it. If there are piles of books sorted perhaps by fiction and non-fiction, or by date, or by geography, that will help, but they may still not be sorted in the manner you need to find what you want.

Now along comes the Library of Congress or Dewey Decimal system of classifying the books. They’re organized in such a way that the content of the book is reflected in the tag or label given to the book. Then a system is put in place that not only allows you to look up a book, but, if you need to add a book or take a book out of the system, gives you a means to do that efficiently. Unfortunately, every single book has to be touched to be analyzed and given the appropriate tag.

Welcome to the future of identity and access management. If you want to be able to use an identity effectively, some formal means of approaching both the identity and what it wants to access is necessary before it can be done efficiently. Do you have to do the entire library all at once? No. Can you address different “views” to your liking first? Of course. But some system needs to be applied, either statically or in a dynamic way.

If management can be told about the need for an underlying indexing structure in a manner such as this, the level of effort required becomes more obvious to them, and it helps you tell a better story about the needs of the next generation of identity and access management systems.


1 response

Patrick Parker // Jul 13, 2009 at 9:50 pm

    Earl,

    Thank you for the great practical metaphor for “why roles?”. The human mind needs these classification buckets as a starting point for intelligent discussion. Identity management can be a very weighty topic, and well-designed roles present a common frame of reference to bridge the technology-to-business gap. I would wager that someday soon roles will be seen as much of a unifying force for identity management as the tree of life was for biology.

    Patrick
