Earl Perkins

A member of the Gartner Blog Network

Earl Perkins
Research VP
5 years at Gartner
32 years IT industry

Earl Perkins is a research vice president in the Security and Privacy team at Gartner. His focus areas include identity and access management (IAM), including user provisioning, role life cycle management… Read Full Bio

Coverage Areas:

IAM as ‘Surrogate’ Human Capital Management

by Earl Perkins  |  April 17, 2012  |  8 Comments

A curious thing has occurred as identity and access management systems are deployed in enterprises world-wide. The nature of the relationship between IT and HR, or human capital management (HCM) has evolved. For many IAM implementations, the relationship between the IAM team and HR hasn’t been a particularly good one. While the HR database can and has served as the authoritative source for IAM systems, negotiating with some HR departments to make that connection and share the neccessary data to build the IAM data repository has been, shall we say, difficult. The need to control and maintain the privacy of employee information is viewed as a sacred trust by many in HR, and they don’t like the idea of even an extract of their data used outside of their purview, even if it is for purposes other than HR.

IAM projects need a starting point, and HR data is a logical one. Synchronizing the data in HR that exists about a person and their job activities with the directory for authentication or the entitlement catalog for authorization is a natural design step. However, in making this connection, IAM data stores also become an extension of HR, because they also obtain and store data NOT found in HR systems but data about identities nonetheless. Not only is data for access found in the identity store, but even data about other people not found in many HR systems, such as contractors or partners, for example.

It is at this point that HR and IT find themselves in a bit of a dilemma. HR does not have a mandate to track contractor identities in many industries, but they ARE human resources for the business. Therefore some of the data collected by IAM systems can be and often is of interest to HR. If both of them can overcome the friction of shared data quality and access responsibilities, it can actually be an productive partnership. IAM data repositories can become a small, miniature ‘surrogate’ to larger HR systems, with data from these repositories used for purposes other than access. My colleague Lori Rowland coined an interesting term for this and related phenomena– “accidental identity management”. An IAM program captures valuable data about identities that may be used by other parties within the business for something completely outside of access.

Even though consumers and/or citizens are also not the purview of HR systems, IAM also provides valuable identity and access information (dare I say ‘intelligence’?) for a broader view of people and their interaction with IT resources. We see today how valuable such information is to consumer technology providers such as Google and Facebook. Imagine an equivalent in use cases for enterprise IAM activity and event information leveraged in business decision-making. The first and most obvious ‘customer’ of such intelligence will be HR, providing a more accurate record of what an employee actually DOES, rather than what we say they do with job titles and ‘roles’. There are of course some significant privacy implications to ‘role activity monitoring’, but I think you get the picture.

In addition to everything else you know and understand about IAM, add to that the potential to be a valuable asset in the pursuit of best-in-class human capital management.

8 Comments »

Category: IAM IT Governance     Tags:

8 responses so far ↓

  • 1 IAM as 'Surrogate' Human Capital Management « Human Resources 123   April 17, 2012 at 8:13 am

    [...] the original here: IAM as 'Surrogate' Human Capital Management Comments [...]

  • 2 Mike Gotta   April 17, 2012 at 8:39 am

    Hey Earl,

    What do you think regarding the intersect between IAM, HCM, and enterprise social network sites (e.g. profile as identity)?

    I can foresee evolution of profiles to better handle a variety of “employee” types (traditional, contractor, retiree, alumni, etc). Since profile data is often pulled from identity and HR systems and then augmented by end users, the profile arguably represents a richer form of identity construction than either the IAM or HR repository.

    It just strikes me that profiles found in enterprise social networking platforms are going to address many of the points in your post… especially since these systems are becoming the backbone for an enterprise social graph that captures interactions between people, information, activities, etc. Yet I’ve typically found IAM teams not involved enough in these initiatives re: profiles, identity, social graph). Thoughts?

  • 3 IAM as 'Surrogate' Human Capital Management « Management Fair   April 17, 2012 at 10:55 pm

    [...] more here: IAM as 'Surrogate' Human Capital Management Comments [...]

  • 4 rf   April 18, 2012 at 7:33 pm

    Earl,
    I don’t think “accidental identity management” accurately captures the change that has occurred. The introduction of the Internet to virtually all business and social functions has explicitly required the WHO ARE YOU? question to be answered at each encounter. This is lead to the each IT system or online service to have to act as an identity management system, including HR, contractor and partner management systems but also every commerce, collaboration or information sharing system.

  • 5 Earl Perkins   April 18, 2012 at 9:18 pm

    Your points are well taken. I think when Lori referred to “accidental” what she was saying was that the original intention of identity management repositories wasn’t for the uses they’re being put to now. I agree with you, and in fact I call the idea of knowing “who are you?” as “identity indexing”, to index decisions with identity context. We’re speaking of the same thing, essentially.

  • 6 Earl Perkins   April 18, 2012 at 9:21 pm

    It’s good to talk to you again, Mike.
    You’re right in that I didn’t mention the social dimension of this, and I believe that social networking platforms will play a role. However, there is still the question of trust. Just because someone puts particular profile information into their Facebook, it doesn’t mean it is accurate. We do believe that a combination of enterprise and social information about identity can and will be used. You’re also right that this hasn’t been a high-priority item for enterprise IAM systems, but I suspect that will change over time.

  • 7 Mike Gotta   April 19, 2012 at 10:39 am

    Thanks Earl, I was referencing internal social network sites (e.g., Cisco Quad, Microsoft SharePoint, IBM Connections, etc). These profiles often have been bootstrapped with identity and HR data pulled from their respective back-end systems. Employees than “make claims” about themselves in the sense that they add expertise, interests, etc in a free-form manner. These systems also begin to construct a social graph as employees “follow” each other through various mechanisms and add additional social data via “likes”, “comments” etc. As employees interact with communities, information sources, and business processes – as these applications become connected into the social graph, you can begin to see how people “perform their claims” in an identity sense. Performative identity is an interesting intersect with social network analysis. We can claim a lot – if we then perform those claims, there’s a strong sense that those claims are credible – and if you beging to collected feedback from peers on those claims and performance, you transition into topics like reputation, etc.

    You can then see a lifecycle of sorts from the “ascribed identity” given to an employee when they join the company (title, role, department, cost center, labor grade, etc). Then the “claimed identity” people construct as part of their social profile, then “performed identity” as they participate in their work, and then the “reciprocated identity” that emerges as colleagues provide signals that acknowledge that individual.

    This insight does not exist within IAM and HRMS. The enterprise social network site/platform becomes the “face” of IAM and HRMS over time. There was some chatter about XDI synergies with social profiles but I’ve lost track of it…

    You’re correct though re; FB, Twitter, etc – once you try to correlate that to external sources, a different set of issues arise.

  • 8 Earl Perkins   April 20, 2012 at 8:39 am

    Thanks Mike for the clarification, I see what you’re describing now. Part of the blogging we’ve done is on the idea of identity and access intelligence, where if we can construct an identity data model (data at rest, e.g. directory, as well as data in motion, e.g. log data) and an analytics practice around mining identity data for valuable insight, we can make more informed decisions at many levels, both within IT and business. Your description is a classic example of leveraging identity data repositories and applying filtering, correlation, and analysis to arrive at the necessary intelligence to make a decision about the identity of an individual and its use. I’m grateful for you pointing out the implications of social media tools in enriching this and related functions in IAM.