Ian Glazer

A member of the Gartner Blog Network

Ian Glazer
Research Vice President and Agenda Manager
4 years at Gartner
16 years IT industry

Ian Glazer is a research vice president and agenda manager on the Identity and Privacy Strategies team. He leads IdPS' coverage for authorization and privacy. Topics within these two main areas include externalized authorization management, XACML, federated authorization, privacy by design, and privacy programs. Read Full Bio

Coverage Areas:

Performing an entitlement lobotomy on the enterprise

by Ian Glazer  |  June 8, 2010  |  2 Comments

As a part of its data center consolidation efforts, HP is going to be letting going 9000 IT workers. As this Computerworld article points out, although not confirmed, it highly likely that at least some of these terminated employees are system administrators. And as those admins walk out the door so too will walk an understand of how applications actually work and what the entitlements in them actually do. The loss of this kind of institutional knowledge will make it harder for compliance teams at HP to answer the question, “who has access to what.”

I am just wrapping up some research on how enterprises gather and catalog entitlements. With a decent entitlement management process in place, understanding what an entitlement grants in an application is next to impossible. Why? Because the people who know what permissions an entitlement grants, keep this information in their heads. And when they leave the enterprise, so too does that knowledge.

From there, the management of access becomes an exercise in cargo cult IdM. You start to see a lot of “model after” access (mis)management. You get a lot of wasted effort trying to figure out which dataset a group provides access to in the midst of a compliance exercise.

Without a means of capturing the meaning of entitlements enterprises put themselves at risk. Letting go a of a huge number of system administrators, who likely have some crucial understanding of what their systems’ entitlements do, compounds that risk.

2 Comments »

Category: Identity and Access Governance     Tags: , , , ,

2 responses so far ↓