Time for Intelligence and Clarity in IAM

By Earl Perkins | August 24, 2010 | 1 Comment

Something interesting is developing in the identity and access management arena. It isn’t new – if you look closely, you’ll recognize it from countless other technologies and processes that progress to maturity. IAM is no different. What I’m seeing is the maturing of intelligence.

Now I know you are tempted to make some jokes here, like intelligence and IAM are mutually exclusive in the same sentence, but hear me out. As this technology area matures, there is more awareness, both by those who take care of it and by those who use it, that there’s a lot of ‘record-keeping’ going on: plenty of logs and repositories of rich historical and definitive significance. From the beginning there have been identity and access repositories for the identities themselves and their attributes, of entitlements, roles – all of that information that allows the ‘engines’ to do their job, whether it’s authenticating, authorizing, provisioning, or certifying. There are a number of processes and events unfolding in a typical IAM process, and much of it is being recorded.

With those records or logs, one could say that data, once properly assembled and correlated, turns into information. That information, once reviewed, analyzed, and presented to the right people, process, or other application, becomes knowledge, or information with value. One could even say that once that knowledge gets into the hands of the right people and they make actionable decisions with it, it’s no longer knowledge – it’s intelligence.

Of course, you may be thinking that I’m just playing with words and definitions, but consider the logic. Information of value really does allow an IT professional responsible for identity repositories to know whether they contain good information or trash, and to take action to cleanse or update it. Another set of information might allow an IT analyst to determine whether something should be reported to other IT professionals, or if something is ‘broken’, to repair it. But the real value, that which IT knowledge workers strive to provide, is business knowledge.

The delivery of business knowledge means that IT has succeeded in its core mission – it has provided information of value to the business, information they can actually use for a change, something with clarity – not some obscure spreadsheet, or a chart with technical terms on it that leaves people scratching their heads, or a report that provides little value. Of course, one should recognize that the primary value of IAM in this kind of knowledge is to give a context (you’ll see that word plenty in the months ahead, so get ready) to the business knowledge they already possess from other sources. I believe one context can be referred to as the “who view” of business knowledge – that dimension that uses identity to view business knowledge in a different way, where having that view may be the one element that turns that business knowledge into business intelligence, where a business user says “well, now that I know who is doing this, I can make a decision”.

IAM should be (among other things) about clarity. How do we make clear to the business that there is intelligence in those logs, waiting to be mined, and that intelligence may make all the difference in their decisions? The best way is to deliver it, to prove that IAM intelligence is more than knowledge for IT users to make IT users’ lives easier. IAM intelligence can be part of the business intelligence realm if properly analyzed and presented to the right audiences.

IAM and Business Intelligence is our theme for the annual Gartner IAM Summit, November 15-17 in San Diego, California. I hope to see you there.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

1 Comment

  • I agree with Earl’s viewpoint and I am seeing the same trends and needs in the emerging market called intelligent workload management.

    Earl has put his finger on a key evolution that’s happening in the IAM space: The IAM systems that people have implemented are not just to serve the machinery that provides access or even to feed the audit and certification beast. It’s table stakes for a well-implemented IAM system to provide secure and easy access to resources throughout the organization and to provision users in a way that business users can understand without having to speak geek. The challenge is that doing this across physical, virtual and cloud environments is hard. Tying this to the security infrastructure is hard. However, once this system is in place you can start to answer the questions that provide real business intelligence: “What’s just happened on my system? Who did it? Should I care?”

    It’s the last question that’s at the core of why identity systems sit at the core of an enterprise. “Should I care?” impacts both security and compliance. All levels of the organization clearly care about these challenges – after all, CEOs hate seeing stippled drawings of themselves in the Wall Street Journal after a security breach or failed audit.

    At Novell, we talk about the Identity-Infused Enterprise that highlights the key characteristics of helping an organization be more Intelligent, Cloud-Ready and Secure. An IAM system is only fulfilling its promise when it’s providing full intelligence to the business across all of the connected systems. This starts with the identity management system but rapidly scales out to the access management infrastructure, the security infrastructure and connections to the cloud.

    As pointed out by Earl, intelligence must span all phases for building, securing, managing and measuring workloads. When a workload becomes identity-aware, it knows where and how it should be deployed, and it can provide audit trails of who has been using it. When a management framework becomes identity-aware, it enables self-regulation and management according to business policy, thus maximizing performance and flexibility, while minimizing cost, complexity and risk.

    Great post.