An interesting thing begins to happen when you’re assigned the job of researching and analyzing identity and access management. If you aren’t careful, you can begin to lose sight of just why IAM is actually being done and, more importantly, for whom. I’ve always had this uncomfortable feeling that as analysts, as vendors, and even as buyers we don’t take the time to sort out just exactly who is doing the managing and who is doing the using. That sounds intuitively obvious, or as an old colleague of mine used to say: “it is quite intuitively obvious to the most casual observer at the merest cursory glance”. But if you step back and examine this thing called IAM critically and with an outsider’s eyes, some interesting things come to mind.
First, is IAM a set of products with owners? If so, what are the responsibilities these owners have in ensuring that management of identity and access actually happens? Or do they just “own” the products, much like an enterprise application owner would? Personally, I don’t believe IAM is a set of products, but let’s assume for the purposes of this discussion that it is. In many enterprises, IT would be the owners (what a shock). In this sense, to own might mean to manage the versions and releases of the products, the software presence on the server or servers, the customization that occurred to get the software to run, the databases and directories needed, and the SLA that outlined the expectations of the software’s performance and availability. I’m sure I’m forgetting other things being an owner might entail, but you have the gist of it. You notice, however, that this describes managing the products, not the outcomes IAM is chartered to deliver.
All of that is managing the products, not really managing identities and access. Let’s try a different lens to view IAM. Perhaps IAM is a set of processes in an enterprise that delivers the right kind of access to the right applications for the right people at the right time, a lot of “rights”, as it were. In that sense, there may be some kind of access process to be owned by someone, as well as an administration process. Again, guess who probably gets that responsibility? Yep, IT, though some administration of identity might actually be done by other parties like HR.
Now there is this idea of an intelligence process too, where you can use information from the access and administration experience, properly analyzed and formatted, to make different kinds of IT and business decisions. Compliance reporting is an example of this. When that happens, who is doing the managing of identity and access? If consumers of identity and access intelligence need those identities to change or those accesses to be modified as a result of what the intelligence tells them, they are actually beginning to manage, as it were.
What’s the point of this rambling? I would like you to consider what the management of identity and access really means, and who is really doing the management. I want you to separate ownership of products and resources from the actual management experience (as many of you have). I want you to take up a different lens to view the act of managing identity and truly see that, in a process, there are many managers. There may actually be process owners that will manage not only the process itself, but the inputs and outputs from that process. There may be intelligence consumers that will manage the identities because they now know how they’re being used, what they’re being used for, and under what circumstances. And of course, there will be custodians that will manage the repositories of raw and refined identity information, from directories to entitlement catalogs, to ensure that the use of identity to perform access is an effective, secure experience. Managers are also stakeholders in the success of IAM, particularly when those managers are also the consumers of IAM.
So the next time you have a discussion about identity and access management, spend some time thinking about how many managers you can fit into the picture and who they really are.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.