One of the areas of our core expertise at Predica is some mystical unicorn named identity and access governance. We work on such projects from the Predica dawn; we have a dedicated team working on it and tons of projects delivered from which you can learn. For some not so obvious reason, we haven’t covered it here yet.
What are identity, access management, and governance?
In my work with customers across the world, when I ask them what is currently on their mind very often “identity and access management” gets on top of the list. However, when asked what they mean through it, rarely I get the same answer twice. It’s time to name things and make some order out of it. It helps in the further understanding of the subject.
First of all – it is a process. Yes! It is not a single technical solution deployed. We can’t agree it is not a tool (however tool might support it) which will solve all of these problems for you. This process is supported by a tool with the goal to manage the lifecycle of your people access to the applications, data and other resources your organization is using to deliver its value to users.
There are multiple areas we cover by this single term and here is where the most confusion comes from. This simple acronym might cover many areas. Typically these areas have mixed in the single request to the providers as a single solution which leads to gargantuan proposals, budgets and not always gargantuan project outcome.
What does it cover then?
Here is a short list of areas this process covers which you may want to address when thinking about it. I kept it short and focused only on crucial aspects to not start the discussion what is and what’s not IAG process.
- Lifecycle management: Something that is most obvious for most people. It covers all the processes like onboarding, changes, and off-boarding of people and other entities (think service accounts or assets) to your organization. How to onboard or register person? How to push it to some critical systems to enable work environment? How to make sure that the status of a person gets reflected in IT systems when changed in HR? How to close an account on time when needed? It is where identity lifecycle management kicks in and deliver order and automation.
- Access management: If we have it created, where it has access to. It is a question where the answer is delivered by access management. The process here might be simple (many organization sticks to the old concept of groups, and it is perfect for them) or difficult (think complex roles and entitlements hierarchies). Its goal is to answer one question: WHERE THIS IDENTITY HAS ACCESS TO! When it is responded to, it might also be automated to provide efficiency but not necessarily
- Access governance: If it is granted can you report on it? Is it compliant with our policies? It is where the governance part kicks in. Where managing access is one area, getting access rights into compliant state, when we know that what was granted to users is (a) right to their job, (b) compliant with our policies and (c) we can prove that it was granted within a process and we have it audited is another area. Companies might do access management but not governance. It depends on their maturity.
Those are three pillars of this process. There are many other aspects of identity and access management like single sign-on, authentication and authorization policies, and risk assessment and management. Those three items are where I want o focus in this article.
Focus is a keyword!
I work in this field for almost 20 years, and I saw this part of IT changing and evolving. From simple lifecycle projects to complex, compliance-driven implementations which span across dozens of applications and handles hundreds of thousands of entitlements (rights granted for people to keep it simple). What is differentiating implementations successfully from those failed once? There is one word to describe the difference: focus! The easiest way to not succeed on a project related to identity management is to try to tackle all these areas at once, defined in a single project and with all possible features and target systems and applications included.
If you want to succeed, the first rule is the focus, what you need is:
- Having clear goals of your identity and access management program defined.
- Assigning priority to the issues at hand, as you will have many with different parts of a company trying to address different things.
- Defining it into iterations, with a single iteration lasting no longer than 3-4 months to deliver functionality to the end-user (in the best case some low hanging fruits should be delivered sooner in the process).
- Understanding that this is an iterative process, which requires getting back to drawing board with every iteration.
Yes. You will change your priorities and ideas what to do next with every iteration. It is how business looks like right now. It is also why projects planned for 12-24 months are most likely to fail.
In 12-24 months since you start there might be no one who will remember why you are doing it in the first place!
What drives your process?
Typically there are two drivers for projects in this area:
- Projects driven by IT: IT department focuses mostly on operations efficiency and automation. Some aspects of compliance and impact on security are also present, but mostly the goal is to automate processes which we have to execute manually at the moment.
- Compliance / Security: Typically started from audit or security departments, with the greater focus on providing compliance processes, access. Management and governance workflows, reporting and similar aspects. Identity lifecycle is there, but somewhere in the background – we still have to execute it, but it is not the main focus of it.
It brings ownership of systems to the organization, permissions assigned to users, context-based authorization grants and other similar aspects. It is a tool not only for the IT department, but great enforcement and control tool for auditing, security, and compliance focused part of the organization.
Solutions! Bring me some answers!
Nice Tomasz! You put all this theory in front of us, but are there solutions out there and how to choose the best fit to implement for us? Sure there are. There is the entire industry at your disposal, which also shows that there is a problem to tackle. There is not one, but two Gartner reports on this industry for you to consider.
At Predica we work in this area for almost ten years with dozens of projects delivered for customers ranging from few hundreds to well over 100 000 identities. Simple cases, not standard cases, complex cases – we had it all! Our background is in Microsoft technologies, but in this area we have also adopted tool from the vendor other than Microsoft, partnering with Omada.
How do we choose what to apply in each case we work with customers?
It is simple when you will answer the questions I put in this article before. Let’s look at product capabilities at a glance:
Knowing answers to what drives your project and what are your priorities it is simple to evaluate such tool and choose one. Both deliver. Both have a similar set of features in some areas.
Where we focus mostly on identity lifecycle we go primarily for Microsoft Identity Manager and customers are happy about it. It delivers. It doesn’t require extensive resources. It provides common end-user scenarios. It does a password reset, which is still a pain for most of the organizations.
What is very important for many companies it is also the cost-effective option since Microsoft made server license free and CAL is included in Azure AD license.
With simple cases of access management, MIM will also deliver with our extensions for it. You have a choice of using one of those solutions (or other in similar class).
The difference starts when your process is driven by the need to provide rich, compliance-based processes around access management, auditing, reporting and other related functions in the regulation-driven environment. Here Omada Identity Suite has a clear advantage and is a way to go, even if it brings price tag with it.
With clarity about goals, drivers and desired outcome choice of the solution are much easier, and often does not require extensive process – it might be done much, much more straightforward.
Cloud! What about cloud? You haven’t mentioned cloud yet!
Yes, I haven’t! What about the cloud? The truth is that the cloud does not change much in this picture. It is yet another part of your organization we need to manage. You have to provide the same processes around it as for on-premises resources and solution of your choice will have to address it. It is why Omada among few other solutions is tightly integrated with Azure AD for access management and compliance process. This is why recent addition to Microsoft Identity Manager is the Azure AD Graph connector. It brings the process of managing guest users for on-premises application access to the picture.
Those are the questions which auditors might rise, and you can’t answer. If you want to know how to address it, please get in touch with us to discuss your questions!