Last month I highlighted the broad range of business and
technology drivers for identity management and the need for
a standards-based architecture blueprint (Computer Weekly 21 November).
There are a number of steps that organisations should take to
establish this architectural approach and so respond to those
requirements.
Any identity management initiative must begin with an
understanding of the business objectives. You need to understand
the relative priorities of the different objectives in order to
focus on the projects that provide opportunities for quick wins,
but without losing sight of the broader roadmap.
The creation of your roadmap and the scoping of initial projects
should incorporate a review of existing identity management
systems, data and processes. This is likely to reveal that identity
data and capabilities are fragmented in existing applications and
will highlight both duplication and deficiencies.
You can use this review to identify the identity data,
capabilities and processes that should be harvested from your
current IT portfolio.
It is unlikely that budget and time constraints will allow a
“big bang” implementation. This increases the risk of perpetuating
existing silos and introducing new ones as technologies are
acquired to address high-priority requirements.
Your roadmap will help to reduce this risk by ensuring that
existing technologies and new acquisitions are considered in the
context of business objectives.
An understanding of users and requirements is essential for risk
management as well as for determining the appropriate set of
identity technologies for your needs. In the case of external
users, you must consider identity from their, or their employers’,
perspective.
In a business-to-business context, this understanding is
critical if you are going to define and assign responsibilities for
the creation of identity data and policies, provisioning of that
data, policy enforcement and auditing and other phases of the
identity lifecycle.
In a business-to-consumer context, on the other hand, you must
pay close attention to developments in the world of user-centric
identity, in terms of both the standards and the leading players,
and how enterprise identity management players plan to coexist with
user-centric identity initiatives. Ease-of-use and consistency are
also important considerations.
You should involve the relevant stakeholders, from both the
business and IT organisation, including business domain experts,
auditors, security specialists and IT architects. To engender the
business commitment required for investment and to deal effectively
with organisational and cultural issues, you should establish an
“identity governance” team comprising these stakeholders.
This team is responsible for defining requirements, standards
and policies and ensuring they are adhered to as part of broader IT
governance.
The identity governance team should also have responsibility for
assessing the risks associated with the business objectives and
ensuring that their implications, together with the costs
associated with mitigating them, are considered.
Your identity management architecture should be considered as
part of broader enterprise architecture and service oriented
architecture initiatives. The objective should be to enable
delivery of identity management capabilities as a set of shared
infrastructure services.
This depends on understanding the intersection between business
function services, the resources they depend on, and the subjects
which are required to use them. These intersections will drive
identity management policies, in terms of authentication, access
control and privacy, and also provide the basis for control and
ongoing monitoring.
The architecture should provide guidance on the use of standards
and technologies and provide a clear understanding of the
relationships and dependencies between those identity management
services.
Your identity management initiative will be unmanageable and
unsustainable without identity management lifecycle processes in
place that are well documented and understood by the relevant
stakeholders.
Those processes do not live in isolation so you must consider
identity management alongside IT service management (ITSM)
initiatives. You should look to the IT Infrastructure Library
(ITIL) guidelines since identity is central to the attainment of
the confidentiality, integrity and availability objectives of
ITIL’s security management.
Other aspects of ITSM, from service desk to change management,
also touch identity. You must therefore understand how enterprise
systems management technology suppliers and implementers are
addressing identity management.
Lastly, identity management lifecycle processes should be
available in the applications that support day-to-day business
activities, both to increase employee productivity and reduce the
IT operations burden. This will require investment in process and
workflow management technologies to automate identity management
lifecycle processes.
We are a long way from having a set of mature standards
addressing the different elements of identity management. It is
unclear which of these standards, if any, will come to dominate
and, if not, whether effective interoperability will be
feasible.
Similarly, the technology required to enable the right
architectural approach is still in its formative stages. That said,
it is not too early to start down the identity management road, as
long as you do not attempt to lock down technologies and standards
too early.
Instead, focus on what the architecture is to achieve, rather
than how it is to achieve it, by establishing a framework and
associated principles and policies that should be applied when
making technology choices and evaluating suppliers.
It is perfectly acceptable to deviate from the ideal, but only
if the implications are clearly understood. You should revisit and
refine the framework frequently, given the fast pace at which
standards and technologies are evolving.
Neil Macehiter is a partner at advisory firm Macehiter
Ward-Dutton
Putting the identity pieces together
www.computerweekly.com/219262
Identity management for the SOA era
www.computerweekly.com/219933