Identity Management Survey

I was reading the Ponemon Institute Survey on Identity Compliance. You can download it here.

The report focuses on identity management (IdM) across differently sized organisations (i.e. enterprise IdM as opposed to customer IdM), eventually concluding:

Despite the perceived importance of identity compliance, our results show that a large percentage of respondents believe their companies are not equipped to secure provisioning and access rights management using current methods. Moreover, our study finds that respondents find it difficult to collaborate across different functional areas across the enterprise.

It’s an interesting but unsurprising conclusion. My experience is that implementing an IdM solution across a large, complex organisation requires more than just having a half-decent off-the-shelf product. For starters, such projects are expensive, and putting together a business case that sells it on cost benefits is very difficult. I don’t think you can justifiably sell such a solution on the basis of ROI or any other method of calculating returns. We can make a good case in terms of reducing the cost of compliance, data protection, efficiency of management and also security, but not on costs.

This same point is supported within the report, where the survey found only 10% of respondents citing cost savings as their principal business driver. From my perspective, the most revealing statistic reported is that 65% of respondents report little or no collaboration between IT, audit functions and the business towards achieving project objectives. This is a recipe for disaster because it means that the interests of all the stakeholders (and when it comes to IdM the entire organisation should be considered stakeholders) are not being taken into account. The result is likely to be a solution lacking required features and subsequently lacking support from various parts of the business.

Here’s an example of what I mean: some time ago I was notified about the impending implementation of a new IdM solution. Note: impending implementation. Few outside the project group involved had been given the opportunity to contribute requirements, and the result was a solution lacking some key security features. For example, corporate policy called for two-factor authentication for remote access; however, the IdM solution had been implemented with an Internet front end that only asked for a username and password. The project was subsequently shelved (not just because of the lack of 2FA, I hasten to add) and some tough lessons learnt.

My last comment is on the report’s finding that the element of an identity management solution considered most important by the largest number of respondents (39%) is the “ability to track temporary or contract workers who have access to sensitive or confidential data”. Really? I’m not denying that this is important – sometimes vitally so – but is it the most important purpose of your enterprise IdM project? Conversely, only 13% cited provisioning and de-provisioning as the most important element. I think these figures should be – need to be – the other way around. If you can’t focus on provisioning then you’re not going to be able to track contractors.
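As an added illustration of that last point (example code written for this post, not taken from the report or any product), here is a minimal reconciliation of an HR roster against an IdM account export. The contractor report it produces only exists because the provisioning records (who is a contractor, when the contract ends) are kept current; the roster, account list and group names are constructed sample data.

```python
from datetime import date

# Constructed sample data: what HR knows (provisioning source of truth) ...
HR_ROSTER = {
    "alice": {"type": "employee", "end": None},
    "bob":   {"type": "contractor", "end": date(2024, 3, 31)},
    "carol": {"type": "contractor", "end": date(2025, 12, 31)},
}
# ... and what the IdM directory actually has provisioned.
IDM_ACCOUNTS = [
    {"user": "alice", "groups": ["staff"]},
    {"user": "bob",   "groups": ["finance-reports"]},  # contract ended, never de-provisioned
    {"user": "carol", "groups": ["hr-data"]},          # active contractor with sensitive access
    {"user": "dave",  "groups": ["staff"]},            # no HR record at all (orphan account)
]
# Groups that grant access to sensitive or confidential data (assumed names).
SENSITIVE_GROUPS = {"finance-reports", "hr-data"}


def reconcile(roster, accounts, sensitive, today):
    """Return (user, finding, sensitive_groups) tuples for accounts needing attention.

    Findings:
      expired              - contractor whose end date has passed but account still exists
      contractor-sensitive - current contractor holding sensitive-data access (track these)
      orphan               - account with no provisioning record; cannot be classified at all
    """
    findings = []
    for acct in accounts:
        record = roster.get(acct["user"])
        sensitive_held = sorted(set(acct["groups"]) & sensitive)
        if record is None:
            # Without a provisioning record we cannot even say whether this is a contractor.
            findings.append((acct["user"], "orphan", sensitive_held))
            continue
        if record["end"] is not None and record["end"] < today:
            findings.append((acct["user"], "expired", sensitive_held))
        elif record["type"] == "contractor" and sensitive_held:
            findings.append((acct["user"], "contractor-sensitive", sensitive_held))
    return findings


if __name__ == "__main__":
    for user, finding, groups in reconcile(HR_ROSTER, IDM_ACCOUNTS, SENSITIVE_GROUPS, date(2024, 6, 1)):
        print(f"{user:6} {finding:21} {','.join(groups) or '-'}")
```

The orphan case is the point: an account the provisioning process never recorded cannot be tracked as a contractor or anything else, however good the reporting on top of it is.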

A couple of good blogs that focus on identity management issues:

Kim Cameron’s Identity Weblog

Digital Identity Blog