Scope out your ID risks and goals

To be successful, an identity management initiative needs clear planning to prioritise for quick wins while ensuring that longer-term business objectives are met

Last month I highlighted the broad range of business and technology drivers for identity management and the need for a standards-based architecture blueprint (Computer Weekly 21 November).

There are a number of steps that organisations should take to establish this architectural approach and so respond to those requirements.

Any identity management initiative must begin with an understanding of the business objectives. You need to understand the relative priorities of the different objectives in order to focus on the projects that provide opportunities for quick wins, but without losing sight of the broader roadmap.

The creation of your roadmap and the scoping of initial projects should incorporate a review of existing identity management systems, data and processes. This is likely to reveal that identity data and capabilities are fragmented in existing applications and will highlight both duplication and deficiencies.

You can use this review to identify the identity data, capabilities and processes that should be harvested from your current IT portfolio.

It is unlikely that budget and time constraints will allow a “big bang” implementation. This increases the risk of perpetuating existing silos and introducing new ones as technologies are acquired to address high-priority requirements.

Your roadmap will help to reduce this risk by ensuring that existing technologies and new acquisitions are considered in the context of business objectives.

An understanding of users and requirements is essential for risk management as well as for determining the appropriate set of identity technologies for your needs. In the case of external users, you must consider identity from their, or their employers’, perspective.

In a business-to-business context, this understanding is critical if you are going to define and assign responsibilities for the creation of identity data and policies, provisioning of that data, policy enforcement and auditing and other phases of the identity lifecycle.

In a business-to-consumer context, on the other hand, you must pay close attention to developments in the world of user-centric identity, in terms of both the standards and the leading players, and how enterprise identity management players plan to coexist with user-centric identity initiatives. Ease-of-use and consistency are also important considerations.

You should involve the relevant stakeholders, from both the business and IT organisation, including business domain experts, auditors, security specialists and IT architects. To engender the business commitment required for investment and to deal effectively with organisational and cultural issues, you should establish an “identity governance” team comprising these stakeholders.

This team is responsible for defining requirements, standards and policies and ensuring they are adhered to as part of broader IT governance. 

The identity governance team should also have responsibility for assessing the risks associated with the business objectives and ensuring that their implications, together with the costs associated with mitigating them, are considered.

Your identity management architecture should be considered as part of broader enterprise architecture and service oriented architecture initiatives. The objective should be to enable delivery of identity management capabilities as a set of shared infrastructure services.

This depends on understanding the intersection between business function services, the resources they depend on, and the subjects which are required to use them. These intersections will drive identity management policies, in terms of authentication, access control and privacy, and also provide the basis for control and ongoing monitoring.

The architecture should provide guidance on the use of standards and technologies and provide a clear understanding of the relationships and dependencies between those identity management services.

Your identity management initiative will be unmanageable and unsustainable without identity management lifecycle processes in place that are well documented and understood by the relevant stakeholders.

Those processes do not live in isolation so you must consider identity management alongside IT service management (ITSM) initiatives. You should look to the IT Infrastructure Library (ITIL) guidelines since identity is central to the attainment of the confidentiality, integrity and availability objectives of ITIL’s security management.

Other aspects of ITSM, from service desk to change management, also touch identity. You must therefore understand how enterprise systems management technology suppliers and implementers are addressing identity management.

Lastly, identity management ¬lifecycle processes should be available in the applications that support day-to-day business activities, both to increase employee productivity and reduce the IT operations burden. This will require investment in process and workflow management technologies to automate identity management lifecycle processes.

We are a long way from having a set of mature standards addressing the different elements of identity management. It is unclear which of these standards, if any, will come to dominate and, if not, whether effective interoperability will be feasible.

Similarly, the technology required to enable the right architectural approach is still in its formative stages. That said, it is not too early to start down the identity management road, as long as you do not attempt to lock down technologies and standards too early.

Instead, focus on what the architecture is to achieve, rather than how it is to achieve it, by establishing a framework and associate principles and policies that should be applied when making technology choices and evaluating suppliers.

It is perfectly acceptable to deviate from the ideal, but only if the implications are clearly understood. You should revisit and refine the framework frequently, given the fast pace at which standards and technologies are evolving.

Neil Macehiter is a partner at advisory firm Macehiter Ward-Dutton

Putting the identity pieces together

Identity management for the SOA era

Comment on this article:

Read more on Identity and access management products