Most organisations are approaching identity and access management (IAM) in the wrong way, by planning deployments around technologies, says Gartner.
IAM process requirements should always precede organisational and technology decisions, according to Earl Perkins, research vice-president at Gartner.
"Most IAM planning is still done around clusters of technologies, rather than by addressing specific IT or business processes," he told the Gartner IAM Summit 2011 in London.
According to Perkins, IAM should be based on policies, processes and people, and products should be a relatively small focus of the decision process in an IAM project.
Gartner recommends that businesses view IAM as a process, because that removes the product-centric pattern imposed by the market.
"Viewing IAM as a process attempts to identify where people and IAM technology can be most effectively used to fulfil the practices and policies of the organisation, and helps an organisation articulate its requirements and target them at the areas where there is the most need," said Perkins.
Many IT departments within businesses make the mistake of assuming that the business will adopt whatever IAM systems they build, he said, but projects that do not meet a real business need or bring benefit to the business are bound to fail.
"IT should quit answering questions no-one is asking and instead work with the business to find out what the real needs are and where IAM can add value."
One way of building a bridge between IT and the business, says Perkins, is to move beyond the core IAM functions of being able to control, observe and inform about access.
By linking up the wealth of data stored in IAM systems with business data, he says, IT can help create real business benefit and justify investment in IAM.