Many times in my career I have been asked “What is Identity and Access Management and how does it work?” Even Security professionals feel unsure about the scope and nature of our discipline. Identity and Access Management –I always say– is above everything else, a security discipline, but it would be a misunderstanding to interpret it as simply another “protection” orientated technique, when actually the ultimate goal is not only to “protect” but to achieve efficiency and organizational excellency. In reality, key informational assets tend to be well protected in most organisations, but giving access to them, to the correct people, at the correct time and in a cost-effective manner is still complex, problematic and costly.
Identity and Access Management certainly works on establishing role-based access controls, but the main direction of our efforts is not towards “control” but directed to managing user accounts on applications, databases, systems and services. Managing the Account Life Cycle: that is the essence of I&AM.
Because of this emphasis, Identity and Access Management is the least “technological” of the Security disciplines. On the one hand, it actually develops management processes which can be described as “user administration”. On the other hand, I&AM technologies automate and accelerate those processes. While the user administration processes make sense from the point of view of pure management, automation and acceleration are a consequence, and not a cause of a successful implementation.
This is difficult to see in a world-wide situation where user management efficiency and transformation are not at the forefront of business preoccupations, and where most I&AM drivers are derived from regulatory concerns, not from organizational strategy. Due to this trend, the transformational and organizational aspects of I&AM are less visible and this causes an undue focus on technologies and technical controls.
In a well-balanced scenario Identity & Access Management directly induces changes in the organizational structure, and also *requires* specific changes, without which the process cannot even start. Identity & Access Management requires, for example, the functions of Data Owner, Role Owner and Identity Data Steward. Without these functions it is impossible to define, validate and re-certify a role model. It goes without saying that without a role model, none of the advantages of user management and provisioning can be materialized.
The Identity & Access Management process also induces changes, in that it creates new processes for authorization, maintenance and termination of user accounts. It does not matter really if these processes are automated, although it is desirable to have such automation. What matters is that the processes are in place, and that these are mandatory, standardized and operational.
Identity & Access Management, at a different level, imposes certain disciplines on IT project definition and execution, especially on the way user data is stored, updated and transported between systems. These are the key aspects of our discipline as seen from an organisational perspective. In future posts I will develop these ideas .