Identity and Access Management (IAM) is one of the most critical security functions in your business. Even if you have no tooling built for it, you are practicing it and always have been: from the day you put in your first computer you had a process for getting people access to it. It may not be a detailed process, but it is a process. As deployments move to virtual and cloud environments, controlling access and knowing who is accessing your systems only become more critical.
However, Identity and Access Management projects often fail, and fail hard. It is not because of the technologies chosen, how many applications you have, or how complex your data is. They fail because the project is not advertised properly inside the organization to get the sponsorship, full support and focus it needs. If it is left in the hands of IT, it does not get very far. In fact, the most successful and one of the most mature IAM implementations I know of was driven and controlled out of HR, not IT. IT managed the technology and 'kept the lights on', but HR drove the implementation.
IAM is heavily technological in nature, but the success of the solution rests 100% on the business. You can put the best and greatest technology into your environment, but without a business purpose and a business-created plan it will not get beyond 20% of the ultimate goal. The root of that failure is that the decision makers and check writers are never shown what IAM really is; instead they see a few million dollars being spent to make the IT guys' lives easier through automation. Too many people focus on the workload aspect of Identity Management provisioning rather than on what provisioning is really meant for.
“Why would I spend $2 million so those geeks down on the 6th floor don’t have to manually create accounts? It works today just fine, they just want to be more lazy.”
Right? Heard something like that before? Said something like that before?
When I have conversations with people, or hear them talking about their IAM projects, I listen for whether they talk about more than provisioning. Most do not; they stop there, and some even call their IAM project 'the Provisioning project'. I have blogged about this disconnect before, but I am seeing it more and more: IAM is getting a reduced focus because the business-enabling benefits are being missed.
Here is a script to provision into AD. If provisioning is all you are going to do, save yourself a few bucks.
Dim objRootLDAP, objContainer, objNewUser, strUser
strUser = "ProvisionedUser1"
' Bind to Active Directory via rootDSE and read the domain's naming context.
' "ActiveDirectoryServer" is a placeholder for your domain controller.
Set objRootLDAP = GetObject("LDAP://ActiveDirectoryServer/rootDSE")
Set objContainer = GetObject("LDAP://cn=Users," & _
    objRootLDAP.Get("defaultNamingContext"))
' Build the actual User.
Set objNewUser = objContainer.Create("User", "cn=" & strUser)
objNewUser.Put "sAMAccountName", strUser
' Nothing is written to the directory until SetInfo is called.
objNewUser.SetInfo
If you want to be successful in an IAM implementation, here are the things you need to figure out long before you worry about the act of provisioning.
- Who are your business partners? HR, management, audit and compliance, information security, application developers, business analysts. These are the primary beneficiaries of a mature IAM system; IT is not on the list.
- What are the business rules? Your business functions in a specific way: you have an organizational structure, you use your own decision matrix, you want information to flow a certain way. IT does not know this in detail and probably does not care what the business does outside the IT world.
- What are the compliance requirements? Depending on the type of business you are in, chances are you have to meet growing external compliance requirements. Which part of the business has to meet them? What information is needed? IT makes sure the data is there and available, but IT is usually not the consumer of that data for compliance; it just delivers it.
- What are the business's operational costs? Help desks, paper, time spent waiting on the process, compliance failures, reporting, and so on. Does IT know about these costs, or care?
The act of provisioning should be one of the last things you worry about. Any tool set that leads with how many directories it can create accounts in should be looked at with a raised eyebrow. There are tons of programs out there that can create accounts. So what?
Identity and Access Management is not about how automatically you can create objects; it is about how you apply your business rules to manage them. Taking how your business works and automating it to cut processing times, harden security, get real-time reporting, and enforce access rules automatically (people in Accounts Receivable cannot have the same access as Accounts Payable) is what IAM is about. In addition, a well-defined IAM system can manage physical assets as well as accounts: cell phones, desk phones, building access cards, and so on.
Where did I mention provisioning in that description? Provisioning is about 20% of an entire IAM project. If that is how it is sold to the business, that is as far as you will get, and you will miss the other 80% of the enabling, cost-saving reasons you needed IAM in the first place.
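To make the difference concrete, here is an added example (not code from the original post) of what sits in front of the account-creation step: an HR record is mapped to entitlements by department, a separation-of-duties rule refuses the Accounts Receivable / Accounts Payable combination, and the result is diffed against what the account already holds. The department mapping, the ERP_* and AD_* entitlement names, the SoD rule and the HR records are all constructed placeholders for illustration.

```python
"""Rule-driven provisioning decision (added example, not the original post's code).

The HR record, department-to-entitlement mapping and separation-of-duties
rule below are all constructed for illustration; the entitlement names are
hypothetical placeholders, not real ERP or AD group names.
"""
from dataclasses import dataclass, field

# Business rule 1: baseline entitlements per department (hypothetical mapping).
ROLE_ENTITLEMENTS = {
    "Accounts Receivable": {"ERP_AR_POST", "ERP_INVOICE_CREATE"},
    "Accounts Payable": {"ERP_AP_APPROVE", "ERP_VENDOR_PAY"},
    "IT": {"AD_HELPDESK"},
}

# Business rule 2: separation of duties. Holding anything from the left set
# together with anything from the right set is a toxic combination.
SOD_RULES = [
    ({"ERP_AR_POST", "ERP_INVOICE_CREATE"}, {"ERP_AP_APPROVE", "ERP_VENDOR_PAY"}),
]


@dataclass
class HrRecord:
    """Constructed HR feed record; HR is the authoritative source for identity."""
    employee_id: str
    department: str
    status: str                      # "active" or "terminated"
    extra_requests: set = field(default_factory=set)  # access asked for beyond the role


@dataclass
class Decision:
    action: str          # "create", "update" or "disable"
    entitlements: set    # what the account should end up holding
    violations: list     # SoD rule hits that were refused, for audit/approval


def sod_violations(entitlements):
    """Return the toxic combinations present in a set of entitlements."""
    hits = []
    for left, right in SOD_RULES:
        held_left, held_right = entitlements & left, entitlements & right
        if held_left and held_right:
            hits.append(sorted(held_left | held_right))
    return hits


def decide(record, current_entitlements=frozenset()):
    """Turn an HR record into a provisioning decision driven by the rules above."""
    if record.status != "active":
        # Terminations come from HR, not from a ticket: disable and strip access.
        return Decision("disable", set(), [])
    baseline = set(ROLE_ENTITLEMENTS.get(record.department, set()))
    wanted = baseline | record.extra_requests
    violations = sod_violations(wanted)
    if violations:
        # Never provision a toxic combination; fall back to the role baseline
        # and surface the refused request for business approval.
        wanted = baseline
    action = "create" if not current_entitlements else "update"
    return Decision(action, wanted, violations)


def reconcile(current_entitlements, target_entitlements):
    """Diff current against target access: the two lists a connector would act on."""
    to_add = sorted(set(target_entitlements) - set(current_entitlements))
    to_remove = sorted(set(current_entitlements) - set(target_entitlements))
    return to_add, to_remove


if __name__ == "__main__":
    # Constructed sample: an AR clerk transferring in from IT who also asks for AP approval.
    rec = HrRecord("E1001", "Accounts Receivable", "active", {"ERP_AP_APPROVE"})
    d = decide(rec, current_entitlements={"AD_HELPDESK"})
    print(d.action, sorted(d.entitlements), d.violations)
    print(reconcile({"AD_HELPDESK"}, d.entitlements))
```

The point of the example is where the logic lives: the AD script earlier on the page is only the last line of this pipeline (what `reconcile` hands to a connector), while everything that matters to the business, the role mapping, the refused toxic combination and the termination path, is decided before any account is touched.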
End of Line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.