Identity Management has had a long, difficult road to acceptance at the enterprise level. Is it an IT program? An Information Security initiative? A Service Desk owned process? Where does it fall in the grand enterprise picture? Where Identity Management lives within the enterprise determines how successful it is and how mature it can ever become. When it is an IT initiative it will stall out, not from any lack of expertise to drive it, but from the business's attitude toward adopting yet another IT project. New IT technology means it is complicated, and complicated means a pain to use. Why should we spend the time and money on all these tools to make the IT department's life easier?
Identity Management depends 100% on user adoption. Without it, you are done before you start.
Several years back Binary Blogger shifted the Identity Management approach and put a new program in place with an entirely different direction than before. This approach turned out to be more successful than anticipated: adoption was almost immediate, and the Identity Management program advanced faster than it ever had before. In fact, a backlog of feature requests began to pile up. Why? What changed?
HR was put in the center of the Identity Management world. They owned it. HR was given the oversight of the internal process and business functions of the core Identity framework.
Why shouldn't it be? Identity Management is not an IT function alone. The sole purpose of Identity Management is to manage the identities of individuals: tie all the IT, physical, and business assets and objects to a person. Identity Management, when done properly, bridges the digital and physical worlds. Who has the responsibility to manage the physical people? Human Resources (HR)!
The identity birthing process begins with HR. Long before a person even becomes an employee, they are created in an HR system. HR already holds the basic building blocks of the identity profile.
What is the first step when implementing an Identity Management system? You figure out where and how you get the HR identity data into it. HR is the single source of truth for most Identity Management systems, yet I bet most, if not all, Identity Management programs do not include HR as one of the program's primary decision makers, let alone as the owner.
An HR centric Identity Management program gives you greater control and visibility into the data that drives it. HR controls department names, job titles, org charts, and all the subtle data points that, when they change without notifying IT, mess everything up. So make HR the data owner for identity data. IT doesn't care whether a job title is "Manager of IT" or "IT Manager" or "Manager, IT". (Believe me, some HR folks are really into titles and each format means something different.) Since all the identity data comes from an HR source, make HR responsible for the accuracy of it.
Secondly, the birthing process starts with HR, so it makes sense to make HR the first and only channel for provisioning new users. The Identity Management system is going to be fully automated anyway; the main goal is to get admins' hands off the directories. The IAM system will create the actual accounts and assign the rights. HR fills out a simple web form, and the IAM business rules behind it do all the dirty IT work.
This accomplishes a few things that make huge security advances. One, HR is now the only "authorized agent" that can create the base user accounts. No longer can a manager or department head sneak a new user into the system without HR knowing about it. How? Because your new access request process will require a username, an email address, and an employee number: data points that cannot exist until the account is created, and since HR is the only group that creates accounts, no one can sidestep it easily. The check only works, though, if the access request workflow actually validates the employee number and username against the HR record rather than merely requiring that the fields be filled in; a free-text employee number field is no control at all. HR gets a clean, web based provisioning form that on the back end ties into the Identity Management system and/or the HR system(s) that feed it. Automated! Simple, elegant, and HR is in control, and they like that.
Thirdly, with HR in control of provisioning, HR needs to be in control and center stage for deprovisioning. People come and go, and they all go through HR. If your contractors don't, they should too; they are people. Give HR the power to disable accounts instantly. The urgent termination is the one discreet, sensitive event that needs to be handled delicately. If HR has to call someone at the Service Desk or IT department to disable accounts, that reduces the discretion of the process and increases the risk of an unwelcome or stressful event if word gets out. Another simple web form disables the accounts as they proceed with removing the individual. (Disabling the account should also revoke the person's active sessions and badge access where your platforms support it; a disabled directory account with a still-valid session leaves a window.) Protect the company, the data, and the other employees, and minimize the emotional fallout of a termination.
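To make the three pieces above concrete (HR owns the data, HR is the only provisioning channel, HR drives deprovisioning), here is a small HR-driven joiner/mover/leaver reconciliation. It is an added example written for this post, not the author's code or any IAM product's API. The HR export rows, field names, the toy in-memory directory, the rule that only certain departments get IT logins, and the employee IDs are all constructed assumptions; a real deployment would read the HR feed and write to AD/LDAP, but the logic is the same: the directory is derived from HR, never edited independently, and an access request is checked against the HR record rather than trusted because a field was filled in.

```python
"""Added example: HR feed as the single source of truth for accounts.

Not from the original post. Feed format, department policy and the
in-memory "directory" are assumptions standing in for a real HR export
and AD/LDAP.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample HR export, one row per person. HR owns these fields.
HR_FEED = [
    {"employee_id": "E1001", "first": "Ada", "last": "Lovelace",
     "dept": "Engineering", "status": "active"},
    {"employee_id": "E1002", "first": "Grace", "last": "Hopper",
     "dept": "Engineering", "status": "terminated"},
    {"employee_id": "E1003", "first": "Maria", "last": "Custodio",
     "dept": "Facilities", "status": "active"},
]

# Assumed policy: only these departments get IT logins. Facilities staff
# get an identity (badge, keys) but no directory account.
ACCOUNT_DEPTS = {"Engineering", "Finance", "IT"}


@dataclass
class Identity:
    employee_id: str
    display_name: str
    dept: str
    status: str
    username: Optional[str] = None  # None means "no IT account"


@dataclass
class Directory:
    """Toy stand-in for AD/LDAP, keyed by employee_id. Accounts are
    disabled rather than deleted so the audit trail survives."""
    accounts: Dict[str, dict] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)


def username_for(rec: dict) -> str:
    return f"{rec['first'][0]}{rec['last']}".lower()


def reconcile(hr_feed: List[dict], directory: Directory) -> Dict[str, Identity]:
    """Derive directory state from HR: create joiners, re-point movers,
    disable leavers, and disable any account HR has never heard of."""
    identities: Dict[str, Identity] = {}
    for rec in hr_feed:
        eid = rec["employee_id"]
        wants_account = rec["status"] == "active" and rec["dept"] in ACCOUNT_DEPTS
        acct = directory.accounts.get(eid)
        if not wants_account:
            # Leaver, or moved into a role with no login: disable.
            if acct and acct["enabled"]:
                acct["enabled"] = False
                directory.log.append(f"DISABLE {eid} {acct['username']}")
        elif acct is None:
            # Joiner: the only path that ever creates an account.
            uname = username_for(rec)
            directory.accounts[eid] = {"username": uname, "dept": rec["dept"], "enabled": True}
            directory.log.append(f"CREATE {eid} {uname}")
        elif not acct["enabled"]:
            acct["enabled"] = True  # rehire
            directory.log.append(f"ENABLE {eid} {acct['username']}")
        elif acct["dept"] != rec["dept"]:
            # Mover: HR changed the department, the directory follows.
            directory.log.append(f"MOVE {eid} {acct['dept']}->{rec['dept']}")
            acct["dept"] = rec["dept"]
        acct = directory.accounts.get(eid)
        identities[eid] = Identity(eid, f"{rec['first']} {rec['last']}", rec["dept"],
                                   rec["status"], acct["username"] if acct else None)
    # Orphans: accounts with no HR record are exactly the users someone
    # "snuck in" around HR. Disable them and flag for review.
    known = {r["employee_id"] for r in hr_feed}
    for eid, acct in directory.accounts.items():
        if eid not in known and acct["enabled"]:
            acct["enabled"] = False
            directory.log.append(f"ORPHAN-DISABLE {eid} {acct['username']}")
    return identities


def validate_access_request(req: dict, identities: Dict[str, Identity],
                            directory: Directory) -> Tuple[bool, str]:
    """An access request must name an active HR identity whose linked,
    enabled account matches the requested username. The employee number
    is checked against HR, not merely required on the form."""
    ident = identities.get(req.get("employee_id"))
    if ident is None:
        return False, "unknown employee_id: no HR record"
    if ident.status != "active":
        return False, "identity is not active in HR"
    acct = directory.accounts.get(ident.employee_id)
    if acct is None or not acct["enabled"] or acct["username"] != req.get("username"):
        return False, "username does not match the HR-linked account"
    return True, "ok"


def demo() -> Tuple[Dict[str, Identity], Directory]:
    """Constructed starting state: Grace already has an account, and
    'jdoe' exists in the directory with no HR record at all."""
    directory = Directory(accounts={
        "E1002": {"username": "ghopper", "dept": "Engineering", "enabled": True},
        "E9999": {"username": "jdoe", "dept": "Engineering", "enabled": True},
    })
    identities = reconcile(HR_FEED, directory)
    return identities, directory


if __name__ == "__main__":
    ids, d = demo()
    print("\n".join(d.log))
    print(validate_access_request({"employee_id": "E1001", "username": "alovelace"}, ids, d))
```

Running it creates Ada's account, disables Grace's on her terminated status, leaves Maria with an identity but no login, and disables the orphan `jdoe` that nobody in HR knows about; a request for `E1001`/`alovelace` passes, while one that quotes a terminated or orphaned identity, or a username that is not the one HR's record is linked to, is rejected.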
Lastly, working with HR as the leader of your Identity Management program will get your agenda done. For whatever reason, probably because HR controls the employees' money, all employees listen to HR. Take a step back and look at how many new programs, ideas, projects, and sweeping changes HR pushes through. Compare those to your IT projects. Now, how many of your projects were stalled, cancelled, changed, or escalated because of objections, push back, and whining? How many of HR's?
What HR says, stays. HR's word is rarely challenged the way IT's is. HR wants to change vendors. Done. They want to implement a new vacation policy. Done. They want to reduce the 401k match. Done. When HR says that users will reset their passwords through a new system... Done. Requests for access go through the HR system. Done.
See how that works? HR gets it done because the business adopts what HR rolls out. I have yet to see an HR centric Identity Management program work less efficiently than a "traditional" IT or Security focused one.
It just makes sense: HR are the keepers of the identities; IT manages the directories in which the accounts associated with those identities reside. They are two completely different things, and when your Identity Management system matures you will have identity profiles for people within the company who have no IT assets at all. Kitchen crews, custodial services, cleaning crews. They will have keys and physical access points but no IT login accounts. Identity Management is still required for them, and that scenario has nothing to do with IT but everything to do with HR.
Identity Management is driven by technology solutions but true Identity Management is not an IT program.
HR is a powerful ally in the success of your Identity Management program. Include them at the ground level, empower them with capabilities that put them in control, and let them officially own the HR data and be responsible for it. You will see magic happen when you do.
End of line.
Binary Blogger has spent 20 years in the Information Security space and currently provides security solutions and evangelism to clients. From early web application programming and system administration, through senior management, to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.