The Undeniable Truths of IAM
Being an Identity and Access Management consultant is cool. I get to work with clients big and small across various industries. I run into new challenges each time and I love developing innovative approaches to solving these challenges. But as fun as it is to innovate, there are certain undeniable truths in IAM that provide the foundation for good advice.
Have a Strategy
It may sound obvious, but any good IAM program will have a strategy and a roadmap. When a business partner or stakeholder asks, “What’s your strategy?” your response should be, “I’d love a chance to review our strategy with you. Can we schedule a half hour soon?” Your strategy should be clear, and it should be documented.
By the time the strategy is finalized, at least the key stakeholders should have bought into it. In my experience, the way to achieve stakeholder buy-in is to involve them early, ensure their voice is heard, and let them contribute to the definition of the problem that IAM is solving. Keep them involved during solution definition and explain how the solution addresses the problem statement they helped define.
Maturity is the Measuring Stick
A proper strategy will take stock of the current state of maturity in the form of an assessment. There are two approaches to gauging maturity: conducting a benchmark and performing a maturity assessment. A benchmark answers “how are we doing versus our peers?” A maturity assessment looks inward at the current state of the people, process, and technology behind each IAM capability.
A good strategy and roadmap illustrate a path from the current level of maturity to a targeted, more mature level. The undeniable truth here is that the road to IAM maturity runs through formalization and automation. This does not mean everything must be very formal and completely automated, but these are the factors that drive maturity.
A program becomes more formal by having a framework for monitoring whether its application portfolio complies with the organization’s IAM policies and standards. Remedies for non-compliant applications can then be defined as standard integration patterns with the central IAM tools, patterns that are pre-qualified as compliant so each application does not have to be assessed from scratch.
Keep the Architecture Simple
There are a few cardinal rules in designing good IAM architecture. The first is that you need one place to go to know who has access to what. This best practice is the driver behind modern Identity Governance platforms, which are designed to receive account and entitlement data from target systems.
These platforms periodically inventory all of the accounts and entitlements, correlate each account to an identity, and can alert on issues such as accounts that correlate to no identity or access that outlives the person who held it. The business value is the comprehensive “one pane of glass” view of an individual’s access.
Of course, since automation is a key driver of maturity, it should also drive good IAM architecture. Think about IAM in the old-school context of data-in, processing, and data-out. Data-in includes identity data from authoritative sources (HR, contractor management, student systems, etc.) and also the endpoints that periodically report their account and entitlement data to the central IAM system.
Processing includes workflows ranging from access requests to correlation of account data with identities. Again, performing these activities in an automated way is more mature because it is efficient and far less error-prone than manual processes.
Data-out, in the form of automated account or entitlement provisioning, is the third place where automation drives higher maturity and better IAM architecture. Data-in and automated processing are prerequisites to automated provisioning. The caution here is to design this in a scalable way. For example, do not provision directly from IAM to 200 Linux servers; instead, have IAM provision to an LDAP directory or AD and bridge those servers to that credential store, so IAM manages one target rather than 200.
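The data-in, processing, data-out shape above, and the correlation and alerting that give the “one pane of glass” view, as an added example that is not part of the original post. All input data is constructed inline; the field names, the correlation rules (employee ID first, then e-mail equals account name) and the action names `disable`/`review` are assumptions chosen for illustration, not the API of any product. The `ldap` export stands in for the central directory the Linux servers are bridged to, which is why there is one LDAP target rather than one per server.

```python
"""Minimal identity correlation and de-provisioning pass (added example).

Data-in : an HR feed plus account exports reported by endpoints (all constructed).
Process : correlate each reported account to exactly one identity, flag orphans.
Data-out: the actions a provisioning connector would execute.
Field names, correlation rules and action names are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Data-in: authoritative identity source (constructed HR export).
HR_FEED = [
    {"employee_id": "E1001", "email": "alice@example.com", "status": "active"},
    {"employee_id": "E1002", "email": "bob@example.com", "status": "terminated"},
    {"employee_id": "E1003", "email": "carol@example.com", "status": "active"},
]

# Data-in: account/entitlement exports from two endpoints (constructed).
# "ldap" is the central directory the Linux servers are bridged to.
ENDPOINT_EXPORTS = {
    "ldap": [
        {"account": "alice", "employee_id": "E1001", "entitlements": ["linux-users"]},
        {"account": "bob", "employee_id": "E1002", "entitlements": ["linux-users", "wheel"]},
        {"account": "svc-backup", "employee_id": None, "entitlements": ["linux-users"]},
    ],
    "crm": [
        {"account": "alice@example.com", "employee_id": None, "entitlements": ["sales-read"]},
        {"account": "dave@example.com", "employee_id": None, "entitlements": ["sales-admin"]},
    ],
}

Account = Tuple[str, str, List[str]]  # (system, account name, entitlements)


@dataclass
class Identity:
    employee_id: str
    email: str
    status: str
    accounts: List[Account] = field(default_factory=list)


def correlate(hr_feed, exports) -> Tuple[Dict[str, Identity], List[Tuple[str, str]]]:
    """Processing: attach every reported account to one identity.

    Assumed rules: exact employee_id match first, then account name equal to the
    identity's e-mail (case-insensitive). Anything unmatched is an orphan.
    Returns (identities keyed by employee_id, list of (system, account) orphans).
    """
    by_id = {r["employee_id"]: Identity(r["employee_id"], r["email"], r["status"]) for r in hr_feed}
    by_email = {ident.email.lower(): ident for ident in by_id.values()}
    orphans: List[Tuple[str, str]] = []
    for system, accounts in exports.items():
        for acct in accounts:
            ident = by_id.get(acct["employee_id"]) or by_email.get(acct["account"].lower())
            if ident is None:
                orphans.append((system, acct["account"]))
            else:
                ident.accounts.append((system, acct["account"], list(acct["entitlements"])))
    return by_id, orphans


def access_report(identities: Dict[str, Identity]) -> Dict[str, List[Account]]:
    """The 'one place to know who has access to what' view: identity -> accounts."""
    return {eid: list(ident.accounts) for eid, ident in identities.items()}


def deprovisioning_actions(identities, orphans) -> List[Tuple[str, str, str]]:
    """Data-out: (action, system, account) tuples for a provisioning connector.

    Terminated identities lose every correlated account in every system.
    Orphans are routed for review rather than disabled: a service account
    legitimately correlates to no person, so blind disabling would break things.
    """
    actions: List[Tuple[str, str, str]] = []
    for ident in identities.values():
        if ident.status == "terminated":
            for system, account, _entitlements in ident.accounts:
                actions.append(("disable", system, account))
    for system, account in orphans:
        actions.append(("review", system, account))
    return actions


if __name__ == "__main__":
    ids, orphan_accounts = correlate(HR_FEED, ENDPOINT_EXPORTS)
    for eid, accts in access_report(ids).items():
        print(eid, accts)
    for action in deprovisioning_actions(ids, orphan_accounts):
        print(action)
```

Note that the correlation key is what makes the whole chain work: an endpoint that reports accounts without an employee ID or a matching e-mail produces orphans that a human has to resolve, which is exactly the manual, error-prone step the text says automation should remove. Fixing the endpoint to report a stable identifier is usually cheaper than a growing review queue.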
Another practice most well-planned IAM architectures strive for is “one ID per person,” which usually results in one credential per person. This, of course, makes de-provisioning access simpler, and de-provisioning is usually the most important process an IAM program performs. One identity does not have to mean one account: separate privileged accounts are still good practice, but each of them must correlate back to the same identity so that de-provisioning that identity catches all of them.
Having one credential makes it easier for users to remember a strong password, among other benefits to the company and the individual user. To achieve one ID, integrate an SSO solution, whether it is single sign-on (log in once) or simplified sign-on (the same credentials across all apps).