ITIL V3 and IAM Governance: the PBR Model…
As we continue to evolve our advisory services offerings, namely our Kickstart program, we recognize that, in addition to helping clients define their Identity and Access Management (IAM) strategic roadmap, governance model, and implementation approach, our customers increasingly look to us for best practices and practical advice on how to improve the success of their IAM program.
In addition to discussing our credo, “whatever we do, we must avoid the common pitfalls of an IAM program”, we are now spending a lot of our advisory services time helping customers understand, define and institute an effective organizational structure for managing the IAM program. Even though we only speak identity, we find ourselves converging on well-known IT governance frameworks such as COBIT and ITIL V3, which advocate IT management best practices.
This may sound very simple and logical, but for someone who has focused on IAM for basically his entire career, this comes as a revelation: the best practices and lessons learned that evolved from working in IAM converge surprisingly well with general IT best practices (surprise!).
In light of this convergence, we have created an IAM version of the Plan-Build-Run (PBR) model, as explained in COBIT and ITIL V3, and it is one of the key best practices that we discuss with our clients when we assess their IAM programs. This model for executing and governing the program will substantially increase their success rates. The figure below illustrates what this could look like for the IAM team at an organization.
In our more recent engagements with clients, we have discussed how they could restructure or reorganize their IAM teams to better align with the PBR model and thus sharpen their team’s focus and efficiency in executing the IAM program.
In many cases, the IAM team is unable to achieve much success, mainly because the team is spread thin, with its members tending to various plan, build and run functions instead of focusing solely on one particular function. Examples include teams in which the team responsible for deploying and maintaining the IAM infrastructure is also the one running access recertification cycles and supporting audit inquiries. In other cases, the same team that is running and operating the infrastructure is the one taking on new requirements from the line of business and, because it is so consumed by the operations workload (the run function), there is little or no focus on managing and maintaining the strategic IAM roadmap; thus the initiative loses focus and direction.
One of our clients was so heavily focused on the run function that nobody was effectively performing the plan function, and thus there was no roadmap. The organization ended up deploying 3 different technologies that basically did the same function, with 3 teams each running one of the infrastructures, resulting in lots of inconsistencies, end-user dissatisfaction and, of course, added cost in supporting redundant infrastructures.
We recommend that our clients identify how, if at all, their current IAM team maps to the PBR model, and where there are imbalances or misalignments, we spend time discussing them, since these could be the culprits for some of the issues in their IAM program. Our suggestion is that, as a first step, the organization defines and maps the PBR model that would best suit it and its IAM program scope, before taking any other steps.
An actual separation of the functions may not be feasible in all cases, perhaps due to the size of the IAM team or other organizational or resource challenges. But even in this scenario, a well-defined and balanced logical separation needs to be established, such that the team can at least gauge and track how well or poorly it is doing in a given function and avoid focusing exclusively on one over the others, since that would otherwise hinder the success of the program.
We are now incorporating the PBR model as one of the areas of our advisory service program, since we have found it to be a very important part of the success of an IAM program, and our clients confirm that it is valuable.
I would like to thank my friend Steve Curtis for his contribution. His practical knowledge in IAM governance and IT best practices was essential input for creating this article.
I would be very interested in your comments regarding experiences with the PBR model in IAM or in general, and how to incorporate industry best practices into an IAM program in a repeatable and structured fashion. Thanks in advance for your input.