Identity management solutions are comprised of several critical components: directory services, access management services, authentication services, and user management and provisioning services.
The first three components have garnered much attention in recent years. More recently, user management and provisioning has emerged as a critical component that helps organizations enforce security policies, meet new regulatory compliance requirements, reduce costs, and ensure that users have access to corporate resources.
The very reason user management and provisioning systems are so valuable is also the reason organizations have difficulty implementing them. A complete system involves setting and enforcing policies for hundreds, if not thousands, of different applications, directories, and non-digital assets, most of which are owned by different teams or business units, making it hard to gain consensus on overall policies.
Then there are the practical issues within today's IT departments. Identity management has vaulted to the top of organizational priority lists, but at the same time IT budgets remain tight and staffing remains low, making it difficult to embark on large-scale projects. Additionally, most organizations have already addressed some portion of identity management with best-of-breed products that have been available for years and meet specific needs. Today, organizations are hesitant to deploy large-scale systems -- they want to reuse existing technology and solve manageable problems with manageable solutions within manageable timeframes.
Fortunately, user management and provisioning products built using modern product architectures and emerging standards make it easier for solutions to be designed modularly and deployed by organizations in phases.
- Easier to choose best-of-breed products and components
- Mitigate project risk
- Quicker results
- Integration with legacy systems
- Overcome political challenges
User management and provisioning solutions address several critical business functions such as:
- Identity creation and maintenance
- Password management
- Group management
- Shared file management
- Compliance and reporting
- Entitlement management
The final solution should encompass all of these disciplines, but they do not have to be implemented all at once.
For example, a major manufacturing customer identified that enabling end-users to manage group membership and easily request group creation for distribution lists and file shares would substantially reduce help desk costs and empower their users. They chose to implement this function first, and then follow on later with a solution to automate group membership assignment and add more complex workflow. Once they are ready, or they identify the need, they can easily round out their solution with password management and entitlement management.
Modular products allow organizations to deploy the functions they need, when they need them.
All applications are not created equal
Many user management and provisioning deployments are hindered when organizations attempt to automate too many applications at one time. Effective deployments prioritize application rollout based on risk, complexity, and business need.
A major airline customer chose to automate the provisioning of their email system before automating other applications primarily because of the pervasiveness of email systems amongst its users. Additionally, they found the risk associated with not effectively enabling, and more importantly disabling and archiving email, was too great. Other organizations view their CRM and sales force automation systems as their most critical applications.
By choosing to automate applications that are the most pervasive and carry the highest potential risks first, organizations can overcome the daunting challenge of supporting numerous legacy applications and processes on day one.
One administration approach does not fit all
User management and provisioning systems enable organizations to delegate identity administration to help desks and even non-IT personnel, automate the process from an authoritative source, or securely push tasks to end-users through self-service portals. These approaches can dramatically improve the process and reduce costs; however, one size does not fit all.
One of our customers, a major financial services firm, has a central IT organization that serves multiple business units. Each business unit has a different approach to administration--some want very specific web-based forms to walk an administrator through a tightly controlled process, others want to have it completely hands-free from the HR system. All of them want to have a centralized way to define and enforce overall policies, regardless of administration approach, and have a central location to access audit and compliance data.
Modularity makes it easier for user management solutions to allow different departments and business units to customize their processes and user interfaces while still conforming to a unified set of policies and reporting capabilities.
Whether an organization is embarking on user management and provisioning to lower costs, improve security, or meet compliance regulations, the key to a successful project is to start with the end in mind but implement and deploy in phases. Fortunately, the products, technologies, and standards now exist to take that approach.
Jeff Schultz is an SVP with Abridean