|By Jay O'Donnell||
|December 27, 2012 06:11 AM EST||
Evolving regulatory compliance requirements can be a major headache for the IT teams responsible for identity and access management (IAM). Sarbanes Oxley, the wide range of privacy regulations and other federal requirements, have transformed IAM from a problem that keeps the chief information security officer up at night into a true business concern shared by all company executives. Knowing who has access to what information within your organization - and whether they should have that access - is a deceptively complex issue that has the potential to drive a wedge between even the healthiest of relationships across the business.
On the surface, it may seem as though the nuts and bolts of IAM should reside in a company's IT department. This is because there are many islands of information stored in databases across the business that are managed and administered by the IT team. In addition, employee access to particular areas of the network is usually enabled and revoked by IT.
The problem is that these functions are just the tip of the iceberg when it comes to effectively managing your identity governance program.
IAM Is Driven by Business Requirements
It has long been recognized that identity and access management must be process-driven if it is to gain any longer-term traction within an organization. In fact, Gartner highlighted the importance of process in a 2005 research report, stating that "Identity and access management is not only a set of technologies but also a set of processes that address fundamental issues about handling the strategic asset of identity in any enterprise. Establishing a long-term solution for managing identity requires understanding these basic processes."
Why is the process so important?
Any change to the identity of an employee is triggered by the business. The identity attributes of an employee are created when they are hired (onboarding), changed when they are promoted or assigned new responsibilities (change in responsibility), and must be restricted when they leave the organization (offboarding).
A strong partnership between IT and the company's business divisions is essential to ensure that:
- There is a process to capture all of the changes that happen to the identity of an employee during their life cycle within an organization.
- The business has established and approved the policies under which employee access will be granted or denied.
- Changes are processed within the identified framework (i.e., no one is given access "through the backdoor").
By involving business owners early in the development of your IAM program - including human resources as it traditionally "owns" the bulk of employee attributes, like name, address, social security number and banking information - companies will improve the chances of executing their IAM goals on time and on budget.
Create a Culture of Continuous Compliance
Traditional approaches to identity and access governance take a reactive approach to meeting compliance requirements. If the sole measure of success is the ability to generate an attestation report, the company will always be in "firefighting" mode. It is far better to prevent access violations from happening than trying to chase them down once they occur. At that point, the security breach has already taken place, inappropriate access has already been granted and the damage has been done.
The goal of an effective identity governance initiative should be to ensure that employees are only given the access that is assigned to them under a clearly defined set of rules in accordance with company policy. On the other hand, requests for access that would violate a policy (e.g., separation of duties) should be denied and the appropriate manager should be alerted that a request has been made that would violate company policy. By working with business divisions to set these proactive policy parameters up front, the company is able to create a true culture of continuous compliance.
Your IAM Program Should Deliver More than Compliance
Compliance is a necessary evil. However, if handled correctly, compliance can also create the opportunity for meaningful efficiency improvements and cost reductions throughout an organization.
By managing the identity of your employees centrally and establishing proper business processes to manage identities, companies are able to:
- Shorten new employee onboarding time to less than a day: It is important to capture the primary attributes needed to create an employee identity during the onboarding process and feed this information to all related systems (e.g., payroll, HR, Active Directory, SAP). This approach gives employees the access and assets they need to be productive on their first day with the company.
- Eliminate repetitive manual data entry: A large Canadian retailer recently identified more than 90 attributes that make up the identity of their employees. More important, it also realized that these attributes were being manually re-entered up to ten times for different purposes across the company. Once it began managing their identity administration centrally, the retailer was able to capture data with no re-entry, thereby eliminating hundreds of redundant entries per employee.
- Lower administrative costs: Improving time to productivity, streamlining administrative functions, and simplifying audits will result in millions of dollars saved, depending on the size of the organization.
Learn from Past Failures
Many organizations have been down the IAM solution path before with varying degrees of success. The problem-solving responsibility has traditionally been handed off to - you guessed it - the IT department, which typically attempts to solve the issue via technological solutions. As discussed earlier, the challenge is that the IT department is trying to solve the issue when it doesn't own the information or the process. Attempting an IT-only fix, centered around third-party technology and buy-in from other departments, leads to annoyance at best and losses in time and capital at worse.
In spite of these challenges, there is hope for organizations looking for the Holy Grail of IAM. Below are some best practices organizations can employ to improve their internal IAM processes:
- Solicit business involvement early: IT cannot solve the problem alone. They're the custodians and the business is the end user. IT must engage with business and HR in lay language and find common denominators.
- Create an identity warehouse: Conduct a thorough cleaning of identity data housed by various internal systems so there is easy reconciliation and clear visibility into access granted to employees.
- Fix the controls: Implement procedures early in the business process (i.e., during onboarding), and make sure they are followed, to derive the most value from your identity and access management program.
- Process, process, process: IT spends a significant portion of its time and budget on the dreary work of managing identities. IT and the business divisions can realize measurable benefits from implementing processes that drive down wasted time and money.
- Go paperless: Going paperless with IAM liberates employees from the stacks of paper on their desks. An electronic IAM system can lighten the load across divisions by identifying holdups and speeding timelines.
- Prevention is the key: Get away from the "putting out the fires" mentality. True process control means that fires are prevented.
Approaching IAM in a process-oriented way allows organizations to deal with potential problems proactively. When implemented properly, these best practices can help streamline IAM processes across all organizational departments, resulting in shortened onboarding, reduced costs, increased efficiency and regulatory compliance. Those are goals the whole company can get behind.
In the first four parts of this series I presented an introduction to microservices along with a handful of emerging microservices patterns, and a discussion of some of the downsides and challenges to using microservices. The most recent installment of this series looked at ten ways that PaaS facilitates microservices development and adoption. In this post I’ll cover some words of wisdom, advice intended for individuals, teams, and organizations considering a move to microservices. I've gleaned...
May. 27, 2015 11:30 AM EDT Reads: 2,456
T-Mobile has been transforming the wireless industry with its “Uncarrier” initiatives. Today as T-Mobile’s IT organization works to transform itself in a like manner, technical foundations built over the last couple of years are now key to their drive for more Agile delivery practices. In his session at DevOps Summit, Martin Krienke, Sr Development Manager at T-Mobile, will discuss where they started their Continuous Delivery journey, where they are today, and where they are going in an effort ...
May. 27, 2015 11:00 AM EDT Reads: 1,285
SYS-CON Events announced today that EnterpriseDB (EDB), the leading worldwide provider of enterprise-class Postgres products and database compatibility solutions, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. EDB is the largest provider of Postgres software and services that provides enterprise-class performance and scalability and the open source freedom to divert budget from more costly traditiona...
May. 27, 2015 11:00 AM EDT Reads: 1,523
I read an insightful article this morning from Bernard Golden on DZone discussing the DevOps conundrum facing many enterprises today – is it better to build your own DevOps tools or go commercial? For Golden, the question arose from his observations at a number of DevOps Days events he has attended, where typically the audience is composed of startup professionals: “I have to say, though, that a typical feature of most presentations is a recitation of the various open source products and compo...
May. 27, 2015 10:45 AM EDT Reads: 374
Do you think development teams really update those BMC Remedy tickets with all the changes contained in a release? They don't. Most of them just "check the box" and move on. They rose a Risk Level that won't raise questions from the Change Control managers and they work around the checks and balances. The alternative is to stop and wait for a department that still thinks releases are rare events. When a release happens every day there's just not enough time for people to attend CAB meeting...
May. 27, 2015 10:45 AM EDT Reads: 1,345
There is no question that the cloud is where businesses want to host data. Until recently hypervisor virtualization was the most widely used method in cloud computing. Recently virtual containers have been gaining in popularity, and for good reason. In the debate between virtual machines and containers, the latter have been seen as the new kid on the block – and like other emerging technology have had some initial shortcomings. However, the container space has evolved drastically since coming on...
May. 27, 2015 10:15 AM EDT Reads: 1,259
Buzzword alert: Microservices and IoT at a DevOps conference? What could possibly go wrong? In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, the leading expert on architecting agility for the enterprise and president of Intellyx, panelists will peel away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of our distributed cloud en...
May. 27, 2015 10:00 AM EDT Reads: 1,794
Containers Expo Blog covers the world of containers, as this lightweight alternative to virtual machines enables developers to work with identical dev environments and stacks. Containers Expo Blog offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. Bookmark Containers Expo Blog ▸ Here Follow new article posts on Twitter at @ContainersExpo
May. 27, 2015 10:00 AM EDT Reads: 899
May. 27, 2015 10:00 AM EDT Reads: 1,822
In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, president of Intellyx, panelists Roberto Medrano, Executive Vice President at Akana; Lori MacVittie, IoT_Microservices Power PanelEvangelist for F5 Networks; and Troy Topnik, ActiveState’s Technical Product Manager; will peel away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of ...
May. 27, 2015 09:45 AM EDT Reads: 1,526
The 5th International DevOps Summit, co-located with 17th International Cloud Expo – being held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the...
May. 27, 2015 09:30 AM EDT Reads: 4,004
"People are a lot more knowledgeable about APIs now. There are two types of people who work with APIs - IT people who want to use APIs for something internal and the product managers who want to do something outside APIs for people to connect to them," explained Roberto Medrano, Executive Vice President at SOA Software, in this SYS-CON.tv interview at Cloud Expo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
May. 27, 2015 09:30 AM EDT Reads: 4,246
This is the final installment of the six-part series Microservices and PaaS. It seems like forever since I attended Adrian Cockroft's meetup focusing on microservices. It's actually only been a couple of months, but much has happened since then: countless articles, meetups, and conference sessions focusing on microservices have been delivered, many meetings and design efforts at companies moving towards a microservices-based approach have been endured, and five installments of this blog series ...
May. 27, 2015 09:15 AM EDT Reads: 2,347
You often hear the two titles of "DevOps" and "Immutable Infrastructure" used independently. In his session at DevOps Summit, John Willis, Technical Evangelist for Docker, will cover the union between the two topics and why this is important. He will cover an overview of Immutable Infrastructure then show how an Immutable Continuous Delivery pipeline can be applied as a best practice for "DevOps." He will end the session with some interesting case study examples.
May. 27, 2015 09:00 AM EDT Reads: 1,668
Even though it’s now Microservices Journal, long-time fans of SOA World Magazine can take comfort in the fact that the URL – soa.sys-con.com – remains unchanged. And that’s no mistake, as microservices are really nothing more than a new and improved take on the Service-Oriented Architecture (SOA) best practices we struggled to hammer out over the last decade. Skeptics, however, might say that this change is nothing more than an exercise in buzzword-hopping. SOA is passé, and now that people are ...
May. 27, 2015 09:00 AM EDT Reads: 3,482
SYS-CON Media named Andi Mann editor of DevOps Journal. DevOps Journal is focused on this critical enterprise IT topic in the world of cloud computing. DevOps Journal brings valuable information to DevOps professionals who are transforming the way enterprise IT is done. Andi Mann, Vice President, Strategic Solutions, at CA Technologies, is an accomplished digital business executive with extensive global expertise as a strategist, technologist, innovator, marketer, communicator, and thought lea...
May. 27, 2015 09:00 AM EDT Reads: 1,371
Enterprises are fast realizing the importance of integrating SaaS/Cloud applications, API and on-premises data and processes, to unleash hidden value. This webinar explores how managers can use a Microservice-centric approach to aggressively tackle the unexpected new integration challenges posed by proliferation of cloud, mobile, social and big data projects. Industry analyst and SOA expert Jason Bloomberg will strip away the hype from microservices, and clearly identify their advantages and d...
May. 27, 2015 09:00 AM EDT Reads: 1,412
It's 2:15pm on a Friday, and I'm sitting in the keynote hall at PyCon 2013 fidgeting through a succession of lightning talks that have very little relevance to my life. Topics like "Python code coverage techniques" (ho-hum) and "Controlling Christmas lights with Python” (yawn - I wonder if there's anything new on Hacker News)...when Solomon Hykes takes the stage, unveils Docker, and the world shifts. If you haven't seen it yet, you should watch the video of Solomon's Pycon The Future of Linux C...
May. 27, 2015 09:00 AM EDT Reads: 1,902
Virtualization is everywhere. Enormous and highly profitable companies have been built on nothing but virtualization. And nowhere has virtualization made more of an impact than in Cloud Computing, the rampant and unprecedented adoption of which has been the direct result of the wide availability of virtualization software and techniques that enabled it. But does the cloud actually require virtualization?
May. 27, 2015 08:45 AM EDT Reads: 1,742
An effective way of thinking in Big Data is composed of a methodical framework for dealing with the predicted shortage of 50-60% of the qualified Big Data resources in the U.S. This holistic model comprises the scientific and engineering steps that are involved in accelerating Big Data solutions: problem, diagnosis, facts, analysis, hypothesis, solution, prototype and implementation. In his session at Big Data Expo®, Tony Shan focused on the concept, importance, and considerations for each of t...
May. 27, 2015 08:30 AM EDT Reads: 2,394