|By Jay O'Donnell||
|December 27, 2012 06:11 AM EST||
Evolving regulatory compliance requirements can be a major headache for the IT teams responsible for identity and access management (IAM). Sarbanes Oxley, the wide range of privacy regulations and other federal requirements, have transformed IAM from a problem that keeps the chief information security officer up at night into a true business concern shared by all company executives. Knowing who has access to what information within your organization - and whether they should have that access - is a deceptively complex issue that has the potential to drive a wedge between even the healthiest of relationships across the business.
On the surface, it may seem as though the nuts and bolts of IAM should reside in a company's IT department. This is because there are many islands of information stored in databases across the business that are managed and administered by the IT team. In addition, employee access to particular areas of the network is usually enabled and revoked by IT.
The problem is that these functions are just the tip of the iceberg when it comes to effectively managing your identity governance program.
IAM Is Driven by Business Requirements
It has long been recognized that identity and access management must be process-driven if it is to gain any longer-term traction within an organization. In fact, Gartner highlighted the importance of process in a 2005 research report, stating that "Identity and access management is not only a set of technologies but also a set of processes that address fundamental issues about handling the strategic asset of identity in any enterprise. Establishing a long-term solution for managing identity requires understanding these basic processes."
Why is the process so important?
Any change to the identity of an employee is triggered by the business. The identity attributes of an employee are created when they are hired (onboarding), changed when they are promoted or assigned new responsibilities (change in responsibility), and must be restricted when they leave the organization (offboarding).
A strong partnership between IT and the company's business divisions is essential to ensure that:
- There is a process to capture all of the changes that happen to the identity of an employee during their life cycle within an organization.
- The business has established and approved the policies under which employee access will be granted or denied.
- Changes are processed within the identified framework (i.e., no one is given access "through the backdoor").
By involving business owners early in the development of your IAM program - including human resources as it traditionally "owns" the bulk of employee attributes, like name, address, social security number and banking information - companies will improve the chances of executing their IAM goals on time and on budget.
Create a Culture of Continuous Compliance
Traditional approaches to identity and access governance take a reactive approach to meeting compliance requirements. If the sole measure of success is the ability to generate an attestation report, the company will always be in "firefighting" mode. It is far better to prevent access violations from happening than trying to chase them down once they occur. At that point, the security breach has already taken place, inappropriate access has already been granted and the damage has been done.
The goal of an effective identity governance initiative should be to ensure that employees are only given the access that is assigned to them under a clearly defined set of rules in accordance with company policy. On the other hand, requests for access that would violate a policy (e.g., separation of duties) should be denied and the appropriate manager should be alerted that a request has been made that would violate company policy. By working with business divisions to set these proactive policy parameters up front, the company is able to create a true culture of continuous compliance.
Your IAM Program Should Deliver More than Compliance
Compliance is a necessary evil. However, if handled correctly, compliance can also create the opportunity for meaningful efficiency improvements and cost reductions throughout an organization.
By managing the identity of your employees centrally and establishing proper business processes to manage identities, companies are able to:
- Shorten new employee onboarding time to less than a day: It is important to capture the primary attributes needed to create an employee identity during the onboarding process and feed this information to all related systems (e.g., payroll, HR, Active Directory, SAP). This approach gives employees the access and assets they need to be productive on their first day with the company.
- Eliminate repetitive manual data entry: A large Canadian retailer recently identified more than 90 attributes that make up the identity of their employees. More important, it also realized that these attributes were being manually re-entered up to ten times for different purposes across the company. Once it began managing their identity administration centrally, the retailer was able to capture data with no re-entry, thereby eliminating hundreds of redundant entries per employee.
- Lower administrative costs: Improving time to productivity, streamlining administrative functions, and simplifying audits will result in millions of dollars saved, depending on the size of the organization.
Learn from Past Failures
Many organizations have been down the IAM solution path before with varying degrees of success. The problem-solving responsibility has traditionally been handed off to - you guessed it - the IT department, which typically attempts to solve the issue via technological solutions. As discussed earlier, the challenge is that the IT department is trying to solve the issue when it doesn't own the information or the process. Attempting an IT-only fix, centered around third-party technology and buy-in from other departments, leads to annoyance at best and losses in time and capital at worse.
In spite of these challenges, there is hope for organizations looking for the Holy Grail of IAM. Below are some best practices organizations can employ to improve their internal IAM processes:
- Solicit business involvement early: IT cannot solve the problem alone. They're the custodians and the business is the end user. IT must engage with business and HR in lay language and find common denominators.
- Create an identity warehouse: Conduct a thorough cleaning of identity data housed by various internal systems so there is easy reconciliation and clear visibility into access granted to employees.
- Fix the controls: Implement procedures early in the business process (i.e., during onboarding), and make sure they are followed, to derive the most value from your identity and access management program.
- Process, process, process: IT spends a significant portion of its time and budget on the dreary work of managing identities. IT and the business divisions can realize measurable benefits from implementing processes that drive down wasted time and money.
- Go paperless: Going paperless with IAM liberates employees from the stacks of paper on their desks. An electronic IAM system can lighten the load across divisions by identifying holdups and speeding timelines.
- Prevention is the key: Get away from the "putting out the fires" mentality. True process control means that fires are prevented.
Approaching IAM in a process-oriented way allows organizations to deal with potential problems proactively. When implemented properly, these best practices can help streamline IAM processes across all organizational departments, resulting in shortened onboarding, reduced costs, increased efficiency and regulatory compliance. Those are goals the whole company can get behind.
Earlier this week, we hosted a Continuous Discussion (#c9d9) on Continuous Delivery (CD) automation and orchestration, featuring expert panelists Dondee Tan, Test Architect at Alaska Air, Taco Bakker, a LEAN Six Sigma black belt focusing on CD, and our own Sam Fell and Anders Wallgren. During this episode, we discussed the differences between CD automation and orchestration, their challenges with setting up CD pipelines and some of the common chokepoints, as well as some best practices and tips...
May. 24, 2016 03:45 AM EDT Reads: 1,198
As AT&Ts VP of Domain 2.0 architecture writes one aspect of their Domain 2.0 strategy is a goal to embrace a Microservices Application Architecture. One page 9 they describe how these envisage them fitting into the ECOMP architecture: "The initial steps of the recipes include a homing and placement task using constraints specified in the requests. ‘Homing and Placement' are micro-services involving orchestration, inventory, and controllers responsible for infrastructure, network, and applicati...
May. 24, 2016 02:45 AM EDT Reads: 1,532
Automation is a critical component of DevOps and Continuous Delivery. This morning on #c9d9 we discussed CD Automation and how you can apply Automation to accelerate release cycles, improve quality, safety and governance? What is the difference between Automation and Orchestration? Where should you begin your journey to introduce both?
May. 24, 2016 01:30 AM EDT Reads: 1,210
While there has been much ado about interoperability, there are still no real solutions, same as last year and the year before that. The large EHR vendors who continue to dominate the market still maintain that interoperability is all but solved, still can't connect EHRs across the continuum causing frustration by providers and a disservice to patients. The ONC pays lip service to the problem, but that is about it. It is time for the healthcare industry to consider alternatives like middleware w...
May. 23, 2016 10:00 PM EDT Reads: 1,387
SYS-CON Events announced today the Docker Meets Kubernetes – Intro into the Kubernetes World, being held June 9, 2016, in conjunction with 18th Cloud Expo | @ThingsExpo, at the Javits Center in New York, NY. Register for 'Docker Meets Kubernetes Workshop' Here! This workshop led by Sebastian Scheele, co-founder of Loodse, introduces participants to Kubernetes (container orchestration). Through a combination of instructor-led presentations, demonstrations, and hands-on labs, participants learn ...
May. 23, 2016 07:00 PM EDT Reads: 1,762
The pace of innovation, vendor lock-in, production sustainability, cost-effectiveness, and managing risk… In his session at 18th Cloud Expo, Dan Choquette, Founder of RackN, will discuss how CIOs are challenged finding the balance of finding the right tools, technology and operational model that serves the business the best. He will discuss how clouds, open source software and infrastructure solutions have benefits but also drawbacks and how workload and operational portability between vendors...
May. 23, 2016 07:00 PM EDT Reads: 1,706
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York and Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty ...
May. 23, 2016 05:00 PM EDT Reads: 4,593
Our CTO, Anders Wallgren, recently sat down to take part in the “B2B Nation: IT” podcast — the series dedicated to serving the IT professional community with expert opinions and advice on the world of information technology. Listen to the great conversation, where Anders shares his thoughts on DevOps lessons from large enterprises, the growth of microservices and containers, and more.
May. 23, 2016 04:00 PM EDT Reads: 1,400
The 19th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Containers, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit y...
May. 23, 2016 04:00 PM EDT Reads: 1,794
Internet of @ThingsExpo, taking place November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with the 19th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world and ThingsExpo New York Call for Papers is now open.
May. 23, 2016 03:00 PM EDT Reads: 1,645
@DevOpsSummit taking place June 7-9, 2016 at Javits Center, New York City, and Nov 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with the 18th International @CloudExpo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world.
May. 23, 2016 01:00 PM EDT Reads: 3,223
IoT generates lots of temporal data. But how do you unlock its value? How do you coordinate the diverse moving parts that must come together when developing your IoT product? What are the key challenges addressed by Data as a Service? How does cloud computing underlie and connect the notions of Digital and DevOps What is the impact of the API economy? What is the business imperative for Cognitive Computing? Get all these questions and hundreds more like them answered at the 18th Cloud Expo...
May. 23, 2016 12:30 PM EDT Reads: 2,018
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, wh...
May. 23, 2016 12:30 PM EDT Reads: 1,778
Just last week a senior Hybris consultant shared the story of a customer engagement on which he was working. This customer had problems, serious problems. We’re talking about response times far beyond the most liberal acceptable standard. They were unable to solve the issue in their eCommerce platform – specifically Hybris. Although the eCommerce project was delivered by a system integrator / implementation partner, the vendor still gets involved when things go really wrong. After all, the vendo...
May. 23, 2016 09:30 AM EDT Reads: 1,285
As enterprises around the world struggle with their digital transformation efforts, many are finding that innovative digital teams are moving much faster than their hidebound IT organizations. Rather than struggling to convince traditional IT to get with the digital program, executives are taking advice from IT research firm Gartner, and encouraging existing IT to continue in their desultory ways. However, many CIOs are realizing the dangers of following Gartner’s advice. The central challenge ...
May. 23, 2016 09:00 AM EDT Reads: 1,839
The initial debate is over: Any enterprise with a serious commitment to IT is migrating to the cloud. But things are not so simple. There is a complex mix of on-premises, colocated, and public-cloud deployments. In this power panel at 18th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists will look at the present state of cloud from the C-level view, and how great companies and rock star executives can use cloud computing to meet their most ambitious and disruptive business ...
May. 23, 2016 08:45 AM EDT Reads: 1,961
The demand for organizations to expand their infrastructure to multiple IT environments like the cloud, on-premise, mobile, bring your own device (BYOD) and the Internet of Things (IoT) continues to grow. As this hybrid infrastructure increases, the challenge to monitor the security of these systems increases in volume and complexity. In his session at 18th Cloud Expo, Stephen Coty, Chief Security Evangelist at Alert Logic, will show how properly configured and managed security architecture can...
May. 23, 2016 08:00 AM EDT Reads: 1,912
You might already know them from theagileadmin.com, but let me introduce you to two of the leading minds in the Rugged DevOps movement: James Wickett and Ernest Mueller. Both James and Ernest are active leaders in the DevOps space, in addition to helping organize events such as DevOpsDays Austinand LASCON. Our conversation covered a lot of bases from the founding of Rugged DevOps to aligning organizational silos to lessons learned from W. Edwards Demings.
May. 23, 2016 06:30 AM EDT Reads: 1,281
Agile teams report the lowest rate of measuring non-functional requirements. What does this mean for the evolution of quality in this era of Continuous Everything? To explore how the rise of SDLC acceleration trends such as Agile, DevOps, and Continuous Delivery are impacting software quality, Parasoft conducted a survey about measuring and monitoring non-functional requirements (NFRs). Here's a glimpse at what we discovered and what it means for the evolution of quality in this era of Continuo...
May. 23, 2016 05:30 AM EDT Reads: 1,346
When I talk about driving innovation with self-organizing teams, I emphasize that such self-organization includes expecting the participants to organize their own teams, give themselves their own goals, and determine for themselves how to measure their success. In contrast, the definition of skunkworks points out that members of such teams are “usually specially selected.” Good thing he added the word usually – because specially selecting such teams throws a wrench in the entire works, limiting...
May. 23, 2016 05:00 AM EDT Reads: 1,379