We have recently seen renewed interest in the Identity space, more specifically around Identity Governance and Administration (IGA). Although Identity and Access Management (IAM) has been practiced for many years, most implementations still go awry. Why is this? In my humble opinion, the traditional implementation approach has been wrong.
Cloud versus On-Premises Identity
Let’s lay some groundwork. Most organizations have adopted at least a few SaaS applications. To access each of these applications, an end-user needs a user ID and password. While some organizations have integrated these IDs with the ones people use to log on to Active Directory, most have not, which means a separate credential for every application and accounts that nobody disables when the person leaves. A quick search on the interwebs will show that doing this integration is a recommended practice, but it is not necessarily easy to accomplish. If we add to this the automation of identity provisioning (automatically creating IDs for people in the various IT systems and, just as importantly, removing them when those people leave), our task suddenly becomes vastly more complex. The goals of IAM or IGA are to make life better for the people working in our businesses, to improve governance for compliance reasons, and to improve security to protect our businesses. In comes the Elephant.
How to Eat an Elephant
While cliché, the saying certainly applies to IGA. There truly is only one way to eat an Elephant: one bite at a time. We have seen far too many IGA projects fail because the approach was to eat the Elephant in one bite. By the time the results of the project are ready to be released, the requirements have changed. Months (years?) are spent trying to identify and document every process, connect to every system, and target every person, and then more years are spent trying to automate and connect to every application. In our cloud world, it is a safe bet that a large share of the applications, and of the people, will have changed between the start and the end of the project, which virtually guarantees failure.
A New Approach to Implementing IGA
So, how about a different approach to IGA? How about iteratively building a system which can be modified and updated dynamically based on needs? Sounds like DevOps? Exactly.
The challenge of a DevOps approach to IGA is keeping a multi-disciplinary team trained and on task. If IT is not your core business, this approach will be expensive. Picture a team made up of AD experts, single sign-on experts, business analysts, developers, identity specialists, cloud specialists, and project/service managers to keep it all together, mixed with 2nd- and 3rd-level IGA application support specialists: in a nutshell, an end-to-end integrated team supporting the business processes. Consider treating the IGA system as an ongoing software development project that follows agile release cycles and works through a Dev/Test/QA/Production set of environments, so that a new connector or provisioning rule is exercised against test data before it can create or disable real accounts.
The approach would also leverage best-of-breed software and services. No single software vendor can provide everything your organization will need and do it well, and often you have already paid for some of these components as part of a licensing agreement (Microsoft EA anyone?). So, why not leverage a variety of systems which are implemented, managed and evolved by a group of experts? The trade-off is that every additional product is another connector to build and another place where an identity can drift out of sync, so the integration layer needs the same release discipline as everything else. I most certainly will have many dissenters to this approach, but would suggest keeping an open mind given the number of failed, multi-million-dollar projects in this space.
Wrapping it Up
Whether you have a mature IAM system in place or are just beginning to plan one, consider this proposed agile approach to meeting your business objectives. Traditional IT thinking hasn’t raised the success rate of these projects to an acceptable level, in my opinion. Let’s adopt a more DevOps mindset, and provide the business with some immediate value while enabling us to evolve with both technology changes and changing business needs.