“Caminante, no hay camino. Se hace camino al andar.”
Wanderer, there is no path. The path is made by walking.
At the start, Identity Governance can seem an impossible task—much like pairing socks from a fresh load of laundry, or buying a toilet brush from Amazon, or, as I described in my previous blog post, navigating your way in a new city.
As I gazed at the subway map of Madrid, I was rapidly overwhelmed by the blizzard of dots which represented potential stops throughout the city. One of the largest public transport systems in the world, the Madrid metro presents travelers with a task similar to those faced by enterprises wanting to implement identity governance: the assimilation of large amounts of data. The way forward in both situations is to ask the right questions and discover the environment.
Asking the Right Questions
In that first Madrid waystation, the questions that I needed answered dominated my thoughts. Even though they were basic (“Where am I?”), they provided parameters to my task and kept me from being overwhelmed by the volume of data available. The initial phases of identity governance are the same. In this first maturity stage, enterprises should continually ask the following questions: “What identities are out there?” “What applications exist that need to be secured?” These questions will focus the investigation on what truly matters to the organization: how security will be improved through a robust identity governance program.
Discover Key Identity Repositories
With the correct questions in mind, discovery is the key activity of this stage. In Madrid, this meant observation—noting what stations exist, and how they are roughly grouped. In identity governance, the initial phase will be similar—noting what identities exist and where they are concentrated. These concentrations or “identity repositories” are essential to understanding how the organization uses identity. Ordering and grouping these repositories then becomes the next logical step.
The most important of these identity repositories are usually administered by the Human Resources department, and are considered “authoritative”—put simply, this means that for any real-world person to be known by the business, they must exist in this repository. Most often, this is an HR-specific application (Workday, PeopleSoft, etc.), and it is the foundation for establishing identity governance. These identities should be imported into the identity governance solution in the first round of data acquisition; they form the basic identity foundation for each real-world person.
Map out the Environment
After the key authoritative identity repositories are known, focus on discovering the overall environment. Check for secondary repositories such as a user directory that particular groups within the organization use as a source of identity (often this is an Active Directory domain). Note what applications exist and begin to order them into a hierarchy. This organizational structure may be based on relative size, sensitivity of the application’s data, geographic location, or a combination of factors. Remember, this phase is all about triage: discovering what currently exists and what identities and access might need to be secured as the program progresses.
This first phase of the Maturity Model for Identity Governance (MMIG) may be defined as follows:
- Data Context:
  - Basic identities established
  - Secondary identity repositories identified
  - Applications organized into a hierarchy
- Business Context:
  - Visibility into the environment
  - Catalog identities and applications
  - Establish visibility into the environment
- Questions Asked:
  - “What identities are out there?”
  - “What applications exist that need to be secured?”
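The first-stage workflow above (import the authoritative HR repository, correlate secondary repositories such as an AD domain against it, order applications into a hierarchy) as an added example; it is not code from the original post or from any identity governance product, and it goes one step past the text by also listing people HR marks as terminated who still hold accounts. The HR records, the domain name, the application names and their sensitivity scores are all constructed.

```python
# Constructed authoritative HR export: the source of truth for real-world people.
HR_RECORDS = [
    {"employee_id": "E100", "name": "Ana Ruiz", "email": "Ana.Ruiz@example.com", "status": "active"},
    {"employee_id": "E101", "name": "Luis Moya", "email": "luis.moya@example.com", "status": "terminated"},
    {"employee_id": "E102", "name": "Sara Kim", "email": "sara.kim@example.com", "status": "active"},
]
# Constructed secondary repositories: an AD domain plus two application user lists.
SECONDARY = {
    "corp.example AD": [{"account": "aruiz", "email": "ana.ruiz@example.com"},
                        {"account": "lmoya", "email": "luis.moya@example.com"},
                        {"account": "svc_backup", "email": ""}],
    "Payroll": [{"account": "ana.ruiz", "email": "ana.ruiz@example.com"},
                {"account": "contractor7", "email": "c7@vendor.example"}],
    "Wiki": [{"account": "skim", "email": "sara.kim@example.com"}],
}
# Constructed application attributes used to order the hierarchy (sensitivity 1-3).
APPLICATIONS = [{"name": "Payroll", "sensitivity": 3, "users": 120},
                {"name": "Wiki", "sensitivity": 1, "users": 900},
                {"name": "corp.example AD", "sensitivity": 3, "users": 1000}]

def build_identity_foundation(hr_records):
    """One identity per HR record, keyed by normalised e-mail address."""
    return {r["email"].lower(): {**r, "accounts": []} for r in hr_records}

def correlate(identities, repositories):
    """Attach each secondary account to its authoritative identity; return the
    accounts that match no HR identity (the first triage list)."""
    orphans = []
    for repo, accounts in repositories.items():
        for acct in accounts:
            ident = identities.get(acct["email"].lower())
            if ident is None:
                orphans.append((repo, acct["account"]))
            else:
                ident["accounts"].append((repo, acct["account"]))
    return orphans

def terminated_with_access(identities):
    """People HR marks as terminated who still hold an account somewhere."""
    return sorted(i["employee_id"] for i in identities.values()
                  if i["status"] == "terminated" and i["accounts"])

def application_hierarchy(apps):
    """Order applications by data sensitivity, then by population size."""
    return [a["name"] for a in sorted(apps, key=lambda a: (-a["sensitivity"], -a["users"]))]

if __name__ == "__main__":
    ids = build_identity_foundation(HR_RECORDS)
    print(correlate(ids, SECONDARY), terminated_with_access(ids))
    print(application_hierarchy(APPLICATIONS))
```

Accounts with no authoritative identity (service accounts, contractors) and terminated people who still hold access are exactly the items this phase should queue for review as the program progresses.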
Much like finding your way in a foreign metropolis, implementing identity governance and analytics is not as difficult as it may appear at first glance—by asking the right questions and rapidly analyzing the environment, organizations can establish a foundation for success and pave the way to a mature view of identity that helps secure sensitive data and information.