The 5 Critical Tenets of Identity Management

I consider being the CTO at SailPoint the best job in the world! Everyday I get to meet and work with super smart people, who like me, have a passion for identity management. Given my role as CTO, I get to discuss many varied topics with any given client, prospect, or partner, but the most prevalent question I’m asked is, “where’s it all going?”. With cloud and mobile now a deployment reality in most businesses, and with IAM-as-a-Service (IDaaS) now offering an alternative deployment model, it’s interesting to consider where our industry will be in 10 years from now.

Now, I don’t have a crystal ball, so predicating change is always a gamble. The only thing you can do is focus on the core things that have been proven to work so far. As we look back on what we’ve learned in the industry so far, and we lay out a path to the future products and solutions for tomorrow, I think some basic and very simple patterns (or tenets) of IAM approach emerge that can help guide a solution and a deployment today and ten years from now. For the purpose of this post, lets consider these as the “five critical tenets of IAM” and summarize them as follows:

1. Think identity – not account
Even before the advent of cloud computing, we learned that more often than not, an end user in the organization typically has multiple accounts and multiple entitlements per person across the infrastructure. If an enterprise only focuses its IAM program on managing at the account level, it will never get the total visibility needed to properly know “who does have access to what.” Understanding the relationship between the identity and the account, between the account and the entitlement and between the entitlement and the data/information that it protects is key. By centralizing data around an identity, enterprises have a single place to model roles, policies, and risk to support compliance, provisioning, and access management processes across the organization.

2. Visibility is King! – silos are bad!
While new technologies like cloud and mobile are being mixed with established mainstays like SAP, Oracle and RACF (and, yes, that is still very prevalent in the enterprise!), all enterprise applications that contains “valuable” or sensitive data, or perform mission critical operations within the organization must be managed with an increasing focus on governance, compliance and automation – in one single place. This allows the IT organization to leverage common detective and preventative controls to ensure an enterprise-wide view of identity data, which can help the business and IT effectively analyze risk, make informed decisions and implement appropriate controls in an automated and more sustainable fashion. Many of today’s cloud-based identity solutions only manage cloud apps – so they require you to implement a second solution, or leave yourself exposed.

3. Full lifecycle governance is required
It is critical to always manage the lifecycle of an identity by tying it to the business policies and business owners that are responsible for it. We must allow detective and preventative controls to span the entire lifecycle of an identity as request, review and revocation takes place. By embedding policy and controls throughout the full identity lifecycle process, enterprises can achieve ongoing, sustainable compliance and reduce the need for after-the-fact remediation.

4. Consistency throughout the lifecycle
It’s more important than ever to apply centralized, automated controls and policy to key identity business processes safe, secure and compliant. Adding consistency and repeatability will allow enterprises to strengthen their controls, work more efficiently, and promote good governance policies over the long-term. Importantly, cloud apps should always be handled using the same processes and centralized controls as the applications in the datacenter.

5. User experience is everything
IAM tools and technology must continue to evolve to more closely mirror the user experience that consumer-focused technologies provide. Having the right overall user experience for Identity Management is a critical part of achieving widespread participation from business users inside and outside of the enterprise. The right user experience is key to ensuring that organizations get active ongoing participation from business users throughout the identity lifecycle. The user experience has to be part of the business flow not apart from the business flow.

This week, I will be tackling this very topic during a panel session at KuppingerCole’s European Identity Conference with fellow panelists, Mike Neuenschwander of iC Consult Americas and Amar Singh of KuppingerCole. If you are attending the event in Munich, be sure to join us on Wednesday, May 14th, at 3:30 p.m. (15:30) or stop by our booth (G3) at the show. I hope to see you there!