The Value of Taking a Governance-based Approach to Provisioning

In case you missed it, SailPoint recently announced a new provisioning solution based on identity governance. I believe this announcement not only signaled a fundamental change in approach from “old school” provisioning systems, but also sent a much-needed life preserver to companies struggling with a provisioning quagmire. I know talk is cheap, so I want to provide a more technology-focused description of how our new approach will lead to a much-needed improvement in the overall success rate for provisioning projects.

At the core of the problems with most legacy provisioning products is their failure to truly understand the security models within the systems they connect to and provision changes for. This may sound strange, but it’s true. Rather than focusing on building an overall control model that understands entitlement, legacy provisioning systems tend to focus on defining account schemas and building complex forms logic and rules to control the assignment of entitlements to identities via that schema.

To overload a much-used term, the legacy approach to provisioning is “bottom up.” It starts at the bottom with a connector. The provisioning system itself requires complex configuration and programming by highly skilled IT technical staff, and the true business processes that the system provides are hidden in complex programming logic rather than being expressed in high-level business policy terms.

Quite the reverse is true for a governance-based approach to provisioning. A governance-based approach starts “top down” with a focus on managing entitlements within a defined governance lifecycle. This provides the business with a single view of the overall processes of request, controls, assignment and last-mile provisioning as one overall business process. It builds upon clearly defined risk, role and policy models – models designed for and used by the business, NOT by an IdM specialist within IT.

Some of you might be wondering, “That’s just roles for provisioning, isn’t it?” To be very clear, I’m saying that governance-based provisioning is much more than role-based provisioning! In fact, sometimes it doesn’t involve a role model at all. In those cases, a governance-based approach to provisioning is built upon a catalog of entitlements that describes business meaning and prescribes clear ownership and approval processes for provisioning.

Here governance is built upon business-oriented assignment policies that describe who should have what, and provides further insight into what that means – what data can be accessed, what files can be shared, etc. All this data comes together to create a core governance model that describes, in business terms, how access is defined, requested, approved, tracked, audited and later reviewed by the line of business. This is provisioning based on a governance meta-model, not XML-coded “workflow rules.” It is “model based,” and the provisioning process itself is dynamically driven by the data that the model provides.

So what’s the net result of this next generation approach to provisioning? It’s better preventative and detective controls, fewer violations, and greater visibility and transparency over the complete end-to-end provisioning process. A governance-based approach to provisioning captures, documents and controls both the business and technical context of identity and the entitlement access governance lifecycle for all applications across the entire identity ecosystem, regardless of how the “last mile” of provisioning is enacted.

By modeling all of the rules, relationships and processes that make up “the business of identity,” you can bridge the gap between these business processes and the technical implementation of the underlying security models. This allows organizations to gain end-to-end visibility and control across all systems and applications – a breadth of coverage that has proved nearly impossible to achieve using traditional provisioning solutions.

I think we were way overdue for a fresh approach to user provisioning. What do you think?