I LOVE CATS, BUT I CAN’T EAT A WHOLE ONE BY MYSELF: Identity and Access in Stages

Actually, I hate cats. A dog tells you what it’s thinking with its tail and its voice, while a cat tells you it doesn’t want to be petted by clawing you. You never really own a cat, just like if you run Windows, you don’t really own your box, you just make suggestions to it while it does whatever it feels like doing.
But I digress. I wanna talk about one of the reasons some of my clients put off deploying an IAM system: they think it’s too huge an undertaking. And it is, if you’re dumb enough to try doing it all at once. Such an attempt is one of my Top Ten Ways to screw up an IAM project, listed here:
http://www.identityaccessmanagementbook.com/download10.html
Not only are there too many tasks to handle at once, there are too many parties to corral, as if you’re herding cats. You might want to get people on board for an overall strategy, because you will (hopefully) one day have that complete-solution IAM framework in place, with all your pieces integrated and all your sins forgiven. But you’re goofy in the head if you try to put it all in place at once. Slow and steady wins the race.
There’s password reset, account creation, provisioning, web access management, fraud prevention, attestation and other compliance concerns, and a host of other processes and goals to master. But each one of these is an onion to peel. Provisioning alone means
- An authoritative source
- Defined target resources and connectors
- Role definitions
- Policy definitions
- Workflow
- Auditing and reporting
- Heavy drinking
- Some other stuff
Naturally, you attack your biggest pain points early on, but it’s also a great idea to get some early wins, just for political and feel-good reasons. Pick the stuff that can be set up the fastest, and has some quick, gratuitous value. “Look, kids, we have password reset and single sign-on. One password policy, one password, all systems, and the ability to fix yourself if you forget the thing or wait too long.” It’s something everybody can agree on. Early wins score you points across the board, from the end users who have a new toy to the management types who green-lighted your project in the first place.
Maybe you never end up putting the whole thing in. Maybe your budget gets exhausted. Maybe your organization gets exhausted. Maybe you achieve your initial goals, and take a breath. Maybe you stumble on your way to your first success, and need to convince management to let you build that second stage.
But at least you’ve gotten that first win, and the foundation for going forward. I’ve got clients who put in place self-service and manager requests, then after workflow and approvals, they route the final request to the help desk, so that somebody in the back room fat-fingers the user into the desired targets. That’s certainly not true provisioning, but at least it sets the stage for when they will take the help desk out of the loop and substitute as that last stage the connectors which actually do the provisioning and account creation.
Everybody has their own path to true identity management, but figure it this way:
- You need an authoritative source for identity
- You need a database or directory to store the metadata for the provisioning and access
- You need to define and store roles and rules
- You need a policy engine to match up the roles and rules with the users, and a workflow engine to push the requests and approvals
- You need to hook up the authoritative source with the engine to get people their stuff
- You need connectors to actually create the accounts
Eventually, you may drive access control off all of this as well. Or you could even start with access, and say, “I have resources, and I have an LDAP. The people in this ou can access this set of URLs.” And then slowly migrate off that help desk procedure for punching users manually into the directory, as you put true provisioning in place.
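Here is what that staged pipeline looks like as code. This is an added illustration, not the author's or any product's code: the HR feed, the role definitions, the approval policy, the OU-to-URL rule and the manager names are all constructed sample data. It wires together the pieces listed above (authoritative source, roles and rules, a policy engine, a workflow engine, a fulfilment stage) and makes the last stage pluggable, so the same pipeline can hand approved requests to a help desk as tickets (stage one) or to connectors that create the accounts themselves (stage two). The `can_access` function is the "people in this ou can access this set of URLs" rule from the paragraph above.

```python
"""Staged IAM provisioning pipeline (added illustration, not the author's code).

Stage 1: requests pass workflow approval and land on the help desk as tickets.
Stage 2: the same pipeline, with the help-desk stage swapped for connectors
that create the accounts directly. All data below is constructed sample data.
"""
from dataclasses import dataclass

# --- Authoritative source: a constructed HR feed ------------------------------
HR_FEED = [
    {"uid": "jdoe", "dept": "finance", "manager": "mlee",
     "ou": "ou=finance,dc=example,dc=com"},
    {"uid": "asmith", "dept": "engineering", "manager": "rkhan",
     "ou": "ou=eng,dc=example,dc=com"},
]

# --- Role and policy definitions (constructed) --------------------------------
ROLES = {"finance": {"erp", "email"}, "engineering": {"git", "email"}}
NEEDS_APPROVAL = {"erp", "git"}   # targets that require the manager to sign off

# --- Access rule driven off the directory: this ou may reach these URL prefixes
OU_URLS = {"ou=finance,dc=example,dc=com": {"/erp/", "/reports/"},
           "ou=eng,dc=example,dc=com": {"/git/", "/ci/"}}


@dataclass
class Request:
    uid: str
    target: str
    approved: bool = False


class Workflow:
    """Holds requests; marks one approved only when the person's own manager signs."""
    def __init__(self):
        self.pending = []

    def submit(self, req, needs_approval):
        if not needs_approval:
            req.approved = True          # low-risk target: auto-approve
        self.pending.append(req)

    def approve(self, approver, person):
        for req in self.pending:
            if req.uid == person["uid"] and approver == person["manager"]:
                req.approved = True


class HelpDeskFulfiller:
    """Stage 1: the last step is a ticket a human works, not an automated connector."""
    def __init__(self):
        self.tickets = []

    def fulfil(self, req):
        self.tickets.append(f"TICKET: create {req.uid} on {req.target}")
        return "ticketed"


class ConnectorFulfiller:
    """Stage 2: a connector creates the account on the target directly."""
    def __init__(self):
        self.accounts = {}               # target -> set of uids provisioned

    def fulfil(self, req):
        self.accounts.setdefault(req.target, set()).add(req.uid)
        return "created"


def policy_engine(person):
    """Match a person from the authoritative source to the targets their role grants."""
    return sorted(ROLES.get(person["dept"], set()))


def provision(feed, fulfiller, approvals):
    """Run the pipeline end to end. approvals maps uid -> who signed off.

    Returns an audit trail of (uid, target, outcome) so the run can be reported on.
    """
    wf, audit = Workflow(), []
    people = {p["uid"]: p for p in feed}
    for person in feed:
        for target in policy_engine(person):
            wf.submit(Request(person["uid"], target), target in NEEDS_APPROVAL)
    for uid, approver in approvals.items():
        wf.approve(approver, people[uid])
    for req in wf.pending:
        outcome = fulfiller.fulfil(req) if req.approved else "held: awaiting approval"
        audit.append((req.uid, req.target, outcome))
    return audit


def can_access(person, url):
    """Web access rule: the user's ou decides which URL prefixes they may reach."""
    return any(url.startswith(prefix) for prefix in OU_URLS.get(person["ou"], set()))


if __name__ == "__main__":
    print(provision(HR_FEED, HelpDeskFulfiller(), {"jdoe": "mlee"}))
    print(provision(HR_FEED, ConnectorFulfiller(), {"jdoe": "mlee", "asmith": "rkhan"}))
```

The point of the two fulfiller classes is that nothing upstream changes when you take the help desk out of the loop: the authoritative source, roles, policy and workflow are already doing real work in stage one, and stage two only replaces the object you hand to `provision`. The audit trail is what lets you show management that the first stage is actually running before you ask for the second.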
I’ve had a couple of huge clients over the years, one in transportation and the other in the beverage industry, who had so many resources and such grandiose plans, that they were paralyzed. “How will we ever accomplish all this?” And I would tell them, YOU WON’T. Bite off the piece you can handle. The front of the cat looks tasty, worry about the tail later. Increments. Otherwise, it may not even be a matter of finishing, because you’ll be too intimidated to take that first nibble.