Identity Management is an interesting topic. It’s always touted by the vendors as the tool organisations need to ensure they know who their employees are, and that those employees only have the access they require.
But this doesn’t really sell it for most people, and it probably doesn’t really make much sense. That’s a pretty vague benefit, unless your organisation is handling really sensitive data, or you’re in the business of national security. IdM usually isn’t cheap to build and implement (let’s be honest here), and being told that you now have assurance of who your employees are doesn’t really inspire confidence that your budget was spent wisely.
So, what are some tangible benefits to IdM?
Say you have an organisation of 400,000 staff. That’s a lot of people, and that’s a lot of software licences required for them. Not only that, but that’s a lot of different software licences required, and I’m sure not everyone in the organisation needs the same software across the board. You’re probably looking at the number of different products in the thousands.
Say you just(!) have 50,000 staff. That’s still a lot of licensing.
Even going down to just a few thousand employees, that’s still a lot of licensing.
Now, one of your many employees decides to leave the organisation. OK cool, just disable/delete their AD account, get their access pass back and we’re covered, right?
Oh wait, they were also running:
- Microsoft Office
- Microsoft Visio
- Microsoft Project
- The Time Tracking Tool
- Some little converter software to get the data out of one spreadsheet into some performance reports
And they also had accounts in:
- The HR System, to get some report data out once a year because they’re the best at doing that report
- The Online Task Management Tool
- The Smartcard Management System
- The Test and Development Network, because they made the move from technical staff to management and they just couldn’t let go of tinkering every now and then.
Now, each of those products & accounts was happily approved and purchased over the life of their time at the organisation, but now somebody (some disgruntled sysadmin) has the task of making sure those product licences can be consumed again by the next new employee, and that all of those accounts get suspended/deleted. That person will also spend a huge amount of time on this recovery process.
Now, whack an IdM on top, and through the Provisioning/Deprovisioning processes we can easily approve the purchase and allocation of software and recover it once they have left the organisation.
If you have tens, hundreds, or even thousands of orphan accounts lying around, you’re looking at a serious amount of money being wasted. IdM is designed to “search and destroy” these orphan/rogue accounts, and if it isn’t fully automated by the IdM (because in reality some things can’t always be connected) you will still get a report on all the orphan/rogue accounts in your organisation, which is something you can action a lot faster and more efficiently.
If you’ve actually managed to capture provisioning/deprovisioning in some manual process, you’re wasting the energy of your employees (and depleting their sanity) by making them go through these motions. And a technical resource doing work like this is an unnecessary cost burden to the organisation. Seriously, repeatable manual tasks are what computers are designed for.
Ew. Nobody likes Auditing. It’s never fun. It’s pretty much a swearword to those who have to do it once in their lifetime.
But, this is one area IdM can save the day.
If, for compliance reasons, you are required to provide proof that your privileged accounts aren’t being exploited, and that sensitive data stores are only being accessed by those requiring access, then having that account provisioning information stored in an IdM allows you to quickly punch out a report when that dreaded audit time comes along.
This benefit is really suited to Financial Organisations, Organisations handling Medical Records and Defence/National Security, as they’re really the key areas where compliance and auditing come into play.
But that doesn’t exclude everyone else. This ties in with my previous point on Licensing. A large organisation can run a report on the number of users provisioned with something like Acrobat Professional, and then the bean counters can match that against how many Acrobat Professional licences are actually being paid for.
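To make the three reports above concrete (the leaver’s scattered accounts and licences, the orphan/rogue account list, and the provisioned-versus-paid licence count), here is a small added example that is not from the original post and not any vendor’s IdM code. It treats the HR feed as the authoritative record of who still works here and reconciles every connected system and licence pool against it. The employee ids, system names, account names and seat counts are all constructed for illustration.

```python
# Added example (not from the original post): a toy reconciliation that
# treats the HR feed as the authoritative record of who still works here and
# checks every connected system and licence pool against it. All data below
# is constructed for illustration.

# Authoritative source: employee_id -> name for everyone currently employed.
HR_ACTIVE = {
    "e1001": "Alice Example",
    "e1002": "Bob Example",
    "e1003": "Carol Example",
}

# Accounts harvested from connected systems: system -> {account: owner_id}.
# An owner of None means the account was never linked to a person.
SYSTEM_ACCOUNTS = {
    "active_directory": {"alice": "e1001", "bob": "e1002", "carol": "e1003", "dave": "e1004"},
    "hr_reporting": {"alice.r": "e1001", "svc_report": None},
    "test_dev_network": {"carol": "e1003", "dave_admin": "e1004"},
}

# Licence allocations recorded at provisioning time: product -> owner_ids.
PROVISIONED = {
    "Acrobat Professional": {"e1001", "e1002", "e1004"},
    "Visio": {"e1001", "e1004"},
}

# Seats the organisation is actually paying for (constructed numbers).
LICENCES_PAID = {"Acrobat Professional": 5, "Visio": 1}


def classify_account(owner_id, hr_active=HR_ACTIVE):
    """'ok' if the owner is a current employee, 'departed' if they have left,
    'unowned' if the account was never tied to anyone (a rogue account)."""
    if owner_id is None:
        return "unowned"
    if owner_id not in hr_active:
        return "departed"
    return "ok"


def find_orphan_accounts(system_accounts=SYSTEM_ACCOUNTS, hr_active=HR_ACTIVE):
    """Report every account whose owner is gone or unknown: {system: [(account, status)]}.
    This is the 'search and destroy' list, or the report when a system can't be automated."""
    report = {}
    for system, accounts in system_accounts.items():
        for account, owner_id in sorted(accounts.items()):
            status = classify_account(owner_id, hr_active)
            if status != "ok":
                report.setdefault(system, []).append((account, status))
    return report


def deprovisioning_plan(employee_id, system_accounts=SYSTEM_ACCOUNTS, provisioned=PROVISIONED):
    """Everything to revoke when one person leaves: their accounts in each
    connected system and the licences that can be returned to the pool."""
    accounts = {
        system: sorted(a for a, owner in accts.items() if owner == employee_id)
        for system, accts in system_accounts.items()
    }
    return {
        "accounts": {s: a for s, a in accounts.items() if a},
        "licences": sorted(p for p, holders in provisioned.items() if employee_id in holders),
    }


def reconcile_licences(provisioned=PROVISIONED, paid=LICENCES_PAID, hr_active=HR_ACTIVE):
    """Per product: seats held by current staff, seats still allocated to leavers
    (recoverable), seats paid for, and the surplus once leavers are cleaned up.
    A negative surplus means more seats deployed than paid for."""
    rows = {}
    for product, holders in provisioned.items():
        active = {h for h in holders if h in hr_active}
        seats_paid = paid.get(product, 0)
        rows[product] = {
            "active_users": len(active),
            "recoverable": len(holders) - len(active),
            "paid_for": seats_paid,
            "surplus_after_recovery": seats_paid - len(active),
        }
    return rows


if __name__ == "__main__":
    print("Orphan/rogue accounts:", find_orphan_accounts())
    print("Leaver plan for e1001:", deprovisioning_plan("e1001"))
    print("Licence position:", reconcile_licences())
```

With the constructed data, the departed “e1004” shows up as an orphan in both Active Directory and the test network, the unowned `svc_report` account is flagged as rogue, and the Acrobat report shows two current users against five paid seats (three surplus once the leaver’s seat is recovered). In a real deployment the three dictionaries would be fed by the IdM’s connectors rather than hard-coded, but the reconciliation logic is the same.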
Big organisations inevitably end up with a lot of different systems. Things like Corporate Directories, Human Resource Management Systems, Active Directory, Training Systems, and so on.
And the best part is some large orgs will be running 2 of the same type of product from different vendors, as they’re either in transition or they just aren’t aware of there being a duplication.
This is far easier said than done, but with an IdM in place an organisation can enforce that the IdM is the single point of data integrity. Any modifications, insertions or deletions will be handled at the IdM as the authoritative source.
As a result, we end up with a trusted source of Identities in the organisation. We can be assured that an update to contact information in the Corporate Directory will end up being reflected on the employee’s payslip.
I guess the only way this actually feels like an important benefit is to experience the frustration first hand. You know, having to fill in an application form to get an account in one system, and then fill in the exact same data for a different system, because the two just don’t talk to each other. It’s only little things, but those can add up pretty quickly when you have a lot of staff.
Technology exists not to just create more technology and to entertain us. It exists to make our lives easier. Don’t look at implementing IdM because you have to. Or because a consultant is pitching it to you. Or because it’s just part of the way you need the organisation to become compliant with some ICT compliance rules.
Look at implementing IdM because you want the organisation to run better. You want security to get stronger. You want less wastage. You want people to do less menial crap and be more productive in the workplace. You want them to stop calling the helpdesk to say their phone number isn’t up to date in XYZ system.
And especially important, don’t half-arse your IdM implementation. Don’t let internal groups fight to maintain ownership over data just because they’re scared of losing their jobs. Make sure the organisation will continually review ways to keep connecting the IdM to other systems, not just the ones scoped in the migration project.
Use IdM to follow the process of continual improvement, and make sure it itself follows that process as well.