An Identity and Access Management project is not always an easy job. It is very difficult to describe in few words why, but one reason for sure is that in the IAM environment procedures are always more important than technology. In other environments, (e.g. Document Management), technology can drive procedures, thus the right technology choice is the most important aspect.
Conversely, in the IAM environment it is quite impossible to find customers willing to change procedures because technology is unable to map these procedures into the product (or achievable only with huge software customisation). Procedures are important and relevant processes have to be mapped into technology without compromises.
On the flip side of the coin, there is another aspect to consider.
AM technology is still evolving. Most “official” IAM technology vendors are coming from the User Provisioning environment; in essence, coming from the bottom. Pure technology. Of course vendors are adding features trying in attempts to raise the bar but they are still conditioned by original sin – They want to add intelligence to technology instead of adding technology to intelligence.
Intelligence, as in many other IT contexts, is represented mostly by the conceptual model standing behind the product and a data model representing the conceptual model.
The secret of product “intelligence” lies in the conceptual model and its relevant data model.
Technology features like a beautiful, rich graphical interface for workflow design or the huge standard support are all important aspects, …. but I suggest that customers intending to acquire an IAM solution verify how complex it could be to implement simple procedures (e.g. user lock/unlock levels or procedure). It turns out to be a mess with customized software development and the writing of many, many technical policies: even if within a nice graphical environment.
This situation has encouraged the founding of companies who start from RBAC and progressively enrich the model to reach complete RBIA (Role based Identity Administration).
The RBIA model intends to integrate all concepts of User Management (including Credential Management), Role Management, Role Engineering, SOD compliance, Audit and Reporting all the way up to Unified Identity Approach, in order to unify Logical and Physical Access Management views.
According to my understanding, customers’ important expectation of an IAM project that easily supports present and future Identity Management procedures and processes, indicates that a field proven RBIA product is a “must”.
Addition of RBIA functionalities could result in an increase in license costs with respect to the budget sum. However, in our experience, this is greatly offset by tremendous savings of time and cost of project implementation along with a heavy reduction of project risks.
BTW, in a following post I’ll try to justify why implementing a lock/unlock account procedure might not be so easy.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment