The evolution of identity management
Identity management steps into the light – and what a beauty it is!
Darwin told us that it’s the survival of the fittest. Well, nowadays, in an age where the only constant is change, the fittest are the fastest. Technological developments are happening at the speed of light, and the speed we see now is only the beginning. Technology is developing exponentially, and it’s impacting every part of society. It brings great benefits and great threats.
Identity management is changing
From our identity and access management (IAM) practice we see this increasingly impacting our clients: most of the identity and access management programs in the past were confined to the security department and tied into areas of control and segregation of duties. Nowadays we see an increasing number of areas where organizations are going through a digital transformation. And within that transformation things really change. Employees bring their own (untrusted) devices, business partners access your information directly and vice versa and you wonder whose information it is anyway, and customers visit online and leave numerous tracks that contain valuable information, but these are difficult to combine into one view. The topic of identity management truly becomes identity management. It doesn’t matter which identity you can think of, in the digital world it requires proper management.
Businesses going digital
This means you and your organization needs to find a way to handle this transformation, the speed at which it occurs and the new forms of identity that you face. The key emphasis in this is the business, which is going digital. In the past you may have sufficed with identity and access management for security reasons and it provided some pretty compliance overviews. Today any effort in the realm of identity (and access as well) management needs to consider at least these three:
- What is your business and how do people and information move through it?
Where security in the past only looked at the risks and tried to ‘protect’ the business by locking it up, now digital organizations focus on collaboration. The digital world does not work with standalone, siloed organizations. Coopetition (a blend of competition and cooperation) is the norm and becomes the requirement to survive and grow. And that has everything to do with what you want people to be able to do (both your employees, your customers and your other stakeholders) and what information you want to see flow (both your information as information related to and about you in other domains, such as social media). This gives you the true business direction and requirements for identities and information, and note this is not restricted to employees. It explicitly should include all people that you interact with, customers, business partners and stakeholders that you have in social media environment. Don’t let this view be a lock-in on a specific set of identity populations (or IT applications for that matter).
- Can you explain it in a business context?
A simple picture that describes the different domains for identity and access management is the next thing you need to set up, once you know the true business requirements. I’ll refer to the simple picture as architecture. The architecture presents a complete overview, with all different identity populations and how you relate to them. It’s a high level overview, which aims for completeness and business, not for detail. It helps you to manage the potential myriad of identity and access management efforts that you could start later on and it supports you in distinguishing between the main areas of identity management (identity, authentication, authorization, access control and domains such as privileged access management, federation, etcetera). This is an ever growing list of topics if you go into more detail, and you need one overview to capture them in. An architecture map helps you define the IAM realm and discuss IAM topics in context within and outside your organization. It’s also something to point at when clarifying a complex area.
- Do you control the portfolio of activities?
For each of the domains consequently requirements will need to be defined that will be followed up by projects delivering solutions that address the requirements. These may address internal administrators, access by third parties, the level of authentication, the customer or client accounts, up to the customer experience of having access to information. Within projects technologies are used to deliver effective solutions, which will start filling blank spots in the architecture. And as your architecture expands over time and covers new digital areas, the projects will address and deliver solutions that support the organization to expand on those digital areas. And this is the part of identity management where program and project management becomes a key skill in your team.
Keeping an overview
We’ve seen from experience that being able to keep the overview of activities and projects is an essential factor for success in the realm of identity and access management. Another essential ingredient is connecting to the business and not only providing security, but providing access to information and enabling the flows of information to identities. You should keep a helicopter view on identity management and include all identities, including third parties and customers. How the organization can manage identities and their access consequently becomes a key element in your innovation, because the more digital you go, the more of a hindrance not being able to provide proper access becomes. But with IAM it becomes easier to provide the proper access, it’s no longer a hurdle to innovation.
Identity and access management is going to move to the forefront of the business and will require marketing skills, technology skills and security, privacy and risk management skills to be combined, in order to compete. However, if you don’t keep it simple, it won’t fly. IAM is an inherent complex topic that requires simple explanation with thorough understanding, because expectations need to be managed.
"Cyber threats are a manageable problem, if you have the right preventive, detective and reactive measures in place"